# hijack this log help please

### #1 motherof4

motherof4

Posted 17 March 2009 - 06:18 PM

Hello, I'm new to this forum and don't know that much about computers, but I just got this Dell Latitude from someone, and it had yoog in it. I think I managed to clean it out, but I wanted to check my HijackThis log, and I have no idea what I'm looking at, so if someone could please help. Only helpful comments. Thank you in advance!

Attached: hijackthis.log (7.25KB)

Edited by motherof4, 17 March 2009 - 06:43 PM.

### #2 Net_Surfer

Net_Surfer

Posted 17 March 2009 - 09:40 PM

I will be working on your Malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing "your computer problems only" and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

Please be patient and I'd be grateful if you would note the following:

1. The cleaning process is not instant. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

OK, motherof4, please observe these rules while we work:
• Perform all actions in the order given.
• If you don't know or understand something, please don't hesitate to say so or ask! It's better to be sure and safe than sorry.
• Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
• Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.
If you can do these things, everything should go smoothly.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Step #1.

random's system information tool (RSIT)

Please note that it is important that RSIT be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly.
• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open.

• Please post the contents of both log.txt and info.txt.
Kind Regards

Net_Surfer

### #3 motherof4

motherof4

Posted 18 March 2009 - 09:01 AM

Thank you, Net_Surfer, for your help and time. I added this topic to email notifications, then disabled Symantec AV, ran RSIT, and this is what I got:

info.txt logfile of random's system information tool 1.05 2009-03-18 09:43:20

======Uninstall list======

=====HijackThis Backups=====

O24 - Desktop Component 1: (no name) - http://images.craigslist.org/0115120116010...a2e77006dbc.jpg
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\My.Freeze.com Toolbar\freeze_us.dll (file missing)
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O3 - Toolbar: My.Freeze.com Toolbar - {D0523BB4-21E7-11DD-9AB7-415B56D89593} - C:\Program Files\My.Freeze.com Toolbar\freeze_us.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

======Security center information======

AV: Symantec AntiVirus Corporate Edition (disabled)

System event log

Computer Name: 3AND3
Event Code: 7036
Message: The Windows Installer service entered the running state.

Record Number: 9312
Source Name: Service Control Manager
Time Written: 20090305221342.000000-300
Event Type: information
User:

Computer Name: 3AND3
Event Code: 7035
Message: The Windows Installer service was successfully sent a start control.

Record Number: 9311
Source Name: Service Control Manager
Time Written: 20090305221342.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: 3AND3
Event Code: 4201
Message: The system detected that network adapter \DEVICE\TCPIP_{4332371D-3841-43C7-8979-577E0A9DF086} was connected to the network,
and has initiated normal operation over the network adapter.

Record Number: 9310
Source Name: Tcpip
Time Written: 20090305220642.000000-300
Event Type: information
User:

Computer Name: 3AND3
Event Code: 4202
Message: The system detected that network adapter \DEVICE\TCPIP_{4332371D-3841-43C7-8979-577E0A9DF086} was disconnected from the network,
and the adapter's network configuration has been released. If the network
adapter was not disconnected, this may indicate that it has malfunctioned.

Record Number: 9309
Source Name: Tcpip
Time Written: 20090305220637.000000-300
Event Type: information
User:

Computer Name: 3AND3
Event Code: 7036
Message: The Windows Image Acquisition (WIA) service entered the running state.

Record Number: 9308
Source Name: Service Control Manager
Time Written: 20090305220636.000000-300
Event Type: information
User:

Application event log

Computer Name: USER-E6224A4A82
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 5700
Source Name: Userenv
Time Written: 20090228162309.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-E6224A4A82
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 5699
Source Name: Userenv
Time Written: 20090228160908.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-E6224A4A82
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 5698
Source Name: Userenv
Time Written: 20090228160908.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-E6224A4A82
Event Code: 51
Message:

Security Risk Found!Risk: Trojan.Brisv.A in File: C:\Documents and Settings\User\My Documents\My Music\other\frost wire bleep\The Riot Squad - I take it We're Through.mp3 by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Record Number: 5697
Source Name: Symantec AntiVirus
Time Written: 20090228150342.000000-300
Event Type: error
User:

Computer Name: USER-E6224A4A82
Event Code: 5
Message:

Risk Found!Risk: Trojan.Brisv.A in File: C:\Documents and Settings\User\My Documents\My Music\other\frost wire bleep\The Riot Squad - I take it We're Through.mp3 by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Record Number: 5696
Source Name: Symantec AntiVirus
Time Written: 20090228150342.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------

The other one I accidentally exited out of. Can you tell me how to pull it back up? Also, how can I delete the attachment I sent on my first post? Thank you! I really want to clean my computer and get everything I don't need out!
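What a log reader checks first in the HijackThis-format lines posted in this thread, as an added example (not HijackThis, RSIT, or the forum's own tooling): a small Python triage script that parses the "Oxx - ..." item lines and flags orphaned BHO/toolbar/button entries, a populated AppInit_DLLs value, a Winlogon Notify entry registered without a DLL, an unknown-owner service and any Winsock LSP line. The sample log is constructed from lines in the shape of the ones above; the flag names and rules are this example's own.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread (not HijackThis, RSIT or the forum's own
tooling). It reads "Oxx - ..." item lines and flags the things a log
reader looks at first: entries whose file is gone, a populated
AppInit_DLLs value, a Winlogon Notify entry with no DLL path, services
with an unknown owner, and Winsock LSP lines (never fixed blindly).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lines look like "O2 - BHO: name - {GUID} - path" or "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# Bare DLL names as they appear in AppInit_DLLs, split on comma or space.
DLL_RE = re.compile(r"[^\s,]+\.dll", re.IGNORECASE)


@dataclass
class Entry:
    section: str                                  # e.g. "O2", "O20", "O23"
    body: str                                     # text after "Oxx - "
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("sec"), m.group("body"))


def flag_entry(e: Entry) -> Entry:
    """Attach triage flags to one entry (rules are this example's own)."""
    if e.section in ("O2", "O3", "O9") and MISSING_RE.search(e.body):
        # Registry key survived a removal but the file is gone.
        e.flags.append("ORPHANED_ENTRY")
    if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
        dlls = DLL_RE.findall(e.body)
        if dlls:
            # AppInit_DLLs are loaded into every process that maps user32.dll,
            # so a populated value always deserves a look.
            e.flags.append("APPINIT_DLLS:%d" % len(dlls))
    if e.section == "O20" and e.body.startswith("Winlogon Notify:"):
        target = e.body.rsplit(" - ", 1)[-1]
        if not target.lower().endswith(".dll"):
            # Notify package registered with a directory, not a DLL file.
            e.flags.append("NOTIFY_NO_DLL")
    if e.section == "O23" and "Unknown owner" in e.body:
        e.flags.append("SERVICE_UNKNOWN_OWNER")
    if e.section == "O10":
        e.flags.append("LSP_ENTRY")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every item line and return only the entries that got a flag."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and flag_entry(e).flags:
            out.append(e)
    return out


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count flagged entries by flag kind, e.g. {"ORPHANED_ENTRY": 2, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        for f in e.flags:
            kind = f.split(":")[0]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: a few lines in the shape of the log in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {14C12A67-0E23-456A-864F-A0CDE98A34D5} - (no file)
O2 - BHO: (no name) - {48B4FD4F-8FF9-4BC1-8050-A7225A5F1285} - C:\\WINDOWS\\system32\\efcBuSMF.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - AppInit_DLLs: cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll
O20 - Winlogon Notify: opnkhigD - C:\\WINDOWS\\
O23 - Service: NMSAccessU - Unknown owner - C:\\Program Files\\CDBurnerXP\\NMSAccessU.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.section, ",".join(e.flags), "->", e.body[:70])
    print(summarize(triage(SAMPLE_LOG)))
```

A flag is a reason to look, not a verdict: the Java BHO in the sample gets nothing, while a "(no file)" entry is only a leftover key until the rest of the log says otherwise.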

### #4 motherof4

motherof4

Posted 18 March 2009 - 09:08 AM

Okay, sorry. I found it:

Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2009-03-18 09:43:12
Microsoft Windows XP Professional Service Pack 2
System drive C: has 22 GB (38%) free of 57 GB
Total RAM: 2046 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:17 AM, on 3/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
O2 - BHO: (no name) - {14C12A67-0E23-456A-864F-A0CDE98A34D5} - (no file)
O2 - BHO: (no name) - {2FB73FAC-F365-4833-975A-71F2C4E7426B} - (no file)
O2 - BHO: (no name) - {4283D105-B544-4255-B0BD-1DEB0CF6F7F0} - (no file)
O2 - BHO: (no name) - {48B4FD4F-8FF9-4BC1-8050-A7225A5F1285} - C:\WINDOWS\system32\efcBuSMF.dll (file missing)
O2 - BHO: (no name) - {53736FF9-D04E-47CA-B3CD-BB6DE480E9AE} - (no file)
O2 - BHO: (no name) - {54493747-3537-48CC-8F98-A6C459538AB3} - (no file)
O2 - BHO: (no name) - {6B2D1070-C062-44E1-918B-29AA5A17D765} - (no file)
O2 - BHO: (no name) - {6F00D177-83C7-433D-B6C5-DEEFD0617577} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7EEF84EA-52B7-4788-97CA-2F5FB3F1655E} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A18BA8FF-D065-4903-B7CA-4AD596380E1E} - (no file)
O2 - BHO: (no name) - {D895C77C-10E4-4802-A157-93B4FF86F421} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E45F03B8-E06E-4EAA-8B94-5271E9721CEE} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EF5FE1C7-DFE2-492E-9E01-2231A5D1A876} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O20 - AppInit_DLLs: cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll
O20 - Winlogon Notify: opnkhigD - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jpg

--
End of file - 7563 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14C12A67-0E23-456A-864F-A0CDE98A34D5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FB73FAC-F365-4833-975A-71F2C4E7426B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4283D105-B544-4255-B0BD-1DEB0CF6F7F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48B4FD4F-8FF9-4BC1-8050-A7225A5F1285}]
C:\WINDOWS\system32\efcBuSMF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53736FF9-D04E-47CA-B3CD-BB6DE480E9AE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54493747-3537-48CC-8F98-A6C459538AB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B2D1070-C062-44E1-918B-29AA5A17D765}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F00D177-83C7-433D-B6C5-DEEFD0617577}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-12 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEF84EA-52B7-4788-97CA-2F5FB3F1655E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D895C77C-10E4-4802-A157-93B4FF86F421}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-12 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E45F03B8-E06E-4EAA-8B94-5271E9721CEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-12 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5FE1C7-DFE2-492E-9E01-2231A5D1A876}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-29 7401472]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Uniblue RegistryBooster 2009"=C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkhigD]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"c:\program files\relevantknowledge\rlvknlg.exe"="c:\program files\relevantknowledge\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 2 months======

2009-03-18 09:43:12 ----DC---- C:\rsit
2009-03-18 09:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-03-18 09:01:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-03-18 08:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-18 08:56:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-03-18 08:55:47 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-03-18 08:55:38 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-03-18 08:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-03-18 08:54:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-18 08:54:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-18 08:54:24 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-18 08:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-03-18 08:52:57 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-18 08:52:41 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-18 08:51:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-03-18 08:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-03-18 08:51:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-03-18 08:51:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-03-18 08:50:34 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-03-18 08:50:19 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-03-18 08:49:32 ----D---- C:\WINDOWS\LastGood
2009-03-17 20:31:50 ----HDC---- C:\Documents and Settings\All Users\Application Data\~1
2009-03-17 18:55:20 ----A---- C:\WINDOWS\system32\SET4F.tmp
2009-03-17 18:55:20 ----A---- C:\WINDOWS\system32\SET4E.tmp
2009-03-17 18:55:19 ----A---- C:\WINDOWS\system32\SET52.tmp
2009-03-17 18:55:19 ----A---- C:\WINDOWS\system32\SET46.tmp
2009-03-17 18:55:18 ----A---- C:\WINDOWS\system32\SET5B.tmp
2009-03-17 18:55:18 ----A---- C:\WINDOWS\system32\SET44.tmp
2009-03-17 18:55:17 ----A---- C:\WINDOWS\system32\SET5E.tmp
2009-03-17 18:55:17 ----A---- C:\WINDOWS\system32\SET56.tmp
2009-03-17 18:55:15 ----A---- C:\WINDOWS\system32\SET43.tmp
2009-03-17 18:55:14 ----A---- C:\WINDOWS\system32\SET45.tmp
2009-03-17 18:55:12 ----A---- C:\WINDOWS\system32\SET54.tmp
2009-03-17 18:54:25 ----A---- C:\WINDOWS\system32\SET37.tmp
2009-03-17 18:54:24 ----A---- C:\WINDOWS\system32\SET31.tmp
2009-03-17 18:45:45 ----D---- C:\Program Files\Trend Micro
2009-03-17 18:28:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-17 16:07:24 ----D---- C:\WINDOWS\pss
2009-03-16 16:17:16 ----DC---- C:\819e8097f2b5d7445861
2009-03-15 17:05:55 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\User\Application Data\Ludia
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Ludia
2009-03-15 16:06:49 ----DC---- C:\Documents and Settings\All Users\Application Data\Free Ride Games
2009-03-14 10:01:54 ----DC---- C:\Inetpub
2009-03-10 17:37:24 ----DC---- C:\Documents and Settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-10 16:37:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-10 16:36:50 ----D---- C:\Program Files\Common Files\Adobe
2009-03-10 16:06:52 ----DC---- C:\Documents and Settings\All Users\Application Data\NOS
2009-03-10 16:06:52 ----D---- C:\Program Files\NOS
2009-03-10 11:52:38 ----DC---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-03-10 11:52:29 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-09 21:46:33 ----A---- C:\WINDOWS\xpbsx0257.exe
2009-03-09 21:46:25 ----D---- C:\Program Files\f3setupinstall2
2009-03-09 21:46:24 ----A---- C:\WINDOWS\ugbv3006.exe
2009-03-09 21:46:11 ----A---- C:\WINDOWS\bqrd60258.exe
2009-03-09 21:46:02 ----A---- C:\WINDOWS\hqob8081.exe
2009-03-09 21:45:55 ----A---- C:\WINDOWS\kdiue732.txt
2009-03-05 23:14:05 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-03-05 23:14:01 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-03-05 23:13:55 ----D---- C:\Program Files\Virtools
2009-03-02 22:12:02 ----HDC---- C:\Documents and Settings\All Users\Application Data\~0
2009-02-28 20:48:50 ----A---- C:\WINDOWS\system32\unrar.dll
2009-02-28 20:48:45 ----A---- C:\WINDOWS\system32\yv12vfw.dll
2009-02-28 20:48:44 ----A---- C:\WINDOWS\system32\xvidcore.dll
2009-02-28 20:48:43 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2009-02-28 20:48:42 ----A---- C:\WINDOWS\system32\qt-dx331.dll
2009-02-28 20:48:42 ----A---- C:\WINDOWS\system32\dpl100.dll
2009-02-28 20:48:38 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2009-02-28 20:48:38 ----A---- C:\WINDOWS\system32\divx.dll
2009-02-28 20:48:37 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2009-02-28 19:29:23 ----DC---- C:\Documents and Settings\User\Application Data\Media Player Classic
2009-02-28 19:07:36 ----DC---- C:\Documents and Settings\All Users\Application Data\DriverScanner
2009-02-28 19:07:36 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2009-02-28 19:02:56 ----D---- C:\Program Files\K-Lite Codec Pack
2009-02-28 16:21:35 ----D---- C:\Program Files\Incomplete
2009-02-26 00:56:47 ----A---- C:\WINDOWS\system32\stlang.dll
2009-02-26 00:56:47 ----A---- C:\WINDOWS\stsystra.exe
2009-02-25 19:24:02 ----A---- C:\WINDOWS\DelToolbox.bat
2009-02-25 14:39:33 ----A---- C:\WINDOWS\vpc32.INI
2009-02-25 14:27:01 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-02-25 14:25:58 ----D---- C:\Program Files\Symantec
2009-02-25 14:25:44 ----DC---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-25 14:25:44 ----D---- C:\Program Files\Symantec AntiVirus
2009-02-25 14:25:44 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-02-24 19:14:59 ----DC---- C:\Documents and Settings\All Users\Application Data\Azureus
2009-02-24 19:14:58 ----DC---- C:\Documents and Settings\User\Application Data\Azureus
2009-02-24 19:14:33 ----D---- C:\Program Files\Vuze
2009-02-24 19:06:41 ----DC---- C:\Documents and Settings\User\Application Data\Mozilla
2009-02-24 19:06:27 ----D---- C:\Program Files\Mozilla Firefox
2009-02-11 12:38:00 ----DC---- C:\Documents and Settings\User\Application Data\dvdcss
2009-02-11 12:29:48 ----D---- C:\Documents and Settings\User\Application Data\vlc
2009-02-11 01:26:31 ----DC---- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2009-02-09 10:59:03 ----D---- C:\WINDOWS\system32\NtmsData
2009-01-27 17:51:26 ----D---- C:\Program Files\Xilisoft
2009-01-27 17:06:21 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
2009-01-27 17:05:44 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-01-27 17:05:39 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-01-27 17:05:09 ----D---- C:\Program Files\Windows Media Connect 2
2009-01-27 17:04:56 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2009-01-27 17:03:24 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-01-27 17:00:58 ----DC---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-01-26 01:40:08 ----DC---- C:\Documents and Settings\User\Application Data\AVS4YOU
2009-01-26 01:40:05 ----DC---- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2009-01-26 00:57:08 ----D---- C:\Program Files\Common Files\AVSMedia
2009-01-26 00:56:18 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-01-26 00:55:26 ----A---- C:\WINDOWS\system32\msxml3a.dll
2009-01-26 00:55:26 ----A---- C:\WINDOWS\system32\msvcr70.dll
2009-01-26 00:55:26 ----A---- C:\WINDOWS\system32\msvcp70.dll
2009-01-26 00:55:26 ----A---- C:\WINDOWS\system32\mfc70.dll
2009-01-26 00:55:26 ----A---- C:\WINDOWS\system32\GdiPlus.dll
2009-01-20 22:52:07 ----D---- C:\Program Files\Smilebox
2009-01-19 18:17:31 ----D---- C:\Program Files\components
2009-01-19 17:36:00 ----DC---- C:\Documents and Settings\All Users\Application Data\Winferno
2009-01-19 17:31:39 ----DC---- C:\Documents and Settings\User\Application Data\InfraRecorder
2009-01-19 17:30:53 ----D---- C:\Program Files\InfraRecorder
2009-01-19 17:30:47 ----D---- C:\Program Files\Winferno
2009-01-19 17:30:47 ----A---- C:\WINDOWS\system32\CapiCom.dll
2009-01-19 17:30:39 ----A---- C:\WINDOWS\system32\MSVCR71.DLL
2009-01-19 17:30:39 ----A---- C:\WINDOWS\system32\MSVCP71.DLL
2009-01-19 14:56:21 ----DC---- C:\Documents and Settings\User\Application Data\Canneverbe_Limited
2009-01-19 14:56:10 ----D---- C:\Program Files\CDBurnerXP

======List of files/folders modified in the last 2 months======

2009-03-18 09:43:08 ----D---- C:\WINDOWS\Prefetch
2009-03-18 09:23:18 ----A---- C:\WINDOWS\system32\Rpcnetp.exe
2009-03-18 09:02:05 ----HD---- C:\WINDOWS\inf
2009-03-18 09:02:05 ----D---- C:\WINDOWS
2009-03-18 09:02:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-18 09:02:03 ----D---- C:\WINDOWS\system32\drivers
2009-03-18 09:02:02 ----D---- C:\WINDOWS\system32
2009-03-18 09:01:53 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-18 09:01:47 ----A---- C:\WINDOWS\imsins.BAK
2009-03-18 09:01:30 ----SHD---- C:\WINDOWS\Installer
2009-03-18 09:01:28 ----HDC---- C:\Config.Msi
2009-03-18 09:00:49 ----A---- C:\WINDOWS\win.ini
2009-03-18 09:00:25 ----D---- C:\WINDOWS\Temp
2009-03-18 08:58:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-18 08:55:47 ----D---- C:\Program Files
2009-03-18 08:55:32 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-18 08:55:29 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-18 08:52:27 ----D---- C:\Program Files\Internet Explorer
2009-03-17 19:36:22 ----A---- C:\WINDOWS\system32\rpcnet.dll
2009-03-17 19:34:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-17 18:49:47 ----D---- C:\WINDOWS\Help
2009-03-17 18:49:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-03-17 08:57:10 ----A---- C:\WINDOWS\system32\rpcnetp.dll
2009-03-16 11:29:40 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-15 17:05:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-03-15 16:38:06 ----A---- C:\WINDOWS\system32\rpcnet.exe
2009-03-15 16:33:28 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-15 10:01:47 ----DC---- C:\DELL
2009-03-15 08:42:28 ----D---- C:\Program Files\Common Files
2009-03-14 10:02:26 ----D---- C:\WINDOWS\Cursors
2009-03-14 10:01:54 ----D---- C:\WINDOWS\system32\inetsrv
2009-03-13 16:27:58 ----DC---- C:\Documents and Settings\User\Application Data\FrostWire
2009-03-13 01:35:43 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-12 16:12:45 ----D---- C:\WINDOWS\system32\Restore
2009-03-11 16:11:37 ----SDC---- C:\Documents and Settings\User\Application Data\Microsoft
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\User\Application Data\Adobe
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-09 21:29:35 ----RSD---- C:\WINDOWS\assembly
2009-03-09 21:22:26 ----D---- C:\Program Files\Common Files\System
2009-03-06 22:58:29 ----DC---- C:\Documents and Settings\User\Application Data\Move Networks
2009-03-05 23:14:08 ----D---- C:\WINDOWS\system32\DirectX
2009-03-01 12:42:25 ----SHD---- C:\System Volume Information
2009-02-28 20:37:18 ----DC---- C:\Documents and Settings\User\Application Data\DivX
2009-02-28 19:15:48 ----D---- C:\WINDOWS\system32\config
2009-02-26 10:38:22 ----D---- C:\Program Files\WinRAR
2009-02-25 19:24:58 ----DC---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-02-25 19:24:43 ----D---- C:\Documents and Settings\User\Application Data\Yahoo!
2009-02-25 19:17:54 ----D---- C:\WINDOWS\system32\en-US
2009-02-25 19:17:48 ----D---- C:\WINDOWS\Media
2009-02-25 19:14:06 ----DC---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-02-25 12:55:00 ----AC---- C:\WINDOWS\system32\MRT.exe
2009-02-24 18:56:42 ----D---- C:\Temp
2009-02-24 18:09:24 ----DC---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-02-24 18:03:51 ----DC---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 17:40:00 ----DC---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-02-24 17:28:22 ----D---- C:\Program Files\VstPlugins
2009-02-18 11:38:25 ----A---- C:\WINDOWS\ModemLog_Communications cable between two computers.txt
2009-02-09 10:59:03 ----SDC---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-27 19:32:26 ----D---- C:\WINDOWS\AppPatch
2009-01-27 17:05:08 ----D---- C:\Program Files\Windows Media Player
2009-01-27 17:03:33 ----D---- C:\WINDOWS\system32\LogFiles
2009-01-26 00:55:37 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2006-10-29 156160]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090313.007\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090313.007\navex15.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-29 3595296]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2006-10-13 163584]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-02-12 24720]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2006-10-29 28672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2006-10-29 1428480]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS\system32\drivers\npf.sys [2008-02-13 42512]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-12 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-29 143428]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-03-15 47104]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS\system32\spupdsvc.exe [2008-06-12 26144]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Thanks again, this is a lot to look over.

Posted 18 March 2009 - 07:29 PM

NOTICE: These steps are for member: motherof4 ONLY. If you are a lurker, do NOT try this on your system! If you are not the topic starter and have a similar problem, do NOT post here; DO NOT follow these directions as they could damage the workings of your system. Please start your own topic.

Hi motherof4,

Thanks for posting the logs.

Before we start fixing anything you should write/print out these instructions or copy/paste them to a NotePad file.

Let's do the following to see if we can get rid of your malware.

I noticed that you are using Norton. Is it up-to-date?
*If not, please do so NOW!

O24 Entry Question: Is this familiar to you???:

O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jpg

Did you purposely add this active desktop component???

Ok... motherof4 please take a note:

Going over your logs I noticed that you had an encounter with Trojan.Brisv.A!inf

Risk Found!Risk: Trojan.Brisv.A in File: C:\Documents and Settings\User\My Documents\My Music\other\frost wire bleep\The Riot Squad - I take it We're Through.mp3 by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

We recommend reviewing the details of Trojan.Brisv.A as well.

Sharing Isn’t Always Caring.

Over the past week, Symantec has been observing an increasing number of computers affected by Trojan.Brisv.A.
This particular Trojan infects .asf, .mp2, .mp3, .wma, and .wmv movie and music files with malicious code that causes Microsoft Windows Media Player to access a malicious URL when the files are played, which results in more malware being downloaded on to the compromised computer.

The impact of the Trojan has been further magnified by the appearance of infected movie and music files on file-sharing networks. In many cases, users will be unaware that their media files have been infected and may continue to share them—legally or illegally—causing further dissemination of the threat.

Symantec security products block this threat, which is detected as Trojan.Brisv.A. Infected media files are detected as Trojan.Brisv.A!inf.
Users are urged to ensure that their virus definitions are kept up-to-date to protect against possible future variants of this threat.

Also, Symantec has produced a tool to remove the Trojan and clean the infected media files.
Users should be aware that although the tool is able to remove the Trojan and repair infected media files, it won't prevent re-infection.

Updated symantec definition files will prevent re-infection.

I would advise you to run this tool if you have not done so yet. Please do so NOW!

Step #1.

Trojan.Brisv.A!inf Removal Tool Instructions.
(This tool is designed to remove the infections of Trojan.Brisv.A!inf).

Important:
• If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet.
• Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.
For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.
• If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
• This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.
• You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
• Restart the computer in Safe mode. <-- Instructions.
• Double-click the FixBrisvA.exe file to start the removal tool.
• Click Start to begin the process, and then allow the tool to run.
• Restart the computer in Normal mode.
• Run LiveUpdate to make sure that you are using the most current virus definitions.
• Run a full scan with your Symantec security product to ensure that the system is clean.
• If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

Step #2.

Uniblue RegistryBooster 2009 Warning!

I see that you have installed: Uniblue RegistryBooster 2009. We do not recommend having such tools, so I would advise you to remove it via Add/Remove.

P2P (Peer-to-Peer) Programs Warning!!!

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case Vuze <--> P2P (formerly Azureus)). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

Vuze <--> P2P (formerly Azureus) is a free BitTorrent client used to transfer files via the BitTorrent protocol.

It is your decision whether or not you wish to keep your peer-to-peer program(s), but I suggest you remove it via Add/Remove. However, if you wish to keep them, you MUST NOT use them until your computer has been declared clean.

Now... Let's do the following:

Step #3.

ATF Cleaner 3

Note: On Windows Vista "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator." Prefetch has been disabled on Windows Vista.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: "Select All".
• Click the Empty Selected button.
• If you use the Firefox browser: Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• If you use the Opera browser: Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Click Exit on the Main menu to close the program.
• For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Step #4.

Malwarebytes' Anti-Malware

Because some malware can be easily removed, we recommend Malwarebytes Anti-Malware be run. It's an advanced piece of software which should get a lot of what's on this machine. These guys are so on top of the latest infections it's amazing.

It's important to let me know however, if you experience any trouble getting to the site or downloading it or opening it to run. Some rootkits target MBAM and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit, which if present, will require another special tool.

*If you have not done so:
Note: On Vista, "Run as an Administrator".
Double-click mbam-setup.exe to install the application.
• Make sure you are connected to the Internet.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• On the Scanner tab:
o Make sure the"Perform Full System Scan" option is selected.
o Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log will open in Notepad and you may be prompted to Restart.(*See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
(*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.)

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

See this Tutorial if needed

• The MBAM report log.
• The Norton Scan report log.
• The answers to my questions.
• A description of any remaining problems.
Kind regards
Net_Surfer
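An added example for the Trojan.Brisv.A mechanism described in the post above (this is not code from the thread and not Symantec's FixBrisvA tool). It assumes that the "open a URL when the file is played" behaviour is carried by an ASF Script Command Object, the standard way a Windows Media file can instruct Windows Media Player to open a URL (for example a URLANDEXIT command), and that an MP3 or MP2 file whose contents are actually an ASF container is worth a second look. The sample files are constructed in memory; the URL and file names are placeholders.

```python
"""Heuristic scan for media files that carry an ASF Script Command Object.

Added example, not Symantec's FixBrisvA tool and not code from this thread.
Assumption: the "open a URL when the file is played" behaviour described for
Trojan.Brisv.A is carried by an ASF Script Command Object, the standard way a
Windows Media file can tell Windows Media Player to open a URL (e.g. the
URLANDEXIT command). All sample files below are constructed in memory.
"""
import struct
import uuid

# ASF object GUIDs; on disk they are stored little-endian (uuid.bytes_le).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
URL_COMMAND_TYPES = {"URL", "URLANDEXIT"}


def build_asf_with_script(commands):
    """Construct (for the demo) a minimal ASF header holding a Script Command Object.

    commands: list of (command_type, command_name) tuples. Only the header is
    produced, enough for the parser below, not a playable file.
    """
    types = list(dict.fromkeys(t for t, _ in commands))     # unique, order kept
    body = bytes(16)                                         # reserved GUID
    body += struct.pack("<HH", len(commands), len(types))
    for t in types:                                          # command type table
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for t, name in commands:                                 # presentation time, type index, name
        body += struct.pack("<IHH", 0, types.index(t), len(name)) + name.encode("utf-16-le")
    script_obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    # Header Object: GUID, size, object count, reserved1 = 1, reserved2 = 2
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(script_obj), 1, 1, 2) + script_obj


def _parse_script_body(body):
    """Decode the Script Command Object payload into [(type, name), ...]."""
    cmds, pos = [], 16                                       # skip reserved GUID
    try:
        n_cmds, n_types = struct.unpack_from("<HH", body, pos)
        pos += 4
        types = []
        for _ in range(n_types):
            (n,) = struct.unpack_from("<H", body, pos)
            pos += 2
            types.append(body[pos:pos + 2 * n].decode("utf-16-le", "replace"))
            pos += 2 * n
        for _ in range(n_cmds):
            _time, idx, n = struct.unpack_from("<IHH", body, pos)
            pos += 8
            name = body[pos:pos + 2 * n].decode("utf-16-le", "replace")
            pos += 2 * n
            cmds.append((types[idx] if idx < len(types) else "?", name))
    except struct.error:
        pass                                                 # truncated object: keep what we have
    return cmds


def parse_asf_script_commands(data):
    """Walk the ASF header and return every script command found, or [] for non-ASF data."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        return []
    header_size, n_objects = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, found = 30, []
    for _ in range(n_objects):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break                                            # bogus size: never read past the header
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            found.extend(_parse_script_body(data[pos + 24:pos + size]))
        pos += size
    return found


def classify_media_file(filename, data):
    """Return 'infected', 'suspicious' or 'clean' for one media file."""
    ext = filename.lower().rsplit(".", 1)[-1]
    is_asf = data[:16] == ASF_HEADER_OBJECT
    for ctype, name in (parse_asf_script_commands(data) if is_asf else []):
        if ctype.upper() in URL_COMMAND_TYPES or "://" in name.lower():
            return "infected"                                # a script command that opens a URL
    if is_asf and ext in ("mp3", "mp2"):
        return "suspicious"                                  # ASF container hiding behind an MP3 name
    return "clean"


def scan(samples):
    """Classify a list of (filename, bytes) pairs; returns {filename: verdict}."""
    return {name: classify_media_file(name, data) for name, data in samples}


if __name__ == "__main__":
    SAMPLES = [  # constructed demo files, not real detections
        ("track.mp3", b"ID3" + bytes(64)),                                         # plain MP3
        ("track2.mp3", build_asf_with_script([("URLANDEXIT", "http://example.invalid/x")])),
        ("video.wmv", build_asf_with_script([("FILENAME", "next.wmv")])),
        ("renamed.mp3", build_asf_with_script([])),
    ]
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

To run it over a real music folder, walk the tree with os.walk and feed scan() each file name together with the first megabyte of its contents; the parser only looks at the ASF header, and it stops at any object whose declared size runs past the data it was given, so a truncated read is reported as "no commands" rather than a crash. A "suspicious" verdict means the file is an ASF container with an MP3 extension, which is a container swap and not proof of infection on its own; "infected" means a script command that opens a URL was actually found.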

Posted 20 March 2009 - 03:39 PM

1. Updated norton

2. O24 Entry question answer: I do not know Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jp and I did not purposely add this active desktop component.

3. I know about the virus; it used to pull them up a lot when I first had Symantec downloaded and when browsing my music folder. So I removed FrostWire and also Uniblue a couple of days before posting this. As for Vuze (Azureus), I have a movie saved on there that I want to watch. If I move it to my video folder and delete Vuze, will my movie still work? If so I will happily delete it (a friend told me to download it).

4. Cannot find file in C drive / sharing and security.
I used Folder Options / View / unchecked "Use simple file sharing (Recommended)" under Firefox. Does that work to stop P2P?

5. I disabled the internet, safe-booted, and ran the Trojan.Brisv.A!inf Removal Tool. It said it found Trojan.Brisv.A!inf; I pressed OK and it closed out all windows by itself. I switched the computer to normal, enabled the internet, and I have no idea how to pull up the report.

6. I am now on the last two steps will send those reports with my next post.

Edited by motherof4, 20 March 2009 - 04:33 PM.

Posted 20 March 2009 - 06:39 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1860
Windows 5.1.2600 Service Pack 2

3/20/2009 7:27:52 PM
mbam-log-2009-03-20 (19-27-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 121951
Time elapsed: 46 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2009-03-20 19:29:26
Microsoft Windows XP Professional Service Pack 2
System drive C: has 25 GB (44%) free of 57 GB
Total RAM: 2046 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:34 PM, on 3/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\User\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
O2 - BHO: (no name) - {14C12A67-0E23-456A-864F-A0CDE98A34D5} - (no file)
O2 - BHO: (no name) - {2FB73FAC-F365-4833-975A-71F2C4E7426B} - (no file)
O2 - BHO: (no name) - {4283D105-B544-4255-B0BD-1DEB0CF6F7F0} - (no file)
O2 - BHO: (no name) - {48B4FD4F-8FF9-4BC1-8050-A7225A5F1285} - C:\WINDOWS\system32\efcBuSMF.dll (file missing)
O2 - BHO: (no name) - {53736FF9-D04E-47CA-B3CD-BB6DE480E9AE} - (no file)
O2 - BHO: (no name) - {54493747-3537-48CC-8F98-A6C459538AB3} - (no file)
O2 - BHO: (no name) - {6B2D1070-C062-44E1-918B-29AA5A17D765} - (no file)
O2 - BHO: (no name) - {6F00D177-83C7-433D-B6C5-DEEFD0617577} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7EEF84EA-52B7-4788-97CA-2F5FB3F1655E} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A18BA8FF-D065-4903-B7CA-4AD596380E1E} - (no file)
O2 - BHO: (no name) - {D895C77C-10E4-4802-A157-93B4FF86F421} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E45F03B8-E06E-4EAA-8B94-5271E9721CEE} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EF5FE1C7-DFE2-492E-9E01-2231A5D1A876} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O20 - AppInit_DLLs: cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll
O20 - Winlogon Notify: opnkhigD - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jpg

--
End of file - 7803 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14C12A67-0E23-456A-864F-A0CDE98A34D5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FB73FAC-F365-4833-975A-71F2C4E7426B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4283D105-B544-4255-B0BD-1DEB0CF6F7F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48B4FD4F-8FF9-4BC1-8050-A7225A5F1285}]
C:\WINDOWS\system32\efcBuSMF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53736FF9-D04E-47CA-B3CD-BB6DE480E9AE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54493747-3537-48CC-8F98-A6C459538AB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B2D1070-C062-44E1-918B-29AA5A17D765}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F00D177-83C7-433D-B6C5-DEEFD0617577}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-12 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEF84EA-52B7-4788-97CA-2F5FB3F1655E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D895C77C-10E4-4802-A157-93B4FF86F421}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-12 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E45F03B8-E06E-4EAA-8B94-5271E9721CEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-12 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5FE1C7-DFE2-492E-9E01-2231A5D1A876}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-29 7401472]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"iCall Internet Phone"=C:\Program Files\iCall\iCall.exe [2008-12-18 1587576]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Uniblue RegistryBooster 2009"=C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkhigD]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"c:\program files\relevantknowledge\rlvknlg.exe"="c:\program files\relevantknowledge\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\iCall\iCall.exe"="C:\Program Files\iCall\iCall.exe:*:Enabled:iCall"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-03-18 23:37:51 ----D---- C:\Program Files\iCall
2009-03-18 20:19:04 ----DC---- C:\Documents and Settings\User\Application Data\IMVU
2009-03-18 20:18:34 ----DC---- C:\Documents and Settings\User\Application Data\IMVUClient
2009-03-18 09:43:12 ----DC---- C:\rsit
2009-03-18 09:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-03-18 09:01:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-03-18 08:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-18 08:56:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-03-18 08:55:47 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-03-18 08:55:38 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-03-18 08:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-03-18 08:54:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-18 08:54:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-18 08:54:24 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-18 08:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-03-18 08:52:57 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-18 08:52:41 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-18 08:51:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-03-18 08:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-03-18 08:51:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-03-18 08:51:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-03-18 08:50:34 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-03-18 08:50:19 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-03-17 18:45:45 ----D---- C:\Program Files\Trend Micro
2009-03-17 18:28:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-17 16:07:24 ----D---- C:\WINDOWS\pss
2009-03-16 16:17:16 ----DC---- C:\819e8097f2b5d7445861
2009-03-15 17:05:55 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\User\Application Data\Ludia
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Ludia
2009-03-15 16:06:49 ----DC---- C:\Documents and Settings\All Users\Application Data\Free Ride Games
2009-03-14 10:01:54 ----DC---- C:\Inetpub
2009-03-10 17:37:24 ----DC---- C:\Documents and Settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-10 16:37:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-10 16:36:50 ----D---- C:\Program Files\Common Files\Adobe
2009-03-10 16:06:52 ----DC---- C:\Documents and Settings\All Users\Application Data\NOS
2009-03-10 16:06:52 ----D---- C:\Program Files\NOS
2009-03-10 11:52:38 ----DC---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-03-10 11:52:29 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-09 21:46:33 ----A---- C:\WINDOWS\xpbsx0257.exe
2009-03-09 21:46:25 ----D---- C:\Program Files\f3setupinstall2
2009-03-09 21:46:24 ----A---- C:\WINDOWS\ugbv3006.exe
2009-03-09 21:46:11 ----A---- C:\WINDOWS\bqrd60258.exe
2009-03-09 21:46:02 ----A---- C:\WINDOWS\hqob8081.exe
2009-03-09 21:45:55 ----A---- C:\WINDOWS\kdiue732.txt
2009-03-05 23:14:05 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-03-05 23:14:01 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-03-05 23:13:55 ----D---- C:\Program Files\Virtools
2009-03-02 22:12:02 ----HDC---- C:\Documents and Settings\All Users\Application Data\~0
2009-02-28 20:48:50 ----A---- C:\WINDOWS\system32\unrar.dll
2009-02-28 20:48:45 ----A---- C:\WINDOWS\system32\yv12vfw.dll
2009-02-28 20:48:44 ----A---- C:\WINDOWS\system32\xvidcore.dll
2009-02-28 20:48:43 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2009-02-28 20:48:42 ----A---- C:\WINDOWS\system32\qt-dx331.dll
2009-02-28 20:48:42 ----A---- C:\WINDOWS\system32\dpl100.dll
2009-02-28 20:48:38 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2009-02-28 20:48:38 ----A---- C:\WINDOWS\system32\divx.dll
2009-02-28 20:48:37 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2009-02-28 19:29:23 ----DC---- C:\Documents and Settings\User\Application Data\Media Player Classic
2009-02-28 19:07:36 ----DC---- C:\Documents and Settings\All Users\Application Data\DriverScanner
2009-02-28 19:07:36 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2009-02-28 19:02:56 ----D---- C:\Program Files\K-Lite Codec Pack
2009-02-28 16:21:35 ----D---- C:\Program Files\Incomplete
2009-02-26 00:56:47 ----A---- C:\WINDOWS\system32\stlang.dll
2009-02-26 00:56:47 ----A---- C:\WINDOWS\stsystra.exe
2009-02-25 19:24:02 ----A---- C:\WINDOWS\DelToolbox.bat
2009-02-25 14:39:33 ----A---- C:\WINDOWS\vpc32.INI
2009-02-25 14:27:01 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-02-25 14:25:58 ----D---- C:\Program Files\Symantec
2009-02-25 14:25:44 ----DC---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-25 14:25:44 ----D---- C:\Program Files\Symantec AntiVirus
2009-02-25 14:25:44 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-02-24 19:14:59 ----DC---- C:\Documents and Settings\All Users\Application Data\Azureus
2009-02-24 19:14:58 ----DC---- C:\Documents and Settings\User\Application Data\Azureus
2009-02-24 19:14:33 ----D---- C:\Program Files\Vuze
2009-02-24 19:06:41 ----DC---- C:\Documents and Settings\User\Application Data\Mozilla
2009-02-24 19:06:27 ----D---- C:\Program Files\Mozilla Firefox

======List of files/folders modified in the last 1 months======

2009-03-20 18:30:01 ----D---- C:\WINDOWS\Temp
2009-03-20 18:29:58 ----D---- C:\WINDOWS
2009-03-20 18:29:53 ----A---- C:\WINDOWS\system32\Rpcnetp.exe
2009-03-20 18:29:51 ----A---- C:\WINDOWS\system32\rpcnet.dll
2009-03-20 17:34:30 ----D---- C:\WINDOWS\Prefetch
2009-03-20 09:18:58 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-20 09:17:56 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-03-20 09:17:55 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-20 09:17:42 ----HD---- C:\WINDOWS\inf
2009-03-20 09:10:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-20 09:10:49 ----D---- C:\WINDOWS\system32
2009-03-19 02:35:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-18 23:38:10 ----SHD---- C:\WINDOWS\Installer
2009-03-18 23:38:10 ----HDC---- C:\Config.Msi
2009-03-18 23:38:09 ----D---- C:\WINDOWS\WinSxS
2009-03-18 23:37:51 ----D---- C:\Program Files
2009-03-18 23:19:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-18 23:06:28 ----A---- C:\WINDOWS\system32\rpcnetp.dll
2009-03-18 23:04:42 ----SHC---- C:\boot.ini
2009-03-18 23:04:42 ----A---- C:\WINDOWS\win.ini
2009-03-18 23:04:42 ----A---- C:\WINDOWS\system.ini
2009-03-18 09:02:03 ----D---- C:\WINDOWS\system32\drivers
2009-03-18 09:01:53 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-18 09:01:47 ----A---- C:\WINDOWS\imsins.BAK
2009-03-18 08:58:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-18 08:52:27 ----D---- C:\Program Files\Internet Explorer
2009-03-17 18:49:47 ----D---- C:\WINDOWS\Help
2009-03-16 11:29:40 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-15 17:05:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-03-15 16:38:06 ----A---- C:\WINDOWS\system32\rpcnet.exe
2009-03-15 16:33:28 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-15 10:01:47 ----DC---- C:\DELL
2009-03-15 08:42:28 ----D---- C:\Program Files\Common Files
2009-03-14 10:02:26 ----D---- C:\WINDOWS\Cursors
2009-03-14 10:01:54 ----D---- C:\WINDOWS\system32\inetsrv
2009-03-13 16:27:58 ----DC---- C:\Documents and Settings\User\Application Data\FrostWire
2009-03-12 16:12:45 ----D---- C:\WINDOWS\system32\Restore
2009-03-11 16:11:37 ----SDC---- C:\Documents and Settings\User\Application Data\Microsoft
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\User\Application Data\Adobe
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-09 21:29:35 ----RSD---- C:\WINDOWS\assembly
2009-03-09 21:22:26 ----D---- C:\Program Files\Common Files\System
2009-03-06 22:58:29 ----DC---- C:\Documents and Settings\User\Application Data\Move Networks
2009-03-05 23:14:08 ----D---- C:\WINDOWS\system32\DirectX
2009-03-02 09:26:08 ----D---- C:\WINDOWS\system32\NtmsData
2009-03-01 12:42:25 ----SHD---- C:\System Volume Information
2009-02-28 20:37:18 ----DC---- C:\Documents and Settings\User\Application Data\DivX
2009-02-28 19:15:48 ----D---- C:\WINDOWS\system32\config
2009-02-26 10:38:22 ----D---- C:\Program Files\WinRAR
2009-02-25 19:24:58 ----DC---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-02-25 19:24:43 ----D---- C:\Documents and Settings\User\Application Data\Yahoo!
2009-02-25 19:17:54 ----D---- C:\WINDOWS\system32\en-US
2009-02-25 19:17:48 ----D---- C:\WINDOWS\Media
2009-02-25 19:17:48 ----D---- C:\Program Files\Winferno
2009-02-25 19:14:06 ----DC---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-02-25 19:10:54 ----D---- C:\Program Files\Common Files\AVSMedia
2009-02-25 12:55:00 ----AC---- C:\WINDOWS\system32\MRT.exe
2009-02-24 18:56:42 ----D---- C:\Temp
2009-02-24 18:09:24 ----DC---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-02-24 18:03:51 ----DC---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 17:40:00 ----DC---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-02-24 17:28:22 ----D---- C:\Program Files\VstPlugins

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2006-10-29 156160]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090318.006\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090318.006\navex15.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-29 3595296]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2006-10-13 163584]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-02-12 24720]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2006-10-29 28672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2006-10-29 1428480]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS\system32\drivers\npf.sys [2008-02-13 42512]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-12 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-29 143428]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-03-15 47104]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Is there anything else that I don't need and can erase off my computer? Thanks for your time.

Hi motherof4,

Before we start fixing anything you should write/print out these instructions or copy/paste them to a NotePad file.

Let's do the following to see if we can get rid of your malware.
Step #1.

• Install ERUNT
(This tool will create a complete backup of your registry to ensure we have a safety net If something goes wrong. Do not delete the backup until we are finished).

• Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
• ERUNT will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Step #2.

• Double click RegQuery.exe to run the program.
• Copy the following registry key path by highlighting the text in the code box and pressing CTRL+C (Do NOT copy the word: CODE)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
• Paste the text you have copied into the textbox using CTRL+V.
• Click the Query button.
• A Notepad file will open.
• Close RegQuery
Altering system files; & or modifying the registry can be risky and BleepingComputer.com and its members cannot accept liability for any adverse effects caused by following advice freely given on this site.

Step #3.

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of the OTMoveIt3 fixing tool. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

We need to execute an OTMoveIt3 Script.
• Double click on the icon on your desktop to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right click and choose Copy.)
Do not include the word "Code".
:processes
explorer.exe

:files
C:\Documents and Settings\User\MyDocuments\MyPictures\images-1886.jpg
C:\WINDOWS\system32\efcBuSMF.dll
C:\Program Files\Uniblue
C:\WINDOWS\system32\cljkoj.dll
C:\WINDOWS\system32\blyfgj.dll
C:\WINDOWS\system32\wynkzj.dll
C:\WINDOWS\system32\ytfqav.dll
C:\WINDOWS\system32\wtcwly.dll
C:\WINDOWS\system32\vmozsp.dll
C:\WINDOWS\system32\komqns.dll
c:\program files\relevantknowledge
C:\WINDOWS\xpbsx0257.exe
C:\Program Files\f3setupinstall2
C:\WINDOWS\ugbv3006.exe
C:\WINDOWS\bqrd60258.exe
C:\WINDOWS\hqob8081.exe
C:\WINDOWS\kdiue732.txt
C:\Documents and Settings\User\Application Data\Azureus
C:\Documents and Settings\All Users\Application Data\Azureus
C:\Program Files\Vuze

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14C12A67-0E23-456A-864F-A0CDE98A34D5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FB73FAC-F365-4833-975A-71F2C4E7426B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4283D105-B544-4255-B0BD-1DEB0CF6F7F0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48B4FD4F-8FF9-4BC1-8050-A7225A5F1285}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53736FF9-D04E-47CA-B3CD-BB6DE480E9AE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54493747-3537-48CC-8F98-A6C459538AB3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B2D1070-C062-44E1-918B-29AA5A17D765}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F00D177-83C7-433D-B6C5-DEEFD0617577}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEF84EA-52B7-4788-97CA-2F5FB3F1655E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D895C77C-10E4-4802-A157-93B4FF86F421}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E45F03B8-E06E-4EAA-8B94-5271E9721CEE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5FE1C7-DFE2-492E-9E01-2231A5D1A876}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{53F6FCCD-9E22-4d71-86EA-6E43136192AB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{925DAB62-F9AC-4221-806A-057BFB1014AA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkhigD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Vuze\Azureus.exe"=-
"C:\Program Files\FrostWire\FrostWire.exe"=-
"c:\program files\relevantknowledge\rlvknlg.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2009"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=dword:00000001

:Commands
[EmptyTemp]
[Reboot]
• Return to OTMoveIt3, Then, right click under the window and choose Paste.
• Push the large button.
• Copy/Paste the contents under the line here in your next reply.
• NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
CAUTION:
The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

OK.. motherof4,

Please take a note... and do the following:

I disabled the internet, safe-booted, ran the Trojan.Brisv.A!inf Removal Tool; it said it found Trojan.Brisv.A!inf, I pressed OK and it closed all windows by itself, switched the computer to normal, enabled the internet, and I have no idea how to pull up the report.

What I mean here is that after you have run the removal tool, update the definition files of Norton, run a Norton antivirus scan, and then copy and paste the results of the report here.

"And about the movie": I believe that if you have run the tool it should be OK. Your MBAM scan was clean, but the Norton scan will tell if the movie is infected, and I will let you know if you have to delete it. But remember, the health of your computer comes first.

Step #4.

I need you to re-select the desktop wallpaper in your computer. Here is a link that will show you how to do that:
http://www.homeandlearn.co.uk/BC/bcs1p11.html

Summary of the logs I need from you in your next post:

• See if you can post the report of the Norton anti-virus scan, or let me know if it found anything bad.
• Also I will need the report of OTMoveIt3; you can find it in C:\_OTMoveIt\MovedFiles. Copy/paste the contents of that document back here in your next post.
• The contents of the notepad file from RegQuery.exe
• A fresh Hijackthis log.
• And a description of any remaining problems.

Kind Regards

Net_Surfer
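The RSIT log posted above and the OTMoveIt3 fix in Step #3 revolve around the same three persistence points: the AppInit_DLLs value packed with random-named DLLs, the empty Winlogon\Notify\opnkhigD subkey, and the letters-plus-digits executables dropped in C:\WINDOWS. The triage script below is an added example, not part of this thread or of RSIT/OTMoveIt3; it parses a constructed excerpt of that log and flags those entries, and its name heuristic, Windows-root check and rule names are assumptions of this example rather than anything the tools themselves do.

```python
"""Triage an RSIT log for the persistence points seen in this thread.

Added example, not part of the thread, RSIT or OTMoveIt3. Flags a non-empty
AppInit_DLLs value (every module listed is loaded into each process that maps
user32.dll), a Winlogon\\Notify subkey with no DLL under it, and files dropped
directly under C:\\WINDOWS. SAMPLE_LOG is constructed from entries quoted in
the thread; the name heuristic and rule names are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkhigD]

======List of files/folders created in the last 1 months======

2009-03-17 18:45:45 ----D---- C:\Program Files\Trend Micro
2009-03-09 21:46:33 ----A---- C:\WINDOWS\xpbsx0257.exe
2009-03-09 21:46:24 ----A---- C:\WINDOWS\ugbv3006.exe
2009-03-09 21:45:55 ----A---- C:\WINDOWS\kdiue732.txt
2009-02-26 00:56:47 ----A---- C:\WINDOWS\stsystra.exe

======List of files/folders modified in the last 1 months======
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"$', re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]+)---- (.+)$")
# letters followed by digits (xpbsx0257.exe, kdiue732.txt): the droppers' naming pattern
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,6}\d{3,5}\.[a-z]{3}$", re.IGNORECASE)
NOTIFY_MARK = "\\Winlogon\\Notify\\"
WINDIR = "c:\\windows\\"


@dataclass(frozen=True)
class Finding:
    rule: str     # heuristic that fired
    subject: str  # registry key or file path it fired on
    note: str     # explanation for the triage report


def appinit_modules(value: str) -> list[str]:
    """Split an AppInit_DLLs value the way the loader does: on spaces and commas."""
    return [tok for tok in re.split(r"[ ,]+", value.strip()) if tok]


def is_random_name(filename: str) -> bool:
    return RANDOM_NAME_RE.match(filename) is not None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    notify_has_dll: dict[str, bool] = {}
    current_key = None
    in_created = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("======"):  # section banner; registry keys do not carry over
            in_created = line.startswith("======List of files/folders created")
            current_key = None
            continue
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group(1)
            if NOTIFY_MARK in current_key:
                notify_has_dll.setdefault(current_key, False)
            continue
        if current_key and NOTIFY_MARK in current_key:
            notify_has_dll[current_key] = True  # a DLL line follows the subkey
            continue
        m = APPINIT_RE.match(line)
        if m and current_key and current_key.endswith("\\CurrentVersion\\Windows"):
            mods = appinit_modules(m.group(1))
            if mods:
                note = f"{len(mods)} module(s) injected into every user32 process: {', '.join(mods)}"
                findings.append(Finding("appinit_dlls", current_key, note))
            continue
        m = CREATED_RE.match(line)
        if in_created and m and "D" not in m.group(2):  # plain file, not a folder
            stamp, path = m.group(1), m.group(3)
            name = path[len(WINDIR):]
            if path.lower().startswith(WINDIR) and "\\" not in name:  # Windows root only
                prefix = "random-looking name, " if is_random_name(name) else ""
                findings.append(Finding("windir_drop", path, f"{prefix}created {stamp}"))
    for key, has_dll in notify_has_dll.items():
        if not has_dll:
            findings.append(Finding("notify_no_dll", key,
                                    "Winlogon Notify subkey with no DLL listed under it"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the findings; the stsystra.exe hit shows why the Windows-root rule is a triage prompt, not a verdict, since that file belongs to the SigmaTel audio driver listed elsewhere in the log.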

### #9 motherof4

motherof4

Posted 25 March 2009 - 11:51 AM

Hello Net_Surfer,
I want to start by saying: my wallpaper, is that the desktop component that you were asking about? If so, then that was from the Florida Aquarium web site; you can download their picture for your wallpaper. Now I'm going to post all these logs. Also, I already had Malwarebytes Anti-Malware and it found a lot of stuff when I first downloaded it on 3-10-09. Thank you.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\xpbsx0257.exe moved successfully.
C:\Program Files\f3setupinstall2 moved successfully.
C:\WINDOWS\ugbv3006.exe moved successfully.
C:\WINDOWS\bqrd60258.exe moved successfully.
C:\WINDOWS\hqob8081.exe moved successfully.
C:\WINDOWS\kdiue732.txt moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\updates moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\torrents moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\tmp moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\subs moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\shares\cache1 moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\shares moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\plugins\azump\mplayer moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\plugins\azump moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\plugins moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\net moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\media\azpd moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\media moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\logs\save moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\logs moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\dht moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\cache moved successfully.
C:\Documents and Settings\User\Application Data\Azureus\active moved successfully.
C:\Documents and Settings\User\Application Data\Azureus moved successfully.
C:\Documents and Settings\All Users\Application Data\Azureus moved successfully.
C:\Program Files\Vuze\plugins\azupnpav moved successfully.
C:\Program Files\Vuze\plugins\azupdater moved successfully.
C:\Program Files\Vuze\plugins\azrating moved successfully.
C:\Program Files\Vuze\plugins\azplugins moved successfully.
C:\Program Files\Vuze\plugins\azemp\mplayer moved successfully.
C:\Program Files\Vuze\plugins\azemp moved successfully.
C:\Program Files\Vuze\plugins moved successfully.
C:\Program Files\Vuze\.install4j moved successfully.
C:\Program Files\Vuze moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14C12A67-0E23-456A-864F-A0CDE98A34D5}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FB73FAC-F365-4833-975A-71F2C4E7426B}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4283D105-B544-4255-B0BD-1DEB0CF6F7F0}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48B4FD4F-8FF9-4BC1-8050-A7225A5F1285}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53736FF9-D04E-47CA-B3CD-BB6DE480E9AE}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54493747-3537-48CC-8F98-A6C459538AB3}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B2D1070-C062-44E1-918B-29AA5A17D765}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F00D177-83C7-433D-B6C5-DEEFD0617577}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EEF84EA-52B7-4788-97CA-2F5FB3F1655E}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A18BA8FF-D065-4903-B7CA-4AD596380E1E}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D895C77C-10E4-4802-A157-93B4FF86F421}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E45F03B8-E06E-4EAA-8B94-5271E9721CEE}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5FE1C7-DFE2-492E-9E01-2231A5D1A876}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkhigD\\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\Vuze\Azureus.exe deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Uniblue RegistryBooster 2009 deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\"HonorAutoRunSetting"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\etilqs_JX7gMjXc2Fxs4w57ltzI scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_618.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03252009_122427

Files moved on Reboot...
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\i8h9n9eu.default\XUL.mfl moved successfully.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:04 PM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jpg

--
End of file - 6495 bytes

Hello motherof4,

Good job following those steps, and your logs are looking better.

We do not advise doing any of the upgrades until the computer is clear of malware, and we are almost there.

There is a new version of Internet Explorer (version 8) that you will need, so after you follow my next set of steps and report back with the logs, I will give you the OK to upgrade if no malware is found by the Kaspersky online scan.

QUESTION: Did Norton anti-virus find anything bad when you scanned your system after you had run the removal tool?

Now I need you to do the following:

Step #1.

*Open HijackThis. Click on Do a system scan only.
Close your browser and all open windows, including this one. The only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

Ensure you have closed all windows except HijackThis and click Fix Checked.
Then close/exit HijackThis program.

Next..

Step #2.
Firewall Warning!

You are in need of a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers;
therefore, I strongly recommend that you install one of the following free firewalls: *PC Tools Firewall Plus or ZoneAlarm.

See Bleepingcomputer's excellent tutorial to help using and understanding a firewall: HERE
Important Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

*If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire Do Not do so.

Step #3.

Outdated Java Warning!

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older Java components and update:
• Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13".
• Select your Language: "Multi-language", and then check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
• Click Continue and the page will refresh.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
(Vista users, right-click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step #4.

Kaspersky Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer. Therefore, by using the Kaspersky online scanner it is possible for us to find leftover or missed malware files on your computer, and we can then further clean it up.

Therefore, go to the Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
You can refer to this animation by sundavis.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

(Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine. Kaspersky will only scan and report and it does not remove any malware files it finds.)
**Note**
To optimize scanning time and produce a more sensible report for review:
• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Summary of the logs I need from you in your next post:

• Answer to the above question.
• The Kaspersky report.
• Re-scan with RSIT and post the log.

How is your computer now?
Do you notice any other problems?

Kind Regards

Net_Surfer
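As an added example (not code from HijackThis, OTMoveIt, RSIT or the Kaspersky scanner, and not posted by anyone in this thread), the Python script below shows the three checks behind this reply. It pulls the DLL list out of the AppInit_DLLs registry export posted above (Windows splits that value on spaces or commas and loads every token into each process that loads user32.dll, which is why the OTMoveIt fix reset it to an empty string), applies the rules that produced the three "Fix checked" entries in Step #1 to HijackThis log lines, and separates Kaspersky hits that sit inside another scanner's quarantine from live files, as the Step #4 note describes. The sample inputs are copied from the logs in this thread; the quarantine path markers are an assumption, not something the scanners document.

```python
"""Triage helpers for the three logs in this thread (added example)."""
import re

# Sample inputs, copied from the logs posted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cljkoj.dll,suakq blyfgj.dll wynkzj.dll ytfqav.dll wtcwly.dll vmozsp.dll komqns.dll"
"DeviceNotSelectedTimeout"="15"
'''

SAMPLE_HJT = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
'''

SAMPLE_KAV = r'''
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DAC0001.VBN Infected: Trojan.Win32.Monder.qgq 1
C:\Documents and Settings\User\My Documents\My Music\R and B\Deborah Cox\just be good to me deborah cox - high quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
'''


def appinit_dlls(reg_text):
    """Return the module names Windows would load from an AppInit_DLLs export.

    The loader treats spaces and commas alike, so a value mixing both still
    yields one module per token; a token without ".dll" (here "suakq") is
    still passed to LoadLibrary. An empty value, which is what the OTMoveIt
    line 'AppInit_DLLS|"" /E' wrote, yields an empty list.
    """
    m = re.search(r'^"AppInit_DLLs"="(.*)"\s*$', reg_text, re.M | re.I)
    if not m:
        return []
    return [tok for tok in re.split(r'[ ,]+', m.group(1)) if tok]


HJT_LINE = re.compile(r'^(?P<section>[RFO]\d+) - (?P<body>.*)$')


def triage_hjt(log_text):
    """Flag HijackThis entries the way the helper did in Step #1.

    * O9 buttons whose target is '(no file)' or '(file missing)' are dead
      registry entries: nothing to run, safe to fix.
    * O16 DPF (downloaded ActiveX) entries ending in a bare ' -' have no
      file on disk behind their CLSID: also safe to fix.
    * O10 Winsock LSPs HijackThis cannot identify are marked 'review', not
      'fix', because removing an LSP badly breaks networking.
    """
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group('section'), m.group('body')
        if section == 'O9' and body.endswith(('(no file)', '(file missing)')):
            flagged.append(('fix', line))
        elif section == 'O16' and body.endswith(' -'):
            flagged.append(('fix', line))
        elif section == 'O10':
            flagged.append(('review', line))
    return flagged


KAV_LINE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$')
# Assumed markers for other tools' quarantine folders (Symantec .VBN files,
# any "\Quarantine\" directory, ComboFix's Qoobox). Adjust for other tools.
QUARANTINE_DIRS = ('\\quarantine\\', '\\qoobox\\')


def classify_kaspersky(report_text):
    """Split Kaspersky report hits into (live, quarantined) lists.

    A detection inside another scanner's quarantine is an inert copy; only
    hits outside those folders are active files needing action.
    """
    live, quarantined = [], []
    for raw in report_text.splitlines():
        m = KAV_LINE.match(raw.strip())
        if not m:
            continue
        path = m.group('path')
        low = path.lower()
        inert = low.endswith('.vbn') or any(d in low for d in QUARANTINE_DIRS)
        (quarantined if inert else live).append((path, m.group('threat')))
    return live, quarantined


if __name__ == '__main__':
    for dll in appinit_dlls(SAMPLE_REG):
        print('AppInit_DLLs loads:', dll)
    for action, entry in triage_hjt(SAMPLE_HJT):
        print(action.upper(), entry)
    live, quarantined = classify_kaspersky(SAMPLE_KAV)
    print(len(quarantined), 'hit(s) already quarantined;', len(live), 'live')
```

Run against the logs above, the AppInit_DLLs check lists eight modules, the HijackThis check marks exactly the two O9 entries and the O16 entry chosen in Step #1 as "fix" and the nwprovau.dll LSP as "review", and the Kaspersky check leaves only the MP3 as a live hit.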

QUESTION: Did Norton anti-virus find anything bad when you scanned your system after you had run the removal tool?
Answer: Ran it again and found nothing.

Step #1.

Opened HijackThis. Did a system scan only.
Closed my browser and all open windows, including this one. Checked the following entries and clicked on Fix Checked.

O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

Step #2.
Firewall Warning!

Installed ZoneAlarm. I have a lot of stuff trying to get into my computer, for example: "The firewall has blocked Internet access to your computer (UDP Port 9647) from 70.136.16.156 (UDP Port 39611)", at first 3 times in 30 min.

Step #3.

Outdated Java Warning!

Step #4.

Kaspersky Online Scan
It made me nervous because it found so much stuff.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 03:14:35
Records in database: 1978789
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 50301
Threat name: 11
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 01:35:59

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DAC0001.VBN Infected: Trojan.Win32.Monder.qgq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DAC0002\4DBE9DCD.VBN Infected: not-a-virus:FraudTool.Win32.MSAntivirus.cp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00000\4DFA2EDF.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.iyu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00001\4DFA32F6.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.iyu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00002\4DFA416D.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.iyu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00003\4DFA4D5E.VBN Infected: Trojan.Win32.Agent.agzn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD00004\4DFA5B2D.VBN Infected: Trojan.Win32.Agent.agzn 1
C:\Documents and Settings\User\My Documents\My Music\R and B\Deborah Cox\just be good to me deborah cox - high quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1

The selected area was scanned.

Logfile of random's system information tool 1.05 (written by random/random)
Run by User at 2009-03-28 08:16:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (41%) free of 57 GB
Total RAM: 2046 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:35 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\iCall\iCall.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/User/My%20Documents/My%20Pictures/images-1886.jpg

--
End of file - 6591 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-27 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-27 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-29 7401472]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"iCall Internet Phone"=C:\Program Files\iCall\iCall.exe [2008-12-18 1587576]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Disabled:AIM"
"C:\Program Files\iCall\iCall.exe"="C:\Program Files\iCall\iCall.exe:*:Disabled:iCall"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"c:\program files\relevantknowledge\rlvknlg.exe"="c:\program files\relevantknowledge\rlvknlg.exe:*:Disabled:rlvknlg.exe"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-27 22:38:30 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-27 22:38:30 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-27 22:38:30 ----A---- C:\WINDOWS\system32\java.exe
2009-03-27 21:09:39 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-03-27 21:09:37 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-03-27 21:09:37 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-03-27 21:09:31 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-03-27 21:09:30 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-03-27 21:09:30 ----D---- C:\Program Files\Zone Labs
2009-03-27 21:09:30 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-03-27 21:09:30 ----A---- C:\WINDOWS\system32\vsxml.dll
2009-03-27 21:09:30 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-03-27 21:09:29 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-03-27 21:08:06 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-03-27 21:08:06 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-03-27 21:08:06 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-03-27 21:08:01 ----D---- C:\WINDOWS\Internet Logs
2009-03-25 14:25:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-03-25 14:24:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-03-25 12:24:27 ----DC---- C:\_OTMoveIt
2009-03-25 12:13:20 ----AC---- C:\zyxqueryxyz.txt
2009-03-25 12:11:17 ----D---- C:\WINDOWS\ERDNT
2009-03-25 12:09:41 ----D---- C:\Program Files\ERUNT
2009-03-25 07:34:40 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-24 12:23:47 ----D---- C:\WINDOWS\Prefetch
2009-03-24 11:18:59 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-24 11:18:41 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-24 11:18:24 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-24 11:18:09 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-24 11:17:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-03-24 11:17:41 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-03-24 11:17:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-03-24 11:17:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-03-24 11:16:54 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-03-24 11:16:35 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-03-24 11:16:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-03-24 11:16:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-03-24 11:15:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-03-24 11:15:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-03-24 11:15:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-03-24 11:15:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-03-24 11:14:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-03-24 11:14:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-03-24 11:14:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-03-24 11:14:02 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-03-24 11:13:44 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-03-24 11:13:30 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-03-24 11:09:29 ----A---- C:\WINDOWS\setuplog.txt
2009-03-24 11:08:02 ----D---- C:\WINDOWS\system32\scripting
2009-03-24 11:08:01 ----D---- C:\WINDOWS\system32\en
2009-03-24 11:08:01 ----D---- C:\WINDOWS\l2schemas
2009-03-24 11:08:00 ----D---- C:\WINDOWS\system32\bits
2009-03-24 11:05:12 ----D---- C:\WINDOWS\ServicePackFiles
2009-03-24 11:02:40 ----D---- C:\WINDOWS\network diagnostic
2009-03-24 10:56:35 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-03-20 22:44:56 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-03-20 09:16:20 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-03-20 09:16:05 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-03-20 09:16:05 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-03-20 09:15:53 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2009-03-20 09:15:51 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slserv.exe
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slgen.dll
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-03-20 09:15:49 ----N---- C:\WINDOWS\slrundll.exe
2009-03-20 09:15:45 ----N---- C:\WINDOWS\system32\setupn.exe
2009-03-20 09:15:41 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-03-20 09:15:40 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-03-20 09:15:37 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-03-20 09:15:36 ----N---- C:\WINDOWS\system32\qutil.dll
2009-03-20 09:15:35 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-03-20 09:15:35 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-03-20 09:15:35 ----N---- C:\WINDOWS\system32\qagent.dll
2009-03-20 09:15:27 ----N---- C:\WINDOWS\system32\onex.dll
2009-03-20 09:15:16 ----N---- C:\WINDOWS\system32\napstat.exe
2009-03-20 09:15:15 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-03-20 09:15:15 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-03-20 09:15:15 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-03-20 09:15:14 ----N---- C:\WINDOWS\system32\msxml6r.dll
2009-03-20 09:15:14 ----N---- C:\WINDOWS\system32\msxml6.dll
2009-03-20 09:15:11 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-03-20 09:15:11 ----N---- C:\WINDOWS\system32\mssha.dll
2009-03-20 09:14:50 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-03-20 09:14:50 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-03-20 09:14:50 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-03-20 09:14:50 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-03-20 09:14:47 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-03-20 09:14:34 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-03-20 09:14:33 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-03-20 09:14:32 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-03-20 09:14:32 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-03-20 09:14:32 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-03-20 09:14:32 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-03-20 09:14:17 ----N---- C:\WINDOWS\system32\smtpapi.dll
2009-03-20 09:14:17 ----N---- C:\WINDOWS\system32\rwnh.dll
2009-03-20 09:14:12 ----N---- C:\WINDOWS\system32\comsdupd.exe
2009-03-20 09:14:06 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-03-20 09:13:59 ----A---- C:\WINDOWS\003231_.tmp
2009-03-20 09:13:58 ----N---- C:\WINDOWS\system32\faxpatch.exe
2009-03-20 09:13:55 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-03-20 09:13:55 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-03-20 09:13:55 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-03-20 09:13:55 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-03-20 09:13:55 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-03-20 09:13:54 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-03-20 09:13:54 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-03-20 09:13:54 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-03-20 09:13:50 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-03-20 09:13:48 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-03-20 09:13:48 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-03-20 09:13:48 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-03-20 09:13:44 ----N---- C:\WINDOWS\system32\credssp.dll
2009-03-20 09:13:35 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-03-20 09:13:34 ----N---- C:\WINDOWS\system32\azroles.dll
2009-03-20 09:13:33 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2009-03-20 09:13:33 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-03-20 09:13:32 ----N---- C:\WINDOWS\system32\ati3duag.dll
2009-03-20 09:13:32 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-03-20 09:13:31 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2009-03-20 09:13:31 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-03-20 09:13:31 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2009-03-20 09:13:22 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-03-18 23:37:51 ----D---- C:\Program Files\iCall
2009-03-18 09:43:12 ----DC---- C:\rsit
2009-03-18 09:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
2009-03-18 09:01:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-03-18 08:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB960225_0$
2009-03-18 08:56:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
2009-03-18 08:55:47 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-03-18 08:55:38 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-03-18 08:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
2009-03-18 08:54:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-18 08:54:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958687_0$
2009-03-18 08:54:24 ----HDC---- C:\WINDOWS\$NtUninstallKB967715_0$
2009-03-18 08:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-03-18 08:52:57 ----HDC---- C:\WINDOWS\$NtUninstallKB958690_0$
2009-03-18 08:52:41 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-18 08:51:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954600_0$
2009-03-18 08:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB958644_0$
2009-03-18 08:51:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$
2009-03-18 08:51:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956802_0$
2009-03-18 08:50:34 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-03-18 08:50:19 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-03-17 18:45:45 ----D---- C:\Program Files\Trend Micro
2009-03-17 18:28:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-17 16:07:24 ----D---- C:\WINDOWS\pss
2009-03-16 16:17:16 ----DC---- C:\819e8097f2b5d7445861
2009-03-15 17:05:55 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\User\Application Data\Ludia
2009-03-15 16:12:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Ludia
2009-03-15 16:06:49 ----DC---- C:\Documents and Settings\All Users\Application Data\Free Ride Games
2009-03-14 10:01:54 ----DC---- C:\Inetpub
2009-03-10 17:37:24 ----DC---- C:\Documents and Settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-10 16:37:51 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-10 16:36:50 ----D---- C:\Program Files\Common Files\Adobe
2009-03-10 16:06:52 ----DC---- C:\Documents and Settings\All Users\Application Data\NOS
2009-03-10 16:06:52 ----D---- C:\Program Files\NOS
2009-03-10 11:52:38 ----DC---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-03-10 11:52:29 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-05 23:14:05 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-03-05 23:14:01 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-03-05 23:13:55 ----D---- C:\Program Files\Virtools
2009-03-02 22:12:02 ----HDC---- C:\Documents and Settings\All Users\Application Data\~0

======List of files/folders modified in the last 1 months======

2009-03-28 07:59:26 ----D---- C:\Program Files\Mozilla Firefox
2009-03-28 00:23:57 ----D---- C:\Program Files\Symantec AntiVirus
2009-03-27 22:38:38 ----SHD---- C:\WINDOWS\Installer
2009-03-27 22:38:37 ----HDC---- C:\Config.Msi
2009-03-27 22:38:34 ----D---- C:\WINDOWS\Temp
2009-03-27 22:38:31 ----D---- C:\WINDOWS\system32
2009-03-27 22:38:09 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-27 22:38:03 ----D---- C:\Program Files\Java
2009-03-27 22:25:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 22:20:58 ----A---- C:\WINDOWS\system32\Rpcnetp.exe
2009-03-27 22:20:49 ----A---- C:\WINDOWS\system32\rpcnet.dll
2009-03-27 22:19:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-27 21:09:30 ----D---- C:\Program Files
2009-03-27 21:08:05 ----D---- C:\WINDOWS\WinSxS
2009-03-27 21:08:01 ----D---- C:\WINDOWS
2009-03-26 22:40:02 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-25 14:25:21 ----HD---- C:\WINDOWS\inf
2009-03-25 14:25:18 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-25 14:25:07 ----A---- C:\WINDOWS\imsins.BAK
2009-03-25 07:35:27 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-24 12:25:04 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-03-24 12:23:04 ----D---- C:\WINDOWS\system32\Setup
2009-03-24 12:23:04 ----D---- C:\WINDOWS\AppPatch
2009-03-24 12:23:01 ----D---- C:\WINDOWS\system32\wbem
2009-03-24 12:22:58 ----RSD---- C:\WINDOWS\Fonts
2009-03-24 12:22:40 ----D---- C:\WINDOWS\system32\drivers
2009-03-24 12:21:54 ----D---- C:\WINDOWS\security
2009-03-24 11:19:05 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-24 11:13:45 ----D---- C:\Program Files\Messenger
2009-03-24 11:08:17 ----D---- C:\WINDOWS\system32\inetsrv
2009-03-24 11:08:16 ----D---- C:\WINDOWS\ime
2009-03-24 11:08:16 ----D---- C:\WINDOWS\Help
2009-03-24 11:08:03 ----D---- C:\WINDOWS\system32\en-US
2009-03-24 11:08:02 ----D---- C:\WINDOWS\system32\usmt
2009-03-24 11:08:00 ----D---- C:\WINDOWS\PeerNet
2009-03-24 11:08:00 ----D---- C:\Program Files\Movie Maker
2009-03-24 11:04:57 ----D---- C:\WINDOWS\system32\Restore
2009-03-24 11:04:57 ----D---- C:\WINDOWS\system32\npp
2009-03-24 11:04:57 ----D---- C:\WINDOWS\mui
2009-03-24 11:04:55 ----D---- C:\WINDOWS\msagent
2009-03-24 11:04:54 ----D---- C:\WINDOWS\srchasst
2009-03-24 11:04:53 ----D---- C:\Program Files\NetMeeting
2009-03-24 11:04:51 ----D---- C:\WINDOWS\system32\Com
2009-03-24 11:04:49 ----D---- C:\Program Files\Windows Media Player
2009-03-24 11:04:48 ----D---- C:\Program Files\Windows NT
2009-03-24 11:04:48 ----D---- C:\Program Files\Outlook Express
2009-03-24 11:04:45 ----D---- C:\Program Files\Common Files\System
2009-03-24 11:04:23 ----D---- C:\WINDOWS\system32\oobe
2009-03-24 11:04:20 ----D---- C:\WINDOWS\system
2009-03-24 10:56:32 ----D---- C:\WINDOWS\ehome
2009-03-18 23:06:28 ----A---- C:\WINDOWS\system32\rpcnetp.dll
2009-03-18 23:04:42 ----SHC---- C:\boot.ini
2009-03-18 23:04:42 ----A---- C:\WINDOWS\win.ini
2009-03-18 23:04:42 ----A---- C:\WINDOWS\system.ini
2009-03-18 08:58:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-18 08:52:27 ----D---- C:\Program Files\Internet Explorer
2009-03-17 20:32:10 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2009-03-16 11:29:40 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-15 17:05:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-03-15 16:38:06 ----A---- C:\WINDOWS\system32\rpcnet.exe
2009-03-15 16:33:28 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-15 10:01:47 ----DC---- C:\DELL
2009-03-15 09:00:01 ----D---- C:\Program Files\Incomplete
2009-03-15 08:42:28 ----D---- C:\Program Files\Common Files
2009-03-14 10:02:26 ----D---- C:\WINDOWS\Cursors
2009-03-13 16:27:58 ----DC---- C:\Documents and Settings\User\Application Data\FrostWire
2009-03-11 16:11:37 ----SDC---- C:\Documents and Settings\User\Application Data\Microsoft
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\User\Application Data\Adobe
2009-03-10 16:37:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-09 21:29:35 ----RSD---- C:\WINDOWS\assembly
2009-03-09 21:15:35 ----DC---- C:\Documents and Settings\All Users\Application Data\DriverScanner
2009-03-06 22:58:29 ----DC---- C:\Documents and Settings\User\Application Data\Move Networks
2009-03-05 23:14:08 ----D---- C:\WINDOWS\system32\DirectX
2009-03-02 09:26:08 ----D---- C:\WINDOWS\system32\NtmsData
2009-03-01 12:42:25 ----SHD---- C:\System Volume Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2006-10-29 156160]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090327.005\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090327.005\navex15.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-29 3595296]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-13 163584]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-02-12 24720]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2006-10-29 28672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2006-10-29 1428480]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS\system32\drivers\npf.sys [2008-02-13 42512]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-27 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-29 143428]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-03-15 47104]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
My problems stopped before my first post but I wanted to make sure they were gone and didn't come back.
Thank you~motherof4
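
The posted log above is RSIT's plain-text listing: one line per file or folder in the "created/modified" sections (timestamp, an attribute field such as `----HDC----`, then the path) and one line per driver or service (state and start type, `name;description;`, image path, then `[date size]`, which is empty when the tool recorded no file details). The following parser and triage rules are an added example written for this thread, not RSIT's code or anything the helper ran; the sample log is constructed from the formats seen in the posted log, and the lines naming `exampledrop.dll` and `ExampleSvc` are invented entries so that each rule has something to report. It separates the bursts of binaries that an update or installer drops within a few minutes from a lone binary appearing on its own, lists drivers and services with no recorded date/size so they can be checked by hand, and lists running services whose image sits outside the Windows and Program Files trees.

```python
"""Triage helper for RSIT-style log listings (added example, not part of the thread).

Assumed line formats, taken from the posted log:
  <YYYY-MM-DD HH:MM:SS> ----<attrs>---- <path>                       (files/folders sections)
  <R|S><0-4> <name>;<description>; <image path> [<date> <size>]      (drivers/services sections)
"""
import re
from datetime import datetime, timedelta

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$")
SVC_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[(.*)\]$")
SECTION_RE = re.compile(r"^=+(.+?)=+$")

BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Image paths where OS and vendor code is expected to live; anything else gets a second look.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample modelled on the posted log. The exampledrop.dll line and the
# ExampleSvc line are invented so that every triage rule below has a hit.
SAMPLE = r"""
======List of files/folders created in the last 1 months======

2009-03-20 09:15:53 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2009-03-20 09:15:49 ----N---- C:\WINDOWS\system32\slserv.exe
2009-03-20 09:13:44 ----N---- C:\WINDOWS\system32\credssp.dll
2009-03-18 23:37:51 ----D---- C:\Program Files\iCall
2009-03-12 02:11:07 ----A---- C:\WINDOWS\system32\exampledrop.dll
2009-03-05 23:14:05 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-03-05 23:14:01 ----A---- C:\WINDOWS\system32\d3dx9_31.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-29 143428]
R2 ExampleSvc;Example Service (constructed); C:\Documents and Settings\User\Application Data\example\exsvc.exe [2009-03-12 20480]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
"""


def parse(text):
    """Split the log into file entries and driver/service entries.

    files   -> list of (section, timestamp, attrs, path)
    entries -> list of (section, state, start_type, name, description, image, meta)
    """
    files, entries, section = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = FILE_RE.match(line)
        if m and "List of files" in section:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            files.append((section, ts, m.group(2), m.group(3)))
            continue
        m = SVC_RE.match(line)
        if m and ("drivers" in section or "services" in section):
            entries.append((section,) + m.groups())
    return files, entries


def isolated_binaries(files, window=timedelta(minutes=5)):
    """Binaries created with no other binary within `window` on either side.

    An update or installer drops many files within minutes (the 09:13-09:16 burst
    in the posted log); a single executable appearing alone is what a helper
    would ask the poster about.
    """
    created = sorted((ts, path) for sec, ts, attrs, path in files
                     if "created" in sec and path.lower().endswith(BINARY_EXT))
    lone = []
    for i, (ts, path) in enumerate(created):
        prev_close = i > 0 and ts - created[i - 1][0] <= window
        next_close = i + 1 < len(created) and created[i + 1][0] - ts <= window
        if not (prev_close or next_close):
            lone.append((ts, path))
    return lone


def unverified_entries(entries):
    """Drivers/services whose bracket field is empty: no date/size was recorded,
    so the image should be located and checked by hand."""
    return [(name, image) for sec, st, start, name, desc, image, meta in entries
            if not meta.strip()]


def unusual_image_paths(entries):
    """Running drivers/services whose image is outside the Windows/Program Files trees."""
    flagged = []
    for sec, state, start, name, desc, image, meta in entries:
        p = image.lower()
        if p.startswith("\\??\\"):          # NT object-manager prefix used for some drivers
            p = p[4:]
        if state == "R" and not p.startswith(EXPECTED_ROOTS):
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    files, entries = parse(SAMPLE)
    for ts, path in isolated_binaries(files):
        print("lone binary :", ts, path)
    for name, image in unverified_entries(entries):
        print("no metadata :", name, image)
    for name, image in unusual_image_paths(entries):
        print("odd location:", name, image)
```

The rules only narrow the list of lines worth looking at; a hit is a prompt to identify the file (vendor, signature, date) before deciding anything, and a clean result does not prove the machine is clean.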

Hello motherof4,

Your logs are clean except for a few files that we need to take care of.

Installed Zonealarm. I have a lot of stuff trying to get into my computer example: The firewall has blocked internet access to your computer(UDP Port 9647) from 70.136.16.156(udp Port 39611) at first 3 times in 30 min

I did a whois on that IP and it came back to AT&T Internet Services.
You may have to grant permission to it.

Kaspersky Online Scan
It made me nervous because it found so much stuff

One was in the C:\_OTMoveIt\MovedFiles <-- this one will go when we delete OTMoveIt3

And for the ones that are already quarantined, You need to empty the quarantine vault of your Norton Anti-Virus Program.
And most of those files will be gone from your computer.
So, Please empty the vault NOW.

Then...

Use Windows Explorer to find and Delete the following Files/Folders (IF PRESENT):

C:\Documents and Settings\User\My Documents\My Music\R and B\Deborah Cox\just be good to me deborah cox - high quality.mp3

As an example:
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

Reboot when done.

If you have done all of the above, Your Computer should be Clean of Malware.
CONGRATULATIONS.

OK, motherof4, I need you to follow my next recommendations:

If you are using Windows XP or earlier:
• Go to Start -> My Computer (Or click the My Computer icon on your desktop)
• Go to the Tools Menu -> Folder Options.
• Select the "View" tab.
• Where you see , click the radio button.
• Check "Hide extensions for known file types"
• Check "Hide protected operating system files"
• Click Ok.
• Exit/Close My Computer.
Cleanup using OTMoveit3 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

If you don't plan to use Kaspersky again, then uninstall it through Add/Remove Programs.

You can also at this time delete the files/folders of the tools we used. To assist with some of that run OTMoveIt3. This will help by automatically removing some of the tools we used.

Double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator").
(When you do this a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.)
After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step, resetting Restore.

You may delete RSIT and any logs that any of the tools produced. Please delete RSIT.exe and the RSIT folder (C:\RSIT). I recommend keeping ATF and ERUNT, and using Malwarebytes' Anti-Malware to scan your computer regularly.

Now to get you off to a good start we will clean your system restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE
You now have a clean restore point, to get rid of the bad ones:
• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
• In the Drop down box that appears select your main drive e.g. C
• Click OK
• The System will do some calculation and then display a dialogue box with TABS
• Select the More Options Tab.
• At the bottom will be a system restore box with a CLEANUP button; click this
• Accept the Warning and select OK again, the program will close and you are done

Ok, motherof4, I'm not skilled at mincing words, but I believe that by now you have already figured out how you got infected {using P2P (file sharing programs)}. So, especially for you, I will use the long version of my "All Clean Canned Speech".

Please take the time to read below to secure your machine and take the necessary steps to keep it Clean.
• Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

• Install and use a firewall with outbound protection
The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

• Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

• Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

• Make Internet Explorer More Secure
Recommended Programs

To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:

• WinPatrol

This is a utility that can be downloaded and installed from: HERE

• Good temp file cleaner that could do the job safely and without removing files that are crucial to windows.

• SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

• Malwarebytes' Anti-Malware or SuperAntiSpyware
These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

• Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:

Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK

• Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
Firefox
Opera
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
• Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
• Backup regularly.
You never know when your PC will become unstable or get so badly infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.
Alternatively, you can use 3rd-party programs to back up your data. It can be found at Bleeping Computer.

• Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
• If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
• If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
• If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
• If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
• Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

• Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
• When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
• Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
• Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.
• DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Happy Surfing again!

Stay clean and be safe

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Net_Surfer

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.

Thank you for the help! I have been without a computer for a while. I did everything, but I did have a problem installing that Hosts file. I disabled the service "DNS Client" FIRST, but then what?

