Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde and Vitrumonde.generic


  • This topic is locked This topic is locked
17 replies to this topic

#1 ViaSarah

ViaSarah

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 23 December 2008 - 12:47 PM

Problem: getting pop-ups occastionally. Sometimes the pop-ups would be severe (constantly after another, especially in sites like youtube), other times they will appear every once in a while. (I would only get pop-ups when I go on the internet)

So far I have...

1) I ran Spybot w/ advanced mode on and identified two trojans: Virtumonde and Virtumonde.generic.
2) After the scan I clicked on 'Fix selected problems'. I assumed that it was deleted because of the check marks.
3) I ran spybot again and it identified the trojans again. So I clicked on the '+' sign to see the entries for each trojan. I right clicked each entry to their location and tried to delete the entries.
4) Assuming that I had deleted them I scanned again w/ spybot to confirm but the trojans were still there.
5) After I rebooted, I scanned again w/ spybot but the trojans were still identified.

*I scanned w/ my Norton but did not identify anything (i think my antivirus is out-of-date even though the subscription did not expire yet. I been using norton for 4 yrs now and never had it go out-of-date.)

**I forgot to mention that that first time I scanned w/ spybot, it also identified a malware called "Smitfraud-C" and 3 more trojans: 'Win32.agent.amyy, Win32.Agent.amwr, Win32.agent.aiae'. I went to the entry location and deleted them and rescanned. Spybot did not identify them, so I assumed that they were deleted.

Windows: XP



Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2008-12-23 12:36:50
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 19 GB (34%) free of 57 GB
Total RAM: 478 MB (10% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:47 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\trend micro\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {629a28da-8d83-50ca-76d4-80059074f8d0} - {0d8f4709-5008-4d67-ac05-38d8ad82a926} - C:\WINDOWS\system32\kvkxqv.dll
O2 - BHO: (no name) - {0DF4C60B-9A01-4899-8F38-FFF2D45782C1} - (no file)
O2 - BHO: (no name) - {1286FA35-2C7E-4778-B69A-5F4A98B556AA} - (no file)
O2 - BHO: (no name) - {190A41A3-FC73-4FFE-ACDA-849FFF21B551} - (no file)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {37E5929B-CD83-4827-BFD8-019A337D2EC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56F2E910-C24A-41E1-BA6D-3D7EE1F20C75} - (no file)
O2 - BHO: (no name) - {5904F216-FD04-4803-92A5-CF91ABA2D384} - (no file)
O2 - BHO: (no name) - {6215DF06-8154-4B5D-841B-1935529BC0E4} - (no file)
O2 - BHO: (no name) - {62D793DF-2A2D-4DAF-9D7E-6CFF8948675F} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfGxWpp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77ea9558-cc1e-47fc-8064-53508b1feb39} - (no file)
O2 - BHO: (no name) - {9AA55CAF-6F01-4408-BE6C-7D9DC34B0935} - (no file)
O2 - BHO: (no name) - {9BF638A4-52CE-4027-83EC-5032A93130C1} - C:\WINDOWS\system32\xxywUNDW.dll
O2 - BHO: (no name) - {AC2B1D0E-F7F5-43FF-BB36-46ED552C6E4C} - (no file)
O2 - BHO: (no name) - {D487B500-8277-4538-9F15-119CDE0D87DA} - (no file)
O2 - BHO: (no name) - {D7BF6D05-042A-4305-B425-2E441B9A7D31} - (no file)
O2 - BHO: (no name) - {DABA54A5-FB7B-4321-A4A9-200B9DE1D090} - (no file)
O2 - BHO: (no name) - {E77CEC17-DFFE-4FE0-BBF6-DE401D32C719} - (no file)
O2 - BHO: (no name) - {EC76491C-E79A-441A-85F8-A728BA31899A} - (no file)
O2 - BHO: (no name) - {F24E2423-21D0-47A9-9B79-42A5D10F83C7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3574f1da] rundll32.exe "C:\WINDOWS\system32\bgyxmgto.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: khfGxWpp - C:\WINDOWS\SYSTEM32\khfGxWpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8792 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\mgdinrhm.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d8f4709-5008-4d67-ac05-38d8ad82a926}]
C:\WINDOWS\system32\kvkxqv.dll [2008-12-23 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DF4C60B-9A01-4899-8F38-FFF2D45782C1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1286FA35-2C7E-4778-B69A-5F4A98B556AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{190A41A3-FC73-4FFE-ACDA-849FFF21B551}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348FE907-249E-4C65-A838-F34A193FE1D1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37E5929B-CD83-4827-BFD8-019A337D2EC0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F2E910-C24A-41E1-BA6D-3D7EE1F20C75}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5904F216-FD04-4803-92A5-CF91ABA2D384}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6215DF06-8154-4B5D-841B-1935529BC0E4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62D793DF-2A2D-4DAF-9D7E-6CFF8948675F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-01-31 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\khfGxWpp.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ea9558-cc1e-47fc-8064-53508b1feb39}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AA55CAF-6F01-4408-BE6C-7D9DC34B0935}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BF638A4-52CE-4027-83EC-5032A93130C1}]
C:\WINDOWS\system32\xxywUNDW.dll [2008-12-07 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC2B1D0E-F7F5-43FF-BB36-46ED552C6E4C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D487B500-8277-4538-9F15-119CDE0D87DA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF6D05-042A-4305-B425-2E441B9A7D31}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DABA54A5-FB7B-4321-A4A9-200B9DE1D090}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E77CEC17-DFFE-4FE0-BBF6-DE401D32C719}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC76491C-E79A-441A-85F8-A728BA31899A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F24E2423-21D0-47A9-9B79-42A5D10F83C7}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-01-31 51048]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]
"SMSTray"=C:\Program Files\Samsung\EmoDio\SMSTray.exe [2008-05-27 475136]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-11-14 286720]
"3574f1da"=C:\WINDOWS\system32\bgyxmgto.dll [2008-12-23 72704]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]
"GetModule32"=C:\Program Files\GetModule\GetModule32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-04-30 208958]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-07-30 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2003-10-30 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2005-01-12 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe [2003-05-22 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2003-10-30 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-03-23 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-08-16 5728112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe [2007-08-24 714608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2007-11-14 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-09-20 132624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]
C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-26 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-26 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe /VeohHide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-10-30 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGxWpp]
C:\WINDOWS\system32\khfGxWpp.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\khfGxWpp.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\xxywUNDW

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1134345264\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1134345264\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1134345264\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1134345264\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\1136151293\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1136151293\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1136151293\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1136151293\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\1157142764\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1157142764\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1157142764\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1157142764\ee\aim6.exe:*:Enabled:AIM"
"D:\setup\HPZNET01.EXE"="D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\WINDOWS\system32\muzapp.exe"="C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Nexon\KartRider\NMService.exe"="C:\Nexon\KartRider\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.js - edit -

======List of files/folders created in the last 1 months======

2008-12-23 12:37:12 ----D---- C:\Program Files\trend micro
2008-12-23 12:36:50 ----DC---- C:\rsit
2008-12-23 12:25:30 ----SH---- C:\WINDOWS\system32\otgmxygb.ini
2008-12-23 12:25:26 ----A---- C:\WINDOWS\system32\bgyxmgto.dll
2008-12-23 12:23:11 ----A---- C:\WINDOWS\system32\kvkxqv.dll
2008-12-23 12:23:09 ----A---- C:\WINDOWS\system32\xpluxobi.dll
2008-12-23 01:59:26 ----DC---- C:\Qoobox
2008-12-23 01:59:26 ----D---- C:\WINDOWS\ERDNT
2008-12-23 01:59:24 ----DC---- C:\ComboFix
2008-12-23 01:59:11 ----A---- C:\WINDOWS\system32\CF11578.exe
2008-12-22 21:24:51 ----ASH---- C:\WINDOWS\system32\WDNUwyxx.ini2
2008-12-22 21:24:04 ----ASH---- C:\WINDOWS\system32\WDNUwyxx.ini
2008-12-21 20:51:20 ----A---- C:\WINDOWS\system32\iifgGVOh.dll
2008-12-21 20:50:27 ----A---- C:\WINDOWS\system32\~.exe
2008-12-21 19:34:03 ----SH---- C:\WINDOWS\system32\jpvncdct.ini
2008-12-21 19:33:20 ----A---- C:\WINDOWS\system32\peouik.dll
2008-12-21 19:33:17 ----A---- C:\WINDOWS\system32\tpqlwexp.dll
2008-12-21 19:09:55 ----A---- C:\WINDOWS\system32\xxyxYoOe.dll
2008-12-21 12:51:17 ----SH---- C:\WINDOWS\system32\kplamqcs.ini
2008-12-21 12:51:08 ----A---- C:\WINDOWS\system32\scqmalpk.dll
2008-12-21 12:48:30 ----A---- C:\WINDOWS\system32\zxkago.dll
2008-12-21 12:48:28 ----A---- C:\WINDOWS\system32\dxbklwql.dll
2008-12-20 12:48:10 ----SH---- C:\WINDOWS\system32\ycelaytv.ini
2008-12-20 12:48:02 ----A---- C:\WINDOWS\system32\vtyalecy.dll
2008-12-20 12:47:40 ----A---- C:\WINDOWS\system32\sjmmoa.dll
2008-12-20 12:47:36 ----A---- C:\WINDOWS\system32\ovaiogwv.dll
2008-12-19 15:38:21 ----SH---- C:\WINDOWS\system32\dgrjnbhs.ini
2008-12-19 15:38:15 ----A---- C:\WINDOWS\system32\shbnjrgd.dll
2008-12-19 15:29:21 ----A---- C:\WINDOWS\system32\dhsuur.dll
2008-12-19 15:29:18 ----A---- C:\WINDOWS\system32\mhiynftj.dll
2008-12-18 15:35:29 ----SH---- C:\WINDOWS\system32\tbbuauqt.ini
2008-12-18 15:35:23 ----A---- C:\WINDOWS\system32\tquaubbt.dll
2008-12-18 15:29:04 ----A---- C:\WINDOWS\system32\wpqflm.dll
2008-12-18 15:29:01 ----A---- C:\WINDOWS\system32\psojffkx.dll
2008-12-17 16:15:01 ----A---- C:\WINDOWS\system32\njphhc.dll
2008-12-17 16:14:59 ----A---- C:\WINDOWS\system32\dqvavlno.dll
2008-12-17 16:09:07 ----SH---- C:\WINDOWS\system32\demsriqg.ini
2008-12-17 16:09:02 ----A---- C:\WINDOWS\system32\gqirsmed.dll
2008-12-16 16:07:16 ----SH---- C:\WINDOWS\system32\ulytljaq.ini
2008-12-16 16:07:07 ----A---- C:\WINDOWS\system32\qajltylu.dll
2008-12-16 16:05:47 ----A---- C:\WINDOWS\system32\ccbwqm.dll
2008-12-16 16:05:45 ----A---- C:\WINDOWS\system32\ihhuvrej.dll
2008-12-15 15:09:31 ----SH---- C:\WINDOWS\system32\ewvcfagx.ini
2008-12-15 15:09:23 ----A---- C:\WINDOWS\system32\xgafcvwe.dll
2008-12-15 15:08:15 ----A---- C:\WINDOWS\system32\bfhkqo.dll
2008-12-15 15:08:12 ----A---- C:\WINDOWS\system32\cvblsmpb.dll
2008-12-14 10:42:32 ----SH---- C:\WINDOWS\system32\hoijhqmc.ini
2008-12-14 10:38:06 ----A---- C:\WINDOWS\system32\wlnnse.dll
2008-12-14 10:37:54 ----A---- C:\WINDOWS\system32\paevuhjh.dll
2008-12-13 10:56:18 ----SH---- C:\WINDOWS\system32\vkbruhcr.ini
2008-12-13 10:53:15 ----A---- C:\WINDOWS\system32\qiqxoj.dll
2008-12-13 10:53:13 ----A---- C:\WINDOWS\system32\grcvrcip.dll
2008-12-12 16:17:37 ----A---- C:\WINDOWS\system32\xryriy.dll
2008-12-12 16:17:33 ----A---- C:\WINDOWS\system32\cqdbfhrq.dll
2008-12-12 16:11:50 ----SH---- C:\WINDOWS\system32\vapqphvb.ini
2008-12-12 16:11:39 ----A---- C:\WINDOWS\system32\bvhpqpav.dll
2008-12-11 16:14:54 ----A---- C:\WINDOWS\system32\icigsw.dll
2008-12-11 16:14:53 ----A---- C:\WINDOWS\system32\fawkvoed.dll
2008-12-11 16:09:39 ----SH---- C:\WINDOWS\system32\dwksmnul.ini
2008-12-11 16:09:31 ----A---- C:\WINDOWS\system32\lunmskwd.dll
2008-12-10 16:21:35 ----SH---- C:\WINDOWS\system32\wryfylyo.ini
2008-12-10 16:21:21 ----A---- C:\WINDOWS\system32\oylyfyrw.dll
2008-12-10 16:18:37 ----A---- C:\WINDOWS\system32\omrkdx.dll
2008-12-10 16:18:21 ----A---- C:\WINDOWS\system32\dvyvxklk.dll
2008-12-09 16:18:08 ----A---- C:\WINDOWS\system32\isplkv.dll
2008-12-09 16:18:06 ----A---- C:\WINDOWS\system32\vumlrqmu.dll
2008-12-09 16:16:07 ----SH---- C:\WINDOWS\system32\laouohpx.ini
2008-12-09 16:15:56 ----A---- C:\WINDOWS\system32\xphouoal.dll
2008-12-08 21:31:09 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-08 21:31:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:17:01 ----A---- C:\WINDOWS\system32\tulyxpad.dll
2008-12-08 16:14:01 ----A---- C:\WINDOWS\system32\fkuowh.dll
2008-12-08 16:13:58 ----A---- C:\WINDOWS\system32\iooddqob.dll
2008-12-08 16:10:59 ----A---- C:\WINDOWS\system32\uorcnxea.tmp
2008-12-08 15:43:04 ----D---- C:\Documents and Settings\User\Application Data\AntispywareBot
2008-12-08 15:36:09 ----D---- C:\Program Files\SpywareBlaster
2008-12-07 18:59:00 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-12-07 16:15:01 ----A---- C:\WINDOWS\system32\xxywWpqP.dll
2008-12-07 16:09:12 ----A---- C:\WINDOWS\system32\jrxghp.dll
2008-12-07 16:09:11 ----A---- C:\WINDOWS\system32\tgdbxxci.dll
2008-12-07 16:08:49 ----A---- C:\WINDOWS\system32\xxyxUkjG.dll
2008-12-07 16:08:34 ----A---- C:\WINDOWS\system32\3e5735a4-.txt
2008-12-07 16:04:03 ----A---- C:\WINDOWS\system32\xxywUNDW.dll
2008-12-07 15:58:53 ----A---- C:\WINDOWS\system32\nnnnNGXP.dll
2008-12-07 15:58:32 ----A---- C:\WINDOWS\system32\khfGxWpp.dll
2008-12-07 15:57:29 ----A---- C:\WINDOWS\system32\prunnet.exe

======List of files/folders modified in the last 1 months======

2008-12-23 12:37:12 ----D---- C:\Program Files
2008-12-23 12:36:31 ----D---- C:\WINDOWS\Prefetch
2008-12-23 12:30:15 ----D---- C:\Program Files\Mozilla Firefox
2008-12-23 12:25:30 ----D---- C:\WINDOWS\system32
2008-12-23 12:21:35 ----D---- C:\WINDOWS\Temp
2008-12-23 12:20:03 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-23 02:55:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-23 01:59:26 ----D---- C:\WINDOWS
2008-12-23 01:38:52 ----D---- C:\Spyware Tools
2008-12-23 01:32:31 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-22 23:49:48 ----A---- C:\WINDOWS\win.ini
2008-12-21 22:36:26 ----AC---- C:\WINDOWS\wininit.ini
2008-12-21 20:26:39 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-21 20:26:36 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-21 20:25:07 ----D---- C:\Program Files\DivX
2008-12-21 20:19:14 ----SHD---- C:\WINDOWS\Installer
2008-12-21 20:19:01 ----HD---- C:\Config.Msi
2008-12-13 14:10:40 ----D---- C:\WINDOWS\Downloaded Installations
2008-12-08 16:33:44 ----SD---- C:\WINDOWS\Tasks
2008-12-07 16:16:19 ----D---- C:\temp
2008-11-25 15:16:03 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2003-05-03 43672]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2007-11-30 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-08-13 188464]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 npkcrypt;npkcrypt; \??\C:\Program Files\Wizet\MapleStory\npkcrypt.sys []
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-11-07 120798]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-11-07 98938]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-08-04 341760]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-29 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-29 274688]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-10 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-10 199552]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-11-07 94075]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVEX15.SYS []
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-03-15 20352]
R3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-04-27 69504]
R3 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2007-11-30 279088]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2007-08-13 13616]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2007-08-13 96432]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2007-08-13 38576]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080609.001\SymIDSCo.sys []
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2007-08-13 37424]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-08-13 22320]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-26 182720]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-10 682624]
S1 rxp;rxp; \??\C:\WINDOWS\system32\drivers\rxp.sys []
S2 zntport;NTPort Library Driver; \??\C:\WINDOWS\system32\zntport.sys []
S3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011; C:\WINDOWS\system32\drivers\wA301a.sys [2003-11-07 33847]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 Mkd2kfNt;Mkd2kfNt; C:\WINDOWS\system32\drivers\Mkd2kfNt.sys [2007-03-28 122624]
S3 Mkd2Usbf;Mkd2Usbf; C:\WINDOWS\system32\drivers\Mkd2Usbf.sys [2007-03-06 79360]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2007-11-30 317616]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w22n51;Intel® PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-22 1657344]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-08-23 243064]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 LiveUpdate Notice;LiveUpdate Notice; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-01-31 1251720]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-07-30 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-21 654848]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE [2005-05-20 81920]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-07-27 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2007-08-23 3192184]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-08-16 98672]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-08-23 261120]

-----------------EOF-----------------



info.txt logfile of random's system information tool 1.05 2008-12-23 12:39:58

======Uninstall list======

-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
3D Groove Playback Engine-->RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AppCore-->MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ccCommon-->MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework-->MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Conexant AC-Link Audio-->CIAunwdm.exe
Daisy Screensaver 1-->C:\WINDOWS\system32\Daisy Screensaver 1.scr /u
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Easy Internet Sign-up-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
EmoDio-->"C:\Program Files\InstallShield Installation Information\{C20CE592-B0F8-4D20-BF31-0151CA6331A6}\setup.exe" -runfromtemp -l0x0409 -removeonly
EmoDio-->MsiExec.exe /X{C20CE592-B0F8-4D20-BF31-0151CA6331A6}
GameGuard-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4747AE81-A915-467D-92F6-21A10A4E6EFE}\Setup.exe" -l0x9
GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
GOM Player-->"C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Gunbound Revolution-->"c:\ijji\ENGLISH\Gunbound Revolution\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet Preloaded Printer Drivers-->MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Document Viewer 7.0-->C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Help and Support-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP PSC & OfficeJet 3.5-->"C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 8-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jasc Paint Shop Pro 8-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Lame ACM MP3 Codec-->"C:\WINDOWS\IFinst26.exe" -UC:\Program Files\Lame MP3 Codec\IFU4A7.inf
LiveUpdate (Symantec Corporation)-->MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation)-->MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
MapleStory-->MsiExec.exe /I{F99C5427-4D78-43E2-B97E-F4C4E622D612}
Memories Disc Creator 2.0-->MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
muvee autoProducer DVD Edition - HPH-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{882F2BCD-C6A3-4D91-8A09-B2B34CB7E481}\Setup.exe" -l0x9 anything
MyFreeCodec-->C:\Program Files\MyFree Codec\09b beta\uninstall.exe
Norton AntiVirus (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
Norton AntiVirus Help-->MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus-->MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton Protection Center-->MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
overland-->MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Quick Launch Buttons 5.00 B3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
Quicken 2004-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime-->MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB955936)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1D94099C-2BBA-440E-BD5E-093BBDF8F028}
Security Update for Microsoft Office Excel 2007 (KB955470)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6E8637D8-10D6-4568-AA06-E2706F31685E}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Visio 2007 (KB947590)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SigmaTel MSCN Audio Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E240C1C-25D0-4248-BC6C-ACC3472E35CE}\SETUP.exe" -l0x9
SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C\HXFSETUP.EXE -U -Ihpm30805.inf
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SPBBC 32bit-->MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Symantec Technical Support Web Controls-->MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SymNet-->MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb957829)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {07A1F6B6-4F1C-418C-A605-755A121C4A16}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Live installer-->MsiExec.exe /X{7BC43F11-02C8-45FA-ABDC-E2F9FF31F825}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Connect-->"C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"
yuki - Screen Saver-->C:\WINDOWS\system32\yuki.scr /uninstall

======Hosts File======

192.168.1.100 HP0018715223E9
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com

127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: Norton AntiVirus (outdated)
FW: Norton AntiVirus

System event log

Computer Name: YOUR-72486D6880
Event Code: 7036
Message: The LiveUpdate service entered the stopped state.

Record Number: 63399
Source Name: Service Control Manager
Time Written: 20081113184554.000000-300
Event Type: information
User:

Computer Name: YOUR-72486D6880
Event Code: 7036
Message: The LiveUpdate service entered the running state.

Record Number: 63398
Source Name: Service Control Manager
Time Written: 20081113184512.000000-300
Event Type: information
User:

Computer Name: YOUR-72486D6880
Event Code: 7035
Message: The LiveUpdate service was successfully sent a start control.

Record Number: 63397
Source Name: Service Control Manager
Time Written: 20081113184512.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-72486D6880
Event Code: 7036
Message: The LiveUpdate service entered the stopped state.

Record Number: 63396
Source Name: Service Control Manager
Time Written: 20081113184510.000000-300
Event Type: information
User:

Computer Name: YOUR-72486D6880
Event Code: 7036
Message: The LiveUpdate service entered the running state.

Record Number: 63395
Source Name: Service Control Manager
Time Written: 20081113184506.000000-300
Event Type: information
User:

Application event log

Computer Name: YOUR-72486D6880
Event Code: 101
Message: Information Level: success

Scheduler launched Automatic LiveUpdate.

Record Number: 48006
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081012101901.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-72486D6880
Event Code: 35
Message: The 'ccAppPlgMgr_188' service has started.

Record Number: 48005
Source Name: ccSvcHst
Time Written: 20081012100456.000000-240
Event Type: information
User: YOUR-72486D6880\User

Computer Name: YOUR-72486D6880
Event Code: 34
Message: The 'ccAppPlgMgr_188' service is starting.

Record Number: 48004
Source Name: ccSvcHst
Time Written: 20081012100404.000000-240
Event Type: information
User: YOUR-72486D6880\User

Computer Name: YOUR-72486D6880
Event Code: 1
Message:
Record Number: 48003
Source Name: Bonjour Service
Time Written: 20081012100352.000000-240
Event Type: information
User:

Computer Name: YOUR-72486D6880
Event Code: 35
Message: The 'CLTNetCnService' service has started.

Record Number: 48002
Source Name: ccSvcHst
Time Written: 20081012100351.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\iTunes\Plug-Ins\Qloud\;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 9 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=0905
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VERSION"=3.0.2.993
"SESSIONID"=1102557412357htx694c2ea0b:1016d9f3618:2d97
"COLLECTIONID"=COL8143
"ITEMID"=dj-22741-10
"UPDATEDIR"=C:\DOCUME~1\User\LOCALS~1\Temp\radE76BD.tmp
"TOOLPATH"=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
"HMSERVER"=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.22.20030804
"OSVER"=winXPH
"LANG"=1033
"TIMEOUT"=0
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------



Malwarebytes's Log report:


Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/23/2008 9:35:23 PM
mbam-log-2008-12-23 (21-35-23).txt

Scan type: Quick Scan
Objects scanned: 60160
Time elapsed: 17 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 46
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 78

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bgyxmgto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxywUNDW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfGxWpp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xpluxobi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kvkxqv.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d8f4709-5008-4d67-ac05-38d8ad82a926} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0d8f4709-5008-4d67-ac05-38d8ad82a926} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfgxwpp (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bf638a4-52ce-4027-83ec-5032a93130c1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9bf638a4-52ce-4027-83ec-5032a93130c1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9bf638a4-52ce-4027-83ec-5032a93130c1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0d8f4709-5008-4d67-ac05-38d8ad82a926} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\activationmanager.activationmanager (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\activationmanager.activationmanager.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adstechnology.adstechnology (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adstechnology.adstechnology.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1 (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{831cbac4-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{831cbac3-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{831cbac2-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{831cbac0-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0d39a900-0f3a-4c29-a254-3e65244fdc34} (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3574f1da (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxywundw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywundw -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\User\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kvkxqv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfGxWpp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxywUNDW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WDNUwyxx.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WDNUwyxx.ini2 (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bgyxmgto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\otgmxygb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bvhpqpav.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vapqphvb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gqirsmed.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\demsriqg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lunmskwd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dwksmnul.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oylyfyrw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wryfylyo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qajltylu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulytljaq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\scqmalpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kplamqcs.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shbnjrgd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgrjnbhs.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tquaubbt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tbbuauqt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtyalecy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ycelaytv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xgafcvwe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewvcfagx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xphouoal.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\laouohpx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xpluxobi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bfhkqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccbwqm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqdbfhrq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cvblsmpb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhsuur.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dqvavlno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvyvxklk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dxbklwql.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fawkvoed.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fkuowh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\grcvrcip.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\icigsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iooddqob.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\isplkv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrxghp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njphhc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnnNGXP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\omrkdx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovaiogwv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paevuhjh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\peouik.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psojffkx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qiqxoj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sjmmoa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tgdbxxci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpqlwexp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tulyxpad.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vumlrqmu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wlnnse.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpqflm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv201229907443.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihhuvrej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifgGVOh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xryriy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxywWpqP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxUkjG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxYoOe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mhiynftj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxkago.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\213UM8NT\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\213UM8NT\load[2].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\213UM8NT\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TE10MNYC\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TZ6Y21CU\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\YD5HJFZC\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.



**Sorry about my double post, I didn't post the log reports. Feel free to delete my other post!

Thanks You!

Edited by ViaSarah, 23 December 2008 - 09:52 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 28 December 2008 - 06:54 PM

Hi ViaSarah,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have done anything since previous post. Or you have run any other tools. Also tell me how is the current condition of your computer.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note:the logs are saved by default under the Logs tab.

  • Please run RSIT, set the list of Files/Folders created to 3 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).

You might want to save this page on your favorites, so you can find it again when you return.

#3 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 29 December 2008 - 12:12 AM

1) I rescanned my computer w/ Malwarebytes' Anti-Malware and it detected nothing.

2) Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/29/2008 12:09:49 AM
mbam-log-2008-12-29 (00-09-48).txt

Scan type: Quick Scan
Objects scanned: 60123
Time elapsed: 15 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3) RSIT Log:

RSIT Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2008-12-28 23:52:49
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 15 GB (26%) free of 57 GB
Total RAM: 478 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:26 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\trend micro\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0DF4C60B-9A01-4899-8F38-FFF2D45782C1} - (no file)
O2 - BHO: (no name) - {1286FA35-2C7E-4778-B69A-5F4A98B556AA} - (no file)
O2 - BHO: (no name) - {190A41A3-FC73-4FFE-ACDA-849FFF21B551} - (no file)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {37E5929B-CD83-4827-BFD8-019A337D2EC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56F2E910-C24A-41E1-BA6D-3D7EE1F20C75} - (no file)
O2 - BHO: (no name) - {5904F216-FD04-4803-92A5-CF91ABA2D384} - (no file)
O2 - BHO: (no name) - {6215DF06-8154-4B5D-841B-1935529BC0E4} - (no file)
O2 - BHO: (no name) - {62D793DF-2A2D-4DAF-9D7E-6CFF8948675F} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77ea9558-cc1e-47fc-8064-53508b1feb39} - (no file)
O2 - BHO: (no name) - {9AA55CAF-6F01-4408-BE6C-7D9DC34B0935} - (no file)
O2 - BHO: (no name) - {9BF638A4-52CE-4027-83EC-5032A93130C1} - (no file)
O2 - BHO: (no name) - {AC2B1D0E-F7F5-43FF-BB36-46ED552C6E4C} - (no file)
O2 - BHO: (no name) - {D487B500-8277-4538-9F15-119CDE0D87DA} - (no file)
O2 - BHO: (no name) - {D7BF6D05-042A-4305-B425-2E441B9A7D31} - (no file)
O2 - BHO: (no name) - {DABA54A5-FB7B-4321-A4A9-200B9DE1D090} - (no file)
O2 - BHO: (no name) - {E77CEC17-DFFE-4FE0-BBF6-DE401D32C719} - (no file)
O2 - BHO: (no name) - {EC76491C-E79A-441A-85F8-A728BA31899A} - (no file)
O2 - BHO: (no name) - {F24E2423-21D0-47A9-9B79-42A5D10F83C7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: khfGxWpp - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8371 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\mgdinrhm.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DF4C60B-9A01-4899-8F38-FFF2D45782C1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1286FA35-2C7E-4778-B69A-5F4A98B556AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{190A41A3-FC73-4FFE-ACDA-849FFF21B551}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348FE907-249E-4C65-A838-F34A193FE1D1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37E5929B-CD83-4827-BFD8-019A337D2EC0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F2E910-C24A-41E1-BA6D-3D7EE1F20C75}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5904F216-FD04-4803-92A5-CF91ABA2D384}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6215DF06-8154-4B5D-841B-1935529BC0E4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62D793DF-2A2D-4DAF-9D7E-6CFF8948675F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-01-31 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ea9558-cc1e-47fc-8064-53508b1feb39}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AA55CAF-6F01-4408-BE6C-7D9DC34B0935}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BF638A4-52CE-4027-83EC-5032A93130C1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC2B1D0E-F7F5-43FF-BB36-46ED552C6E4C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D487B500-8277-4538-9F15-119CDE0D87DA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF6D05-042A-4305-B425-2E441B9A7D31}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DABA54A5-FB7B-4321-A4A9-200B9DE1D090}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E77CEC17-DFFE-4FE0-BBF6-DE401D32C719}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC76491C-E79A-441A-85F8-A728BA31899A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F24E2423-21D0-47A9-9B79-42A5D10F83C7}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-01-31 51048]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]
"SMSTray"=C:\Program Files\Samsung\EmoDio\SMSTray.exe [2008-05-27 475136]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-11-14 286720]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-04-30 208958]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-07-30 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2003-10-30 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2005-01-12 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe [2003-05-22 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2003-10-30 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-03-23 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-08-16 5728112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe [2007-08-24 714608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2007-11-14 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-09-20 132624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]
C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-26 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-26 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe /VeohHide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-10-30 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGxWpp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1134345264\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1134345264\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1134345264\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1134345264\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\1136151293\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1136151293\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1136151293\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1136151293\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\1157142764\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1157142764\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1157142764\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1157142764\ee\aim6.exe:*:Enabled:AIM"
"D:\setup\HPZNET01.EXE"="D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\WINDOWS\system32\muzapp.exe"="C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Nexon\KartRider\NMService.exe"="C:\Nexon\KartRider\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"C:\ijji\ENGLISH\u_gbound.exe"="C:\ijji\ENGLISH\u_gbound.exe:*:Enabled:<ijji Downloader>"
"C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme"="C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme:*:Enabled:GunBound"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.js - edit -

======List of files/folders created in the last 3 months======

2008-12-24 20:28:59 ----AC---- C:\cmdline.txt
2008-12-23 21:14:38 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-12-23 21:13:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-23 21:13:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-23 12:37:12 ----D---- C:\Program Files\trend micro
2008-12-23 12:36:50 ----DC---- C:\rsit
2008-12-23 01:59:26 ----DC---- C:\Qoobox
2008-12-23 01:59:26 ----D---- C:\WINDOWS\ERDNT
2008-12-23 01:59:24 ----DC---- C:\ComboFix
2008-12-23 01:59:11 ----A---- C:\WINDOWS\system32\CF11578.exe
2008-12-21 19:34:03 ----SH---- C:\WINDOWS\system32\jpvncdct.ini
2008-12-14 10:42:32 ----SH---- C:\WINDOWS\system32\hoijhqmc.ini
2008-12-13 10:56:18 ----SH---- C:\WINDOWS\system32\vkbruhcr.ini
2008-12-08 21:31:09 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-08 21:31:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:10:59 ----A---- C:\WINDOWS\system32\uorcnxea.tmp
2008-12-08 15:36:09 ----D---- C:\Program Files\SpywareBlaster
2008-12-07 16:08:34 ----A---- C:\WINDOWS\system32\3e5735a4-.txt
2008-11-21 16:47:56 ----A---- C:\WINDOWS\system32\DivXsm.exe
2008-11-21 16:47:52 ----AC---- C:\WINDOWS\system32\qt-dx331.dll
2008-11-21 16:46:10 ----AC---- C:\WINDOWS\system32\ssldivx.dll
2008-11-21 16:46:10 ----AC---- C:\WINDOWS\system32\libdivx.dll
2008-11-21 16:45:16 ----AC---- C:\WINDOWS\system32\dtu100.dll.manifest
2008-11-21 16:45:16 ----AC---- C:\WINDOWS\system32\dtu100.dll
2008-11-21 16:45:16 ----AC---- C:\WINDOWS\system32\dpl100.dll.manifest
2008-11-21 16:45:16 ----AC---- C:\WINDOWS\system32\dpl100.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpv11.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpus11.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpuGUI11.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpuGUI10.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpu11.dll
2008-11-21 16:45:12 ----AC---- C:\WINDOWS\system32\dpu10.dll
2008-11-21 16:45:08 ----A---- C:\WINDOWS\system32\divx_xx11.dll
2008-11-21 16:45:08 ----A---- C:\WINDOWS\system32\divx_xx0c.dll
2008-11-21 16:45:08 ----A---- C:\WINDOWS\system32\divx_xx0a.dll
2008-11-21 16:45:08 ----A---- C:\WINDOWS\system32\divx_xx07.dll
2008-11-21 16:45:06 ----A---- C:\WINDOWS\system32\DivX.dll
2008-11-21 16:44:38 ----AC---- C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44:16 ----AC---- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-11-12 22:03:52 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 22:03:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 22:02:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-10-23 20:30:01 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-16 23:37:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 23:37:03 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 23:36:50 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 23:35:27 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 23:34:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-09-30 16:43:34 ----A---- C:\WINDOWS\system32\msxml4.dll

======List of files/folders modified in the last 3 months======

2008-12-28 23:52:42 ----D---- C:\WINDOWS\Prefetch
2008-12-28 13:35:41 ----D---- C:\Program Files\Mozilla Firefox
2008-12-28 11:50:36 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-28 11:50:26 ----D---- C:\WINDOWS\Temp
2008-12-28 02:25:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-27 20:07:11 ----D---- C:\WINDOWS\system32\drivers
2008-12-24 21:27:22 ----HD---- C:\Documents and Settings\User\Application Data\ijjigame
2008-12-23 21:39:57 ----D---- C:\WINDOWS\system32
2008-12-23 21:39:55 ----D---- C:\WINDOWS
2008-12-23 21:13:22 ----D---- C:\Program Files
2008-12-23 01:38:52 ----D---- C:\Spyware Tools
2008-12-23 01:32:31 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-22 23:49:48 ----A---- C:\WINDOWS\win.ini
2008-12-21 22:36:26 ----AC---- C:\WINDOWS\wininit.ini
2008-12-21 20:26:39 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-21 20:26:36 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-21 20:25:07 ----D---- C:\Program Files\DivX
2008-12-21 20:19:14 ----SHD---- C:\WINDOWS\Installer
2008-12-21 20:19:01 ----HD---- C:\Config.Msi
2008-12-13 14:10:40 ----D---- C:\WINDOWS\Downloaded Installations
2008-12-08 16:33:44 ----SD---- C:\WINDOWS\Tasks
2008-12-07 16:16:19 ----D---- C:\temp
2008-11-25 15:16:03 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-23 21:58:23 ----D---- C:\Documents and Settings\User\Application Data\uTorrent
2008-11-21 16:47:48 ----C---- C:\WINDOWS\system32\pxafs.dll
2008-11-20 21:44:57 ----HD---- C:\WINDOWS\inf
2008-11-16 11:18:26 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-11-15 17:57:07 ----D---- C:\WINDOWS\Help
2008-11-12 22:10:56 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-12 22:03:40 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 22:03:35 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 21:59:56 ----D---- C:\WINDOWS\WinSxS
2008-11-03 19:10:25 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-10-17 21:35:45 ----D---- C:\Documents and Settings\User\Application Data\Move Networks
2008-10-16 23:36:14 ----D---- C:\Program Files\Internet Explorer
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----AC---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\muweb.dll
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-03 12:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2003-05-03 43672]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2007-11-30 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-08-13 188464]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 npkcrypt;npkcrypt; \??\C:\Program Files\Wizet\MapleStory\npkcrypt.sys []
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-11-07 120798]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-11-07 98938]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-08-04 341760]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-29 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-29 274688]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-10 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-10 199552]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-11-07 94075]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVEX15.SYS []
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-03-15 20352]
R3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-04-27 69504]
R3 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2007-11-30 279088]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2007-08-13 13616]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2007-08-13 96432]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2007-08-13 38576]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080609.001\SymIDSCo.sys []
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2007-08-13 37424]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-08-13 22320]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-26 182720]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-10 682624]
S1 rxp;rxp; \??\C:\WINDOWS\system32\drivers\rxp.sys []
S2 zntport;NTPort Library Driver; \??\C:\WINDOWS\system32\zntport.sys []
S3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011; C:\WINDOWS\system32\drivers\wA301a.sys [2003-11-07 33847]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 Mkd2kfNt;Mkd2kfNt; C:\WINDOWS\system32\drivers\Mkd2kfNt.sys [2007-03-28 122624]
S3 Mkd2Usbf;Mkd2Usbf; C:\WINDOWS\system32\drivers\Mkd2Usbf.sys [2007-03-06 79360]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2007-11-30 317616]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w22n51;Intel® PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-22 1657344]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-08-23 243064]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 LiveUpdate Notice;LiveUpdate Notice; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-01-31 1251720]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-07-30 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-21 654848]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE [2005-05-20 81920]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-07-27 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2007-08-23 3192184]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-08-16 98672]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-08-23 261120]

-----------------EOF-----------------

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 29 December 2008 - 10:04 AM

You forgot to give me feedback about the first question and I see you have run Combofix. How many times you have run it? Because I don't see the log of its latest run on the your log. I need to see the log of the first run. Please open the following folder:

C:\Qoobox

There you see a file like CombofixX.txt (x is a number), please post the content of the log with the highest number.

#5 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 29 December 2008 - 02:42 PM

1) I rescanned my computer w/ Malwarebytes' Anti-Malware and it detected nothing. I also scanned my comp w/ norton but it's out-of-date. My computer no longer has pop-ups and is running normally.

I attempted to run combofix once. I opened the folder but I don't see any Combox file. The folders in here are BackEnv, LastRun, Quarantine, Test, and TestC(all of them are empty).

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 29 December 2008 - 05:47 PM

OK thanks for the feedback. There are a few things left to be taken care of. We will also run Combofix again.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    This will only take a few seconds.
  • Please tell me if you have set this page as your Start Page:

    http://www.mapleglobal.com/

    Note: The Teatimer should be kept disabled until I give you the clean sign.

  • We are going to repair a broken file association.
    • Download Deckard's Association File Tool daft.exe and save it to your desktop.
    • Double click on it and click Run.
    • Click on the Scan button.
    • The faulty file associations will appear in red beside a checkbox. Just place a checkmark (tick) in the boxes in question.
    • Click the Fix button.
  • Open notepad (start-all programs-accessories-notepad). Copy and paste the text in the code box into the notepad.

    @ECHO OFF
    IF EXIST log.txt DEL log.txt
    ECHO Deleting files>>log.txt
    FOR %%g in (
    "C:\WINDOWS\tasks\mgdinrhm.job") DO (
    IF EXIST %%g (
    ATTRIB -r -s -h %%g
    DEL %%g
    IF EXIST %%g (
    ECHO %%g not deleted>>log.txt
    ) ELSE (
    ECHO %%g deleted>>log.txt)
    ) ELSE (
    ECHO %%g not found>>log.txt))
    START NOTEPAD.EXE log.txt
    del remove.bat
    • Select save in:desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click Save and close the Notepad.
    • Double-click remove.bat on the desktop.
  • Delete your copy of Combofix from your desktop and download the latest ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please copy/paste in your next reply:
  • The content of log.txt.
  • The Combofix log.
  • Any comment or feedback about how it went.


#7 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 30 December 2008 - 03:37 AM

1. While running ResetTeaTimer.exe, a black window comes up with the following content "spybot and tea timer must be closed!! press any key to continue..". I pressed enter and it came up with "finished, press any key to continue". Again I pressed enter and the window closed on its own. I wasn't sure if it was suppose to do that. (i double checked and my tea timer was off and rebooted a couple of times).

2 Yes, it is my homepage for internet explorer.

3. Deckard's Association File Tool doesn't work for me. When I ran the file and clicked scan, a mini window will pop-up saying "all associations okay!". I pressed "ok". The Deckard's Association File Tool window is blank with nothing present. At the bottom there are two buttons: "scan" and "save log". I clicked scan again but the same window came up.

The content of log.txt (the text that i pasted on notepad?):

Deleting files
"C:\WINDOWS\tasks\mgdinrhm.job" deleted

The Combofix log:

ComboFix 08-12-29.02 - User 2008-12-30 2:16:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.61 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Application Data\CURITY~1
c:\documents and settings\User\Application Data\DOBE~1
c:\documents and settings\User\Application Data\PPATCH~1
c:\documents and settings\User\Application Data\SEMBLY~1
c:\documents and settings\User\Application Data\SMBOLS~1
c:\documents and settings\User\Application Data\WNSXS~1
c:\documents and settings\User\Application Data\YMBOLS~1
c:\documents and settings\User\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\User\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA.cfg
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA0.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA1.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA2.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA3.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA4.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA5.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA6.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA7.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA8.che
c:\documents and settings\User\Local Settings\Temporary Internet Files\MUZAoDA9.che
c:\program files\Common Files\fnts~1
c:\program files\Common Files\smante~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\wnsxs~1
c:\program files\Common Files\ymbols~1
c:\program files\icroso~1.net
c:\windows\crosof~1
c:\windows\IE4 Error Log.txt
c:\windows\ppatch~1
c:\windows\smbols~1
c:\windows\system32\appatc~1
c:\windows\system32\crosof~1
c:\windows\system32\curity~1
c:\windows\system32\fnts~1
c:\windows\system32\fnts~2
c:\windows\system32\hoijhqmc.ini
c:\windows\system32\icroso~1
c:\windows\system32\icroso~1.net
c:\windows\system32\jpvncdct.ini
c:\windows\system32\ppatch~1
c:\windows\system32\sembly~1
c:\windows\system32\sks~1
c:\windows\system32\smbols~1
c:\windows\system32\vkbruhcr.ini
c:\windows\system32\ystem3~1
c:\windows\wiaserviv.log
c:\windows\wnsxs~1

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-23 21:14 . 2008-12-23 21:14 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-23 21:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 21:13 . 2008-12-23 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 21:13 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 12:37 . 2008-12-28 23:53 <DIR> d-------- c:\program files\trend micro
2008-12-23 12:36 . 2008-12-23 12:39 <DIR> d----c--- C:\rsit
2008-12-08 21:31 . 2008-12-08 21:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 21:31 . 2008-12-08 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:10 . 2008-12-08 16:10 0 --a------ c:\windows\system32\uorcnxea.tmp
2008-12-08 15:36 . 2008-12-08 15:36 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-21 16:47 . 2008-11-21 16:47 3,596,288 --a--c--- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 . 2008-11-21 16:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 16:47 . 2008-11-21 16:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a--c--- c:\windows\system32\libdivx.dll
2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a--c--- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 . 2008-11-21 16:44 161,096 --a--c--- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 . 2008-11-21 16:44 12,288 --a--c--- c:\windows\system32\DivXWMPExtType.dll
2008-11-12 16:01 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 02:27 --------- d--h--w c:\documents and settings\User\Application Data\ijjigame
2008-12-23 06:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 01:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 01:25 --------- d-----w c:\program files\DivX
2008-11-24 02:58 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2008-11-21 21:47 129,784 -c----w c:\windows\system32\pxafs.dll
2008-11-13 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2005-08-06 00:46 774,144 -c--a-w c:\program files\RngInterstitial.dll
2005-05-01 22:34 32 -c--a-r c:\documents and settings\All Users\hash.dat
2006-09-30 19:29 168 -csha-r c:\windows\system32\47E84B5F98.sys
2006-11-26 17:53 7,518 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-05 185784]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-05-27 475136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=peouik.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a--c--- 2004-04-30 12:32 208958 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a--c--- 2004-07-30 10:33 286720 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2003-10-30 03:33 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2005-01-12 13:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a--c--- 2003-05-22 21:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2003-10-30 03:46 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2005-03-23 18:26 217088 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-08-16 16:19 5728112 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 c:\program files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-11-14 23:43 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a--c--- 2007-09-20 08:23 132624 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-05-26 12:15 536576 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-05-26 12:15 98304 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-05 23:10 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 03:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16910:UDP"= 16910:UDP:CrashOnlineSend
"16900:UDP"= 16900:UDP:CrashOnlineRecv

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-18 109616]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2007-04-15 122624]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2007-04-15 79360]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - User.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0DF4C60B-9A01-4899-8F38-FFF2D45782C1} - (no file)
BHO-{1286FA35-2C7E-4778-B69A-5F4A98B556AA} - (no file)
BHO-{190A41A3-FC73-4FFE-ACDA-849FFF21B551} - (no file)
BHO-{37E5929B-CD83-4827-BFD8-019A337D2EC0} - (no file)
BHO-{56F2E910-C24A-41E1-BA6D-3D7EE1F20C75} - (no file)
BHO-{5904F216-FD04-4803-92A5-CF91ABA2D384} - (no file)
BHO-{6215DF06-8154-4B5D-841B-1935529BC0E4} - (no file)
BHO-{62D793DF-2A2D-4DAF-9D7E-6CFF8948675F} - (no file)
BHO-{77ea9558-cc1e-47fc-8064-53508b1feb39} - (no file)
BHO-{9AA55CAF-6F01-4408-BE6C-7D9DC34B0935} - (no file)
BHO-{9BF638A4-52CE-4027-83EC-5032A93130C1} - (no file)
BHO-{AC2B1D0E-F7F5-43FF-BB36-46ED552C6E4C} - (no file)
BHO-{D487B500-8277-4538-9F15-119CDE0D87DA} - (no file)
BHO-{D7BF6D05-042A-4305-B425-2E441B9A7D31} - (no file)
BHO-{DABA54A5-FB7B-4321-A4A9-200B9DE1D090} - (no file)
BHO-{E77CEC17-DFFE-4FE0-BBF6-DE401D32C719} - (no file)
BHO-{EC76491C-E79A-441A-85F8-A728BA31899A} - (no file)
BHO-{F24E2423-21D0-47A9-9B79-42A5D10F83C7} - (no file)
Notify-khfGxWpp - (no file)
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-StarSkin - c:\program files\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE
MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mapleglobal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxp://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
c:\windows\Downloaded Program Files\mkdplus.inf
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.awesomestart.com/superjunior/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 02:24:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 2:27:44
ComboFix-quarantined-files.txt 2008-12-30 07:26:43

Pre-Run: 19,364,024,320 bytes free
Post-Run: 19,271,753,728 bytes free

331 --- E O F --- 2008-11-13 03:10:57

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:59 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: peouik.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 6786 bytes

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 30 December 2008 - 07:57 AM

Great job. Thanks for the detailed feedback. :thumbsup:

Everything is gone well and Combofix removed a lot of stuff.
  • It seems your Norton antivirus is outdated and you are not protected any more against the latest malware and viruses. Please give me feedback about it.

  • I see a driver related to Starskin from Rocket Division Software. It seems the software is uninstalled. Please tell me about it. If the sofware is uninstalled we will remove the driver leftover.

  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/188769/virtumonde-and-vitrumondegeneric/?p=1067552
    
    Collect::[4]
    c:\windows\system32\peouik.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{348FE907-249E-4C65-A838-F34A193FE1D1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}]

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    • A browser will open.
    • Simply follow the instructions to copy/paste/send the requested file.
  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • Please copy and paste a fresh Hijackthis log to your reply.
Please copy/paste in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went. Give me feedback about the questions.


#9 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 30 December 2008 - 02:12 PM

1. My Norton was outdated since 6/10/08 (I've been using Norton for about 4 yrs and this never happened). It expires in 3 days and I plan on updating it with something else other than Norton this week with a different anti-virus protection (not sure which though). Any recommendations?

2. I tried uninstalling it way back but couldn't. My start-up has one of the skins from Starskin that I would like to remove (removing all components of Starskin would be better).

3. When ComboFix finished the log, it did not open w/ a message box. I have the log though (here it is):

ComboFix 08-12-29.02 - User 2008-12-30 13:00:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.65 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-23 21:14 . 2008-12-23 21:14 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-23 21:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 21:13 . 2008-12-23 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 21:13 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 12:37 . 2008-12-30 03:34 <DIR> d-------- c:\program files\trend micro
2008-12-23 12:36 . 2008-12-23 12:39 <DIR> d----c--- C:\rsit
2008-12-08 21:31 . 2008-12-08 21:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 21:31 . 2008-12-08 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:10 . 2008-12-08 16:10 0 --a------ c:\windows\system32\uorcnxea.tmp
2008-12-08 15:36 . 2008-12-08 15:36 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-21 16:47 . 2008-11-21 16:47 3,596,288 --a--c--- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 . 2008-11-21 16:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 16:47 . 2008-11-21 16:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a--c--- c:\windows\system32\libdivx.dll
2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a--c--- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 . 2008-11-21 16:44 161,096 --a--c--- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 . 2008-11-21 16:44 12,288 --a--c--- c:\windows\system32\DivXWMPExtType.dll
2008-11-12 16:01 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 17:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-25 02:27 --------- d--h--w c:\documents and settings\User\Application Data\ijjigame
2008-12-23 06:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 01:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 01:25 --------- d-----w c:\program files\DivX
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-24 02:58 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2008-11-21 21:47 129,784 -c----w c:\windows\system32\pxafs.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2005-08-06 00:46 774,144 -c--a-w c:\program files\RngInterstitial.dll
2005-05-01 22:34 32 -c--a-r c:\documents and settings\All Users\hash.dat
2006-09-30 19:29 168 -csha-r c:\windows\system32\47E84B5F98.sys
2006-11-26 17:53 7,518 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_ 2.25.49.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-11-13 03:10:50 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-12-30 17:32:17 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-11-13 03:10:52 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-12-30 17:32:22 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-13 03:10:51 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-12-30 17:32:18 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-13 03:10:51 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-12-30 17:32:18 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-13 03:10:51 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-12-30 17:32:20 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-13 03:10:52 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-12-30 17:32:22 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-13 03:10:52 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-12-30 17:32:23 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-13 03:10:51 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-12-30 17:32:19 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-11-13 03:10:51 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-12-30 17:32:20 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-11-13 03:10:52 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-12-30 17:32:21 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-11-13 03:10:52 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-12-30 17:32:23 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-13 03:10:50 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-30 17:32:18 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-08-26 07:24:28 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-08-26 07:24:28 63,488 -c--a-w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\dllcache\icardie.dll
- 2008-08-26 07:24:28 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-26 07:24:28 383,488 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 07:24:29 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 07:24:29 267,776 -c--a-w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-26 07:24:30 459,264 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24:30 52,224 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-26 07:24:30 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 07:24:31 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-26 07:24:28 63,488 -c--a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 08:37:59 70,656 -c--a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 -c--a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c--a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 -c--a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 -c--a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 -c--a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 07:24:29 44,544 -c--a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 08:38:00 13,824 -c--a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 -c--a-w c:\windows\system32\MRT.exe
+ 2008-12-09 23:24:37 17,593,280 -c--a-w c:\windows\system32\MRT.exe
- 2008-08-26 07:24:30 459,264 -c--a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 -c--a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 -c--a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:38 60,416 -c--a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-05 185784]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-05-27 475136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a--c--- 2004-04-30 12:32 208958 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a--c--- 2004-07-30 10:33 286720 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2003-10-30 03:33 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2005-01-12 13:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a--c--- 2003-05-22 21:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2003-10-30 03:46 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2005-03-23 18:26 217088 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-08-16 16:19 5728112 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 c:\program files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-11-14 23:43 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a--c--- 2007-09-20 08:23 132624 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-05-26 12:15 536576 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-05-26 12:15 98304 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-05 23:10 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 03:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16910:UDP"= 16910:UDP:CrashOnlineSend
"16900:UDP"= 16900:UDP:CrashOnlineRecv

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-18 109616]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2007-04-15 122624]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2007-04-15 79360]
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - User.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mapleglobal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxp://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
c:\windows\Downloaded Program Files\mkdplus.inf
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.awesomestart.com/superjunior/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-12-30 13:13:20
ComboFix-quarantined-files.txt 2008-12-30 18:12:02
ComboFix2.txt 2008-12-30 07:27:45

Pre-Run: 19,121,864,704 bytes free
Post-Run: 18,980,409,344 bytes free

440 --- E O F --- 2008-12-30 17:47:15



4. Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:30 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 6869 bytes

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 30 December 2008 - 06:48 PM

My Norton was outdated since 6/10/08 (I've been using Norton for about 4 yrs and this never happened). It expires in 3 days and I plan on updating it with something else other than Norton this week with a different anti-virus protection (not sure which though). Any recommendations?


In fact you were not protected since 6/10/08 against the latest viruses.

It depends on if you want a paid one. Then Kaspersky, BitDefender and Eset NOD32 are good ones at the moment. Having both Antivirus and firewall, called Internet Security or Total Security is the best option.

I tried uninstalling it way back but couldn't. My start-up has one of the skins from Starskin that I would like to remove (removing all components of Starskin would be better).


That start up was just a registry leftover without a file backing it. You had removed it with msconfig and Combofix removed it totally.

Let see what we have in their folders, we are going to disable its driver to prevent it from loading. We can remove it later on.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @echo off
    dir /a /s "c:\program files\ROCKET DIVISION SOFTWARE" > c:\dirlook.txt
    sc config rxp start=disabled
    start c:\dirlook.txt
    del dirlook.bat
    exit
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A notepad opens, copy and paste the content (dirlook.txt) to your reply.
  • Please first reboot then run RSIT, set the list of Files/Folders created to 1 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).


#11 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 30 December 2008 - 10:29 PM

1)Content of log.txt:

Deleting files
"C:\WINDOWS\tasks\mgdinrhm.job" deleted


2) dirlook.txt content:

Volume in drive C has no label.
Volume Serial Number is 3574-F175


3) RSIT Log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2008-12-30 22:21:30
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (32%) free of 57 GB
Total RAM: 478 MB (8% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:06 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Samsung\EmoDio\SMSTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 6913 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-01-31 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-30 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-30 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-30 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-01-31 51048]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]
"SMSTray"=C:\Program Files\Samsung\EmoDio\SMSTray.exe [2008-05-27 475136]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-11-14 286720]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-30 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-04-30 208958]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-07-30 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2003-10-30 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2005-01-12 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe [2003-05-22 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2003-10-30 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-03-23 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-08-16 5728112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe [2007-08-24 714608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2007-11-14 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-09-20 132624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-26 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-26 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-01-05 185784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-10-30 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\WINDOWS\system32\muzapp.exe"="C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\ijji\ENGLISH\u_gbound.exe"="C:\ijji\ENGLISH\u_gbound.exe:*:Enabled:<ijji Downloader>"
"C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme"="C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme:*:Enabled:GunBound"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.js - edit -

======List of files/folders created in the last 1 months======

2008-12-30 22:06:17 ----AC---- C:\dirlook.txt
2008-12-30 13:49:53 ----SHDC---- C:\RECYCLER
2008-12-30 13:47:13 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-30 13:47:13 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-30 13:47:13 ----A---- C:\WINDOWS\system32\java.exe
2008-12-30 13:47:13 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-30 13:13:22 ----AC---- C:\ComboFix.txt
2008-12-30 03:46:38 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-30 03:44:57 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-30 03:34:02 ----D---- C:\Program Files\Hijackthis
2008-12-30 03:11:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-30 03:08:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-30 02:02:24 ----AC---- C:\Boot.bak
2008-12-30 02:02:09 ----DC---- C:\cmdcons
2008-12-30 01:56:34 ----A---- C:\WINDOWS\zip.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\VFIND.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\SWREG.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\sed.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\grep.exe
2008-12-30 01:56:34 ----A---- C:\WINDOWS\fdsv.exe
2008-12-30 01:56:24 ----DC---- C:\Qoobox
2008-12-29 14:39:24 ----RA---- C:\WINDOWS\SWSC.exe
2008-12-29 14:39:24 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-24 20:28:59 ----AC---- C:\cmdline.txt
2008-12-23 21:14:38 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-12-23 21:13:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-23 21:13:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-23 12:37:12 ----D---- C:\Program Files\trend micro
2008-12-23 12:36:50 ----DC---- C:\rsit
2008-12-23 01:59:26 ----D---- C:\WINDOWS\ERDNT
2008-12-08 21:31:09 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-08 21:31:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:10:59 ----A---- C:\WINDOWS\system32\uorcnxea.tmp
2008-12-08 15:36:09 ----D---- C:\Program Files\SpywareBlaster
2008-12-07 16:08:34 ----A---- C:\WINDOWS\system32\3e5735a4-.txt

======List of files/folders modified in the last 1 months======

2008-12-30 22:21:32 ----D---- C:\WINDOWS\Prefetch
2008-12-30 22:17:44 ----D---- C:\Program Files\Mozilla Firefox
2008-12-30 22:16:00 ----D---- C:\WINDOWS\Temp
2008-12-30 22:15:52 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-30 22:13:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-30 13:47:29 ----SHD---- C:\WINDOWS\Installer
2008-12-30 13:47:27 ----HD---- C:\Config.Msi
2008-12-30 13:47:13 ----D---- C:\WINDOWS\system32
2008-12-30 13:46:41 ----D---- C:\Program Files\Java
2008-12-30 13:13:27 ----D---- C:\WINDOWS
2008-12-30 13:09:03 ----C---- C:\WINDOWS\system.ini
2008-12-30 13:06:12 ----D---- C:\WINDOWS\system32\drivers
2008-12-30 13:06:07 ----D---- C:\Program Files\Common Files
2008-12-30 13:06:06 ----D---- C:\WINDOWS\AppPatch
2008-12-30 12:47:09 ----HD---- C:\WINDOWS\inf
2008-12-30 12:46:42 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-30 12:46:36 ----D---- C:\Program Files\Internet Explorer
2008-12-30 12:44:59 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-30 12:32:29 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-30 03:46:44 ----A---- C:\WINDOWS\imsins.BAK
2008-12-30 03:34:08 ----D---- C:\Program Files
2008-12-30 03:29:38 ----D---- C:\Spyware Tools
2008-12-30 02:02:25 ----RASH---- C:\boot.ini
2008-12-30 01:53:05 ----SD---- C:\WINDOWS\Tasks
2008-12-24 21:27:22 ----HD---- C:\Documents and Settings\User\Application Data\ijjigame
2008-12-23 01:32:31 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-22 23:49:48 ----A---- C:\WINDOWS\win.ini
2008-12-21 22:36:26 ----AC---- C:\WINDOWS\wininit.ini
2008-12-21 20:26:39 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-21 20:26:36 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-21 20:25:07 ----D---- C:\Program Files\DivX
2008-12-13 14:10:40 ----D---- C:\WINDOWS\Downloaded Installations
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-09 18:24:37 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-12-07 16:16:19 ----D---- C:\temp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2003-05-03 43672]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2007-11-30 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-08-13 188464]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 npkcrypt;npkcrypt; \??\C:\Program Files\Wizet\MapleStory\npkcrypt.sys []
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-11-07 120798]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-11-07 98938]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-08-04 341760]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-29 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-29 274688]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-10 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-10 199552]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-11-07 94075]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080610.036\NAVEX15.SYS []
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-03-15 20352]
R3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-04-27 69504]
R3 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2007-11-30 279088]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2007-08-13 13616]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2007-08-13 96432]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2007-08-13 38576]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080609.001\SymIDSCo.sys []
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2007-08-13 37424]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-08-13 22320]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-26 182720]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-10 682624]
S1 rxp;rxp; \??\C:\WINDOWS\system32\drivers\rxp.sys []
S2 zntport;NTPort Library Driver; \??\C:\WINDOWS\system32\zntport.sys []
S3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011; C:\WINDOWS\system32\drivers\wA301a.sys [2003-11-07 33847]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 Mkd2kfNt;Mkd2kfNt; C:\WINDOWS\system32\drivers\Mkd2kfNt.sys [2007-03-28 122624]
S3 Mkd2Usbf;Mkd2Usbf; C:\WINDOWS\system32\drivers\Mkd2Usbf.sys [2007-03-06 79360]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2007-11-30 317616]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 31280]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w22n51;Intel® PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-22 1657344]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-08-23 243064]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-30 152984]
R2 LiveUpdate Notice;LiveUpdate Notice; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-07-30 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-21 654848]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE [2005-05-20 81920]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-07-27 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2007-08-23 3192184]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-01-31 1251720]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-08-16 98672]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-08-23 261120]

-----------------EOF-----------------

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 31 December 2008 - 01:35 AM

OK the folder of ROCKET DIVISION SOFTWARE is empty. So the Starskin is effectively removed. Just this driver. Perhaps it is just a registry leftover.

Close any open browsers.

Open notepad and copy/paste the text in the code box below into it:

Rootkit::
C:\WINDOWS\system32\drivers\rxp.sys

Driver::
rxp

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#13 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 31 December 2008 - 03:05 AM

Where do I go to delete the registry leftover of ROCKET DIVISION SOFTWARE?

ComboFix Log:

ComboFix 08-12-30.02 - User 2008-12-31 2:20:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.179 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RXP
-------\Service_rxp


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-30 13:47 . 2008-12-30 13:46 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-30 13:47 . 2008-12-30 13:46 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-23 21:14 . 2008-12-23 21:14 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-23 21:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 21:13 . 2008-12-23 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 21:13 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 21:13 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 12:37 . 2008-12-30 03:34 <DIR> d-------- c:\program files\trend micro
2008-12-23 12:36 . 2008-12-23 12:39 <DIR> d----c--- C:\rsit
2008-12-08 21:31 . 2008-12-08 21:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 21:31 . 2008-12-08 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 16:10 . 2008-12-08 16:10 0 --a------ c:\windows\system32\uorcnxea.tmp
2008-12-08 15:36 . 2008-12-08 15:36 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-21 16:47 . 2008-11-21 16:47 3,596,288 --a--c--- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 . 2008-11-21 16:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 16:47 . 2008-11-21 16:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a--c--- c:\windows\system32\libdivx.dll
2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a--c--- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 . 2008-11-21 16:44 161,096 --a--c--- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 . 2008-11-21 16:44 12,288 --a--c--- c:\windows\system32\DivXWMPExtType.dll
2008-11-12 16:01 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 18:46 --------- d-----w c:\program files\Java
2008-12-30 17:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-25 02:27 --------- d--h--w c:\documents and settings\User\Application Data\ijjigame
2008-12-23 06:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 01:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 01:25 --------- d-----w c:\program files\DivX
2008-11-24 02:58 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2005-08-06 00:46 774,144 -c--a-w c:\program files\RngInterstitial.dll
2005-05-01 22:34 32 -c--a-r c:\documents and settings\All Users\hash.dat
2006-09-30 19:29 168 -csha-r c:\windows\system32\47E84B5F98.sys
2006-11-26 17:53 7,518 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-12-30_13.11.07.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2007-09-25 03:30:28 135,168 -c--a-w c:\windows\system32\java.exe
+ 2008-12-30 18:46:48 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 03:30:30 135,168 -c--a-w c:\windows\system32\javaw.exe
+ 2008-12-30 18:46:48 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 -c--a-w c:\windows\system32\javaws.exe
+ 2008-12-30 18:46:48 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-31 07:31:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-05 185784]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-05-27 475136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a--c--- 2004-04-30 12:32 208958 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a--c--- 2004-07-30 10:33 286720 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2003-10-30 03:33 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2005-01-12 13:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 02:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a--c--- 2003-05-22 21:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2003-10-30 03:46 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a--c--- 2005-03-23 18:26 217088 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-08-16 16:19 5728112 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 c:\program files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-11-14 23:43 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a--c--- 2007-09-20 08:23 132624 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-05-26 12:15 536576 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-05-26 12:15 98304 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-05 23:10 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 03:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16910:UDP"= 16910:UDP:CrashOnlineSend
"16900:UDP"= 16900:UDP:CrashOnlineRecv

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-01-18 109616]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2007-04-15 122624]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2007-04-15 79360]
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - User.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mapleglobal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

O16 -: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxp://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
c:\windows\Downloaded Program Files\mkdplus.inf
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.awesomestart.com/superjunior/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\shdr6e24.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 02:32:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2423071534-2897178087-3008414254-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007
@Allowed: (Full) (S-1-5-21-2423071534-2897178087-3008414254-1007)
@Allowed: (Full) (S-1-5-21-2423071534-2897178087-3008414254-1007)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2423071534-2897178087-3008414254-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007
@Denied: (A 2) (Everyone)
@Denied: (A 2) (S-1-5-7)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-2423071534-2897178087-3008414254-1007
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
.
**************************************************************************
.
Completion time: 2008-12-31 2:41:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 07:40:51
ComboFix2.txt 2008-12-30 18:13:22
ComboFix3.txt 2008-12-30 07:27:45

Pre-Run: 17,699,356,672 bytes free
Post-Run: 18,837,880,832 bytes free

295 --- E O F --- 2008-12-30 17:47:15

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:25 AM

Posted 31 December 2008 - 07:33 AM

Where do I go to delete the registry leftover of ROCKET DIVISION SOFTWARE?


Go to Bleeping Computer. :thumbsup:
You don't have to do anything, we just took care of the driver left.
  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

  • I wanted to remind you, your computer is susceptible to nasty infections out there without an updated antivirus.

  • I recommend using Site Advisor for safe surfing. It is an extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how save a site is: http://www.siteadvisor.com/

  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. What you need is updating it once in 2-3 weeks and enabling the restriction. You can find more information and a download link here.
Please let me know if you have any question?

#15 ViaSarah

ViaSarah
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 31 December 2008 - 01:17 PM

So I'm officially clean? Do I delete the other tools/programs we used like normally? (I can also delete log.txt?) Do you have recommend any free anti-virus programs that might be just as good as paid ones? Thank you for your help :thumbsup:

Edited by ViaSarah, 31 December 2008 - 02:14 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users