Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Reoccurring Strand of Vundo


  • This topic is locked This topic is locked
21 replies to this topic

#1 FrozenVoid

FrozenVoid

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 03 February 2009 - 02:21 AM

This is not my computer. I've worked on this computer before and have "succeeded" with a mix of HJTv2, SAV10, and some other tools at my disposal. Since the computer is back in my hands for the same problem, I feel I need help from you guys. So, as per the instructions at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/, I'm posting a DDS log and asking for help.

I'm currently running in Safe Mode w/ Networking.

The first thing I did was run a virus scan in Safe Mode w/ Cmd Prompt using SAV10. It found Trojan.Vundo and Trojan.Metajuan which were cleaned by deletion. Unfortunately, after the scan, I was unable to boot into Windows - the computer would reboot itself right before the logon screen. The scan was run with out-of-date definitions (01/25/09 to be exact) and I cannot update them at the moment because LiveUpdate errors out everytime.

Then, I ran HJTv2 in Safe Mode w/ Cmd Prompt and tried removing the questionable DLLs that way, but I get popups that say registry editing has been disabled by the admin. I'm assuming this is caused by the malware, since I've never disabled registry editing.

So, now I'm coming to you guys.

btw, I'm using WinXP Home Edition SP2.

Here's my DDS.txt and my Attach.txt is zipped and attached.

Thanks in advance to anyone willing to help.

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK 
Run by Garrett Thornbrugh at  1:04:55.59 on Tue 02/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.511.346 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Garrett Thornbrugh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = https://restech.baylor.edu
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {1dac8b7f-3081-4b5d-a13b-56564ccff5ac} - c:\windows\system32\khfDSmNf.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\qoMCsRKB.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [VerizonServicepoint.exe] c:\program files\verizon\servicepoint\VerizonServicepoint.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: baylor.edu
Trusted Zone: ccsginc.com\frontgatevn
Trusted Zone: microsoft.com\go
Trusted Zone: microsoft.com\WindowsUpdate
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38152.3975231481
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: qoMCsRKB - qoMCsRKB.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\qoMCsRKB.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfDSmNf

============= SERVICES / DRIVERS ===============

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2006-7-10 15735]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-5-25 13440]
S1 77ec6f47;77ec6f47;c:\windows\system32\drivers\77ec6f47.sys [2009-1-25 93420]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2006-7-10 21031]
S1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2006-7-10 15478]
S1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2006-7-10 590190]
S1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-7-10 26099]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-12-20 1814720]
S2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\vetmsg.exe --> c:\program files\yahoo!\antivirus\VetMsg.exe [?]
S2 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2008-8-21 41025]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\garret~1\locals~1\temp\asbp2poa.sys --> c:\docume~1\garret~1\locals~1\temp\asbp2poa.sys [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-6-23 1390976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-6 99376]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\drivers\iiusbisp.sys --> c:\windows\system32\drivers\iiusbisp.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090125.005\naveng.sys [2009-1-25 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090125.005\navex15.sys [2009-1-25 876112]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-12-20 116928]
S3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2006-7-10 102398]
S4 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\isafe.exe --> c:\program files\yahoo!\antivirus\ISafe.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-02-03 00:28	<DIR>	--d-----	C:\temp
2009-01-25 16:18	129,024	a-------	c:\windows\system32\epgnuj.dll
2009-01-25 16:18	129,024	a-------	c:\windows\system32\yhcyqliv.dll
2009-01-25 16:16	1,434,061	---sh---	c:\windows\system32\amndhbhk.ini
2009-01-25 16:16	72,704	a-------	c:\windows\system32\khbhdnma.dll
2009-01-25 16:15	408,996	a--sh---	c:\windows\system32\fNmSDfhk.ini2
2009-01-25 16:15	408,996	a--sh---	c:\windows\system32\fNmSDfhk.ini
2009-01-25 16:15	315,904	a-------	c:\windows\system32\khfDSmNf.dll
2009-01-25 16:12	93,420	a-------	c:\windows\system32\drivers\77ec6f47.sys
2009-01-25 16:10	47,914	a-------	c:\windows\system32\pmnkKdAQ.dll
2009-01-25 16:10	36,352	a-------	c:\windows\system32\qoMCsRKB.dll
2009-01-25 16:10	20,480	a-------	c:\windows\system32\digeste.dll
2009-01-18 19:04	2,201	a-------	c:\windows\system32\TDSSlxwp.dll
2009-01-18 19:03	441	a-------	c:\windows\system32\TDSSosvd.dat
2009-01-18 18:55	1,403,021	a--sh---	c:\windows\system32\fkqardtb.ini
2009-01-18 18:52	3,071	a--sh---	c:\windows\system32\oonqqtwa.ini2
2009-01-18 18:52	3,071	a--sh---	c:\windows\system32\oonqqtwa.ini
2009-01-17 19:31	<DIR>	--d-----	c:\program files\iCheck
2009-01-17 19:31	191,103	a-------	c:\windows\system32\wpv621232083597.cpx
2009-01-16 08:18	0	a-------	c:\windows\hpqEmlSz.INI
2009-01-16 08:14	<DIR>	--d-----	c:\windows\pss
2009-01-15 08:43	<DIR>	a-dshr--	C:\cmdcons
2009-01-14 08:37	<DIR>	--d-----	c:\program files\common files\PC Tools
2009-01-14 08:35	<DIR>	--d-----	c:\docume~1\garret~1\applic~1\Malwarebytes
2009-01-14 08:35	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-01-14 08:35	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-12 09:15	324	a-------	C:\ituninst.bat
2009-01-12 08:55	0	a-------	c:\windows\vpc32.INI

==================== Find3M  ====================

2009-01-12 09:25	13,440	a-------	c:\windows\system32\drivers\USBCRFT.SYS

============= FINISH:  1:05:19.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 04 February 2009 - 01:57 AM

Dont use code/quote tags when posting logs.. Just post them as it is.. It will be much easier for me..


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 04 February 2009 - 11:00 AM

Thanks for helping me, fenzo.

ComboFix is a no-go. Here's what happened (keep in mind, this is all happening in Safe Mode w/ Networking):

First, I downloaded ComboFix (and saved as Combo-Fix) to my flash drive because I wasn't using the infected computer when I checked this thread. I copied CF from the flash drive to the infected computer's desktop, turned off Windows Firewall and ran CF. I then got a message from CF telling me that SAV was running and to click "OK" once I stopped SAV. I checked Task Manager - no SAV-related processes were running. I checked Services.msc - no SAV-related services were running. So I opened the SAV GUI and de-selected "Enable Auto-Protect", "Enable Internet E-mail Auto Protect", "Enable Microsoft Exchange Auto Protect", and "Enable Tamper Protection" - now, ALL SAV-related services were disabled for sure. I selected "OK" in CF and it again told me that SAV was running. So I killed CF and uninstalled it (by running Combo-Fix /u) - I did this to try and make sure a re-run wouldn't screw up (maybe I shouldn't have, but I've read in other posts where uninstalling CF was recommended before re-running). I then rebooted the computer and tried to re-run CF, but got an error message that said "You cannot rename ComboFix as Combo-Fix Please use another name, preferabaly[sic] made up of alphanumeric characters". So I again uninstalled CF, but this time deleted it from my desktop. I rebooted and re-downloaded CF (renamed to Combo-Fix before saving) to my desktop, re-ran, and got the same error message about the name.

So now I await further instruction.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 04 February 2009 - 10:36 PM

Lets use another route..



Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 February 2009 - 08:45 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1733
Windows 5.1.2600 Service Pack 2

2/5/2009 7:17:08 PM
mbam-log-2009-02-05 (19-17-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179550
Time elapsed: 31 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\heuagpfa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\khfDSmNf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qoMCsRKB.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xyrlaham.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d816e7d-f178-4bf7-88c5-856db7260ced} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5d816e7d-f178-4bf7-88c5-856db7260ced} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomcsrkb (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e79a405c-3f7e-40ba-bf8c-9aac31e8b241} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e79a405c-3f7e-40ba-bf8c-9aac31e8b241} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{90951405-3daa-4b1d-9d50-18a329bf3bd0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90951405-3daa-4b1d-9d50-18a329bf3bd0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8dbb725 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdsmnf -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfdsmnf -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\ylgfrw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qoMCsRKB.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\khfDSmNf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fNmSDfhk.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fNmSDfhk.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\heuagpfa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\afpgaueh.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\khbhdnma.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\amndhbhk.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rxoutear.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\raetuoxr.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xyrlaham.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Garrett Thornbrugh\Local Settings\Temporary Internet Files\Content.IE5\G1MN45YJ\upd105320[1] (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Garrett Thornbrugh\Local Settings\Temporary Internet Files\Content.IE5\GDIV8XU7\index[1] (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090203-003611-483.dll (Trojan.Downloader) -> No action taken.
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090203-003611-727.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090203-003611-754.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090203-003648-911.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\abdsrmip.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\epgnuj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mdoyxx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yhcyqliv.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wpv621232083597.cpx (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\pmnkKdAQ.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> No action taken.

Edited by FrozenVoid, 05 February 2009 - 08:48 PM.


#6 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 February 2009 - 08:46 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Garrett Thornbrugh at 2009-02-05 19:23:39
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 88 GB (60%) free of 147 GB
Total RAM: 511 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:45 PM, on 2/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Garrett Thornbrugh\Desktop\RSIT.exe
C:\Program Files\trend micro\Garrett Thornbrugh.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\qoMCsRKB.dll (file missing)
O2 - BHO: (no name) - {E79A405C-3F7E-40BA-BF8C-9AAC31E8B241} - C:\WINDOWS\system32\khfDSmNf.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.baylor.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: qoMCsRKB - qoMCsRKB.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6473 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\WebReg 20040814190224.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\qoMCsRKB.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E79A405C-3F7E-40BA-BF8C-9AAC31E8B241}]
C:\WINDOWS\system32\khfDSmNf.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-06-07 3809280]
"nwiz"=nwiz.exe /install []
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe [2002-05-24 188416]
"HPHmon04"=C:\WINDOWS\System32\hphmon04.exe [2002-06-20 339968]
"HPHUPD04"=C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [2002-05-24 49152]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
"VerizonServicepoint.exe"=C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe [2006-02-01 1880064]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-28 270648]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-12-20 125632]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-07 185896]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-14 1273488]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-12-20 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMCsRKB]
qoMCsRKB.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\qoMCsRKB.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\khfDSmNf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRecentDocsNetHood"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe"="C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe:*:Disabled: "
"C:\Program Files\Valve\Steam\SteamApps\beandip25\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Valve\Steam\SteamApps\beandip25\half-life 2\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\half-life 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Atari\ArmA\arma.exe"="C:\Program Files\Atari\ArmA\arma.exe:*:Enabled:ArmA"
"C:\Program Files\Red Storm Entertainment\RavenShield\system\RavenShield.exe"="C:\Program Files\Red Storm Entertainment\RavenShield\system\RavenShield.exe:*:Enabled:RavenShield"
"C:\Program Files\Red Storm Entertainment\RavenShield\system\UCC.exe"="C:\Program Files\Red Storm Entertainment\RavenShield\system\UCC.exe:*:Enabled:UCC"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Valve\Steam\SteamApps\beandip25\garrysmod\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\garrysmod\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"="C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe:*:Enabled:SPBBCSvc"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
"C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe:*:Enabled:VerizonServicepoint"
"C:\WINDOWS\system32\hphmon04.exe"="C:\WINDOWS\system32\hphmon04.exe:*:Enabled:hphmon04"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\LaunchU3.exe


======List of files/folders created in the last 3 months======

2009-02-05 19:23:40 ----D---- C:\Program Files\trend micro
2009-02-05 19:23:39 ----D---- C:\rsit
2009-02-05 19:18:56 ----D---- C:\Avenger
2009-02-05 19:18:56 ----A---- C:\avenger.txt
2009-02-05 18:43:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-04 09:43:38 ----A---- C:\WINDOWS\system32\CF24394.exe
2009-02-04 09:43:36 ----A---- C:\Bug.txt
2009-02-04 09:41:47 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Macromedia
2009-02-04 09:38:15 ----D---- C:\WINDOWS\temp
2009-02-04 09:38:15 ----D---- C:\temp
2009-02-04 09:37:33 ----D---- C:\Combo-Fix
2009-02-04 09:36:00 ----A---- C:\WINDOWS\system32\CF22895.exe
2009-02-04 09:24:19 ----A---- C:\WINDOWS\system32\CF20609.exe
2009-01-19 13:19:23 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-01-18 18:55:13 ----ASH---- C:\WINDOWS\system32\fkqardtb.ini
2009-01-18 18:52:41 ----ASH---- C:\WINDOWS\system32\oonqqtwa.ini2
2009-01-18 18:52:41 ----ASH---- C:\WINDOWS\system32\oonqqtwa.ini
2009-01-16 08:18:58 ----A---- C:\WINDOWS\hpqEmlSz.INI
2009-01-16 08:14:46 ----D---- C:\WINDOWS\pss
2009-01-15 11:01:11 ----SHD---- C:\RECYCLER
2009-01-15 08:43:34 ----A---- C:\Boot.bak
2009-01-15 08:43:20 ----RASHD---- C:\cmdcons
2009-01-15 08:41:11 ----D---- C:\WINDOWS\ERDNT
2009-01-14 08:37:51 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-14 08:37:43 ----D---- C:\Program Files\Common Files\PC Tools
2009-01-14 08:35:51 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Malwarebytes
2009-01-14 08:35:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-12 09:15:18 ----A---- C:\ituninst.bat
2009-01-12 08:55:19 ----A---- C:\WINDOWS\vpc32.INI
2008-12-06 07:11:13 ----A---- C:\WINDOWS\system32\c3f8735b-.txt

======List of files/folders modified in the last 3 months======

2009-02-05 19:23:40 ----RD---- C:\Program Files
2009-02-05 19:19:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-05 19:18:57 ----D---- C:\WINDOWS\system32
2009-02-05 19:18:56 ----D---- C:\WINDOWS
2009-02-05 18:43:12 ----D---- C:\WINDOWS\system32\drivers
2009-02-04 09:37:38 ----D---- C:\WINDOWS\system32\Restore
2009-02-04 09:34:31 ----SHD---- C:\System Volume Information
2009-02-03 00:36:33 ----D---- C:\Program Files\Residential Technology Configuration Utility 8.21
2009-01-25 16:27:20 ----D---- C:\Program Files\Symantec AntiVirus
2009-01-25 16:27:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-25 16:22:52 ----A---- C:\WINDOWS\ModemLog_Creatix V.9X DSP Data Fax Modem #2.txt
2009-01-25 16:13:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-25 16:12:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-25 01:30:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-01-24 17:51:11 ----D---- C:\WINDOWS\Minidump
2009-01-19 13:32:15 ----D---- C:\WINDOWS\Registration
2009-01-16 08:17:35 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\HP
2009-01-16 08:09:54 ----SHD---- C:\WINDOWS\Installer
2009-01-16 08:09:54 ----D---- C:\Config.Msi
2009-01-15 11:34:35 ----D---- C:\WINDOWS\WinSxS
2009-01-15 11:34:33 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-15 11:34:20 ----D---- C:\Program Files\Common Files\Adobe
2009-01-15 11:34:20 ----D---- C:\Program Files\Adobe
2009-01-15 10:55:36 ----A---- C:\WINDOWS\system.ini
2009-01-15 10:54:35 ----D---- C:\WINDOWS\AppPatch
2009-01-15 10:54:35 ----D---- C:\Program Files\Common Files
2009-01-15 10:50:39 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Mozilla
2009-01-15 09:34:12 ----D---- C:\WINDOWS\system32\config
2009-01-15 08:45:56 ----D---- C:\WINDOWS\system
2009-01-15 08:43:35 ----RASH---- C:\boot.ini
2009-01-15 08:30:06 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-14 11:34:16 ----D---- C:\Documents and Settings
2009-01-14 08:38:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-13 06:26:00 ----A---- C:\WINDOWS\NeroDigital.ini
2009-01-13 04:58:03 ----HD---- C:\WINDOWS\inf
2009-01-12 09:48:15 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-12 09:34:37 ----D---- C:\Program Files\Google
2009-01-12 09:34:35 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-12 09:15:11 ----D---- C:\Program Files\InterActual
2009-01-11 07:10:14 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Google
2008-12-14 21:49:52 ----A---- C:\WINDOWS\wininit.ini
2008-12-06 08:14:07 ----D---- C:\Program Files\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2006-07-10 15735]
R3 CardReaderFilter;Card Reader Filter; \??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS []
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2004-04-23 41984]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2004-03-17 135168]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 77ec6f47;77ec6f47; C:\WINDOWS\System32\drivers\77ec6f47.sys [2009-01-25 93420]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
S1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
S1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
S1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2006-07-10 590190]
S1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2006-07-10 21031]
S1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2006-07-10 26099]
S1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2006-07-10 15478]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-08-21 17801]
S2 MASPINT;MASPINT; C:\WINDOWS\system32\drivers\MASPINT.sys [2000-03-29 8096]
S2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2004-04-13 15781]
S3 2WIREPCP;2Wire USB; C:\WINDOWS\System32\DRIVERS\2WirePCP.sys [2004-09-15 68672]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 asbp2poa;asbp2poa; \??\C:\DOCUME~1\GARRET~1\LOCALS~1\Temp\asbp2poa.sys []
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 cmudax;C-Media Azalia Audio Interface; C:\WINDOWS\system32\drivers\cmudax.sys [2004-06-08 1390976]
S3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\System32\DRIVERS\hphid411.sys [2002-05-24 50896]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\System32\DRIVERS\hphipr11.sys [2002-05-24 16112]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11); C:\WINDOWS\System32\Drivers\hphs2k11.sys [2002-05-24 50276]
S3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2002-05-24 18928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2003-09-23 7296]
S3 gtndis5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S3 IIUSBISP;USB Mass Storage for USB ISP; C:\WINDOWS\System32\Drivers\iiusbisp.sys []
S3 Intels51;Creatix V.9X DSP Data Fax Modem; C:\WINDOWS\System32\DRIVERS\ctxs51.sys [2003-09-10 670203]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090125.005\naveng.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090125.005\navex15.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-06-07 2324480]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
S3 USB_RNDIS;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver v2; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2006-07-10 102398]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-06-28 106496]
S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-01-31 554616]
S2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
S2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-12-20 31424]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-30 168432]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2004-06-07 114755]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
S2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-12-20 1814720]
S2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 VETMSGNT;VET Message Service; C:\Program Files\Yahoo!\Antivirus\VetMsg.exe []
S2 WUSB54GSv2SVC;WUSB54GSv2SVC; C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-28 501048]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-01-31 2975352]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\System32\HPHipm11.exe [2002-05-24 77824]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-12-20 116928]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 YPCService;YPCService; C:\WINDOWS\system32\YPCSER~1.EXE [2003-05-19 86016]
S4 CAISafe;CAISafe; C:\Program Files\Yahoo!\Antivirus\ISafe.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []

-----------------EOF-----------------

Edited by FrozenVoid, 05 February 2009 - 08:48 PM.


#7 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 February 2009 - 08:49 PM

info.txt logfile of random's system information tool 1.05 2009-02-05 19:23:49

======Uninstall list======

-->"C:\Program Files\SBC Yahoo!\umuninst.exe" /S
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe® Photoshop® Album Starter Edition 3.2-->MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AIM 6-->C:\Program Files\AIM6\uninst.exe
AOL Instant Messenger-->C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
Apple Software Update-->MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArmA Uninstall-->C:\Program files\Atari\ArmA\UnInstall.exe
Army Men Sarge's War-->MsiExec.exe /I{FCC373B6-1FBD-4280-A4BF-E371095DABE8}
C-Media Azalia Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Compton's Interactive Encyclopedia 2000 Deluxe-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Broderbund\CIE2000D\DeIsL1.isu"
Counter-Strike: Source-->MsiExec.exe /I{9580813D-94B1-4C28-9426-A441E2BB29A5}
Delta Force - Black Hawk Down-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NovaLogic\Delta Force Black Hawk Down\Uninst.isu"
Die Hard: Nakatomi Plaza-->C:\PROGRA~1\Fox\DIEHAR~1\UNWISE.EXE C:\PROGRA~1\Fox\DIEHAR~1\INSTALL.LOG
Far Cry-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}
File, Print FedEx Kinko's-->MsiExec.exe /I{8F156C85-23F2-4F13-89A6-B0B286D1B4CD}
Flashpoint uninstall-->C:\Program Files\Codemasters\UnInstall.exe
FTP Explorer-->MsiExec.exe /I{CF690C1A-8C14-40FA-877E-77372A579E61}
Garmin StreetPilot i2/i3 North America-->MsiExec.exe /X{6259F28B-6C4A-4259-8A1D-F44794DF73E2}
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Groove Games\Land Of The Dead-->C:\Program Files\Groove Games\Land Of The Dead\System\Setup.exe uninstall "LandOfTheDead"
GUN ™-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2DFF2906-52BB-4222-8062-1509259FC013}
Half-Life Dedicated Server Update Tool-->C:\PROGRA~1\Valve\HLServer\UNWISE.EXE C:\PROGRA~1\Valve\HLServer\INSTALL.LOG
Half-Life® 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
Higher Score on the New SAT 1.0-->"C:\Program Files\Kap.NewSAT\unins000.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Home Cinema-->"C:\Program Files\Uninstall_PCM.exe"
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
HP Customer Participation Program 7.0-->C:\Program Files\Hewlett-Packard\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0-->C:\Program Files\Hewlett-Packard\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
hp instant support-->C:\PROGRA~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
HP Photo and Imaging 1.0 - HP Photosmart Printer Series-->MsiExec.exe /I{0D396571-7BBD-44CE-ABB3-518BF86B72F7}
HP Photosmart and Deskjet 7.0 Software-->C:\Program Files\Hewlett-Packard\Digital Imaging\{D2A3C9D5-0B56-4656-8277-7EDC65D62B6E}\setup\hpzscr01.exe -datfile hphscr12.dat -showdisconnect -forcereboot
HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0-->C:\Program Files\Hewlett-Packard\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
I'm Going In-->C:\WINDOWS\unvise32.exe C:\Program Files\Eidos Interactive\I'm Going In\uninstal.log
ImageMixer for Sony-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe"
Informations about your PC-->MsiExec.exe /I{0AB149EB-2AE0-466C-9BA4-3A718CF06432}
Ipswitch WS_FTP Home 2006-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11DE2361-9F73-47B3-B638-2F267927E307}\setup.exe" -l0x9
iTunes-->MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
Kaplan Essential Review - Writing and Vocabulary-->MsiExec.exe /I{C19423A6-78AB-4EF0-BE84-6B18342316A5}
Linksys Wireless-G USB Network Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medion Flash XL 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA1CB7AC-E221-4822-A789-0ADB051DC498}\Setup.exe" -l0x9 -wUninst
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MicroStaff WINASPI-->C:\MWASPI\uninst.exe
mIRC-->"c:\windows\system\svchost.exe" -uninstall
MSN Messenger 6.2-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600133}
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch® Jukebox-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers-->C:\WINDOWS\System32\nvudisp.exe UninstallGUI
OpenAL-->"C:\Program Files\OpenAL\OpenALwEAX.exe" /U
Peter Jackson's King Kong - The Official Game of the Movie-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{111E336D-30BF-4CD4-8D69-4541732AFB27}\setup.exe" -l0x9 -removeonly
Photosmart 130,230,7150,7345,7350,7550 (Remove only)-->C:\Program Files\HP Photosmart 11\Printer\hphuni04.exe
PlayLinc-->MsiExec.exe /I{008EF266-872C-4D71-9D9D-C4A9B9B733D7}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
ProWrite 2005-->MsiExec.exe /I{195427F0-4637-4D6C-A16A-F2E3B1EB0783}
ProWriteUser-->MsiExec.exe /X{517C21B0-952B-47A8-B5A1-A25C3410776B}
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Residential Technology Configuration Utility 8.21-->"C:\WINDOWS\Residential Technology Configuration Utility\uninstall.exe" "/U:C:\Program Files\Residential Technology Configuration Utility 8.21\irunin.xml"
Secret Service: In Harm's Way-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activision Value\FUN labs\Secret Service\Uninst.isu"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
ShellShock:Nam'67-->MsiExec.exe /X{B6D6F393-20F7-4580-9585-49F74603C2D8}
Soldier of Fortune Platinum-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Raven\SOF PLATINUM\sofplat.isu"
Soldner-->C:\WINDOWS\unvise32.exe C:\Program Files\SoldnerSecretWars\uninstal.log
Steam™-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Tom Clancy's Rainbow Six 3: Athena Sword 1.10.016-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{664FF9A8-7E44-4E17-AD40-D10E15504C49}\setup.exe" -l0x9
Tom Clancy's Rainbow Six 3: Iron Wrath 1.00.000-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{81521545-BE95-4869-92FA-CC2E276C790E}\Setup.exe" -l0x9
Tom Clancy's Rainbow Six 3: Raven Shield 1.60.412-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AF131494-F5D8-45C5-938C-D5F020CF1B0D}\setup.exe" -l0x9
TrueSwitch Wizard SBC-->C:\Program Files\TrueSwitchSBC\TrueWizard.exe -uninstall
TrueSwitch Wizard Verizon Yahoo-->C:\Program Files\TrueSwitchVerizon\TrueWizard.exe -uninstall
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908521)-->"C:\WINDOWS\$NtUninstallKB908521$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB916846)-->"C:\WINDOWS\$NtUninstallKB916846$\spuninst\spuninst.exe"
Update for Windows XP (KB920342)-->"C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Verizon Servicepoint 1.3.21-->"C:\Program Files\Verizon\Servicepoint\unins000.exe"
Wasp Bar Code Labeler-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Wasp Bar Code\Labeler\Uninst.isu"
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Blaster Worm Removal Tool (KB833330)-->C:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 9 Hotfix [See KB885492 for more information]-->C:\WINDOWS\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"

======Security center information======

AV: Symantec AntiVirus Corporate Edition

System event log

Computer Name: THORNBRUGHGAR84
Event Code: 10005
Message: DCOM got error "%1450" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Record Number: 4559
Source Name: DCOM
Time Written: 20081218200521.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 10005
Message: DCOM got error "%1450" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Record Number: 4558
Source Name: DCOM
Time Written: 20081218200021.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 10005
Message: DCOM got error "%1450" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Record Number: 4557
Source Name: DCOM
Time Written: 20081218195521.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 10005
Message: DCOM got error "%1450" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Record Number: 4556
Source Name: DCOM
Time Written: 20081218195021.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 10005
Message: DCOM got error "%1450" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Record Number: 4555
Source Name: DCOM
Time Written: 20081218194521.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: THORNBRUGHGAR84
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 5:54 AM.

Record Number: 58310
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090113054916.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 5:49 AM.

Record Number: 58309
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090113054415.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 5:44 AM.

Record Number: 58308
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090113053914.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 5:39 AM.

Record Number: 58307
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090113053413.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: THORNBRUGHGAR84
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 5:34 AM.

Record Number: 58306
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090113052913.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------

Edited by FrozenVoid, 05 February 2009 - 08:51 PM.


#8 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 February 2009 - 08:53 PM

gmer.txt attached.

Attached Files

  • Attached File  gmer.txt   18.31KB   12 downloads


#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 06 February 2009 - 03:13 AM

IMPORTANT!! Uninstall these programs first (if present..) so that they won't interfere with our fixes..

1. Ask Toolbar
2. Lavasoft Ad-Aware
3. Spybot - Search & Destroy
4. Viewpoint (all of them..)




Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    C:\WINDOWS\system32\qoMCsRKB.dll
    C:\WINDOWS\system32\khfDSmNf.dll
    %windir%\system32\drivers\svchost.exe
    C:\WINDOWS\system32\fkqardtb.ini
    C:\WINDOWS\system32\oonqqtwa.ini2
    C:\WINDOWS\system32\oonqqtwa.ini
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E79A405C-3F7E-40BA-BF8C-9AAC31E8B241}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMCsRKB]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\drivers\svchost.exe"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\drivers\svchost.exe"=-
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. RSIT log.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 10 February 2009 - 03:50 PM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\qoMCsRKB.dll not found.
File/Folder C:\WINDOWS\system32\khfDSmNf.dll not found.
Folder C:\WINDOWS\system32\drivers\svchost.exe not found.
C:\WINDOWS\system32\fkqardtb.ini moved successfully.
C:\WINDOWS\system32\oonqqtwa.ini2 moved successfully.
C:\WINDOWS\system32\oonqqtwa.ini moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E79A405C-3F7E-40BA-BF8C-9AAC31E8B241}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMCsRKB\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\%windir%\system32\drivers\svchost.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list\\%windir%\system32\drivers\svchost.exe deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_144501

Edited by FrozenVoid, 10 February 2009 - 03:51 PM.


#11 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 10 February 2009 - 03:52 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Garrett Thornbrugh at 2009-02-10 14:48:42
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 88 GB (60%) free of 147 GB
Total RAM: 511 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:48 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Garrett Thornbrugh\Desktop\RSIT.exe
C:\Program Files\trend micro\Garrett Thornbrugh.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.baylor.edu
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6156 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\WebReg 20040814190224.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-06-07 3809280]
"nwiz"=nwiz.exe /install []
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe [2002-05-24 188416]
"HPHmon04"=C:\WINDOWS\System32\hphmon04.exe [2002-06-20 339968]
"HPHUPD04"=C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe [2002-05-24 49152]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
"VerizonServicepoint.exe"=C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe [2006-02-01 1880064]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-28 270648]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-12-20 125632]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-07 185896]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-14 1273488]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-12-20 43712]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRecentDocsNetHood"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe"="C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe:*:Disabled: "
"C:\Program Files\Valve\Steam\SteamApps\beandip25\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Valve\Steam\SteamApps\beandip25\half-life 2\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\half-life 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Atari\ArmA\arma.exe"="C:\Program Files\Atari\ArmA\arma.exe:*:Enabled:ArmA"
"C:\Program Files\Red Storm Entertainment\RavenShield\system\RavenShield.exe"="C:\Program Files\Red Storm Entertainment\RavenShield\system\RavenShield.exe:*:Enabled:RavenShield"
"C:\Program Files\Red Storm Entertainment\RavenShield\system\UCC.exe"="C:\Program Files\Red Storm Entertainment\RavenShield\system\UCC.exe:*:Enabled:UCC"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Valve\Steam\SteamApps\beandip25\garrysmod\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\beandip25\garrysmod\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"="C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe:*:Enabled:SPBBCSvc"
"C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe:*:Enabled:VerizonServicepoint"
"C:\WINDOWS\system32\hphmon04.exe"="C:\WINDOWS\system32\hphmon04.exe:*:Enabled:hphmon04"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\LaunchU3.exe


======List of files/folders created in the last 3 months======

2009-02-10 14:45:01 ----D---- C:\_OTMoveIt
2009-02-05 19:25:28 ----A---- C:\WINDOWS\gmer.ini
2009-02-05 19:25:27 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-02-05 19:25:27 ----A---- C:\WINDOWS\gmer.exe
2009-02-05 19:25:27 ----A---- C:\WINDOWS\gmer.dll
2009-02-05 19:23:40 ----D---- C:\Program Files\trend micro
2009-02-05 19:23:39 ----D---- C:\rsit
2009-02-05 19:18:56 ----D---- C:\Avenger
2009-02-05 19:18:56 ----A---- C:\avenger.txt
2009-02-05 18:43:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-04 09:43:38 ----A---- C:\WINDOWS\system32\CF24394.exe
2009-02-04 09:43:36 ----A---- C:\Bug.txt
2009-02-04 09:41:47 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Macromedia
2009-02-04 09:38:15 ----D---- C:\WINDOWS\temp
2009-02-04 09:38:15 ----D---- C:\temp
2009-02-04 09:37:33 ----D---- C:\Combo-Fix
2009-02-04 09:36:00 ----A---- C:\WINDOWS\system32\CF22895.exe
2009-02-04 09:24:19 ----A---- C:\WINDOWS\system32\CF20609.exe
2009-01-19 13:19:23 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-01-16 08:18:58 ----A---- C:\WINDOWS\hpqEmlSz.INI
2009-01-16 08:14:46 ----D---- C:\WINDOWS\pss
2009-01-15 11:01:11 ----SHD---- C:\RECYCLER
2009-01-15 08:43:34 ----A---- C:\Boot.bak
2009-01-15 08:43:20 ----RASHD---- C:\cmdcons
2009-01-15 08:41:11 ----D---- C:\WINDOWS\ERDNT
2009-01-14 08:37:51 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-14 08:37:43 ----D---- C:\Program Files\Common Files\PC Tools
2009-01-14 08:35:51 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Malwarebytes
2009-01-14 08:35:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-12 09:15:18 ----A---- C:\ituninst.bat
2009-01-12 08:55:19 ----A---- C:\WINDOWS\vpc32.INI
2008-12-06 07:11:13 ----A---- C:\WINDOWS\system32\c3f8735b-.txt

======List of files/folders modified in the last 3 months======

2009-02-10 14:46:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-10 14:45:02 ----D---- C:\WINDOWS\system32
2009-02-05 19:25:28 ----D---- C:\WINDOWS\system32\drivers
2009-02-05 19:25:28 ----D---- C:\WINDOWS
2009-02-05 19:23:40 ----RD---- C:\Program Files
2009-02-04 09:37:38 ----D---- C:\WINDOWS\system32\Restore
2009-02-04 09:34:31 ----SHD---- C:\System Volume Information
2009-02-03 00:36:33 ----D---- C:\Program Files\Residential Technology Configuration Utility 8.21
2009-01-25 16:27:20 ----D---- C:\Program Files\Symantec AntiVirus
2009-01-25 16:27:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-25 16:22:52 ----A---- C:\WINDOWS\ModemLog_Creatix V.9X DSP Data Fax Modem #2.txt
2009-01-25 16:13:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-25 16:12:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-25 01:30:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-01-24 17:51:11 ----D---- C:\WINDOWS\Minidump
2009-01-19 13:32:15 ----D---- C:\WINDOWS\Registration
2009-01-16 08:17:35 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\HP
2009-01-16 08:09:54 ----SHD---- C:\WINDOWS\Installer
2009-01-16 08:09:54 ----D---- C:\Config.Msi
2009-01-15 11:34:35 ----D---- C:\WINDOWS\WinSxS
2009-01-15 11:34:33 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-15 11:34:20 ----D---- C:\Program Files\Common Files\Adobe
2009-01-15 11:34:20 ----D---- C:\Program Files\Adobe
2009-01-15 10:55:36 ----A---- C:\WINDOWS\system.ini
2009-01-15 10:54:35 ----D---- C:\WINDOWS\AppPatch
2009-01-15 10:54:35 ----D---- C:\Program Files\Common Files
2009-01-15 10:50:39 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Mozilla
2009-01-15 09:34:12 ----D---- C:\WINDOWS\system32\config
2009-01-15 08:45:56 ----D---- C:\WINDOWS\system
2009-01-15 08:43:35 ----RASH---- C:\boot.ini
2009-01-15 08:30:06 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-14 11:34:16 ----D---- C:\Documents and Settings
2009-01-14 08:38:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-13 06:26:00 ----A---- C:\WINDOWS\NeroDigital.ini
2009-01-13 04:58:03 ----HD---- C:\WINDOWS\inf
2009-01-12 09:48:15 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-12 09:34:37 ----D---- C:\Program Files\Google
2009-01-12 09:34:35 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-12 09:15:11 ----D---- C:\Program Files\InterActual
2009-01-11 07:10:14 ----D---- C:\Documents and Settings\Garrett Thornbrugh\Application Data\Google
2008-12-14 21:49:52 ----A---- C:\WINDOWS\wininit.ini
2008-12-06 08:14:07 ----D---- C:\Program Files\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2006-07-10 15735]
R3 CardReaderFilter;Card Reader Filter; \??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS []
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2004-04-23 41984]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2004-03-17 135168]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 77ec6f47;77ec6f47; C:\WINDOWS\System32\drivers\77ec6f47.sys [2009-01-25 93420]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
S1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
S1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
S1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2006-07-10 590190]
S1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2006-07-10 21031]
S1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2006-07-10 26099]
S1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2006-07-10 15478]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-08-21 17801]
S2 MASPINT;MASPINT; C:\WINDOWS\system32\drivers\MASPINT.sys [2000-03-29 8096]
S2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2004-04-13 15781]
S3 2WIREPCP;2Wire USB; C:\WINDOWS\System32\DRIVERS\2WirePCP.sys [2004-09-15 68672]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 asbp2poa;asbp2poa; \??\C:\DOCUME~1\GARRET~1\LOCALS~1\Temp\asbp2poa.sys []
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 cmudax;C-Media Azalia Audio Interface; C:\WINDOWS\system32\drivers\cmudax.sys [2004-06-08 1390976]
S3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\System32\DRIVERS\hphid411.sys [2002-05-24 50896]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\System32\DRIVERS\hphipr11.sys [2002-05-24 16112]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11); C:\WINDOWS\System32\Drivers\hphs2k11.sys [2002-05-24 50276]
S3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2002-05-24 18928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-02-05 85969]
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2003-09-23 7296]
S3 gtndis5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S3 IIUSBISP;USB Mass Storage for USB ISP; C:\WINDOWS\System32\Drivers\iiusbisp.sys []
S3 Intels51;Creatix V.9X DSP Data Fax Modem; C:\WINDOWS\System32\DRIVERS\ctxs51.sys [2003-09-10 670203]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090125.005\naveng.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090125.005\navex15.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-06-07 2324480]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
S3 USB_RNDIS;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver v2; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2006-07-10 102398]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-06-28 106496]
S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-01-31 554616]
S2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
S2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-12-20 31424]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-30 168432]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2004-06-07 114755]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
S2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-12-20 1814720]
S2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 VETMSGNT;VET Message Service; C:\Program Files\Yahoo!\Antivirus\VetMsg.exe []
S2 WUSB54GSv2SVC;WUSB54GSv2SVC; C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-28 501048]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-01-31 2975352]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\System32\HPHipm11.exe [2002-05-24 77824]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-12-20 116928]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 YPCService;YPCService; C:\WINDOWS\system32\YPCSER~1.EXE [2003-05-19 86016]
S4 CAISafe;CAISafe; C:\Program Files\Yahoo!\Antivirus\ISafe.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []

-----------------EOF-----------------

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 10 February 2009 - 11:04 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 12 February 2009 - 03:15 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3848 (20090212)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=ada27d72d383274ba510b1ee79e22c9e
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-12 06:49:09
# local_time=2009-02-12 12:49:09 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=403973
# found=10
# scan_time=2756
C:\Documents and Settings\Garrett Thornbrugh\My Documents\Install_AIM.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Garrett Thornbrugh\My Documents\Install_AIM.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Garrett Thornbrugh\My Documents\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\PeoplePC\Branding\ppcstub.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090112-094802-192.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090112-094802-212.inf INF/Downloader.RK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090112-123005-983.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Residential Technology Configuration Utility 8.21\backups\backup-20090114-113307-621.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\77ec6f47.sys Win32/Rustock trojan (unable to clean - deleted) 00000000000000000000000000000000
D:\Tools\PeoplePC v5.2.0\PeoplePC\Branding\ppcstub.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000

#14 FrozenVoid

FrozenVoid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 13 February 2009 - 01:00 AM

I'm able to boot the computer now! :thumbup2:

I've also been able to update SAV10, and Windows.

So, am I clean?

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 13 February 2009 - 04:04 AM

Repeat the OTMoveIt3 step but this time with below script.. Post the log here after that..

:processes
explorer.exe

:services
77ec6f47

:files
C:\WINDOWS\System32\drivers\77ec6f47.sys

:reg

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]



Then run RSIT again for my final review :thumbup2:


Post these logs in your next reply..

1. OTMoveIt3
2. RSIT log.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users