
Prunnet.exe and constant pop ups! HELP!


  • This topic is locked
22 replies to this topic

#1 Groovsheep
  • Members
  • 11 posts

Posted 27 December 2008 - 02:25 PM

Anti-virus software (AVG Free) has flagged up numerous problems over the last 24 hrs or so; I'm constantly getting pop-ups despite having a pop-up blocker. I think it may be a trojan; I have encountered files named prunnet.exe and gadcom.exe.

Just got a new laptop from Santa and wanted to set up a network, but I'm concerned in case the problem spreads onto it! Please help.


DDS (Version 1.1.0) - NTFSx86
Run by Del at 19:04:14.81 on 27/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.768.267 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Del\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvWolig.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {8289ed41-021b-8129-3044-3bb2b7a9c91a}: {a19c9a7b-2bb3-4403-9218-b12014de9828} - c:\windows\system32\hovgrl.dll
BHO: {ac6bc292-69f9-46fd-aff3-766e6916f3d3} - c:\windows\system32\opnopMgE.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Desktop Gordon] c:\documents and settings\del\my documents\rippleffect\desktop gordon\gordon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [gadcom] "c:\documents and settings\del\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRunOnce: [Shockwave Updater] c:\windows\system32\macromed\shockw~1\SWHELP~1.EXE -Update -1020023 -IEXPLORE.EXE7.0
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PC Suite for Smartphones] "c:\program files\sony ericsson\mobile4\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ec8f8ae4] rundll32.exe "c:\windows\system32\adqigasp.dll",b
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\del\startm~1\programs\startup\hit12d~1.lnk - c:\program files\hit 12 days\hit_ticker_PC_F8.exe
StartupFolder: c:\docume~1\del\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\del\startm~1\programs\startup\regist~2.lnk - d:\support\register\RegistrationReminder.exe
StartupFolder: c:\docume~1\del\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silenthunteriii\support\register\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clock.lnk - c:\windows\installer\{7106dffd-2c84-11d7-a490-00c0df117e72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\recent~1.lnk - c:\windows\installer\{7106dffd-2c84-11d7-a490-00c0df117e72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startu~1.lnk - c:\windows\installer\{7106dffd-2c84-11d7-a490-00c0df117e72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.15\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tuvWolig - tuvWolig.dll
Notify: __c0028C51 - c:\windows\system32\__c0028C51.dat
AppInit_DLLs: avgrsstx.dll hovgrl.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvWolig.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnopMgE

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\del\applic~1\mozilla\firefox\profiles\9kgwco40.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-9-13 110360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-20 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-25 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-9-13 119576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-13 394984]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-9-25 587096]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-20 231704]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2007-9-21 2560]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\drivers\zebrceb.sys [2008-5-10 62984]
S2 Auto HotKey Poller;Auto HotKey Poller;c:\windows\system32\winpol.exe []
S2 Seekeen Service;Seekeen Service;"c:\program files\seekeen\seekeen.exe" "c:\program files\seekeen\seekeen.dll" Service []
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2007-1-5 123264]
S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2008-5-10 83200]
S3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\drivers\zebrmdfl.sys [2008-10-15 15112]
S3 zebrmdm;Sony Ericsson Port (WDM);c:\windows\system32\drivers\zebrmdm.sys [2008-10-15 109568]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2008-10-15 108424]
S3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\drivers\zebrsce.sys [2008-10-15 90888]

=============== Created Last 30 ================

2008-12-27 18:51 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 00:50 135,680 a------- c:\windows\system32\hovgrl.dll
2008-12-27 00:50 135,680 a------- c:\windows\system32\gdvroitf.dll
2008-12-27 00:47 1,303,364 ---sh--- c:\windows\system32\psagiqda.ini
2008-12-27 00:47 89,600 a------- c:\windows\system32\adqigasp.dll
2008-12-27 00:47 52,224 a------- c:\windows\system32\byXQIXOF.dll
2008-12-27 00:45 41,472 a------- c:\windows\system32\jreukgjq.dll
2008-12-27 00:44 837,426 a--sh--- c:\windows\system32\EgMponpo.ini2
2008-12-27 00:44 837,426 a--sh--- c:\windows\system32\EgMponpo.ini
2008-12-27 00:44 293,376 a------- c:\windows\system32\opnopMgE.dll
2008-12-27 00:39 45,056 a------- c:\windows\system32\vtUonlMD.dll
2008-12-27 00:38 52,224 a------- c:\windows\system32\tuvWolig.dll
2008-12-26 14:55 <DIR> --d----- c:\program files\MyFree Codec
2008-12-25 09:32 65 a------- c:\windows\FISHUI.INI
2008-12-25 09:00 <DIR> --d----- c:\docume~1\del\applic~1\DataCast
2008-12-25 08:59 <DIR> --d----- c:\program files\MarkAny
2008-12-25 08:59 <DIR> --d----- c:\program files\Samsung
2008-12-23 01:13 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-23 01:13 1,409 a------- c:\windows\QTFont.for
2008-12-08 09:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AlawarWrapper
2008-12-08 09:04 <DIR> --d----- c:\program files\Games
2008-12-01 14:43 <DIR> --d----- c:\docume~1\del\applic~1\Application Data

==================== Find3M ====================

2008-12-27 15:43 8,942,924 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-27 15:43 763,650,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-25 08:58 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-27 20:08 7,334,496 a------- c:\program files\Firefox Setup 3.0.3.exe
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 10:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-07-19 15:12 1,657,659 a------- c:\program files\ts2_server_rc2_202319.exe
2008-02-05 22:24 7,462,912 a------- c:\program files\WinZip Pro 10[1].0 (6685) + Key Generator.zip
2008-01-20 11:26 31,861,281 a------- c:\program files\setupoffice.exe
2008-01-20 11:11 7,886,336 a------- c:\program files\setup.msi
2007-12-28 20:44 112,341,981 a------- c:\program files\OOo_2.3.1rc1_20071113_Win32Intel_install_en-US.exe
2007-12-21 23:23 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-12-20 14:50 4,436,563 a------- c:\program files\burn4free_setup.exe
2007-12-20 14:45 3,374,936 a------- c:\program files\vvpro_setupgc.exe
2007-10-06 12:55 24,265,736 a------- c:\program files\dotnetfx.exe
2007-10-06 12:42 1,494,536 a------- c:\program files\advisor.exe
2007-10-06 12:35 46,445,152 a------- c:\program files\7-9_xp32_dd_ccc_wdm_enu_52443.exe
2007-09-13 21:36 3,378,248 a------- c:\program files\LimeWireWin.exe
2007-09-13 21:24 41,573,776 a------- c:\program files\zlsSetup_70_362_000_en.exe
2007-09-01 10:16 1,542,656 a------- c:\program files\SteamInstall.msi

============= FINISH: 19:06:37.15 ===============


Any help would be much appreciated. Merry Christmas! Thanks, Amanda



#2 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 02 January 2009 - 05:52 PM

Hello, Groovsheep

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
I need some time to look over your log, I'll post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 03 January 2009 - 04:58 AM

Hi,

Your log is old; a lot can happen in the space of a few days, so I need to see a new DDS log. I will also need an OTViewIt log; see below for instructions.

OTViewIt

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTViewIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please post:
  • DDS log
  • OTViewIt log
  • Description of any problems

Edited by Jat90, 03 January 2009 - 05:00 AM.


#4 Shaba
    Koutsi
  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 07 January 2009 - 05:23 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security

#5 Shaba
    Koutsi
  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 09 January 2009 - 03:12 AM

Reopened upon request.

#6 Jat90
  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 09 January 2009 - 04:32 AM

Hi Groovsheep,

I need to see a new DDS log, please :thumbsup:

Edited by Jat90, 09 January 2009 - 02:35 PM.


#7 Groovsheep
  • Topic Starter
  • Members
  • 11 posts

Posted 09 January 2009 - 04:42 PM

Hi there - sorry, I've just come online to your messages - I hope you're still about.

Here is the DDS file


DDS (Version 1.1.0) - NTFSx86
Run by Del at 21:38:36.77 on 09/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.768.244 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Del\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - AskBar BHO
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {d4490153-2531-1f89-6364-8a97dfbaab58}: {85baabfd-79a8-4636-98f1-13523510944d} - c:\windows\system32\faqxpt.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
{ac8a54b9-f740-4e72-bc63-a2ae26c6094a}
BHO: {d8dfc2ba-a17f-4c62-a13f-756c97701d89} - c:\windows\system32\bidapako.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Desktop Gordon] c:\documents and settings\del\my documents\rippleffect\desktop gordon\gordon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PC Suite for Smartphones] "c:\program files\sony ericsson\mobile4\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ec8f8ae4] rundll32.exe "c:\windows\system32\yibabofi.dll",b
mRun: [fohujuhome] Rundll32.exe "c:\windows\system32\yahosuze.dll",s
mRun: [CPMefbcb978] Rundll32.exe "c:\windows\system32\yikujesa.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startu~1.lnk - c:\windows\installer\{7106dffd-2c84-11d7-a490-00c0df117e72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to AMV Converter...
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tuvWolig - tuvWolig.dll
AppInit_DLLs: avgrsstx.dll faqxpt.dll c:\windows\system32\safevayi.dll c:\windows\system32\tarokuwe.dll c:\windows\system32\yafinoka.dll c:\windows\system32\yikujesa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yikujesa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\yikujesa.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnopMgE
LSA: Notification Packages = scecli c:\windows\system32\safevayi.dll c:\windows\system32\tarokuwe.dll c:\windows\system32\yafinoka.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\del\applic~1\mozilla\firefox\profiles\9kgwco40.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-9-13 110360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-20 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-25 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-9-13 119576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-13 394984]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-9-25 587096]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-20 231704]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2007-9-21 2560]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\drivers\zebrceb.sys [2008-5-10 62984]
S2 Auto HotKey Poller;Auto HotKey Poller; []
S2 Seekeen Service;Seekeen Service; []
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2007-1-5 123264]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2008-12-28 299904]
S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2008-5-10 83200]
S3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\drivers\zebrmdfl.sys [2008-10-15 15112]
S3 zebrmdm;Sony Ericsson Port (WDM);c:\windows\system32\drivers\zebrmdm.sys [2008-10-15 109568]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2008-10-15 108424]
S3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\drivers\zebrsce.sys [2008-10-15 90888]

=============== Created Last 30 ================

2009-01-07 20:07 1,287,091 ---sh--- c:\windows\system32\ifobabiy.ini
2009-01-07 08:06 1,281,308 ---sh--- c:\windows\system32\ifigawat.ini
2009-01-06 20:03 1,281,308 ---sh--- c:\windows\system32\akutihuy.ini
2009-01-05 08:03 1,266,245 ---sh--- c:\windows\system32\ezopotaf.ini
2009-01-04 15:15 1,266,209 ---sh--- c:\windows\system32\iwajonod.ini
2009-01-02 01:14 1,266,218 ---sh--- c:\windows\system32\enihukob.ini
2009-01-01 23:58 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-01-01 13:37 <DIR> --d----- c:\program files\AskBarDis
2009-01-01 13:14 1,266,209 ---sh--- c:\windows\system32\ibuyefew.ini
2008-12-31 22:18 1,266,209 ---sh--- c:\windows\system32\atamadub.ini
2008-12-31 10:18 1,266,218 ---sh--- c:\windows\system32\ijizavej.ini
2008-12-30 22:18 1,266,209 ---sh--- c:\windows\system32\ebokikuk.ini
2008-12-29 18:27 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-28 10:20 299,904 a----r-- c:\windows\system32\drivers\MRVW225.sys
2008-12-28 00:52 1,312,533 ---sh--- c:\windows\system32\cvkcmalm.ini
2008-12-28 00:46 41,472 a------- c:\windows\system32\herwsajt.dll
2008-12-27 18:51 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 00:47 1,312,533 ---sh--- c:\windows\system32\psagiqda.ini
2008-12-27 00:45 41,472 a------- c:\windows\system32\jreukgjq.dll
2008-12-27 00:44 577,869 a--sh--- c:\windows\system32\EgMponpo.ini2
2008-12-27 00:44 577,869 a--sh--- c:\windows\system32\EgMponpo.ini
2008-12-26 14:55 <DIR> --d----- c:\program files\MyFree Codec
2008-12-25 09:32 65 a------- c:\windows\FISHUI.INI
2008-12-25 09:00 <DIR> --d----- c:\docume~1\del\applic~1\DataCast
2008-12-25 08:59 <DIR> --d----- c:\program files\MarkAny
2008-12-25 08:59 <DIR> --d----- c:\program files\Samsung

==================== Find3M ====================

2009-01-09 21:38 775,157,792 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-09 17:29 9,084,332 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-25 08:58 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-27 20:08 7,334,496 a------- c:\program files\Firefox Setup 3.0.3.exe
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-07-19 15:12 1,657,659 a------- c:\program files\ts2_server_rc2_202319.exe
2008-02-05 22:24 7,462,912 a------- c:\program files\WinZip Pro 10[1].0 (6685) + Key Generator.zip
2008-01-20 11:26 31,861,281 a------- c:\program files\setupoffice.exe
2008-01-20 11:11 7,886,336 a------- c:\program files\setup.msi
2007-12-21 23:23 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-12-20 14:45 3,374,936 a------- c:\program files\vvpro_setupgc.exe
2007-10-06 12:55 24,265,736 a------- c:\program files\dotnetfx.exe
2007-10-06 12:42 1,494,536 a------- c:\program files\advisor.exe
2007-10-06 12:35 46,445,152 a------- c:\program files\7-9_xp32_dd_ccc_wdm_enu_52443.exe
2007-09-13 21:24 41,573,776 a------- c:\program files\zlsSetup_70_362_000_en.exe
2007-09-01 10:16 1,542,656 a------- c:\program files\SteamInstall.msi

============= FINISH: 21:40:10.99 ===============

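As an added, defender-side example (not from the thread, the DDS tool, or either helper), here is a Python triage pass over the persistence locations that both DDS logs in this thread expose: AppInit_DLLs, the LSA Authentication and Notification Packages, Winlogon Notify entries, rundll32 autostarts, and DLLs hooked from several locations at once. The allowlist and the random-name pattern are assumptions made for the demo, and the sample lines are copied from the two Pseudo HJT reports above.

```python
import re
from collections import defaultdict

# Assumption: a small demo allowlist of the vendor hooks this log shows as legitimate
# (AVG, ATI, Java, ctfmon); real triage verifies signatures instead of trusting names.
KNOWN_GOOD = {"avgrsstx.dll", "ati2evxx.dll", "ssv.dll", "avgtray.exe", "ctfmon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
RUN_KINDS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce"}
HOOK_KINDS = RUN_KINDS | {"BHO", "TB", "Notify", "SEH", "SSODL", "STS"}
# Every dropped DLL in the thread's log is 6-8 letters with no digits; this pattern is
# noisy on its own (ctfmon, wininet), so it is only applied outside the allowlist.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")
FILE_RE = re.compile(r"(.*?\.(?:dll|exe|dat))\b", re.IGNORECASE)

# Constructed sample: entries copied from the two "Pseudo HJT Report" sections in the
# thread, plus benign AVG/ATI/Java entries so the allowlist has something to pass.
SAMPLE_LOG = r"""
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvWolig.dll
BHO: {ac6bc292-69f9-46fd-aff3-766e6916f3d3} - c:\windows\system32\opnopMgE.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ec8f8ae4] rundll32.exe "c:\windows\system32\adqigasp.dll",b
mRun: [fohujuhome] Rundll32.exe "c:\windows\system32\yahosuze.dll",s
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tuvWolig - tuvWolig.dll
Notify: __c0028C51 - c:\windows\system32\__c0028C51.dat
AppInit_DLLs: avgrsstx.dll hovgrl.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yikujesa.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvWolig.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnopMgE
LSA: Notification Packages = scecli c:\windows\system32\safevayi.dll c:\windows\system32\tarokuwe.dll
"""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def target_of(line):
    """Return the file a hook entry loads, or None for 'No File' and empty entries."""
    quoted = re.search(r'"([^"]+)"', line)              # rundll32.exe "c:\...\x.dll",b
    if quoted:
        return quoted.group(1)
    run = re.match(r"[umd]Run(?:Once)?: \[[^\]]*\] (.*)", line)
    rest = run.group(1) if run else line.rsplit(" - ", 1)[-1]
    m = FILE_RE.match(rest.strip())
    return m.group(1) if m else None

def triage_line(line):
    """Yield (severity, reason) pairs for the persistence checks applied to one line."""
    kind = line.split(":", 1)[0]
    if line.startswith("LSA: Authentication Packages"):
        for pkg in line.split("=", 1)[1].split():
            if pkg.lower() != "msv1_0":                 # the only package expected on XP
                yield "high", f"extra LSA authentication package {pkg}"
        return
    if line.startswith("LSA: Notification Packages"):
        for pkg in line.split("=", 1)[1].split():
            if pkg.lower() != "scecli":                 # the only package expected on XP
                yield "high", f"extra LSA notification package {pkg}"
        return
    if kind == "AppInit_DLLs":                          # injected into every user32 process
        for dll in line.split(":", 1)[1].split():
            if basename(dll) not in KNOWN_GOOD:
                yield "high", f"AppInit_DLLs injects {dll}"
        return
    if kind not in HOOK_KINDS:
        return
    target = target_of(line)
    if target is None:
        if line.endswith("No File"):
            yield "low", "orphaned entry (No File)"
        return
    name = basename(target)
    if name in KNOWN_GOOD:
        return
    if kind in RUN_KINDS and "rundll32" in line.lower():
        yield "high", f"rundll32 autostart loading {name}"
    if kind == "Notify" and not name.endswith(".dll"):
        yield "high", f"Winlogon Notify package is not a DLL: {name}"
    if target.lower().startswith(SYSTEM32) and RANDOM_NAME.match(name.rsplit(".", 1)[0]):
        yield "medium", f"random-looking name {name} in system32"

def triage(report_text):
    """Return [(severity, subject, reason)] for a whole report, adding a finding for any
    DLL that is hooked from more than one autostart location (BHO + Notify + SEH etc.)."""
    findings, hooked_from = [], defaultdict(set)
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(":", 1)[0]
        findings.extend((sev, line, why) for sev, why in triage_line(line))
        target = target_of(line) if kind in HOOK_KINDS else None
        if target and basename(target) not in KNOWN_GOOD:
            hooked_from[basename(target)].add(kind)
    for name, kinds in hooked_from.items():
        if len(kinds) > 1:
            findings.append(("high", name, "same DLL hooked from " + ", ".join(sorted(kinds))))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample yields 14 findings, the single strongest being tuvWolig.dll hooked from BHO, Notify and SEH at once; a helper would pair such output with signature checks before recommending any removal.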

#8 Groovsheep
  • Topic Starter
  • Members
  • 11 posts

Posted 09 January 2009 - 04:46 PM

And here is the OTViewIt log

OTViewIt logfile created on: 09/01/2009 21:44:19 - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Del\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

767.55 Mb Total Physical Memory | 231.26 Mb Available Physical Memory | 30.13% Memory free
1.83 Gb Paging File | 1.32 Gb Available in Paging File | 72.21% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.52 Gb Total Space | 4.71 Gb Free Space | 6.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-57F798A99DC4
Current User Name: Del
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2007/06/21 20:54:46 | 00,075,304 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2007/12/26 19:33:48 | 00,587,096 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
[2008/08/30 07:35:30 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
[2007/09/21 20:26:08 | 00,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe
[2007/02/07 15:29:50 | 00,173,616 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe
[2004/08/11 00:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2008/05/26 21:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe
[2008/08/20 09:25:17 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
[2007/04/10 14:01:18 | 00,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
[2007/02/07 15:24:52 | 00,071,216 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2007/06/21 20:54:46 | 00,919,016 | ---- | M] (Zone Labs, LLC) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[2008/02/06 18:54:42 | 00,185,632 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2008/05/26 21:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
[2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe
[2004/08/03 23:56:56 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2008/12/19 22:03:10 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2009/01/08 23:41:12 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Del\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/12/26 19:33:48 | 00,587,096 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice [Auto | Running])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2006/05/03 10:57:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
File not found -- -- (Auto HotKey Poller [Auto | Stopped])
[2008/08/30 07:35:30 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/09/21 20:26:08 | 00,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe -- (LicCtrlService [Auto | Running])
[2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
File not found -- -- (NMIndexingService [Disabled | Stopped])
[2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/02/07 15:29:50 | 00,173,616 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
File not found -- -- (Seekeen Service [Auto | Stopped])
[2004/08/11 00:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Running])
[2007/06/21 20:54:46 | 00,075,304 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
[2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2008/05/26 21:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe -- (WSearch [Auto | Running])

========== Driver Services ==========

[2004/08/04 00:05:44 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2006/05/03 16:50:42 | 01,540,608 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2008/08/30 07:35:05 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/08/20 09:25:38 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2008/02/27 12:49:00 | 00,003,840 | ---- | M] () -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt [System | Running])
[2007/01/05 13:45:16 | 00,123,264 | ---- | M] () -- C:\WINDOWS\system32\drivers\cam1690.sys -- (CAM1690 [On_Demand | Stopped])
[2007/05/30 23:03:48 | 00,110,360 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
[2007/05/30 23:03:50 | 00,119,576 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF [System | Running])
[2007/07/05 10:09:09 | 00,299,904 | R--- | M] (Marvell Semiconductor, Inc) -- C:\WINDOWS\system32\drivers\MRVW225.sys -- (MRVW225 [On_Demand | Stopped])
[2001/08/23 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2006/04/10 05:02:18 | 00,162,816 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\system32\drivers\RT25USBAP.SYS -- (RT25USBAP [On_Demand | Stopped])
[2004/08/03 21:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Running])
[2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2007/06/11 11:44:10 | 00,050,416 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
[2004/08/03 22:32:32 | 00,084,480 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ac97via.sys -- (VIAudio [On_Demand | Running])
[2007/06/21 20:54:52 | 00,394,984 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [System | Running])
[2008/10/25 23:41:35 | 00,083,200 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\zebrbus.sys -- (zebrbus [On_Demand | Stopped])
[2007/04/13 07:50:30 | 00,062,984 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\zebrceb.sys -- (zebrceb [On_Demand | Running])
[2007/04/13 07:50:36 | 00,015,112 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\zebrmdfl.sys -- (zebrmdfl [On_Demand | Stopped])
[2008/10/25 23:41:35 | 00,109,568 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\zebrmdm.sys -- (zebrmdm [On_Demand | Stopped])
[2007/04/13 07:50:38 | 00,108,424 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\zebrmdmc.sys -- (zebrmdmc [On_Demand | Stopped])
[2007/04/13 07:50:42 | 00,090,888 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\zebrsce.sys -- (zebrsce [On_Demand | Stopped])
[2006/11/02 15:51:58 | 00,013,560 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B} [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.virginmedia.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{201f27d4-3704-41d6-89c1-aa35e39143ed} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{85baabfd-79a8-4636-98f1-13523510944d} (HKLM) -- C:\WINDOWS\system32\faqxpt.dll File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{AC8A54B9-F740-4E72-BC63-A2AE26C6094A} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{d8dfc2ba-a17f-4c62-a13f-756c97701d89} (HKLM) -- C:\WINDOWS\system32\bidapako.dll File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{55FAF0F2-44D4-425F-B5F5-6B275B621EAB}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{E1BACF55-35E1-4E47-9247-2D48660E5545}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"CPMefbcb978"=Rundll32.exe "c:\windows\system32\yikujesa.dll",a File not found
"ec8f8ae4"=rundll32.exe "C:\WINDOWS\system32\yibabofi.dll",b File not found
"fohujuhome"=Rundll32.exe "C:\WINDOWS\system32\yahosuze.dll",s File not found
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions ()
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Gordon"=C:\Documents and Settings\Del\My Documents\Rippleffect\Desktop Gordon\gordon.exe (Rippleffect Studio Ltd.)
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"Steam"="c:\program files\steam\steam.exe" -silent (Valve Corporation)

========== (O4) Startup Folders ==========

[2008/01/20 11:28:08 | 03,321,856 | R--- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup Desktop.lnk = C:\WINDOWS\Installer\{7106DFFD-2C84-11D7-A490-00C0DF117E72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
[2008/05/26 21:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Add to AMV Converter...: Reg Error: Value does not exist or could not be read. File not found
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/10/18 18:30:22 | 17,931,616 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Button: Send to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Menu: S&end to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 16:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 16:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}: http://www.apple.com/qtactivex/qtplugin.cab -- Reg Error: Key does not exist or could not be opened.
{138E6DC9-722B-4F4B-B09D-95D191869696}: http://www.bebo.com/files/BeboUploader.5.1.4.cab -- Bebo Uploader Control
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/shockwa...director/sw.cab -- Shockwave ActiveX Control
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/8/b...heckControl.cab -- Windows Genuine Advantage Validation Tool
{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}: http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.0.cab -- Reg Error: Key does not exist or could not be opened.
{20D70B3E-1D58-4729-9608-FA8D742711C7}: http://ecdl.bell.ac.uk/activlite/BTEngine.cab -- BTAPI.XMLReader
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}: http://acs.pandasoftware.com/activescan/as5free/asinst.cab -- ActiveScan Installer Class
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D8089245-3211-40F6-819B-9E5E92CD61A2}: https://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab -- FlashXControl Object

========== (O17) DNS Name Servers ==========

{0D7154C5-0B37-43FC-B997-BF32ED259558} (Servers: | Description: 802.11g/b Wireless LAN Client Adapter - USB)
{1920B71B-D45A-4ACA-A0B1-0F030C290ABA} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)
{970CB699-199B-41E5-8BCF-A5CB60B445C4} (Servers: | Description: )

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll faqxpt.dll C:\WINDOWS\system32\safevayi.dll C:\WINDOWS\system32\tarokuwe.dll C:\WINDOWS\system32\yafinoka.dll c:\windows\system32\yikujesa.dll
>[2008/08/20 09:25:40 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll
>File not found --
>File not found -- C:\WINDOWS\system32\safevayi.dll
>File not found -- C:\WINDOWS\system32\tarokuwe.dll
>File not found -- C:\WINDOWS\system32\yafinoka.dll
>File not found -- c:\windows\system32\yikujesa.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
__c0028C51: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
tuvWolig: "DllName" = tuvWolig.dll -- File not found

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} (HKLM) -- c:\windows\system32\yikujesa.dll File not found

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" (HKLM) = STS -- c:\windows\system32\yikujesa.dll File not found

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}" (HKLM) -- C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" (HKLM) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,C:\WINDOWS\system32\opnopMgE,
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/08/25 09:29:58 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2009/01/08 23:41:11 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Del\Desktop\OTViewIt.exe
[2009/01/07 20:07:03 | 01,287,091 | -HS- | C] () -- C:\WINDOWS\System32\ifobabiy.ini
[2009/01/07 08:06:39 | 01,281,308 | -HS- | C] () -- C:\WINDOWS\System32\ifigawat.ini
[2009/01/06 20:03:12 | 01,281,308 | -HS- | C] () -- C:\WINDOWS\System32\akutihuy.ini
[2009/01/05 08:03:14 | 01,266,245 | -HS- | C] () -- C:\WINDOWS\System32\ezopotaf.ini
[2009/01/04 15:15:20 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\iwajonod.ini
[2009/01/02 01:14:38 | 01,266,218 | -HS- | C] () -- C:\WINDOWS\System32\enihukob.ini
[2009/01/01 23:58:42 | 00,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2009/01/01 13:39:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Del\My Documents\FrostWire
[2009/01/01 13:38:36 | 00,000,852 | ---- | C] () -- C:\Documents and Settings\Del\Desktop\FrostWire 4.17.2.lnk
[2009/01/01 13:37:32 | 00,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2009/01/01 13:14:27 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\ibuyefew.ini
[2008/12/31 22:18:45 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\atamadub.ini
[2008/12/31 10:18:37 | 01,266,218 | -HS- | C] () -- C:\WINDOWS\System32\ijizavej.ini
[2008/12/30 22:18:40 | 01,266,209 | -HS- | C] () -- C:\WINDOWS\System32\ebokikuk.ini
[2008/12/29 18:27:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/12/28 23:03:37 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2008/12/28 10:20:11 | 00,299,904 | R--- | C] (Marvell Semiconductor, Inc) -- C:\WINDOWS\System32\drivers\MRVW225.sys
[2008/12/28 00:52:33 | 01,312,533 | -HS- | C] () -- C:\WINDOWS\System32\cvkcmalm.ini
[2008/12/28 00:46:24 | 00,041,472 | ---- | C] () -- C:\WINDOWS\System32\herwsajt.dll
[2008/12/27 19:01:21 | 00,369,624 | ---- | C] () -- C:\Documents and Settings\Del\Desktop\dds.scr
[2008/12/27 18:51:20 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/12/27 00:47:49 | 01,312,533 | -HS- | C] () -- C:\WINDOWS\System32\psagiqda.ini
[2008/12/27 00:45:21 | 00,041,472 | ---- | C] () -- C:\WINDOWS\System32\jreukgjq.dll
[2008/12/27 00:44:23 | 00,577,869 | -HS- | C] () -- C:\WINDOWS\System32\EgMponpo.ini2
[2008/12/27 00:44:22 | 00,577,869 | -HS- | C] () -- C:\WINDOWS\System32\EgMponpo.ini
[2008/12/27 00:39:27 | 00,000,306 | ---- | C] () -- C:\WINDOWS\tasks\ulattwlx.job
[2008/12/26 23:12:34 | 21,168,919 | ---- | C] () -- C:\Documents and Settings\Del\My Documents\Burger_Shop.rar
[2008/12/26 14:55:58 | 00,000,000 | ---D | C] -- C:\Program Files\MyFree Codec
[2008/12/26 12:00:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Del\My Documents\SelfMV
[2008/12/26 09:50:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Del\My Documents\Downloads
[2008/12/25 09:32:01 | 00,000,065 | ---- | C] () -- C:\WINDOWS\FISHUI.INI
[2008/12/25 09:01:28 | 00,001,635 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EmoDio.lnk
[2008/12/25 09:00:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Del\Application Data\DataCast
[2008/12/25 08:59:57 | 00,000,000 | ---D | C] -- C:\Program Files\MarkAny
[2008/12/25 08:59:04 | 00,000,000 | ---D | C] -- C:\Program Files\Samsung

========== Files - Modified Within 30 Days ==========

[2009/01/09 21:44:59 | 775,165,984 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/01/09 21:30:51 | 00,000,581 | ---- | M] () -- C:\Documents and Settings\Del\My Documents\My Sharing Folders.lnk
[2009/01/09 18:00:00 | 00,000,306 | ---- | M] () -- C:\WINDOWS\tasks\ulattwlx.job
[2009/01/09 17:34:33 | 31,718,482 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/01/09 17:33:02 | 00,002,361 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup Desktop.lnk
[2009/01/09 17:32:19 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/09 17:32:05 | 00,053,263 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/01/09 17:31:30 | 00,000,777 | -HS- | M] () -- C:\WINDOWS\System32\mmf.sys
[2009/01/09 17:31:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/09 17:30:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/09 17:30:39 | 804,900,864 | -HS- | M] () -- C:\hiberfil.sys
[2009/01/09 17:29:55 | 09,084,332 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/01/09 00:05:40 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\surohowa
[2009/01/08 23:41:12 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Del\Desktop\OTViewIt.exe
[2009/01/08 22:10:30 | 00,052,224 | ---- | M] () -- C:\Documents and Settings\Del\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/08 20:08:23 | 01,287,091 | -HS- | M] () -- C:\WINDOWS\System32\ifobabiy.ini
[2009/01/08 08:00:59 | 00,035,042 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/01/07 08:06:46 | 01,281,308 | -HS- | M] () -- C:\WINDOWS\System32\ifigawat.ini
[2009/01/06 20:03:25 | 01,281,308 | -HS- | M] () -- C:\WINDOWS\System32\akutihuy.ini
[2009/01/06 08:04:36 | 01,266,245 | -HS- | M] () -- C:\WINDOWS\System32\ezopotaf.ini
[2009/01/04 15:15:26 | 01,266,209 | -HS- | M] () -- C:\WINDOWS\System32\iwajonod.ini
[2009/01/02 13:33:53 | 01,266,218 | -HS- | M] () -- C:\WINDOWS\System32\enihukob.ini
[2009/01/01 13:38:36 | 00,000,852 | ---- | M] () -- C:\Documents and Settings\Del\Desktop\FrostWire 4.17.2.lnk
[2009/01/01 13:14:50 | 01,266,209 | -HS- | M] () -- C:\WINDOWS\System32\ibuyefew.ini
[2008/12/31 22:19:02 | 01,266,209 | -HS- | M] () -- C:\WINDOWS\System32\atamadub.ini
[2008/12/31 13:49:19 | 01,266,218 | -HS- | M] () -- C:\WINDOWS\System32\ijizavej.ini
[2008/12/31 00:40:56 | 02,542,482 | -H-- | M] () -- C:\Documents and Settings\Del\Local Settings\Application Data\IconCache.db
[2008/12/30 22:18:54 | 01,266,209 | -HS- | M] () -- C:\WINDOWS\System32\ebokikuk.ini
[2008/12/29 12:10:48 | 00,498,086 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/12/29 12:10:48 | 00,421,816 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/12/29 12:10:48 | 00,067,794 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/12/28 10:06:09 | 00,577,869 | -HS- | M] () -- C:\WINDOWS\System32\EgMponpo.ini
[2008/12/28 10:05:05 | 00,577,869 | -HS- | M] () -- C:\WINDOWS\System32\EgMponpo.ini2
[2008/12/28 00:52:49 | 01,312,533 | -HS- | M] () -- C:\WINDOWS\System32\cvkcmalm.ini
[2008/12/28 00:48:11 | 01,312,533 | -HS- | M] () -- C:\WINDOWS\System32\psagiqda.ini
[2008/12/28 00:46:24 | 00,041,472 | ---- | M] () -- C:\WINDOWS\System32\herwsajt.dll
[2008/12/27 19:01:48 | 00,369,624 | ---- | M] () -- C:\Documents and Settings\Del\Desktop\dds.scr
[2008/12/27 00:45:21 | 00,041,472 | ---- | M] () -- C:\WINDOWS\System32\jreukgjq.dll
[2008/12/26 23:12:38 | 21,168,919 | ---- | M] () -- C:\Documents and Settings\Del\My Documents\Burger_Shop.rar
[2008/12/25 09:32:01 | 00,000,065 | ---- | M] () -- C:\WINDOWS\FISHUI.INI
[2008/12/25 09:01:31 | 00,001,635 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EmoDio.lnk
[2008/12/25 08:58:04 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2008/12/23 07:46:55 | 00,368,010 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/12/22 23:59:29 | 00,003,788 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/12/19 17:55:03 | 00,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/12/19 17:55:02 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/12/13 11:22:03 | 00,000,924 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/13 11:19:44 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/13 06:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2008/12/13 06:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
< End of report >


And the "Extras.txt" file as well if you need this?


OTViewIt Extras logfile created on: 09/01/2009 21:44:19 - Run 2
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Del\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

767.55 Mb Total Physical Memory | 231.26 Mb Available Physical Memory | 30.13% Memory free
1.83 Gb Paging File | 1.32 Gb Available in Paging File | 72.21% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.52 Gb Total Space | 4.71 Gb Free Space | 6.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-57F798A99DC4
Current User Name: Del
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2007/02/07 22:57:20 | 00,976,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD
[2004/10/13 16:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/10/08 16:59:12 | 01,410,296 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe:*:Enabled:Steam Client
[2008/02/17 17:54:59 | 00,106,496 | ---- | M] () -- C:\Program Files\Steam\steamapps\delbhoy1981\day of defeat source\hl2.exe:*:Enabled:hl2
[2007/05/30 23:03:18 | 00,118,784 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2006/10/27 15:37:44 | 00,338,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
[2008/05/21 04:54:40 | 01,022,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
File not found -- C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
File not found -- C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
[2007/07/27 11:59:42 | 01,275,136 | ---- | M] (Sony Creative Software Inc.) -- C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.0
[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2008/08/28 20:50:44 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
File not found -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
File not found -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2008/09/03 22:39:00 | 00,114,688 | ---- | M] (FrostWire Group) -- C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire
[2008/09/17 12:36:18 | 00,167,936 | ---- | M] (Musiccity Co.Ltd.) -- C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player
File not found -- C:\WINDOWS\system32\~.exe:*:Enabled:~
[2008/12/19 22:03:10 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox
[2004/08/03 23:56:52 | 00,514,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui
[2008/08/20 09:25:17 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe:*:Enabled:avgrsx
[2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Explorer
[2004/08/03 23:56:58 | 00,502,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon
[2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe:*:Enabled:Ati2evxx

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/03/06 16:37:36 | 00,106,496 | ---- | M] (Belarc, Inc.) C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (belarc:{6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (HKLM) [VoilaXctl Class])
[2006/10/27 00:48:02 | 00,222,512 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (grooveLocalGWS:{88FED34C-F0CA-4636-A375-3CB6248B04CD} (HKLM) [Local Groove Web Services Protocol])
ipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2008/08/20 09:25:22 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])
[2007/10/18 10:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])
msdaipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])
[2007/10/18 10:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}"=Steam
"{06AC45D1-CB9B-48CC-B5C8-1A55DEE26AD0}"=Sony Ericsson Media Manager 1.0
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}"=Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}"=neroxml
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{7106DFFD-2C84-11D7-A490-00C0DF117E72}"=SSuite Office - The Fifth Element
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}"=Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}"=Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}"=Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}"=Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9B1473BA-7B0E-4373-A8E2-AED09D9019C4}"=JPEG USB Video Camera Driver v0.93
"{A2092B2A-A4FB-4464-A4C0-023D2C9993F8}"=
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}"=ContentSAFER for Wizmax
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}"=EmoDio
"{C297F052-BB51-43FF-B403-A4045D865816}"=PowerArchiver 2007
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware 2007
"{E09936FE-9B7B-4AB5-B08A-A9216E0D042F}"=Sony Ericsson PC Suite for Smartphones
"{E1252473-6306-4d5d-904D-B06AA7F38161}"=Sony Ericsson PC Suite for Smartphones
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player
"All ATI Software"=ATI - Software Uninstall Utility
"ATI Display Driver"=ATI Display Driver
"AVG8Uninstall"=AVG Free 8.0
"Belarc Advisor"=Belarc Advisor 7.2
"Championship Manager 01-02"=Championship Manager 01-02
"DRM7Tool"=Personal License Update Wizard for Windows Media Player
"ENTERPRISE"=Microsoft Office Enterprise 2007
"Eusing Free Registry Cleaner"=Eusing Free Registry Cleaner
"FrostWire"=FrostWire 4.17.2
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"InstallShield_{C20CE592-B0F8-4D20-BF31-0151CA6331A6}"=EmoDio
"Mozilla Firefox (3.0.5)"=Mozilla Firefox (3.0.5)
"mRouterRuntime"=
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Panda ActiveScan"=Panda ActiveScan
"RealPlayer 6.0"=RealPlayer
"Sony Ericsson"=Sony Ericsson Symbian 9 Drivers
"Teamspeak 2 RC2_is1"=TeamSpeak 2 RC2
"TeamSpeak 2 Server_is1"=TeamSpeak 2 Server RC2
"Windows Media Format Runtime"=Windows Media Format Runtime
"WinRAR archiver"=WinRAR archiver
"WinZip"=WinZip
"Your Uninstaller! 2008_is1"=Your Uninstaller! 2008 Version 6.0
"ZoneAlarm"=ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Desktop Gordon"=Desktop Gordon
"Steam App 30"=Day of Defeat
"Steam App 300"=Day of Defeat: Source

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 08/01/2009 04:10:03 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\ONLINE REGISTRATION.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:03 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\ONLINE REGISTRATION.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:03 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\SYSTEM DIAGNOSIS.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:03 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\SYSTEM DIAGNOSIS.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:04 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\READ ME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:04 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\READ ME.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:04 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 04:10:04 | Computer Name = PC-57F798A99DC4 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEL\START MENU\PROGRAMS\CYBERLINK
POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 08/01/2009 18:01:23 | Computer Name = PC-57F798A99DC4 | Source = Application Hang | ID = 1002
Description = Hanging application SMSMain.exe, version 6.0.3.8, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 08/01/2009 18:01:28 | Computer Name = PC-57F798A99DC4 | Source = Application Hang | ID = 1002
Description = Hanging application SMSMain.exe, version 6.0.3.8, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 04/06/2008 08:22:38 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1096
seconds with 240 seconds of active time. This session ended with a crash.

Error - 04/06/2008 08:23:06 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 16
seconds with 0 seconds of active time. This session ended with a crash.

Error - 04/06/2008 08:23:31 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 20
seconds with 0 seconds of active time. This session ended with a crash.

Error - 04/06/2008 08:24:12 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 37
seconds with 0 seconds of active time. This session ended with a crash.

Error - 04/06/2008 08:25:25 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 61
seconds with 60 seconds of active time. This session ended with a crash.

Error - 04/06/2008 11:08:28 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 173
seconds with 120 seconds of active time. This session ended with a crash.

Error - 04/06/2008 11:09:03 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 25
seconds with 0 seconds of active time. This session ended with a crash.

Error - 28/06/2008 09:51:55 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 8, Application Name: Microsoft Office Publisher, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 11
seconds with 0 seconds of active time. This session ended with a crash.

Error - 28/06/2008 09:52:38 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 8, Application Name: Microsoft Office Publisher, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 36
seconds with 0 seconds of active time. This session ended with a crash.

Error - 28/06/2008 11:54:21 | Computer Name = PC-57F798A99DC4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 5956
seconds with 480 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 08/01/2009 03:57:40 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 08/01/2009 03:57:40 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 08/01/2009 03:57:40 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\PROGRA~1\AVG\AVG8\avgtray.exe.
Reference
error message: The operation completed successfully. .

Error - 09/01/2009 04:00:36 | Computer Name = PC-57F798A99DC4 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.55.102 for the Network Card with network
address 00E04C7715DA has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 09/01/2009 04:02:32 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 09/01/2009 04:02:32 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 09/01/2009 04:02:32 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\PROGRA~1\AVG\AVG8\avgtray.exe.
Reference
error message: The operation completed successfully. .

Error - 09/01/2009 13:32:36 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 09/01/2009 13:32:36 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 09/01/2009 13:32:36 | Computer Name = PC-57F798A99DC4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\PROGRA~1\AVG\AVG8\avgtray.exe.
Reference
error message: The operation completed successfully. .


< End of report >



Thanks again for your help. I look forward to your reply.

Amanda

#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 January 2009 - 06:08 AM

Hello,

Looks like you are heavily infected with Vundo.

ComboFix

Please download ComboFix from one of these locations (if you already have ComboFix, then delete it and download it again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

NOTE: ComboFix was intended to be used under the supervision of a helper, not for general use. This is a powerful tool which can permanently damage your computer.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Scan with HJT

We need to create a HJT report.
  • Click here to download HijackThis.
  • Save HJTInstall.exe to your Desktop.
  • Double click on the HJTInstall.exe icon to start the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis
  • After the final dialogue box it will launch HijackThis.
Click on the scan button. It will scan and then ask you to save the log.
Save the log and post it in your next reply.


In your next reply, please post:
  • ComboFix log
  • HJT log

Edited by Jat90, 10 January 2009 - 06:28 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


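Jat90's diagnosis above rests on indicators that are already visible in the OTL log two posts up and in the HijackThis log that follows: Security Center monitoring and the Windows Firewall profile switched off, firewall exceptions for winlogon.exe, explorer.exe, logonui.exe and a file called ~.exe, BHO registrations whose DLL is gone, and Run entries that feed rundll32.exe a random eight-letter DLL in system32 with a one-letter export. The script below is an added example, not code from this thread or from OTL, HijackThis or ComboFix; it runs those checks over lines copied from the thread's logs. The indicator names, the core-binary list and the random-name rule are this example's own assumptions, and a hit means "look at this line", not a verdict.

```python
"""Triage Vundo-style indicators in OTL / HijackThis log text.

Added example for this thread, not code from OTL, HijackThis, ComboFix or any
poster; the indicator names, core-binary list and random-name rule are
assumptions modelled on the logs posted in the thread.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (indicator, detail)

# Binaries that never accept inbound connections, so a Windows Firewall
# exception for them is an indicator rather than a configuration choice.
CORE_BINARIES = {"winlogon.exe", "explorer.exe", "logonui.exe", "userinit.exe", "lsass.exe"}

# (name, value as listed) pairs from the Security Center / FirewallPolicy dump
# that mean a protection is switched off.
BAD_DWORDS = {
    ("DisableMonitoring", "1"): "Security Center monitoring disabled",
    ("EnableFirewall", "0"): "Windows Firewall profile disabled",
}

RE_REG_DWORD = re.compile(r'^"(?P<name>\w+)"=(?P<value>\d+)$')
# OTL Authorized Applications row: "[date | size | attrs | M] (Vendor) -- path:*:Enabled:label"
# or "File not found -- path:*:Enabled:label"
RE_FW_APP = re.compile(
    r'^(?P<status>File not found|\[.*?\])\s*(?:\(.*?\))?\s*--\s*(?P<path>.+?):\*:enabled:', re.I)
RE_SANE_STEM = re.compile(r'^[\w .\-]+$')         # the "~" of ~.exe fails this
# HJT O4 row loading a DLL via rundll32: [key] rundll32.exe "dll",export
RE_O4_RUNDLL = re.compile(
    r'^O4 - \S+?\\\.\.\\Run: \[(?P<key>[^\]]+)\]\s+rundll32\.exe\s+"(?P<dll>[^"]+)"(?:,(?P<export>\w+))?',
    re.I)
RE_RANDOM_DLL = re.compile(r'^[a-z]{6,9}\.dll$')  # yibabofi.dll, yahosuze.dll, ...


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def orphaned_hook(line: str) -> Optional[str]:
    # O2 BHO / O3 toolbar whose DLL is gone: a registration left behind
    if line.startswith(("O2 - ", "O3 - ")) and line.endswith(("(no file)", "(file missing)")):
        return line.split(" - ", 1)[1]
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one (indicator, detail) pair per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_REG_DWORD.match(line)
        if m:
            reason = BAD_DWORDS.get((m["name"], m["value"]))
            if reason:
                findings.append(("protection_off", reason))
            continue
        m = RE_FW_APP.match(line)
        if m:
            path, name = m["path"], basename(m["path"])
            if name in CORE_BINARIES or not RE_SANE_STEM.match(name[:-4]):
                findings.append(("suspicious_firewall_rule", path))
            elif m["status"].lower() == "file not found":
                findings.append(("stale_firewall_rule", path))
            continue
        hook = orphaned_hook(line)
        if hook:
            findings.append(("orphaned_bho", hook))
            continue
        m = RE_O4_RUNDLL.match(line)
        if m and "\\system32\\" in m["dll"].lower():
            name, export = basename(m["dll"]), m["export"] or ""
            # random lowercase name or a one-letter export: both Vundo habits
            if RE_RANDOM_DLL.match(name) or len(export) == 1:
                findings.append(("rundll32_random_dll", f'{m["key"]} -> {name},{export}'))
    return findings


def count_by_indicator(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(indicator for indicator, _ in findings))


# Lines copied from the OTL and HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
"FirstRunDisabled"=1
"DisableMonitoring"=1
"EnableFirewall"=0
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
File not found -- C:\WINDOWS\system32\~.exe:*:Enabled:~
[2004/08/03 23:56:52 | 00,514,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui
[2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Explorer
[2004/08/03 23:56:58 | 00,502,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon
O2 - BHO: {d4490153-2531-1f89-6364-8a97dfbaab58} - {85baabfd-79a8-4636-98f1-13523510944d} - C:\WINDOWS\system32\faqxpt.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [ec8f8ae4] rundll32.exe "C:\WINDOWS\system32\yibabofi.dll",b
O4 - HKLM\..\Run: [fohujuhome] Rundll32.exe "C:\WINDOWS\system32\yahosuze.dll",s
O4 - HKLM\..\Run: [CPMefbcb978] Rundll32.exe "c:\windows\system32\yikujesa.dll",a
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:26} {detail}")
```

Run it as-is to print one line per indicator, or feed it a whole OTL or HJT log with `triage(open(path).read())`. Real logs also carry legitimate rundll32 Run entries (graphics-driver control panels, for instance), which the random-name and one-letter-export rules are meant to leave alone, so treat the output as a reading aid for the helper, not as a removal list.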
#10 Groovsheep

Groovsheep
  • Topic Starter

  • Members
  • 11 posts

Posted 10 January 2009 - 03:52 PM

Hi there, again - sorry for the delay - I have a toddler in the middle of his terrible twos and never get a moment's peace!!!

I ran ComboFix, it came up with the warning about AVG still running, but I've been having problems with this and it doesn't seem to be running, but maybe it is in the background somewhere? I closed AVG related running processes via the task manager before continuing.

But it hung at a line which said :

C:/windows/system32 is not a recognised file, folder etc

I left it while I had dinner but over an hour later it hadn't changed so I restarted the computer.

I'm not sure if it saved a log - where would it be if it did? and filename? I have a folder in C:/ called ComboFix if it may be in here somewhere?

Before it crashed it had completed up to Section/Part 50 I think.

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43, on 2009-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {d4490153-2531-1f89-6364-8a97dfbaab58} - {85baabfd-79a8-4636-98f1-13523510944d} - C:\WINDOWS\system32\faqxpt.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AC8A54B9-F740-4E72-BC63-A2AE26C6094A} - (no file)
O2 - BHO: (no name) - {d8dfc2ba-a17f-4c62-a13f-756c97701d89} - C:\WINDOWS\system32\bidapako.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ec8f8ae4] rundll32.exe "C:\WINDOWS\system32\yibabofi.dll",b
O4 - HKLM\..\Run: [fohujuhome] Rundll32.exe "C:\WINDOWS\system32\yahosuze.dll",s
O4 - HKLM\..\Run: [CPMefbcb978] Rundll32.exe "c:\windows\system32\yikujesa.dll",a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Del\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Startup Desktop.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {20D70B3E-1D58-4729-9608-FA8D742711C7} (BTAPI.XMLReader) - http://ecdl.bell.ac.uk/activlite/BTEngine.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: tuvWolig - tuvWolig.dll (file missing)
O20 - Winlogon Notify: __c0028C51 - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7343 bytes

Incidentally, I have one new icon on my desktop which has appeared since the restart - a new "Internet Explorer" icon, which was def not there before (it's appeared after the ComboFix icon, which was the last thing installed), and the original Internet Explorer shortcut still remains also? Not sure if it's dodgy?

Let me know what the next step should be...


Amanda

#11 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 January 2009 - 03:22 AM

Hello,

It is weird to see ComboFix stall like that; although it did tear through a good deal of malware, there is some left. Don't worry, it is normal for the Internet Explorer icon to appear after running CF.

HJT Fix

Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {AC8A54B9-F740-4E72-BC63-A2AE26C6094A} - (no file)
O2 - BHO: (no name) - {d8dfc2ba-a17f-4c62-a13f-756c97701d89} - C:\WINDOWS\system32\bidapako.dll (file missing)
O2 - BHO: {d4490153-2531-1f89-6364-8a97dfbaab58} - {85baabfd-79a8-4636-98f1-13523510944d} - C:\WINDOWS\system32\faqxpt.dll (file missing)
O4 - HKLM\..\Run: [ec8f8ae4] rundll32.exe "C:\WINDOWS\system32\yibabofi.dll",b
O4 - HKLM\..\Run: [fohujuhome] Rundll32.exe "C:\WINDOWS\system32\yahosuze.dll",s
O4 - HKLM\..\Run: [CPMefbcb978] Rundll32.exe "c:\windows\system32\yikujesa.dll",a
O20 - Winlogon Notify: tuvWolig - tuvWolig.dll (file missing)


Then close all windows except HijackThis and click Fix Checked.

CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\yibabofi.dll
C:\WINDOWS\system32\yahosuze.dll
C:\windows\system32\yikujesa.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

ReScan

Please rescan with HJT and post a new log.


In your next reply, please post:
  • ComboFix log
  • MBAM log
  • HJT log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

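A script-side view of the HJT Fix and CFScript steps above, added here as an example and not part of the thread or of HijackThis/ComboFix: it reads HijackThis lines, selects the two patterns ticked in that post (O2/O20 registrations whose module is missing, and O4 Run values that load a DLL through rundll32 by a single-letter export) and renders the File:: block. The sample lines are constructed from the log in this thread; the selection rule is a heuristic matched to this infection, a triage aid for a reviewer and not a general verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HijackThis lines quoted in this thread
# (not a real log capture): clean entries mixed with the ones the helper fixed.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AC8A54B9-F740-4E72-BC63-A2AE26C6094A} - (no file)
O2 - BHO: (no name) - {d8dfc2ba-a17f-4c62-a13f-756c97701d89} - C:\WINDOWS\system32\bidapako.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ec8f8ae4] rundll32.exe "C:\WINDOWS\system32\yibabofi.dll",b
O4 - HKLM\..\Run: [fohujuhome] Rundll32.exe "C:\WINDOWS\system32\yahosuze.dll",s
O4 - HKLM\..\Run: [CPMefbcb978] Rundll32.exe "c:\windows\system32\yikujesa.dll",a
O20 - Winlogon Notify: tuvWolig - tuvWolig.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis marks a registration whose backing module is gone with one of these tags.
MISSING_TAGS = ("(no file)", "(file missing)")

# O4 Run value that loads a DLL through rundll32 and calls an export named by a
# single letter, the shape of the loader entries in this thread.
RUNDLL_RE = re.compile(
    r'^O4 - .*\\Run: \[[^\]]+\] rundll32(?:\.exe)? "(?P<dll>[^"]+\.dll)",[A-Za-z]\s*$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str                  # the HJT line to tick before "Fix checked"
    reason: str                # why it was selected
    dll: Optional[str] = None  # on-disk file for the CFScript File:: section, if any


def triage(log_text: str) -> List[Finding]:
    """Select HJT lines matching the two patterns fixed in this thread, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Orphaned BHO / Winlogon Notify registration: nothing on disk, but the key
        # still points at it, so it is listed for the HJT fix.
        if line.startswith(("O2 - ", "O20 - ")) and line.endswith(MISSING_TAGS):
            findings.append(Finding(line, "orphaned registration: module missing"))
            continue
        # rundll32 loader: the DLL is still on disk, so it also goes into CFScript.
        m = RUNDLL_RE.match(line)
        if m:
            findings.append(
                Finding(line, "rundll32 loading a DLL by single-letter export", m.group("dll"))
            )
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render the File:: block from the thread: one path per line, duplicates dropped."""
    paths: List[str] = []
    for f in findings:
        if f.dll and f.dll.lower() not in (p.lower() for p in paths):
            paths.append(f.dll)
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f"[{f.reason}] {f.line}")
    print(build_cfscript(found), end="")
```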

#12 Groovsheep

  • Topic Starter
  • Members
  • 11 posts

Posted 11 January 2009 - 08:55 AM

Hi there

Followed all instructions, although I still had a similar problem with ComboFix: it got as far as "Stage 50 completed" and then said the following:

'"C:\WINDOWS\system32\"' is not recognised as an internal or external command, operable program or batch file.



I left it for a while, but it seemed to have stopped again, so I restarted.

Here is the ComboFix file (doesn't seem to tell much though!?)

---------------------------------------------------
ComboFix 09-01-10.01 - Del 2009-01-11 12:58:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.397 [GMT 0:00]
Running from: C:\Documents and Settings\Del\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Del\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
C:\WINDOWS\system32\yahosuze.dll
C:\WINDOWS\system32\yibabofi.dll
C:\windows\system32\yikujesa.dll
.

------------------------------------------

MBAM ran fine, here is its log:

------------------------------------------

Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 2

2009-01-11 13:36:40
mbam-log-2009-01-11 (13-36-40).txt

Scan type: Quick Scan
Objects scanned: 53726
Time elapsed: 9 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85baabfd-79a8-4636-98f1-13523510944d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85baabfd-79a8-4636-98f1-13523510944d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0028c51 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorInspector (Rogue.ErrorInspector) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\faqxpt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Del\Favorites\Free Porn - FreePorn.com Porn Videos Porno Free Sex Movies.url (Rogue.Link) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------------

And finally the HJT log:

------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49, on 2009-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Del\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Startup Desktop.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {20D70B3E-1D58-4729-9608-FA8D742711C7} (BTAPI.XMLReader) - http://ecdl.bell.ac.uk/activlite/BTEngine.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6597 bytes

-----------------------------------------------------------


Your help is much appreciated; the comp is running a little better already!

Amanda x

#13 Groovsheep

  • Topic Starter
  • Members
  • 11 posts

Posted 11 January 2009 - 08:58 AM

Incidentally, ComboFix told me AVG is running, although it says it can't run, due to an error in AVGTray.exe, and I should try to reinstall it. I uninstalled it, although it gave one error saying it couldn't do something with the registry.

I tried to reinstall it - it came up with the same error.

Now I feel like I'm running without an AV and scared I'll get something else in. Although, according to all those files, AVG is still running!? What could this mean? Am I protected or not?

#14 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 January 2009 - 10:04 AM

Hello, it may be that your AVG was interfering with the ComboFix scan. There was no need to uninstall it, however. Although you claim to have removed it, it's still running. Remove it properly via Add/Remove Programs in the Control Panel and reinstall it, or perhaps try some other free antivirus. On another note, your logs appear clean. I would like to perform an online scan to make sure, though.

ESET Online Scan

Please go to the Eset website to perform an online scan. Please use Internet Explorer, as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

ReScan

Please rescan with DDS and post DDS.txt.


In your next reply, please post:
  • ESET online scan log
  • DDS logs

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 Groovsheep

  • Topic Starter
  • Members
  • 11 posts

Posted 11 January 2009 - 03:37 PM

Hi there,

The online scan took around 3 hrs to complete; here is the log:

------------------------------------------

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3757 (20090111)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a9f0298a016d3d4da2bb1230e1c824f6
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-11 07:46:06
# local_time=2009-01-11 07:46:06 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=313937
# found=11
# scan_time=9934
C:\Documents and Settings\Del\Desktop\My Music\John Lennon\Lennon Legend\12 - (Just like ) Starting Over.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan F2DDC457A522494B29F52680D5F3CB8E
C:\Documents and Settings\Del\Incomplete\Preview-T-3545425-flowers in window travis.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan F8889ED85CB1F4A4F6F46CFB83492F68
C:\Documents and Settings\Del\Incomplete\Preview-T-3545426-flowers in window travis.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 79D828F9A942B7EAA5AC20049F6494F0
C:\Documents and Settings\Del\Incomplete\Preview-T-5745425-David Grey - Late night radio.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan A15B08524762D49345DAF2639282EE9B
C:\Documents and Settings\Del\Incomplete\T-3545425-flowers in window travis.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 0E2347C26C567FE48969D7C8CD4EB24B
C:\Documents and Settings\Del\Incomplete\T-3545425-your protector.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan C288E4016D5AB0D7FC4CAE6D6A910063
C:\Documents and Settings\Del\Incomplete\T-3545426-flowers in window travis.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan F146CF749F1D15D93CF19604E90D8D15
C:\Documents and Settings\Del\My Documents\Delbhoy\Incomplete\T-125030-(H2O) axel foley ringtone _better version_ 18.wma WMA/TrojanDownloader.Wimad.D trojan E98D3CCB9AD0C885038C234236CA6143
C:\Documents and Settings\Del\Shared\David Grey - Late night radio.mp3 WMA/TrojanDownloader.GetCodec.C trojan 1A31AF52C42A4B385BFD1DC08CCDF7F2
C:\Qoobox\Quarantine\C\WINDOWS\system32\herwsajt.dll.vir Win32/TrojanDownloader.Agent.ONC trojan 7451FE0D92C0F92B558E6465B5ED4D7A
C:\Qoobox\Quarantine\C\WINDOWS\system32\jreukgjq.dll.vir Win32/TrojanDownloader.Agent.ONC trojan 7451FE0D92C0F92B558E6465B5ED4D7A
----------------------------------------------------------------

And the DDS file:

-----------------------------------------------------


DDS (Version 1.1.0) - NTFSx86
Run by Del at 20:33:59.37 on 2009-01-11
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.144 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Del\Desktop\OTViewit files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - AskBar BHO
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Desktop Gordon] c:\documents and settings\del\my documents\rippleffect\desktop gordon\gordon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PC Suite for Smartphones] "c:\program files\sony ericsson\mobile4\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startu~1.lnk - c:\windows\installer\{7106dffd-2c84-11d7-a490-00c0df117e72}\_36AE9230F109_497C_A465_FFFAFF496641.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to AMV Converter...
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\del\applic~1\mozilla\firefox\profiles\9kgwco40.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2007-9-13 110360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-20 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-25 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-9-13 119576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-13 394984]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-9-25 587096]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-20 231704]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2007-9-21 2560]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\drivers\zebrceb.sys [2008-5-10 62984]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2009-1-11 155160]
S2 Seekeen Service;Seekeen Service; []
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2009-1-11 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2009-1-11 352920]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [2007-1-5 123264]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2008-12-28 299904]
S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2008-5-10 83200]
S3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\drivers\zebrmdfl.sys [2008-10-15 15112]
S3 zebrmdm;Sony Ericsson Port (WDM);c:\windows\system32\drivers\zebrmdm.sys [2008-10-15 109568]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2008-10-15 108424]
S3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\drivers\zebrsce.sys [2008-10-15 90888]

=============== Created Last 30 ================

2009-01-11 16:58 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-11 13:25 <DIR> --d----- c:\docume~1\del\applic~1\Malwarebytes
2009-01-11 13:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-11 13:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 13:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-11 13:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 12:56 <DIR> -cd----- C:\ComboFix
2009-01-11 12:56 388,608 a------- c:\windows\system32\CF3062.exe
2009-01-10 18:58 <DIR> acdshr-- C:\cmdcons
2009-01-10 18:52 161,792 a------- c:\windows\SWREG.exe
2009-01-10 18:52 98,816 a------- c:\windows\sed.exe
2009-01-10 18:51 388,608 a------- c:\windows\system32\CF19920.exe
2009-01-01 23:58 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-01-01 13:37 <DIR> --d----- c:\program files\AskBarDis
2008-12-29 18:27 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-28 10:20 299,904 a----r-- c:\windows\system32\drivers\MRVW225.sys
2008-12-27 18:51 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 14:55 <DIR> --d----- c:\program files\MyFree Codec
2008-12-25 09:32 65 a------- c:\windows\FISHUI.INI
2008-12-25 09:00 <DIR> --d----- c:\docume~1\del\applic~1\DataCast
2008-12-25 08:59 <DIR> --d----- c:\program files\MarkAny
2008-12-25 08:59 <DIR> --d----- c:\program files\Samsung

==================== Find3M ====================

2009-01-11 20:33 783,247,392 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-11 13:38 9,096,644 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-25 08:58 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-27 20:08 7,334,496 a------- c:\program files\Firefox Setup 3.0.3.exe
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-07-19 15:12 1,657,659 a------- c:\program files\ts2_server_rc2_202319.exe
2008-02-05 22:24 7,462,912 a------- c:\program files\WinZip Pro 10[1].0 (6685) + Key Generator.zip
2008-01-20 11:26 31,861,281 a------- c:\program files\setupoffice.exe
2008-01-20 11:11 7,886,336 a------- c:\program files\setup.msi
2007-12-21 23:23 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-12-20 14:45 3,374,936 a------- c:\program files\vvpro_setupgc.exe
2007-10-06 12:55 24,265,736 a------- c:\program files\dotnetfx.exe
2007-10-06 12:42 1,494,536 a------- c:\program files\advisor.exe
2007-10-06 12:35 46,445,152 a------- c:\program files\7-9_xp32_dd_ccc_wdm_enu_52443.exe
2007-09-13 21:24 41,573,776 a------- c:\program files\zlsSetup_70_362_000_en.exe
2007-09-01 10:16 1,542,656 a------- c:\program files\SteamInstall.msi

============= FINISH: 20:35:32.64 ===============


----------------------------------------------

Thanks

Amanda



