Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Virus Trouble- Any help is appreciated!


  • This topic is locked This topic is locked
15 replies to this topic

#1 Bimmer14pa

Bimmer14pa

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 February 2009 - 10:05 AM

My computer was reciently hit with a Trojan. Norton Anti-Virus says it's Trojan Vundo which I believe is what my girlfriends computer got hit with as well. If you could help any help it would be greatly greatly appreciated.

Thanks in advance,

-Chris

Here is my HJT log sheet


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\yaywTMFv.dll
O2 - BHO: (no name) - {BB7AC767-C7D2-45AF-BAF1-C3C1A5D65B63} - C:\WINDOWS\system32\cbXPfdaa.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [a844f56d] rundll32.exe "C:\WINDOWS\system32\hgswexxb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: dlirrz.dll
O20 - Winlogon Notify: yaywTMFv - C:\WINDOWS\SYSTEM32\yaywTMFv.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8536 bytes

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 05 February 2009 - 11:08 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 February 2009 - 01:04 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1731
Windows 5.1.2600 Service Pack 3

2/5/2009 12:51:06 PM
mbam-log-2009-02-05 (12-51-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122348
Time elapsed: 1 hour(s), 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 29
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gbxruriv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgswexxb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqQjHwt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yaywTMFv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\retvjpuj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gbezxm.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{403f8f3d-fc0b-428c-9c35-1c25ef550c51} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{403f8f3d-fc0b-428c-9c35-1c25ef550c51} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywtmfv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{baa2e9bf-c748-42d4-a9c4-3ca669084256} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{baa2e9bf-c748-42d4-a9c4-3ca669084256} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb7ac767-c7d2-45af-baf1-c3c1a5d65b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb7ac767-c7d2-45af-baf1-c3c1a5d65b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{403f8f3d-fc0b-428c-9c35-1c25ef550c51} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{baa2e9bf-c748-42d4-a9c4-3ca669084256} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bb7ac767-c7d2-45af-baf1-c3c1a5d65b63} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ed52d81d-899d-4536-bba1-6eb78e68e600} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ed52d81d-899d-4536-bba1-6eb78e68e600} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a844f56d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ssqqjhwt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqqjhwt -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ssqQjHwt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\twHjQqss.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twHjQqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaywTMFv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gbezxm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cbXPfdaa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aadfPXbc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aadfPXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gbxruriv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\virurxbg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgswexxb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bxxewsgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPHBrq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrBHPqss.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrBHPqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\retvjpuj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\5COA5IH6\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\5COA5IH6\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\5COA5IH6\yetlee[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\HXZCAUBB\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\HXZCAUBB\qjnxuvis[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\NQYRQR36\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\NQYRQR36\yeofzmq[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\PUPHZ180\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temporary Internet Files\Content.IE5\PUPHZ180\syurof[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUKaxxY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wdjjyvon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl377.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl6.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl9.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temp\winlognn.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Chris Ferenz\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.

#4 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 February 2009 - 01:06 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Chris Ferenz at 2009-02-05 13:04:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 45 GB (62%) free of 72 GB
Total RAM: 1023 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:54 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\Rar$EX10.656\gmer.exe
C:\Documents and Settings\Chris Ferenz\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Chris Ferenz.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {5B8726AB-4944-4D73-90BF-888065B2AC74} - C:\WINDOWS\system32\ssqQjHwt.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: dlirrz.dll gbezxm.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7833 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2132221565-445815717-289932066-1005.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B8726AB-4944-4D73-90BF-888065B2AC74}]
C:\WINDOWS\system32\ssqQjHwt.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\Quickset.exe [2005-03-04 606208]
"ccApp"=c:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-12-21 48800]
"vptray"=c:\PROGRA~1\SYMANT~1\VPTray.exe [2005-12-21 85744]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-01-31 385024]
"Zune Launcher"=c:\Program Files\Zune\ZuneLauncher.exe [2008-11-10 157312]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe [2006-12-15 75520]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2008-09-19 615696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"NCLaunch"=C:\WINDOWS\NCLAUNCH.EXe [2007-02-08 40960]
"Google Update"=C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 133104]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-21 342848]

C:\Documents and Settings\Chris Ferenz\Start Menu\Programs\Startup
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="dlirrz.dll gbezxm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-12-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
c:\WINDOWS\system32\NavLogon.dll [2005-12-21 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1147823858\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1147823858\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1147823858\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1147823858\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Chris Ferenz\Desktop\THE WHOLE WORLD\Movie player\Azureus\Azureus.exe"="C:\Documents and Settings\Chris Ferenz\Desktop\THE WHOLE WORLD\Movie player\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike source\hl2.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\SteamApps\vrjetta14\team fortress classic\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\team fortress classic\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\Steam\SteamApps\vrjetta14\the ship\ship.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\the ship\ship.exe:*:Enabled:ship"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Steam\steam.exe"="C:\Program Files\Steam\steam.exe:*:Enabled:Steam"
"C:\Program Files\Steam\SteamApps\vrjetta14\half-life\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\half-life\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412c5cd3-daec-11db-9a35-00123fd7d4cf}]
shell\AutoRun\command - E:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b7d24aa-138a-11db-8a8a-00123fd7d4cf}]
shell\AutoRun\command - J:\LaunchU3.exe


======List of files/folders created in the last 3 months======

2009-02-05 13:00:47 ----A---- C:\WINDOWS\gmer.ini
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer.exe
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer.dll
2009-02-05 12:59:03 ----D---- C:\rsit
2009-02-05 11:43:41 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Malwarebytes
2009-02-05 11:43:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-05 11:43:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-04 02:00:26 ----D---- C:\Program Files\Trend Micro
2009-02-04 00:08:45 ----A---- C:\WINDOWS\system32\a3673113-.txt
2009-02-04 00:01:51 ----D---- C:\Program Files\AVS4YOU
2009-02-04 00:01:34 ----D---- C:\WINDOWS\system32\tov15
2009-02-01 14:27:20 ----D---- C:\Program Files\Microsoft Silverlight
2009-01-20 16:47:58 ----D---- C:\Program Files\SmartDraw 2009
2009-01-14 23:37:04 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-06 20:13:10 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-01-02 12:27:45 ----D---- C:\Program Files\XoftSpySE
2008-12-31 15:27:51 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\GARMIN
2008-12-31 15:27:31 ----D---- C:\Garmin
2008-12-31 15:27:30 ----D---- C:\Program Files\Garmin GPS Plugin
2008-12-29 20:25:15 ----D---- C:\Netgear
2008-12-09 18:03:14 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-09 17:54:01 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-09 17:51:56 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-09 17:48:53 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-07 19:42:33 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\BitTorrent
2008-12-07 19:41:42 ----D---- C:\Program Files\BitTorrent
2008-12-03 00:20:44 ----D---- C:\Program Files\Google
2008-12-03 00:08:38 ----D---- C:\Program Files\DNA
2008-12-03 00:08:38 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\DNA
2008-11-23 23:01:20 ----D---- C:\Documents and Settings\All Users\Application Data\Azureus
2008-11-21 15:42:28 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Blackberry Desktop
2008-11-21 15:39:18 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Research In Motion
2008-11-21 15:38:42 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2008-11-21 15:29:51 ----SHD---- C:\WINDOWS\ftpcache
2008-11-21 10:12:41 ----D---- C:\Program Files\Research In Motion
2008-11-21 10:12:41 ----D---- C:\Program Files\Common Files\Research In Motion
2008-11-20 19:38:29 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\PTGui Pro
2008-11-20 19:38:22 ----D---- C:\Program Files\PTGui
2008-11-12 15:02:42 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 15:02:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 15:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-10 12:23:42 ----A---- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23:38 ----A---- C:\WINDOWS\system32\ZuneBusEnum.exe

======List of files/folders modified in the last 3 months======

2009-02-05 13:00:47 ----D---- C:\WINDOWS
2009-02-05 13:00:46 ----D---- C:\WINDOWS\system32\drivers
2009-02-05 12:56:23 ----D---- C:\Program Files\Mozilla Firefox
2009-02-05 12:55:23 ----D---- C:\WINDOWS\Prefetch
2009-02-05 12:55:04 ----A---- C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt
2009-02-05 12:52:41 ----D---- C:\WINDOWS\system32
2009-02-05 12:52:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-05 12:51:02 ----D---- C:\Program Files
2009-02-05 12:28:24 ----D---- C:\WINDOWS\Temp
2009-02-05 08:27:19 ----D---- C:\WINDOWS\system32\Restore
2009-02-05 08:15:02 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-02-05 08:14:35 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-04 14:20:53 ----SHD---- C:\WINDOWS\CSC
2009-02-04 14:16:51 ----D---- C:\temp
2009-02-04 11:37:10 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-02-04 01:41:43 ----D---- C:\My Downloads
2009-02-04 00:12:18 ----D---- C:\Program Files\Common Files\AVSMedia
2009-02-01 14:27:23 ----SHD---- C:\WINDOWS\Installer
2009-02-01 14:27:23 ----SHD---- C:\Config.Msi
2009-01-15 14:18:48 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-15 14:02:58 ----HD---- C:\WINDOWS\inf
2009-01-14 23:35:03 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-09 17:35:30 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-02 12:27:48 ----SD---- C:\WINDOWS\Tasks
2008-12-30 21:16:45 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-27 08:41:42 ----A---- C:\WINDOWS\imsins.BAK
2008-12-27 08:41:17 ----D---- C:\WINDOWS\ie7updates
2008-12-13 16:55:56 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 16:07:29 ----SHD---- C:\System Volume Information
2008-12-12 16:03:21 ----RSD---- C:\WINDOWS\assembly
2008-12-12 16:02:21 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-12 16:02:11 ----D---- C:\Program Files\Zune
2008-12-09 18:01:54 ----D---- C:\Program Files\Internet Explorer
2008-12-03 00:10:48 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Azureus
2008-11-22 11:27:27 ----D---- C:\WINDOWS\Help
2008-11-21 10:15:02 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-21 10:12:41 ----D---- C:\Program Files\Common Files
2008-11-18 12:34:11 ----D---- C:\Program Files\NCH Software
2008-11-18 12:30:22 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-12 15:00:56 ----D---- C:\WINDOWS\WinSxS
2008-11-06 22:17:35 ----D---- C:\Program Files\Common Files\Adobe
2008-11-06 22:17:35 ----D---- C:\Program Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2004-08-18 16128]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2004-02-13 17153]
R1 SAVRTPEL;SAVRTPEL; \??\c:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-12-04 800768]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-05-26 44928]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-06-17 200064]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090204.021\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090204.021\navex15.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SAVRT;SAVRT; \??\c:\Program Files\Symantec AntiVirus\savrt.sys []
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-10-21 3210496]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
S3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-11-16 108791]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-02-05 85969]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2006-05-10 36736]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 pfsvgae;pfsvgae; \??\C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-13 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-13 11008]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WinUSB;WinUSB; C:\WINDOWS\system32\DRIVERS\WinUSB.sys [2006-11-02 39368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-12-04 405504]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ccEvtMgr;Symantec Event Manager; c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager; c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-12-21 177824]
R2 DefWatch;Symantec AntiVirus Definition Watcher; c:\Program Files\Symantec AntiVirus\DefWatch.exe [2005-12-21 20208]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [2005-03-03 356352]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 Symantec AntiVirus;Symantec AntiVirus; c:\Program Files\Symantec AntiVirus\Rtvscan.exe [2005-12-21 1756912]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 ZuneBusEnum;Zune Bus Enumerator; c:\WINDOWS\system32\ZuneBusEnum.exe [2008-11-10 60032]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-02-03 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccPwdSvc;Symantec Password Validation; c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-12-21 83616]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-09-06 658432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; c:\Program Files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]
S3 SPBBCSvc;Symantec SPBBCSvc; c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-30 992864]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 ZuneNetworkSvc;Zune Network Sharing Service; c:\Program Files\Zune\ZuneNss.exe [2008-11-10 5117568]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-11-10 243840]

-----------------EOF-----------------

#5 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 February 2009 - 01:08 PM

If there is anything I am missing please let me know.

Thank you in advance,

-Chris

Ps.. when I ran the RSIT, it only spit me out one log so that's what my second post is. Hope this helps

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 06 February 2009 - 01:07 AM

IMPORTANT!! Uninstall these programs first (if present..) so that they won't interfere with our fixes..

1. Ask Toolbar
2. Lavasoft Ad-Aware
3. Spybot - Search & Destroy
4. Viewpoint (all of them..)




Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    C:\WINDOWS\system32\ssqQjHwt.dll
    C:\WINDOWS\system32\a3673113-.txt
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B8726AB-4944-4D73-90BF-888065B2AC74}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)

Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. Dr. Web CureIt
3. RSIT log.txt
4. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 06 February 2009 - 11:53 AM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\ssqQjHwt.dll not found.
C:\WINDOWS\system32\a3673113-.txt moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B8726AB-4944-4D73-90BF-888065B2AC74}\\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\etilqs_9nOsoDwa651mLTncq8X5 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02062009_115203

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 06 February 2009 - 01:01 PM

waiting for other logs :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 07 February 2009 - 01:56 PM

I ran Cure it but it didn't find anything and when I went to File and attempted to save the log, nothing was there and the link to save was shaded out so I couldn't click it.

#10 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 07 February 2009 - 01:58 PM

And here's the RSIT




Logfile of random's system information tool 1.05 (written by random/random)
Run by Chris Ferenz at 2009-02-07 13:57:23
Microsoft Windows XP Professional Service Pack 3
System drive C: has 45 GB (62%) free of 72 GB
Total RAM: 1023 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:32 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris Ferenz\Desktop\Virus Fighting\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Chris Ferenz.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7792 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2132221565-445815717-289932066-1005.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}]
C:\WINDOWS\system32\hsfd83jfdg.dll - C:\WINDOWS\system32\hsfd83jfdg.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\Quickset.exe [2005-03-04 606208]
"ccApp"=c:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-12-21 48800]
"vptray"=c:\PROGRA~1\SYMANT~1\VPTray.exe [2005-12-21 85744]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-01-31 385024]
"Zune Launcher"=c:\Program Files\Zune\ZuneLauncher.exe [2008-11-10 157312]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe [2006-12-15 75520]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2008-09-19 615696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"NCLaunch"=C:\WINDOWS\NCLAUNCH.EXe [2007-02-08 40960]
"Google Update"=C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 133104]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-21 342848]

C:\Documents and Settings\Chris Ferenz\Start Menu\Programs\Startup
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-12-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
c:\WINDOWS\system32\NavLogon.dll [2005-12-21 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\ssqQjHwt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1147823858\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1147823858\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1147823858\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1147823858\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Chris Ferenz\Desktop\THE WHOLE WORLD\Movie player\Azureus\Azureus.exe"="C:\Documents and Settings\Chris Ferenz\Desktop\THE WHOLE WORLD\Movie player\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike source\hl2.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\SteamApps\vrjetta14\team fortress classic\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\team fortress classic\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\Steam\SteamApps\vrjetta14\the ship\ship.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\the ship\ship.exe:*:Enabled:ship"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Steam\steam.exe"="C:\Program Files\Steam\steam.exe:*:Enabled:Steam"
"C:\Program Files\Steam\SteamApps\vrjetta14\half-life\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\half-life\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike\hl.exe"="C:\Program Files\Steam\SteamApps\vrjetta14\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1124376087\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412c5cd3-daec-11db-9a35-00123fd7d4cf}]
shell\AutoRun\command - E:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b7d24aa-138a-11db-8a8a-00123fd7d4cf}]
shell\AutoRun\command - J:\LaunchU3.exe


======List of files/folders created in the last 3 months======

2009-02-06 11:52:03 ----D---- C:\_OTMoveIt
2009-02-05 13:00:47 ----A---- C:\WINDOWS\gmer.ini
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer.exe
2009-02-05 13:00:46 ----A---- C:\WINDOWS\gmer.dll
2009-02-05 12:59:03 ----D---- C:\rsit
2009-02-05 11:43:41 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Malwarebytes
2009-02-05 11:43:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-05 11:43:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-04 02:00:26 ----D---- C:\Program Files\Trend Micro
2009-02-04 00:01:51 ----D---- C:\Program Files\AVS4YOU
2009-02-04 00:01:34 ----D---- C:\WINDOWS\system32\tov15
2009-02-01 14:27:20 ----D---- C:\Program Files\Microsoft Silverlight
2009-01-20 16:47:58 ----D---- C:\Program Files\SmartDraw 2009
2009-01-14 23:37:04 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-06 20:13:10 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-01-02 12:27:45 ----D---- C:\Program Files\XoftSpySE
2008-12-31 15:27:51 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\GARMIN
2008-12-31 15:27:31 ----D---- C:\Garmin
2008-12-31 15:27:30 ----D---- C:\Program Files\Garmin GPS Plugin
2008-12-29 20:25:15 ----D---- C:\Netgear
2008-12-09 18:03:14 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-09 17:54:01 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-09 17:51:56 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-09 17:48:53 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-07 19:42:33 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\BitTorrent
2008-12-07 19:41:42 ----D---- C:\Program Files\BitTorrent
2008-12-03 00:20:44 ----D---- C:\Program Files\Google
2008-12-03 00:08:38 ----D---- C:\Program Files\DNA
2008-12-03 00:08:38 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\DNA
2008-11-23 23:01:20 ----D---- C:\Documents and Settings\All Users\Application Data\Azureus
2008-11-21 15:42:28 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Blackberry Desktop
2008-11-21 15:39:18 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Research In Motion
2008-11-21 15:38:42 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2008-11-21 15:29:51 ----SHD---- C:\WINDOWS\ftpcache
2008-11-21 10:12:41 ----D---- C:\Program Files\Research In Motion
2008-11-21 10:12:41 ----D---- C:\Program Files\Common Files\Research In Motion
2008-11-20 19:38:29 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\PTGui Pro
2008-11-20 19:38:22 ----D---- C:\Program Files\PTGui
2008-11-12 15:02:42 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 15:02:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 15:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-10 12:23:42 ----A---- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23:38 ----A---- C:\WINDOWS\system32\ZuneBusEnum.exe

======List of files/folders modified in the last 3 months======

2009-02-07 13:55:03 ----D---- C:\Program Files\Mozilla Firefox
2009-02-07 11:03:56 ----D---- C:\WINDOWS\Prefetch
2009-02-07 10:50:01 ----D---- C:\WINDOWS\Temp
2009-02-07 10:46:21 ----SD---- C:\WINDOWS\Tasks
2009-02-06 22:22:53 ----A---- C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt
2009-02-06 16:24:04 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-02-06 16:18:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-06 16:16:56 ----D---- C:\WINDOWS\system32
2009-02-06 11:33:39 ----D---- C:\WINDOWS
2009-02-05 13:00:46 ----D---- C:\WINDOWS\system32\drivers
2009-02-05 12:51:02 ----D---- C:\Program Files
2009-02-05 08:27:19 ----D---- C:\WINDOWS\system32\Restore
2009-02-05 08:15:02 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-02-05 08:14:35 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-04 14:20:53 ----SHD---- C:\WINDOWS\CSC
2009-02-04 14:16:51 ----D---- C:\temp
2009-02-04 01:41:43 ----D---- C:\My Downloads
2009-02-04 00:12:18 ----D---- C:\Program Files\Common Files\AVSMedia
2009-02-01 14:27:23 ----SHD---- C:\WINDOWS\Installer
2009-02-01 14:27:23 ----SHD---- C:\Config.Msi
2009-01-15 14:18:48 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-15 14:02:58 ----HD---- C:\WINDOWS\inf
2009-01-14 23:37:12 ----A---- C:\WINDOWS\imsins.BAK
2009-01-14 23:35:03 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-09 17:35:30 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-30 21:16:45 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-27 08:41:17 ----D---- C:\WINDOWS\ie7updates
2008-12-13 16:55:56 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 16:07:29 ----SHD---- C:\System Volume Information
2008-12-12 16:03:21 ----RSD---- C:\WINDOWS\assembly
2008-12-12 16:02:21 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-12 16:02:11 ----D---- C:\Program Files\Zune
2008-12-09 18:01:54 ----D---- C:\Program Files\Internet Explorer
2008-12-03 00:10:48 ----D---- C:\Documents and Settings\Chris Ferenz\Application Data\Azureus
2008-11-22 11:27:27 ----D---- C:\WINDOWS\Help
2008-11-21 10:15:02 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-21 10:12:41 ----D---- C:\Program Files\Common Files
2008-11-18 12:34:11 ----D---- C:\Program Files\NCH Software
2008-11-18 12:30:22 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-12 15:00:56 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2004-08-18 16128]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2004-02-13 17153]
R1 SAVRTPEL;SAVRTPEL; \??\c:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-12-04 800768]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-05-26 44928]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-06-17 200064]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090206.007\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090206.007\navex15.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SAVRT;SAVRT; \??\c:\Program Files\Symantec AntiVirus\savrt.sys []
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-10-21 3210496]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
S3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-11-16 108791]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-02-05 85969]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2006-05-10 36736]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 pfsvgae;pfsvgae; \??\C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-13 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-13 11008]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WinUSB;WinUSB; C:\WINDOWS\system32\DRIVERS\WinUSB.sys [2006-11-02 39368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-12-04 405504]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ccEvtMgr;Symantec Event Manager; c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager; c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-12-21 177824]
R2 DefWatch;Symantec AntiVirus Definition Watcher; c:\Program Files\Symantec AntiVirus\DefWatch.exe [2005-12-21 20208]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [2005-03-03 356352]
R2 Symantec AntiVirus;Symantec AntiVirus; c:\Program Files\Symantec AntiVirus\Rtvscan.exe [2005-12-21 1756912]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 ZuneBusEnum;Zune Bus Enumerator; c:\WINDOWS\system32\ZuneBusEnum.exe [2008-11-10 60032]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-02-03 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccPwdSvc;Symantec Password Validation; c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-12-21 83616]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-09-06 658432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; c:\Program Files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]
S3 SPBBCSvc;Symantec SPBBCSvc; c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-30 992864]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 ZuneNetworkSvc;Zune Network Sharing Service; c:\Program Files\Zune\ZuneNss.exe [2008-11-10 5117568]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-11-10 243840]

-----------------EOF-----------------

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 08 February 2009 - 12:31 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 10 February 2009 - 11:50 PM

ComboFix 09-02-10.01 - Chris Ferenz 2009-02-10 23:37:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.353 [GMT -5:00]
Running from: c:\documents and settings\Chris Ferenz\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-06 12:02 . 2009-02-06 12:25 <DIR> d-------- c:\documents and settings\Chris Ferenz\DoctorWeb
2009-02-06 11:52 . 2009-02-06 11:52 <DIR> d-------- C:\_OTMoveIt
2009-02-05 13:00 . 2009-02-05 13:02 250 --a------ c:\windows\gmer.ini
2009-02-05 12:59 . 2009-02-05 12:59 <DIR> d-------- C:\rsit
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\documents and settings\Chris Ferenz\Application Data\Malwarebytes
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-05 11:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 11:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 02:00 . 2009-02-04 02:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 00:01 . 2009-02-04 00:01 <DIR> d-------- c:\windows\system32\tov15
2009-02-04 00:01 . 2009-02-04 00:01 <DIR> d-------- c:\temp\sTMP3
2009-02-04 00:01 . 2009-02-04 00:12 <DIR> d-------- c:\program files\AVS4YOU
2009-02-03 23:53 . 2009-02-03 23:53 322 --a------ c:\windows\system32\temp_0000_85-19.aok
2009-02-03 23:53 . 2009-02-03 23:53 166 --a------ c:\windows\system32\test.aok
2009-02-01 14:27 . 2009-02-01 14:27 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-20 16:47 . 2009-01-20 17:09 <DIR> d-------- c:\program files\SmartDraw 2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 04:43 --------- d-----w c:\program files\DNA
2009-02-11 04:43 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\DNA
2009-02-04 05:12 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-04 04:58 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\BitTorrent
2009-02-02 19:06 --------- d-----w c:\program files\XoftSpySE
2009-01-15 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-31 20:27 --------- d-----w c:\program files\Garmin GPS Plugin
2008-12-31 20:27 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\GARMIN
2008-12-12 21:02 --------- d-----w c:\program files\Zune
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-29 23:29 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-08-21 20:55 0 -c--a-w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-08-09 18:35 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-02-12 23:44 0 -c-h--w c:\program files\AppUpdate.log
2005-11-26 22:09 774,144 -c--a-w c:\program files\RngInterstitial.dll
2006-04-25 04:14 952 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-20 17:34 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-02-08 40960]
"Google Update"="c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-21 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-21 85744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2008-09-06 99376]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412c5cd3-daec-11db-9a35-00123fd7d4cf}]
\Shell\AutoRun\command - E:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b7d24aa-138a-11db-8a8a-00123fd7d4cf}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2132221565-445815717-289932066-1005.job
- c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 10:16]

2009-02-11 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 12:08]

2009-01-02 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 12:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris Ferenz\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bimmerforums.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\documents and settings\Chris Ferenz\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 23:43:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2132221565-445815717-289932066-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC61CD41-FBC0-4BCB-051F-ACDAA82A4E11}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaipllobli"=hex:66,61,6b,6e,6d,63,62,6f,6a,6e,65,70,00,31
"dajoameo"=hex:64,62,6d,65,6f,63,64,6d,61,69,6a,6c,62,6d,6a,6a,69,68,70,6b,6f,
66,68,61,66,6a,6b,62,68,69,70,65,65,6d,61,6a,67,63,65,64,00,00
"iaafmdcehaalcolcag"=hex:6a,61,64,66,61,6d,70,6e,65,67,64,64,6f,68,61,6d,6b,61,
6a,64,00,00
"hacfbbhhpfgngkld"=hex:6a,61,64,66,61,6d,70,6e,65,67,64,64,6f,68,61,6d,6b,61,
6a,64,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ZuneBusEnum.exe
.
**************************************************************************
.
Completion time: 2009-02-10 23:48:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 04:48:08

Pre-Run: 46,808,559,616 bytes free
Post-Run: 47,211,753,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

189 --- E O F --- 2009-01-15 04:38:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:25 PM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7298 bytes

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 11 February 2009 - 12:17 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
pfsvgae

File::
c:\windows\system32\temp_0000_85-19.aok
c:\windows\system32\test.aok
c:\docume~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys

RegNull::
[HKEY_USERS\S-1-5-21-2132221565-445815717-289932066-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC61CD41-FBC0-4BCB-051F-ACDAA82A4E11}*]

RegLock::
[HKEY_USERS\S-1-5-21-2132221565-445815717-289932066-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC61CD41-FBC0-4BCB-051F-ACDAA82A4E11}*]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 Bimmer14pa

Bimmer14pa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 12 February 2009 - 06:36 PM

ComboFix 09-02-12.03 - Chris Ferenz 2009-02-12 18:21:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.411 [GMT -5:00]
Running from: c:\documents and settings\Chris Ferenz\Desktop\Virus Fighting\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Ferenz\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\CHRISF~1\LOCALS~1\Temp\pfsvgae.sys
c:\windows\system32\temp_0000_85-19.aok
c:\windows\system32\test.aok
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\temp_0000_85-19.aok
c:\windows\system32\test.aok

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PFSVGAE
-------\Service_pfsvgae


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-06 12:02 . 2009-02-06 12:25 <DIR> d-------- c:\documents and settings\Chris Ferenz\DoctorWeb
2009-02-06 11:52 . 2009-02-06 11:52 <DIR> d-------- C:\_OTMoveIt
2009-02-05 13:00 . 2009-02-05 13:02 250 --a------ c:\windows\gmer.ini
2009-02-05 12:59 . 2009-02-05 12:59 <DIR> d-------- C:\rsit
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\documents and settings\Chris Ferenz\Application Data\Malwarebytes
2009-02-05 11:43 . 2009-02-05 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-05 11:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 11:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 02:00 . 2009-02-04 02:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 00:01 . 2009-02-04 00:01 <DIR> d-------- c:\windows\system32\tov15
2009-02-04 00:01 . 2009-02-04 00:01 <DIR> d-------- c:\temp\sTMP3
2009-02-04 00:01 . 2009-02-04 00:12 <DIR> d-------- c:\program files\AVS4YOU
2009-02-01 14:27 . 2009-02-01 14:27 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-20 16:47 . 2009-01-20 17:09 <DIR> d-------- c:\program files\SmartDraw 2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 23:29 --------- d-----w c:\program files\DNA
2009-02-12 23:29 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\DNA
2009-02-11 19:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 05:12 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-04 04:58 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\BitTorrent
2009-02-02 19:06 --------- d-----w c:\program files\XoftSpySE
2009-01-07 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-31 20:27 --------- d-----w c:\program files\Garmin GPS Plugin
2008-12-31 20:27 --------- d-----w c:\documents and settings\Chris Ferenz\Application Data\GARMIN
2008-12-12 21:02 --------- d-----w c:\program files\Zune
2008-08-29 23:29 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-08-21 20:55 0 -c--a-w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-08-09 18:35 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-02-12 23:44 0 -c-h--w c:\program files\AppUpdate.log
2005-11-26 22:09 774,144 -c--a-w c:\program files\RngInterstitial.dll
2006-04-25 04:14 952 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-20 17:34 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_23.47.02.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2009-01-15 04:37:58 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-11 19:22:12 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-01-15 04:37:59 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-11 19:22:13 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-15 04:37:59 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\Icon.D7845768.A511.4C07.AF3C.3F0CA6DBF07A.exe
+ 2009-02-11 19:22:14 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\Icon.D7845768.A511.4C07.AF3C.3F0CA6DBF07A.exe
- 2009-01-15 04:37:58 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-11 19:22:12 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-01-15 04:37:59 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-02-11 19:22:12 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-15 04:37:59 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-11 19:22:13 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-01-15 04:37:59 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-11 19:22:13 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-15 04:37:59 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-11 19:22:13 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-15 04:37:59 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-11 19:22:12 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-15 04:37:59 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-11 19:22:13 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-01-15 04:37:59 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-11 19:22:13 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-15 04:37:59 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-11 19:22:13 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-01-15 04:37:58 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-11 19:22:12 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 ------w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-02-08 40960]
"Google Update"="c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-21 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-21 85744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2008-09-06 99376]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412c5cd3-daec-11db-9a35-00123fd7d4cf}]
\Shell\AutoRun\command - E:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b7d24aa-138a-11db-8a8a-00123fd7d4cf}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2132221565-445815717-289932066-1005.job
- c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 10:16]

2009-02-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 12:08]

2009-01-02 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-23 12:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris Ferenz\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bimmerforums.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\documents and settings\Chris Ferenz\Application Data\Mozilla\Firefox\Profiles\w1ue6k5x.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Chris Ferenz\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 18:30:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ZuneBusEnum.exe
.
**************************************************************************
.
Completion time: 2009-02-12 18:34:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 23:34:22
ComboFix2.txt 2009-02-11 04:48:51

Pre-Run: 47,034,847,232 bytes free
Post-Run: 47,020,281,856 bytes free

361 --- E O F --- 2009-02-11 19:24:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:19 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris Ferenz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7330 bytes

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 13 February 2009 - 01:49 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users