
Virtumonde is killing me!


  • This topic is locked
20 replies to this topic

#1 SpaceDoll

SpaceDoll

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 19 May 2009 - 08:30 PM

DDS (Ver_09-05-14.01) - NTFSx86
Run by SpaceDoll at 20:27:21.95 on Tue 05/19/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3263.2403 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe "C:\Windows\system32\appenda.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\SpaceDoll\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?shva=1#
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {D7ABB7BD-C32F-4E89-82B7-111B805CB0E0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Dictionary.com Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\spaced~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.233,85.255.112.19
TCP: {05AB773F-D89A-431D-BB6C-172B3AAB116A} = 85.255.112.233,85.255.112.19
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
STS: {A6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnkLCrr

================= FIREFOX ===================

FF - ProfilePath - c:\users\spaced~1\appdata\roaming\mozilla\firefox\profiles\0vovvyd3.spacedoll\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg2.mail.yahoo.com/dc/launch?action=welcome&YY=1298549909&.rand=1jmkiel2t50b9|http://myeclassonline.com/
FF - component: c:\program files\myspace\toolbar\1.0.32.5\components\MySpaceFFoxTB.dll
FF - component: c:\users\spacedoll\appdata\roaming\mozilla\firefox\profiles\0vovvyd3.spacedoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-19 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S2 lltdsvclltdsvc;Link-Layer Topology Discovery Mapper lltdsvclltdsvc;c:\windows\system32\appenda.exe srv --> c:\windows\system32\appenda.exe srv [?]
S2 msupdate;Microsoft security update service;c:\windows\system32\mssrv32.exe [2009-5-19 23040]

=============== Created Last 30 ================

2009-05-19 19:34 <DIR> --d-h--- c:\windows\PIF
2009-05-19 19:16 <DIR> --d----- C:\VundoFix Backups
2009-05-19 19:13 <DIR> --d----- c:\programdata\Malwarebytes
2009-05-19 19:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 19:13 <DIR> --d----- c:\progra~2\Malwarebytes
2009-05-19 19:00 <DIR> --d----- c:\program files\Windows Live Safety CenterRebootActions
2009-05-19 18:40 393 a------- c:\windows\st_1242776466.exe
2009-05-19 18:40 392 a------- c:\windows\st_1242794893.exe
2009-05-19 18:33 853 a--sh--- c:\windows\system32\rrCLknnn.ini2
2009-05-19 18:33 853 a--sh--- c:\windows\system32\rrCLknnn.ini
2009-05-19 18:22 393 a------- c:\windows\st_1242775384.exe
2009-05-19 18:22 392 a------- c:\windows\st_1242793811.exe
2009-05-19 18:06 393 a------- c:\windows\st_1242774432.exe
2009-05-19 18:06 392 a------- c:\windows\st_1242792862.exe
2009-05-19 17:14 182,856,085 a------- c:\windows\MEMORY.DMP
2009-05-19 17:13 97 a------- c:\windows\system32\mcrh.tmp
2009-05-19 17:12 758 a--sh--- c:\windows\system32\VCfMnnmp.ini
2009-05-19 17:12 372 a--sh--- c:\windows\system32\VCfMnnmp.ini2
2009-05-19 17:12 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-19 16:58 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-19 16:40 <DIR> --d----- c:\program files\CCleaner
2009-05-19 16:38 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-19 16:38 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 16:38 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 16:38 <DIR> --d----- c:\programdata\Lavasoft
2009-05-19 16:38 <DIR> --d----- c:\program files\Lavasoft
2009-05-19 15:10 16,384 a--sh--- c:\windows\system32\apdsu.dll
2009-05-19 15:10 330,240 a--sh--- c:\windows\system32\AERTACaph.dll
2009-05-19 15:09 <DIR> --d----- c:\windows\system32\796525
2009-05-19 15:08 40,449 a------- c:\users\spacedoll\reader_s.exe
2009-05-19 15:08 134 a--s---- c:\windows\system32\2430396404.dat
2009-05-19 15:08 36,864 ---shr-- c:\windows\system32\appenda.exe
2009-05-19 15:08 23,040 a------- c:\windows\system32\mssrv32.exe
2009-05-13 02:01 29,272 a----r-- c:\windows\system32\AdobePDF.dll
2009-05-03 21:48 <DIR> --d----- c:\users\spacedoll\Tracing
2009-05-03 21:48 <DIR> --d----- c:\program files\Microsoft
2009-05-03 21:47 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-05-03 21:45 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-26 23:07 <DIR> --d-h--- c:\programdata\CanonBJ
2009-04-26 23:02 <DIR> --d----- c:\program files\Canon
2009-04-23 20:50 <DIR> --d----- c:\program files\AskBarDis
2009-04-23 01:47 198,656 a------- c:\windows\system32\CNMLM83.DLL

==================== Find3M ====================

2009-04-26 23:07 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-26 23:07 51,200 a------- c:\windows\inf\infpub.dat
2009-04-26 23:07 86,016 a------- c:\windows\inf\infstor.dat
2009-03-24 03:18 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-19 05:46 701 a------- c:\windows\fonts\woor__.pfm
2009-03-19 05:46 701 a------- c:\windows\fonts\woor2_.pfm
2009-03-19 05:37 1,123 a------- c:\windows\fonts\TFI____.PFM
2009-03-19 05:37 1,134 a------- c:\windows\fonts\TFHI___.PFM
2009-03-19 05:37 1,116 a------- c:\windows\fonts\TFH____.PFM
2009-03-19 05:37 1,100 a------- c:\windows\fonts\TF_____.PFM
2009-03-19 05:35 1,158 a------- c:\windows\fonts\SUMI___.PFM
2009-03-19 05:35 1,152 a------- c:\windows\fonts\SUM____.PFM
2009-03-19 05:35 1,058 a------- c:\windows\fonts\SULI___.PFM
2009-03-19 05:35 1,044 a------- c:\windows\fonts\SUL____.PFM
2009-03-19 05:35 1,037 a------- c:\windows\fonts\SUDI___.PFM
2009-03-19 05:35 1,055 a------- c:\windows\fonts\SUD____.PFM
2009-03-19 05:34 1,156 a------- c:\windows\fonts\SUBI___.PFM
2009-03-19 05:34 1,150 a------- c:\windows\fonts\SUB____.PFM
2009-03-19 05:30 1,252 a------- c:\windows\fonts\gdttl_.pfm
2009-03-19 04:53 696 a------- c:\windows\fonts\ChaucerianInitials.pfm
2009-03-17 03:03 632 a------- c:\windows\fonts\MasterpieceInitials.pfm
2009-03-17 03:00 1,124 a------- c:\windows\fonts\KRRG___.PFM
2009-03-17 03:00 1,143 a------- c:\windows\fonts\KRKB___.PFM
2009-03-17 03:00 1,129 a------- c:\windows\fonts\KRB____.PFM
2009-03-16 22:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 22:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 22:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-02 23:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 23:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 23:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 23:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 23:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 23:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 23:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 23:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 23:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 23:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 22:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 21:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 21:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-01 21:00 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-02-27 16:24 665,600 a------- c:\windows\inf\drvindex.dat
2009-02-27 16:15 4,152,184 a------- c:\windows\system32\wgaer_m.exe
2009-02-27 15:44 319,456 a------- c:\windows\DIFxAPI.dll
2008-01-20 21:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-09 18:35 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:28:07.23 ===============

Attached Files
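As an added, defender-side example that is not part of this thread and not code from DDS, ComboFix or BleepingComputer: a small Python checker that reads the "Pseudo HJT Report" lines of a DDS log like the one above and flags the indicators a malware responder picks out by eye. The sample input is constructed from lines in the log above (the extra Userinit entry sdra64.exe, the two 85.255.112.x nameservers, the extra LSA authentication package, and the DisableRegistryTools / EnableLUA policy values); the defaults it compares against (Userinit = userinit.exe alone, Authentication Packages = msv1_0) are Windows defaults. Treating any resolver that is not a private or loopback address as a finding is the example's own assumption, not a rule stated on the page; a real deployment would add the ISP's or the organisation's resolvers to the trusted list.

```python
import ipaddress
import re

# Constructed sample: "Pseudo HJT Report" lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TCP: NameServer = 85.255.112.233,85.255.112.19
TCP: {05AB773F-D89A-431D-BB6C-172B3AAB116A} = 85.255.112.233,85.255.112.19
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnkLCrr
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
"""

# Windows defaults: Userinit is only userinit.exe, and the only LSA
# authentication package is msv1_0. Anything else is worth a look.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_LSA_PACKAGES = {"msv1_0"}

# Policy values that disable the user's own tools or UAC (key names lowercased).
POLICY_WATCH = {
    ("upolicies-system", "disableregistrytools"): "1",
    ("upolicies-explorer", "nofolderoptions"): "1",
    ("mpolicies-system", "enablelua"): "0",
}


def check_userinit(value):
    """Return every Userinit entry that is not the default userinit.exe."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in parts if p != EXPECTED_USERINIT]


def check_nameservers(value, trusted=()):
    """Return resolvers that are neither private, loopback nor explicitly trusted.
    (Assumption of this example: a home PC normally points at its router/ISP.)"""
    findings = []
    for token in value.split(","):
        token = token.strip()
        if not token or token in trusted:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            findings.append(token)  # not an IP at all: report it as-is
            continue
        if not (ip.is_private or ip.is_loopback):
            findings.append(token)
    return findings


def check_lsa(value):
    """Return LSA authentication packages beyond the default msv1_0."""
    return [p for p in value.split() if p.lower() not in EXPECTED_LSA_PACKAGES]


def scan(text, trusted_nameservers=()):
    """Walk a DDS Pseudo HJT Report and return a de-duplicated list of
    (finding_type, detail) tuples."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"mWinlogon:\s*Userinit=(.*)$", line, re.I)
        if m:
            for extra in check_userinit(m.group(1)):
                add("userinit_extra", extra)
            continue
        m = re.match(r"TCP:\s*(NameServer|\{[0-9A-F-]+\})\s*=\s*(.*)$", line, re.I)
        if m:
            for ns in check_nameservers(m.group(2), trusted_nameservers):
                add("public_nameserver", ns)
            continue
        m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.*)$", line, re.I)
        if m:
            for pkg in check_lsa(m.group(1)):
                add("lsa_extra_package", pkg)
            continue
        m = re.match(r"([um]Policies-\w+):\s*(\w+)\s*=\s*(\d+)", line, re.I)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            if POLICY_WATCH.get(key) == m.group(3):
                add("restrictive_policy", f"{m.group(1)}\\{m.group(2)}={m.group(3)}")
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

Run against the sample it reports the sdra64.exe Userinit entry, both 85.255.112.x resolvers, the nnnkLCrr LSA package and the two policy values; the ComboFix log later in this thread lists sdra64.exe among its deletions, which is the kind of confirmation a finding like this should be matched against.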




#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:56 PM

Posted 21 May 2009 - 08:58 PM

Hello SpaceDoll,

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. :thumbup2:
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.


BTW, you have two registry protectors on this computer: Ad-Watch and Windows Defender. You need to be running only one registry protector as two will slow your computer.
I recommend you disable one of them.

To Disable Ad-Watch

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Edited by SifuMike, 21 May 2009 - 10:34 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SpaceDoll

SpaceDoll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 21 May 2009 - 10:10 PM

I know, I know, I am very bad!

Generally, I am very careful about this sort of thing and the anti-virus programs I've used on other systems have slowed them down so much that they interfered with my on-line schooling and other apps. When I built this system recently, I just neglected to find a better one, so had none. Then I got over-excited installing a new game I had just downloaded, and didn't go through my usual checks. Of course, there are no excuses!

I had just installed Ad-Aware, and didn't realize that Ad-Watch came with the newest free version; it is now disabled. I have installed the anti-virus you recommended, but the virus won't let me run it. It comes up with a "...avcenter.exe not found" error, though the file is there; in fact, that's what I'm clicking on. Some other notes I've made trying to solve this myself:
can't run malwarebytes anti-malware
can't run spybot s & d
can't update ad-aware (which now has the virtumonde uninstaller rolled in)
can't open control panel
printer not responding (related?)
VBG finds nothing wrong
many links redirected, both search links and major product sites (in fact, I was surprised I could download Avira at all!)

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:56 PM

Posted 21 May 2009 - 10:25 PM

I've used on other systems have slowed them down so much that they interfered with my on-line schooling and other apps.



So you broke your computer because you thought it would run faster without an antivirus? :thumbup2:

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



can't run malwarebytes anti-malware


If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, and double click newtool.exe to proceed in running a quick scan.

If you can't update MBAM, manually download the database installer from http://malwarebytes.gt500.org/mbam-rules.exe
See also: http://malwarebytes.gt500.org/database.jsp

Edited by SifuMike, 21 May 2009 - 10:29 PM.


#5 SpaceDoll

SpaceDoll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 21 May 2009 - 10:35 PM

Don't I know it! In fact, I am basically in charge of my family's and friends' computers, from building to security, and I would never ever let them do anything so foolish. I suppose I am learning my lesson the hard way! :thumbup2:

I was wrong, MBAM was installed, just wouldn't run. Renaming the .exe and then trying to run it results in a '0' and a '440' runtime error.

Here are the results of the Security Check:

Results of screen317's Security Check version 0.98.3
Windows Vista Service Pack 1
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
WindowsLiveOneCaresafetyscanner
WindowsLiveOneCaresafetyscanner
AviraAntiVirPersonal-FreeAntivirus
ECHO is off.
Error obtaining update status for antivirus!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Spybot - Search & Destroy
CCleaner (remove only)
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 8 seconds.
`````````End of Log```````````

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:56 PM

Posted 21 May 2009 - 10:57 PM

Hi SpaceDoll,


Since you are very heavily infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


To disable Avira Antivirus:
Please navigate to the system tray in the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#7 SpaceDoll

SpaceDoll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 21 May 2009 - 11:06 PM

ARRGH!

I've downloaded ComboFix, but when I try to run it, I get a "ComboFix.exe has stopped working" error message.

ETA: when I try again, there is no response at all.

Edited by SpaceDoll, 21 May 2009 - 11:07 PM.


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:56 PM

Posted 21 May 2009 - 11:41 PM

Hi Spacedoll,


We will try it a different way.

Delete the version of ComboFix you have on the desktop.


You need to disable your Avira AntiVir Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


To disable Avira Antivirus:
Please navigate to the system tray in the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#9 SpaceDoll

SpaceDoll
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 22 May 2009 - 12:01 AM

It looks like Avira re-enabled after the second reboot. Actually, because it never ran or anything because of the virus, I couldn't technically disable it, but it started while ComboFix was preparing the log. I hope that wasn't a problem.


ComboFix 09-05-21.01 - SpaceDoll 05/21/2009 23:48.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3263.2383 [GMT -5:00]
Running from: c:\users\SpaceDoll\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\SpaceDoll\reader_s.exe
c:\windows\st_1242774432.exe
c:\windows\st_1242775384.exe
c:\windows\st_1242776466.exe
c:\windows\st_1242792862.exe
c:\windows\st_1242793811.exe
c:\windows\st_1242794893.exe
c:\windows\system32\drivers\gxvxcpwpiemcrymsqytnidqibqcprucpshiet.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcitlrkbnsktxtsuxvsovmfbytuwtriaeg.dll
c:\windows\system32\gxvxcqixltvtavboybvxbebvvahuiunaaxnxm.dll
c:\windows\system32\lowsec
c:\windows\system32\mcrh.tmp
c:\windows\system32\mssrv32.exe
c:\windows\System32\rrCLknnn.ini
c:\windows\System32\rrCLknnn.ini2
c:\windows\system32\sdra64.exe
c:\windows\system32\VCfMnnmp.ini
c:\windows\system32\VCfMnnmp.ini2

----- BITS: Possible infected sites -----

hxxp://wrightcount.com
hxxp://xuri.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 03:01 . 2009-03-30 15:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-22 03:01 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-22 03:01 . 2009-05-22 03:01 -------- d-----w c:\programdata\Avira
2009-05-22 03:01 . 2009-05-22 03:01 -------- d-----w c:\program files\Avira
2009-05-20 11:58 . 2009-05-22 03:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 11:58 . 2009-05-20 11:58 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-20 01:43 . 2009-05-20 01:43 10134 ----a-r c:\users\SpaceDoll\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-20 01:43 . 2009-05-20 01:43 -------- d-----w c:\program files\Microsoft WSE
2009-05-20 01:43 . 2006-09-28 21:05 2414360 ----a-w c:\windows\system32\d3dx9_31.dll
2009-05-20 01:38 . 2009-05-20 01:38 -------- d-----w c:\program files\Electronic Arts
2009-05-20 00:34 . 2009-05-20 00:34 -------- d--h--w c:\windows\PIF
2009-05-20 00:16 . 2009-05-20 00:16 -------- d-----w C:\VundoFix Backups
2009-05-20 00:13 . 2009-05-22 03:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 00:13 . 2009-05-20 00:13 -------- d-----w c:\programdata\Malwarebytes
2009-05-20 00:00 . 2009-05-20 00:06 -------- d-----w c:\program files\Windows Live Safety CenterRebootActions
2009-05-19 23:55 . 2009-05-19 23:57 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-19 22:12 . 2009-05-22 04:48 -------- d-sh--w c:\windows\system32\lowsec
2009-05-19 21:58 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-19 21:40 . 2009-05-19 21:40 -------- d-----w c:\program files\CCleaner
2009-05-19 21:38 . 2009-05-19 21:38 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-19 21:38 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-19 21:38 . 2009-05-19 21:38 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 21:38 . 2009-03-12 08:17 2902048 -c--a-w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-19 21:38 . 2009-05-19 21:38 -------- d-----w c:\programdata\Lavasoft
2009-05-19 21:38 . 2009-05-19 21:38 -------- d-----w c:\program files\Lavasoft
2009-05-19 20:10 . 2009-05-19 20:10 16384 --sha-w c:\windows\system32\apdsu.dll
2009-05-19 20:10 . 2009-05-19 20:10 330240 --sha-w c:\windows\system32\AERTACaph.dll
2009-05-19 20:09 . 2009-05-19 22:20 -------- d-----w c:\windows\system32\796525
2009-05-19 20:08 . 2009-05-19 21:27 134 --s-a-w c:\windows\system32\2430396404.dat
2009-05-19 20:08 . 2009-05-19 20:08 36864 --sh--r c:\windows\system32\appenda.exe
2009-05-18 17:30 . 2009-04-14 00:39 4656976 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{70CAF3E5-9445-426F-8B52-24C0D4EC6CC2}\mpengine.dll
2009-05-13 07:01 . 2007-03-23 10:05 29272 ----a-r c:\windows\system32\AdobePDF.dll
2009-05-09 01:17 . 2009-05-09 01:17 -------- d-----w c:\users\SpaceDoll\AppData\Local\Apps
2009-05-04 02:48 . 2009-05-04 21:19 -------- d-----w c:\users\SpaceDoll\Tracing
2009-05-04 02:48 . 2009-05-04 02:48 -------- d-----w c:\program files\Microsoft
2009-05-04 02:47 . 2009-05-04 02:47 -------- d-----w c:\program files\Windows Live SkyDrive
2009-05-04 02:47 . 2009-05-04 02:47 -------- d-----w c:\program files\Windows Live
2009-05-04 02:45 . 2009-05-04 02:45 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-01 00:54 . 2009-05-01 00:54 1893936 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.5.exe
2009-04-27 04:17 . 2009-04-27 04:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Canon
2009-04-27 04:07 . 2009-04-27 04:07 -------- d--h--w c:\programdata\CanonBJ
2009-04-27 04:07 . 2009-04-27 04:07 -------- d--h--w c:\windows\system32\CanonIJ Uninstaller Information
2009-04-27 04:06 . 2009-04-27 04:06 -------- d--h--w c:\program files\CanonBJ
2009-04-27 04:02 . 2009-04-27 04:17 -------- d-----w c:\program files\Canon
2009-04-24 01:50 . 2009-04-24 01:50 -------- d-----w c:\program files\AskBarDis
2009-04-23 06:47 . 2008-04-03 01:00 198656 ----a-w c:\windows\system32\CNMLM83.DLL
2009-04-23 02:18 . 2009-04-23 02:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DivX
2009-04-22 06:47 . 2009-04-22 06:47 34062 ----a-w c:\users\SpaceDoll\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
2009-04-22 06:47 . 2009-04-22 06:47 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 22:53 . 2009-02-27 23:00 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\BitTorrent
2009-05-20 01:38 . 2009-02-27 20:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-19 20:08 . 2009-02-27 23:00 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DNA
2009-05-17 19:03 . 2009-02-27 23:00 -------- d-----w c:\program files\DNA
2009-05-13 08:01 . 2009-02-27 23:05 -------- d-----w c:\programdata\Microsoft Help
2009-05-13 08:00 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-03 03:14 . 2009-03-01 01:07 -------- d-----w c:\programdata\FLEXnet
2009-04-23 03:29 . 2009-03-24 22:28 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DVD Flick
2009-04-15 17:06 . 2009-04-15 16:41 -------- d-----w c:\users\Guest\AppData\Roaming\ImgBurn
2009-04-15 16:44 . 2009-04-15 15:03 -------- d-----w c:\users\Guest\AppData\Roaming\BitTorrent
2009-04-09 17:56 . 2009-04-09 17:56 -------- d-----w c:\program files\Games
2009-04-07 17:42 . 2009-04-07 17:42 -------- d-----w c:\program files\The Adventure Company
2009-04-07 17:40 . 2009-04-07 17:29 -------- d-----w c:\program files\Syberia
2009-04-07 17:38 . 2009-04-07 17:38 -------- d-----w c:\program files\Microids
2009-04-07 17:31 . 2009-04-07 17:31 -------- d-----w c:\program files\directx
2009-04-07 17:29 . 2009-02-27 20:44 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-06 20:26 . 2009-04-06 20:26 1892856 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.0.exe
2009-04-06 06:19 . 2009-04-02 17:18 -------- d-----w c:\program files\Common Files\logishrd
2009-04-06 06:18 . 2009-04-06 06:18 -------- d-----w c:\program files\Logitech
2009-04-06 06:18 . 2009-04-02 17:25 -------- d-----w c:\programdata\Logishrd
2009-04-03 18:15 . 2009-04-03 18:15 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-02 17:26 . 2009-04-02 17:26 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Leadertech
2009-04-02 17:25 . 2009-04-02 17:25 -------- d-----w c:\programdata\Logitech
2009-03-29 09:34 . 2009-03-29 09:33 -------- d-----w c:\users\Guest\AppData\Roaming\MySpace
2009-03-29 09:33 . 2009-03-08 01:24 180272 ----a-w c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-29 05:44 . 2009-02-28 08:18 180272 ----a-w c:\users\SpaceDoll\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-29 05:00 . 2009-03-29 05:00 -------- d-----w c:\program files\ffdshow
2009-03-29 02:46 . 2009-03-26 09:41 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\MySpace
2009-03-29 02:46 . 2009-03-26 09:41 -------- d-----w c:\program files\MySpace
2009-03-29 02:46 . 2009-03-29 02:46 7040776 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe
2009-03-28 18:45 . 2009-03-24 23:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\ImgBurn
2009-03-25 14:11 . 2009-03-31 19:23 51200 ----a-w c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
2009-03-25 14:11 . 2009-03-31 19:23 114688 ----a-w c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\npmozax.dll
2009-03-24 22:27 . 2009-03-24 22:27 -------- d-----w c:\program files\DVD Flick
2009-03-24 22:25 . 2009-03-24 22:25 -------- d-----w c:\program files\ImgBurn
2009-03-24 22:17 . 2009-03-06 09:31 -------- d-----w c:\program files\Java
2009-03-24 08:18 . 2009-03-24 08:18 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-23 10:02 . 2009-03-23 10:02 -------- d-----w c:\program files\DivX
2009-03-23 10:02 . 2009-03-23 10:02 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-19 10:46 . 2009-03-29 05:33 701 ----a-w c:\windows\Fonts\woor__.pfm
2009-03-19 10:46 . 2009-03-29 05:33 701 ----a-w c:\windows\Fonts\woor2_.pfm
2009-03-19 10:37 . 2009-03-29 05:40 1123 ----a-w c:\windows\Fonts\TFI____.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1134 ----a-w c:\windows\Fonts\TFHI___.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1116 ----a-w c:\windows\Fonts\TFH____.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1100 ----a-w c:\windows\Fonts\TF_____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1158 ----a-w c:\windows\Fonts\SUMI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1152 ----a-w c:\windows\Fonts\SUM____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1058 ----a-w c:\windows\Fonts\SULI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1044 ----a-w c:\windows\Fonts\SUL____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1037 ----a-w c:\windows\Fonts\SUDI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1055 ----a-w c:\windows\Fonts\SUD____.PFM
2009-03-19 10:34 . 2009-03-29 05:39 1156 ----a-w c:\windows\Fonts\SUBI___.PFM
2009-03-19 10:34 . 2009-03-29 05:39 1150 ----a-w c:\windows\Fonts\SUB____.PFM
2009-03-19 10:30 . 2009-03-29 05:36 1252 ----a-w c:\windows\Fonts\gdttl_.pfm
2009-03-19 09:53 . 2009-03-29 05:35 696 ----a-w c:\windows\Fonts\ChaucerianInitials.pfm
2009-03-17 08:03 . 2009-03-29 05:38 632 ----a-w c:\windows\Fonts\MasterpieceInitials.pfm
2009-03-17 08:00 . 2009-03-29 05:37 1124 ----a-w c:\windows\Fonts\KRRG___.PFM
2009-03-17 08:00 . 2009-03-29 05:37 1143 ----a-w c:\windows\Fonts\KRKB___.PFM
2009-03-17 08:00 . 2009-03-29 05:37 1129 ----a-w c:\windows\Fonts\KRB____.PFM
2009-03-17 03:38 . 2009-04-15 00:41 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 00:41 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 10:19 . 2009-03-06 09:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 04:46 . 2009-04-15 00:41 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 00:41 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 00:41 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 00:41 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 00:41 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 00:41 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 00:41 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 00:41 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 00:41 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 00:41 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 00:41 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 00:41 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 00:41 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-02 02:00 . 2009-03-29 05:00 60273 ----a-w c:\windows\system32\pthreadGC2.dll
2009-03-01 00:34 . 2009-03-01 00:34 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-27 21:50 . 2009-02-27 21:50 0 ----a-w c:\windows\nsreg.dat
2009-02-27 21:38 . 2009-02-27 21:38 10134 ----a-r c:\users\SpaceDoll\AppData\Roaming\Microsoft\Installer\{5A3E8FF2-F163-2B00-9B47-D8C84CF12C7A}\ARPPRODUCTICON.exe
2009-02-27 21:25 . 2009-02-27 21:25 0 ----a-w c:\windows\ativpsrm.bin
2009-02-27 21:24 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-02-27 21:17 . 2009-02-28 08:18 680 ----a-w c:\users\SpaceDoll\AppData\Local\d3d9caps.dat
2009-02-27 21:15 . 2009-02-27 21:24 4152184 ----a-w c:\windows\system32\wgaer_m.exe
2009-02-27 20:44 . 2009-02-27 20:44 319456 ----a-w c:\windows\DIFxAPI.dll
2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\users\SpaceDoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-11-7 517384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-147456001-4004979427-1077374422-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{60A177E1-3932-4A3D-BFC6-CF48F2F73646}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{4590A1E1-528D-4482-9E40-552C5DCE809C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{25F0F99D-6B33-4B1F-9FA1-F0FEEEEE0CBC}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{8F28F86D-FA93-4435-9B80-93214BA0C121}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{B5ECBE22-BEA6-41CB-957B-76BDAEB805C4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{010E2B75-E8C9-4921-B176-B93217AD3685}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{80969C2F-B356-4096-A8D7-31956117A36B}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{40711660-6605-435B-965A-65BF0A386F1A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9C902DEB-4AAC-488B-9A63-B295FE65BE53}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F91DDF6F-BA05-4FB3-996B-2302EC8A496D}"= UDP:3703:Adobe Version Cue CS3 Server
"{A2791226-85A7-4E6C-8F91-B4CAF05C6B31}"= UDP:3704:Adobe Version Cue CS3 Server
"{AD43B534-B569-44EC-97C8-2B3A18B7EDE6}"= UDP:50900:Adobe Version Cue CS3 Server
"{0AEE6C19-55D2-49DB-BAAF-99C092E0BECC}"= UDP:50901:Adobe Version Cue CS3 Server
"{804DF34C-C735-4921-B966-9EEBACA1717D}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{DE9D4130-8640-411C-A694-D6AAA4280664}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8219130F-73AB-4C55-91B4-3C48549B32E6}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{F19C9F43-F877-4A56-ACB6-640FAB6B7ADF}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"TCP Query User{E101CD2F-8157-4379-81C6-881B499B4CA4}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{24F71952-0170-4F9A-A530-20D662DBA802}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{DD210A09-3FB4-4CA7-BA6D-7990C5548CBB}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{86524D46-C437-48B2-A2F3-1057E61D4861}"= UDP:80:SYS32DLL
"{5207D641-D287-4146-9C05-27ADADEBB827}"= UDP:7171:SYS32DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/19/2009 4:38 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 10:01 PM 108289]
S2 lltdsvclltdsvc;Link-Layer Topology Discovery Mapper lltdsvclltdsvc;c:\windows\system32\appenda.exe srv --> c:\windows\system32\appenda.exe srv [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D7ABB7BD-C32F-4E89-82B7-111B805CB0E0} - (no file)
SharedTaskScheduler-{A6C7B2A1-00F3-42BD-F434-00AABA2C8953} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?shva=1#
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg2.mail.yahoo.com/dc/launch?action=welcome&YY=1298549909&.rand=1jmkiel2t50b9|http://myeclassonline.com/
FF - component: c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 23:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7680)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2009-05-22 23:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 04:57

Pre-Run: 127,546,855,424 bytes free
Post-Run: 127,234,457,600 bytes free

288 --- E O F --- 2009-05-18 17:30

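The ComboFix log above contains the pattern a removal helper reads by eye: appenda.exe created in system32 with the system, hidden and read-only attributes set (--sh--r), a purely numeric .dat file and a purely numeric folder created in the same minute, a service (lltdsvclltdsvc) whose image is that appenda.exe, Security Center update and antivirus notifications switched off, and EnableLUA=0. The following is an added example, not part of this thread and not ComboFix's own code, that automates that reading over lines copied from the log. The rule names, the `triage`/`file_findings` function names, the POLICY_CHECKS table and the two-minute clustering window are assumptions of this example, not anything ComboFix defines.

```python
"""Triage a ComboFix log for what a removal helper spots by eye.

Added example; not part of this post and not ComboFix's own code. Reads
ComboFix's "Files Created" lines (created . modified size attrs path), the
REGEDIT4-style "Reg Loading Points" dump and the R0/S2 service lines. Sample
lines are copied from the log above; rule names and the two-minute window
are assumptions of this example.
"""
import re
from datetime import datetime, timedelta

FILE_LINE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
                       r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$")
SERVICE_LINE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
# ComboFix prints DWORDs as  "Name"=dword:00000001  or  "Name"= 0 (0x0)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+) \(0x[0-9a-fA-F]+\))$')
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
# (key suffix, value name) -> (value meaning "protection turned off", explanation)
POLICY_CHECKS = {
    ("security center", "updatesdisablenotify"): (1, "Security Center update warnings suppressed"),
    ("security center", "antivirusdisablenotify"): (1, "Security Center antivirus warnings suppressed"),
    ("security center", "firewalldisablenotify"): (1, "Security Center firewall warnings suppressed"),
    ("policies\\system", "enablelua"): (0, "UAC disabled (EnableLUA=0)"),
}

def file_findings(lines):
    """path -> {"reasons", "created"}; attrs layout: [0]=dir [2]=system [3]=hidden [6]=r/w."""
    out = {}
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if not m or "\\system32\\" not in m["path"].lower():
            continue
        path, attrs = m["path"].lower(), m["attrs"]
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if attrs[0] != "d" and name.endswith(EXEC_EXT) and (attrs[2] == "s" or attrs[3] == "h"):
            reasons.append("system/hidden executable in system32")
        if name.rsplit(".", 1)[0].isdigit():
            reasons.append("purely numeric name in system32")
        if reasons:
            out[path] = {"reasons": reasons,
                         "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M")}
    return out

def creation_clusters(findings, window=timedelta(minutes=2)):
    """Group flagged paths created within `window` of each other (a dropper's burst)."""
    clusters, last = [], None
    for path, info in sorted(findings.items(), key=lambda kv: (kv[1]["created"], kv[0])):
        if last is None or info["created"] - last > window:
            clusters.append([])
        clusters[-1].append(path)
        last = info["created"]
    return clusters

def registry_findings(lines):
    """(key, value name, explanation) for values that switch built-in protections off."""
    out, key = [], None
    for line in lines:
        k, v = REG_KEY.match(line.strip()), REG_VALUE.match(line.strip())
        if k:
            key = k["key"].lower()
        elif v and key:
            value = int(v["hex"], 16) if v["hex"] is not None else int(v["dec"])
            for (suffix, name), (bad, why) in POLICY_CHECKS.items():
                if key.endswith(suffix) and v["name"].lower() == name and value == bad:
                    out.append((key, v["name"], why))
    return out

def service_findings(lines, findings):
    """(service name, path) for services whose image path is a flagged file."""
    out = []
    for line in lines:
        m = SERVICE_LINE.match(line.strip())
        hit = next((p for p in findings if m and p in m["image"].lower()), None)
        if hit:
            out.append((m["name"], hit))
    return out

def triage(log_text):
    lines = log_text.splitlines()
    files = file_findings(lines)
    return {"files": files, "clusters": creation_clusters(files),
            "registry": registry_findings(lines), "services": service_findings(lines, files)}

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-05-19 20:09 . 2009-05-19 22:20 -------- d-----w c:\windows\system32\796525
2009-05-19 20:08 . 2009-05-19 21:27 134 --s-a-w c:\windows\system32\2430396404.dat
2009-05-19 20:08 . 2009-05-19 20:08 36864 --sh--r c:\windows\system32\appenda.exe
2009-05-13 07:01 . 2007-03-23 10:05 29272 ----a-r c:\windows\system32\AdobePDF.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/19/2009 4:38 PM 64160]
S2 lltdsvclltdsvc;Link-Layer Topology Discovery Mapper lltdsvclltdsvc;c:\windows\system32\appenda.exe srv --> c:\windows\system32\appenda.exe srv [?]
"""
```

Running `triage(SAMPLE_LOG)` flags the three system32 entries, groups them into one creation cluster, reports the three weakened policy values, and ties the lltdsvclltdsvc service to appenda.exe; AdobePDF.dll (read-only but neither system nor hidden) and Lbd.sys are left alone. Attribute-based rules like these are only a first filter: a legitimate file can carry the system attribute, so the cluster and the service cross-reference are what turn a hunch into a removal target.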
#10 SifuMike (malware expert)

Posted 22 May 2009 - 12:23 AM

Hi SpaceDoll,

Please show hidden files and folders.
  • Please go to the VirSCAN.org FREE on-line scan service.
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\2430396404.dat
    • c:\windows\system32\apdsu.dll
    • c:\windows\system32\AERTACaph.dll
  • Click on the Upload button.
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SpaceDoll (Topic Starter)

Posted 22 May 2009 - 12:42 AM

For some reason, the copy to clipboard button there did nothing, so I just copied and pasted. Not very tidy, but I hope it works:

c:\windows\system32\2430396404.dat
no scan result (0%) so nothing to copy

c:\windows\system32\apdsu.dll
Scanner results : 18% Scanner(7/38) found malware!
Time : 2009/05/22 00:32:20 (CDT)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.0.0.32 | 20090522100434 | 2009-05-22 | Gen.Trojan!IK | 2.193
AhnLab V3 | 2009.05.22.00 | 2009.05.22 | 2009-05-22 | - | 0.732
AntiVir | 8.2.0.168 | 7.1.4.3 | 2009-05-21 | TR/Vundo.Gen | 0.407
Antiy | 2.0.18 | 2.0.18. | 0002-18-00 | - | 0.124
Arcavir | 2009 | 200905211953 | 2009-05-21 | - | 0.040
Authentium | 5.1.1 | 200905211822 | 2009-05-21 | - | 1.162
AVAST! | 4.7.4 | 090521-0 | 2009-05-21 | - | 0.004
AVG | 8.5.286 | 270.12.36/2127 | 2009-05-22 | Win32/Heur | 3.373
BitDefender | 7.81008.3095191 | 7.25554 | 2009-05-22 | Gen:Trojan.Heur.P1058A78787 | 2.971
CA (VET) | 9.0.0.143 | 31.6.6516 | 2009-05-22 | - | 4.869
ClamAV | 0.95 | 9376 | 2009-05-20 | - | 0.002
Comodo | 3.9 | 1182 | 2009-05-21 | - | 0.731
CP Secure | 1.1.0.715 | 2009.05.22 | 2009-05-22 | - | 9.390
Dr.Web | 4.44.0.9170 | 2009.05.22 | 2009-05-22 | - | 4.599
F-Prot | 4.4.4.56 | 20090521 | 2009-05-21 | - | 1.185
F-Secure | 5.51.6100 | 2009.05.21.01 | 2009-05-21 | - | 0.060
Fortinet | 2.81-3.117 | 10.418 | 2009-05-21 | - | 0.275
GData | 19.5309/19.337 | 20090521 | 2009-05-21 | - | 3.068
Ikarus | T3.1.01.49 | 2009.05.21.72747 | 2009-05-21 | Gen.Trojan | 3.360
JiangMin | 11.0.706 | 2009.05.21 | 2009-05-21 | - | 2.205
Kaspersky | 5.5.10 | 2009.05.22 | 2009-05-22 | - | 0.054
KingSoft | 2009.2.5.15 | 2009.5.22.7 | 2009-05-22 | - | 0.493
McAfee | 5.3.00 | 5622 | 2009-05-21 | - | 2.944
Microsoft | 1.4701 | 2009.05.21 | 2009-05-21 | - | 4.146
mks_vir | 2.01 | 2009.05.20 | 2009-05-20 | - | 3.188
Norman | 6.01.05 | 6.01.00 | 2009-05-20 | - | 4.010
nProtect | 20090521.02 | 3840704 | 2009-05-21 | - | 5.523
Panda | 9.05.01 | 2009.05.21 | 2009-05-21 | - | 1.586
Quick Heal | 10.00 | 2009.05.22 | 2009-05-22 | - | 1.242
Rising | 20.0 | 21.30.32.00 | 2009-05-21 | Packer.Win32.UnkPacker.a [Suspicious] | 1.020
Sophos | 2.86.0 | 4.41 | 2009-05-22 | Mal/EncPk-HE | 2.460
Sunbelt | 5145 | 5145 | 2009-05-20 | - | 0.835
Symantec | 1.3.0.24 | 20090521.003 | 2009-05-21 | - | 0.090
The Hacker | 6.3.4.2 | v00328 | 2009-05-21 | - | 0.629
Trend Micro | 8.700-1004 | 6.144.02 | 2009-05-21 | - | 0.027
VBA32 | 3.12.10.5 | 20090521.1402 | 2009-05-21 | - | 1.888
ViRobot | 20090520 | 2009.05.20 | 2009-05-20 | - | 0.413
VirusBuster | 4.5.11.10 | 10.105.34/1392920 | 2009-05-21 | - | 1.796
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.


c:\windows\system32\AERTACaph.dll
Scanner results : 11% Scanner(4/38) found malware!
Time : 2009/05/22 00:37:53 (CDT)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.0.0.32 | 20090522100434 | 2009-05-22 | - | 3.139
AhnLab V3 | 2009.05.22.00 | 2009.05.22 | 2009-05-22 | - | 0.714
AntiVir | 8.2.0.168 | 7.1.4.3 | 2009-05-21 | TR/Vundo.Gen | 0.143
Antiy | 2.0.18 | 2.0.18. | 0002-18-00 | - | 0.117
Arcavir | 2009 | 200905211953 | 2009-05-21 | - | 0.060
Authentium | 5.1.1 | 200905211822 | 2009-05-21 | - | 1.241
AVAST! | 4.7.4 | 090521-0 | 2009-05-21 | - | 0.015
AVG | 8.5.286 | 270.12.36/2127 | 2009-05-22 | Win32/Heur | 3.265
BitDefender | 7.81008.3095191 | 7.25554 | 2009-05-22 | Gen:Trojan.Heur.P417986A6A6 | 2.872
CA (VET) | 9.0.0.143 | 31.6.6516 | 2009-05-22 | - | 7.686
ClamAV | 0.95 | 9376 | 2009-05-20 | - | 0.003
Comodo | 3.9 | 1182 | 2009-05-21 | - | 0.703
CP Secure | 1.1.0.715 | 2009.05.22 | 2009-05-22 | - | 9.358
Dr.Web | 4.44.0.9170 | 2009.05.22 | 2009-05-22 | - | 4.600
F-Prot | 4.4.4.56 | 20090521 | 2009-05-21 | - | 1.202
F-Secure | 5.51.6100 | 2009.05.21.01 | 2009-05-21 | - | 5.519
Fortinet | 2.81-3.117 | 10.418 | 2009-05-21 | - | 0.222
GData | 19.5309/19.337 | 20090521 | 2009-05-21 | - | 4.071
Ikarus | T3.1.01.49 | 2009.05.21.72747 | 2009-05-21 | - | 3.346
JiangMin | 11.0.706 | 2009.05.21 | 2009-05-21 | - | 1.937
Kaspersky | 5.5.10 | 2009.05.22 | 2009-05-22 | - | 0.052
KingSoft | 2009.2.5.15 | 2009.5.22.7 | 2009-05-22 | - | 0.484
McAfee | 5.3.00 | 5622 | 2009-05-21 | - | 2.900
Microsoft | 1.4701 | 2009.05.21 | 2009-05-21 | - | 4.691
mks_vir | 2.01 | 2009.05.20 | 2009-05-20 | - | 3.218
Norman | 6.01.05 | 6.01.00 | 2009-05-20 | - | 4.007
nProtect | 20090521.02 | 3840704 | 2009-05-21 | - | 5.312
Panda | 9.05.01 | 2009.05.21 | 2009-05-21 | - | 1.611
Quick Heal | 10.00 | 2009.05.22 | 2009-05-22 | - | 1.237
Rising | 20.0 | 21.30.32.00 | 2009-05-21 | Packer.Win32.UnkPacker.a [Suspicious] | 0.915
Sophos | 2.86.0 | 4.41 | 2009-05-22 | - | 2.480
Sunbelt | 5145 | 5145 | 2009-05-20 | - | 0.799
Symantec | 1.3.0.24 | 20090521.003 | 2009-05-21 | - | 0.050
The Hacker | 6.3.4.2 | v00328 | 2009-05-21 | - | 0.633
Trend Micro | 8.700-1004 | 6.144.02 | 2009-05-21 | - | 0.030
VBA32 | 3.12.10.5 | 20090521.1402 | 2009-05-21 | - | 1.884
ViRobot | 20090520 | 2009.05.20 | 2009-05-20 | - | 0.413
VirusBuster | 4.5.11.10 | 10.105.34/1392920 | 2009-05-21 | - | 2.044
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.

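The two VirSCAN results above are typical of a freshly packed Vundo component: a low hit count (7/38 and 4/38), one engine naming the family (AntiVir's TR/Vundo.Gen) and the rest reporting only heuristic, generic or packer verdicts (Win32/Heur, Gen:Trojan.Heur.*, Packer.Win32.UnkPacker.a, Mal/EncPk-HE). The following is an added example, not part of this thread and not VirSCAN's own code, that rebuilds the flattened three-lines-per-engine paste into rows and applies the reasoning a helper uses: one named-family hit is decisive, a quorum of unnamed heuristic hits is strong evidence, a single heuristic hit is only suspicious. The `parse_virscan`/`verdict` names, the FAMILIES table, the GENERIC pattern and the quorum of three are assumptions of this example; the sample is a subset of the apdsu.dll rows posted above.

```python
"""Rebuild a pasted VirSCAN.org result and turn it into a verdict.

Added example; not from this post and not VirSCAN's own code. VirSCAN's text
output flattens each engine into three lines: "<engine> <engine ver> <sig ver>
<sig date>", then the detection name or "-" for clean, then the scan time.
The sample is a subset of the rows posted above for apdsu.dll; the family
table, generic-name pattern and quorum are assumptions of this example.
"""
import re

ROW_HEAD = re.compile(r"^(?P<engine>.+?) (?P<engine_ver>\S+) (?P<sig_ver>\S+) (?P<sig_date>\d{4}-\d{2}-\d{2})$")
# Heuristic / generic / packer verdicts: evidence of packing, not of a family.
GENERIC = re.compile(r"heur|generic|\bgen\b|packer|encpk|suspicious", re.I)
# Assumed family table; Vundo and Virtumonde are two names for the same family.
FAMILIES = {"vundo": "Vundo/Virtumonde", "virtumonde": "Vundo/Virtumonde"}

def parse_virscan(text):
    """Return one dict per engine: engine, sig_date, result (None = clean), seconds."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows, i = [], 0
    while i + 2 < len(lines):
        head = ROW_HEAD.match(lines[i])
        try:
            seconds = float(lines[i + 2]) if head else None
        except ValueError:
            seconds = None  # not a three-line engine row (e.g. the column header)
        if seconds is None:
            i += 1
            continue
        result = lines[i + 1]
        rows.append({"engine": head["engine"], "sig_date": head["sig_date"],
                     "result": None if result == "-" else result, "seconds": seconds})
        i += 3
    return rows

def classify(result):
    """'named' when a known family token is present, else 'generic' or 'other'."""
    low = result.lower()
    for token, family in FAMILIES.items():
        if token in low:
            return "named", family
    return ("generic", None) if GENERIC.search(result) else ("other", None)

def verdict(rows, quorum=3):
    """One named-family hit is decisive; otherwise require `quorum` unnamed hits."""
    summary = {"engines": len(rows), "detections": 0, "named": set(), "generic": [], "other": []}
    for r in rows:
        if not r["result"]:
            continue
        summary["detections"] += 1
        kind, family = classify(r["result"])
        if kind == "named":
            summary["named"].add(family)
        else:
            summary[kind].append(f'{r["engine"]}: {r["result"]}')
    unnamed = len(summary["generic"]) + len(summary["other"])
    if summary["named"]:
        summary["level"] = "malicious"
    elif unnamed >= quorum:
        summary["level"] = "likely malicious"
    else:
        summary["level"] = "suspicious" if unnamed else "no detections"
    summary["named"] = sorted(summary["named"])
    return summary

# Sample input: a subset of the rows posted above for apdsu.dll, header lines included.
SAMPLE = """
Scanner results : 18% Scanner(7/38) found malware!
Scanner ↓ Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.32 20090522100434 2009-05-22
Gen.Trojan!IK
2.193
AhnLab V3 2009.05.22.00 2009.05.22 2009-05-22
-
0.732
AntiVir 8.2.0.168 7.1.4.3 2009-05-21
TR/Vundo.Gen
0.407
Antiy 2.0.18 2.0.18. 0002-18-00
-
0.124
AVG 8.5.286 270.12.36/2127 2009-05-22
Win32/Heur
3.373
BitDefender 7.81008.3095191 7.25554 2009-05-22
Gen:Trojan.Heur.P1058A78787
2.971
Ikarus T3.1.01.49 2009.05.21.72747 2009-05-21
Gen.Trojan
3.360
Rising 20.0 21.30.32.00 2009-05-21
Packer.Win32.UnkPacker.a [Suspicious]
1.020
Sophos 2.86.0 4.41 2009-05-22
Mal/EncPk-HE
2.460
"""
```

`verdict(parse_virscan(SAMPLE))` yields 7 detections out of 9 rows, one named family (Vundo/Virtumonde), six generic verdicts and the level "malicious". The point of separating named from generic hits is the one VirSCAN's own NOTICE makes: a lone heuristic flag can be a false positive, but a family name plus several independent packer/heuristic verdicts on a DLL dropped into system32 is not.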
#12 SifuMike (malware expert)

Posted 22 May 2009 - 10:09 AM
Hello SpaceDoll,


You need to disable your Avira AntiVir Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\AERTACaph.dll
c:\windows\system32\apdsu.dll

Folder:: 
C:\VundoFix Backups

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#13 SpaceDoll (Topic Starter)

Posted 22 May 2009 - 11:09 AM

ComboFix 09-05-21.01 - SpaceDoll 05/22/2009 11:00.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3263.2455 [GMT -5:00]
Running from: c:\users\SpaceDoll\Desktop\Combo-Fix.exe
Command switches used :: c:\users\SpaceDoll\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
c:\windows\system32\AERTACaph.dll
c:\windows\system32\apdsu.dll
.
PEV Error: LocalSettingsFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\AERTACaph.dll
c:\windows\system32\apdsu.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 04:57 . 2009-05-22 04:57 -------- d-----w c:\users\Guest\AppData\Local\temp
2009-05-22 04:52 . 2009-05-22 16:02 -------- d-----w c:\users\SpaceDoll\AppData\Local\temp
2009-05-22 03:01 . 2009-03-30 15:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-22 03:01 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-22 03:01 . 2009-05-22 03:01 -------- d-----w c:\programdata\Avira
2009-05-22 03:01 . 2009-05-22 03:01 -------- d-----w c:\program files\Avira
2009-05-20 11:58 . 2009-05-22 03:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 11:58 . 2009-05-20 11:58 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-20 01:43 . 2009-05-20 01:43 10134 ----a-r c:\users\SpaceDoll\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-20 01:43 . 2009-05-20 01:43 -------- d-----w c:\program files\Microsoft WSE
2009-05-20 01:43 . 2006-09-28 21:05 2414360 ----a-w c:\windows\system32\d3dx9_31.dll
2009-05-20 01:38 . 2009-05-20 01:38 -------- d-----w c:\program files\Electronic Arts
2009-05-20 00:34 . 2009-05-20 00:34 -------- d--h--w c:\windows\PIF
2009-05-20 00:13 . 2009-05-22 03:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 00:13 . 2009-05-20 00:13 -------- d-----w c:\programdata\Malwarebytes
2009-05-20 00:00 . 2009-05-20 00:06 -------- d-----w c:\program files\Windows Live Safety CenterRebootActions
2009-05-19 23:55 . 2009-05-19 23:57 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-19 21:58 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-19 21:40 . 2009-05-19 21:40 -------- d-----w c:\program files\CCleaner
2009-05-19 21:38 . 2009-05-19 21:38 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-19 21:38 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-19 21:38 . 2009-05-19 21:38 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 21:38 . 2009-03-12 08:17 2902048 -c--a-w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-19 21:38 . 2009-05-19 21:38 -------- d-----w c:\programdata\Lavasoft
2009-05-19 21:38 . 2009-05-19 21:38 -------- d-----w c:\program files\Lavasoft
2009-05-19 20:09 . 2009-05-19 22:20 -------- d-----w c:\windows\system32\796525
2009-05-19 20:08 . 2009-05-19 21:27 134 --s-a-w c:\windows\system32\2430396404.dat
2009-05-19 20:08 . 2009-05-19 20:08 36864 --sh--r c:\windows\system32\appenda.exe
2009-05-18 17:30 . 2009-04-14 00:39 4656976 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{70CAF3E5-9445-426F-8B52-24C0D4EC6CC2}\mpengine.dll
2009-05-13 07:01 . 2007-03-23 10:05 29272 ----a-r c:\windows\system32\AdobePDF.dll
2009-05-09 01:17 . 2009-05-09 01:17 -------- d-----w c:\users\SpaceDoll\AppData\Local\Apps
2009-05-04 02:48 . 2009-05-04 21:19 -------- d-----w c:\users\SpaceDoll\Tracing
2009-05-04 02:48 . 2009-05-04 02:48 -------- d-----w c:\program files\Microsoft
2009-05-04 02:47 . 2009-05-04 02:47 -------- d-----w c:\program files\Windows Live SkyDrive
2009-05-04 02:47 . 2009-05-04 02:47 -------- d-----w c:\program files\Windows Live
2009-05-04 02:45 . 2009-05-04 02:45 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-01 00:54 . 2009-05-01 00:54 1893936 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.5.exe
2009-04-27 04:17 . 2009-04-27 04:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Canon
2009-04-27 04:07 . 2009-04-27 04:07 -------- d--h--w c:\programdata\CanonBJ
2009-04-27 04:07 . 2009-04-27 04:07 -------- d--h--w c:\windows\system32\CanonIJ Uninstaller Information
2009-04-27 04:06 . 2009-04-27 04:06 -------- d--h--w c:\program files\CanonBJ
2009-04-27 04:02 . 2009-04-27 04:17 -------- d-----w c:\program files\Canon
2009-04-24 01:50 . 2009-04-24 01:50 -------- d-----w c:\program files\AskBarDis
2009-04-23 06:47 . 2008-04-03 01:00 198656 ----a-w c:\windows\system32\CNMLM83.DLL
2009-04-23 02:18 . 2009-04-23 02:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 22:53 . 2009-02-27 23:00 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\BitTorrent
2009-05-20 01:38 . 2009-02-27 20:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-19 20:08 . 2009-02-27 23:00 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DNA
2009-05-17 19:03 . 2009-02-27 23:00 -------- d-----w c:\program files\DNA
2009-05-13 08:01 . 2009-02-27 23:05 -------- d-----w c:\programdata\Microsoft Help
2009-05-13 08:00 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-03 03:14 . 2009-03-01 01:07 -------- d-----w c:\programdata\FLEXnet
2009-04-23 03:29 . 2009-03-24 22:28 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\DVD Flick
2009-04-22 06:47 . 2009-04-22 06:47 34062 ----a-w c:\users\SpaceDoll\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
2009-04-22 06:47 . 2009-04-22 06:47 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Move Networks
2009-04-15 17:06 . 2009-04-15 16:41 -------- d-----w c:\users\Guest\AppData\Roaming\ImgBurn
2009-04-15 16:44 . 2009-04-15 15:03 -------- d-----w c:\users\Guest\AppData\Roaming\BitTorrent
2009-04-09 17:56 . 2009-04-09 17:56 -------- d-----w c:\program files\Games
2009-04-07 17:42 . 2009-04-07 17:42 -------- d-----w c:\program files\The Adventure Company
2009-04-07 17:40 . 2009-04-07 17:29 -------- d-----w c:\program files\Syberia
2009-04-07 17:38 . 2009-04-07 17:38 -------- d-----w c:\program files\Microids
2009-04-07 17:31 . 2009-04-07 17:31 -------- d-----w c:\program files\directx
2009-04-07 17:29 . 2009-02-27 20:44 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-06 20:26 . 2009-04-06 20:26 1892856 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.0.exe
2009-04-06 06:19 . 2009-04-02 17:18 -------- d-----w c:\program files\Common Files\logishrd
2009-04-06 06:18 . 2009-04-06 06:18 -------- d-----w c:\program files\Logitech
2009-04-06 06:18 . 2009-04-02 17:25 -------- d-----w c:\programdata\Logishrd
2009-04-03 18:15 . 2009-04-03 18:15 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-02 17:26 . 2009-04-02 17:26 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\Leadertech
2009-04-02 17:25 . 2009-04-02 17:25 -------- d-----w c:\programdata\Logitech
2009-03-29 09:34 . 2009-03-29 09:33 -------- d-----w c:\users\Guest\AppData\Roaming\MySpace
2009-03-29 09:33 . 2009-03-08 01:24 180272 ----a-w c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-29 05:44 . 2009-02-28 08:18 180272 ----a-w c:\users\SpaceDoll\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-29 05:00 . 2009-03-29 05:00 -------- d-----w c:\program files\ffdshow
2009-03-29 02:46 . 2009-03-26 09:41 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\MySpace
2009-03-29 02:46 . 2009-03-26 09:41 -------- d-----w c:\program files\MySpace
2009-03-29 02:46 . 2009-03-29 02:46 7040776 ----a-w c:\users\SpaceDoll\AppData\Roaming\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe
2009-03-28 18:45 . 2009-03-24 23:18 -------- d-----w c:\users\SpaceDoll\AppData\Roaming\ImgBurn
2009-03-25 14:11 . 2009-03-31 19:23 51200 ----a-w c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
2009-03-25 14:11 . 2009-03-31 19:23 114688 ----a-w c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\npmozax.dll
2009-03-24 22:27 . 2009-03-24 22:27 -------- d-----w c:\program files\DVD Flick
2009-03-24 22:25 . 2009-03-24 22:25 -------- d-----w c:\program files\ImgBurn
2009-03-24 22:17 . 2009-03-06 09:31 -------- d-----w c:\program files\Java
2009-03-24 08:18 . 2009-03-24 08:18 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-19 10:46 . 2009-03-29 05:33 701 ----a-w c:\windows\Fonts\woor__.pfm
2009-03-19 10:46 . 2009-03-29 05:33 701 ----a-w c:\windows\Fonts\woor2_.pfm
2009-03-19 10:37 . 2009-03-29 05:40 1123 ----a-w c:\windows\Fonts\TFI____.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1134 ----a-w c:\windows\Fonts\TFHI___.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1116 ----a-w c:\windows\Fonts\TFH____.PFM
2009-03-19 10:37 . 2009-03-29 05:40 1100 ----a-w c:\windows\Fonts\TF_____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1158 ----a-w c:\windows\Fonts\SUMI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1152 ----a-w c:\windows\Fonts\SUM____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1058 ----a-w c:\windows\Fonts\SULI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1044 ----a-w c:\windows\Fonts\SUL____.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1037 ----a-w c:\windows\Fonts\SUDI___.PFM
2009-03-19 10:35 . 2009-03-29 05:39 1055 ----a-w c:\windows\Fonts\SUD____.PFM
2009-03-19 10:34 . 2009-03-29 05:39 1156 ----a-w c:\windows\Fonts\SUBI___.PFM
2009-03-19 10:34 . 2009-03-29 05:39 1150 ----a-w c:\windows\Fonts\SUB____.PFM
2009-03-19 10:30 . 2009-03-29 05:36 1252 ----a-w c:\windows\Fonts\gdttl_.pfm
2009-03-19 09:53 . 2009-03-29 05:35 696 ----a-w c:\windows\Fonts\ChaucerianInitials.pfm
2009-03-17 08:03 . 2009-03-29 05:38 632 ----a-w c:\windows\Fonts\MasterpieceInitials.pfm
2009-03-17 08:00 . 2009-03-29 05:37 1124 ----a-w c:\windows\Fonts\KRRG___.PFM
2009-03-17 08:00 . 2009-03-29 05:37 1143 ----a-w c:\windows\Fonts\KRKB___.PFM
2009-03-17 08:00 . 2009-03-29 05:37 1129 ----a-w c:\windows\Fonts\KRB____.PFM
2009-03-17 03:38 . 2009-04-15 00:41 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 00:41 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 10:19 . 2009-03-06 09:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 04:46 . 2009-04-15 00:41 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 00:41 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 00:41 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-15 00:41 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 00:41 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 00:41 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 00:41 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 00:41 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 00:41 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 00:41 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 00:41 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 00:41 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-15 00:41 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-02 02:00 . 2009-03-29 05:00 60273 ----a-w c:\windows\system32\pthreadGC2.dll
2009-03-01 00:34 . 2009-03-01 00:34 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-27 21:50 . 2009-02-27 21:50 0 ----a-w c:\windows\nsreg.dat
2009-02-27 21:38 . 2009-02-27 21:38 10134 ----a-r c:\users\SpaceDoll\AppData\Roaming\Microsoft\Installer\{5A3E8FF2-F163-2B00-9B47-D8C84CF12C7A}\ARPPRODUCTICON.exe
2009-02-27 21:25 . 2009-02-27 21:25 0 ----a-w c:\windows\ativpsrm.bin
2009-02-27 21:24 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-02-27 21:17 . 2009-02-28 08:18 680 ----a-w c:\users\SpaceDoll\AppData\Local\d3d9caps.dat
2009-02-27 21:15 . 2009-02-27 21:24 4152184 ----a-w c:\windows\system32\wgaer_m.exe
2009-02-27 20:44 . 2009-02-27 20:44 319456 ----a-w c:\windows\DIFxAPI.dll
2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_04.54.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-22 04:53 . 2009-05-22 04:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-22 04:53 . 2009-05-22 04:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-22 05:00 598350 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-21 08:45 598350 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-22 05:00 101988 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-21 08:45 101988 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\users\SpaceDoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-11-7 517384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-147456001-4004979427-1077374422-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{60A177E1-3932-4A3D-BFC6-CF48F2F73646}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{4590A1E1-528D-4482-9E40-552C5DCE809C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{25F0F99D-6B33-4B1F-9FA1-F0FEEEEE0CBC}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{8F28F86D-FA93-4435-9B80-93214BA0C121}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{B5ECBE22-BEA6-41CB-957B-76BDAEB805C4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{010E2B75-E8C9-4921-B176-B93217AD3685}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{80969C2F-B356-4096-A8D7-31956117A36B}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{40711660-6605-435B-965A-65BF0A386F1A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9C902DEB-4AAC-488B-9A63-B295FE65BE53}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F91DDF6F-BA05-4FB3-996B-2302EC8A496D}"= UDP:3703:Adobe Version Cue CS3 Server
"{A2791226-85A7-4E6C-8F91-B4CAF05C6B31}"= UDP:3704:Adobe Version Cue CS3 Server
"{AD43B534-B569-44EC-97C8-2B3A18B7EDE6}"= UDP:50900:Adobe Version Cue CS3 Server
"{0AEE6C19-55D2-49DB-BAAF-99C092E0BECC}"= UDP:50901:Adobe Version Cue CS3 Server
"{804DF34C-C735-4921-B966-9EEBACA1717D}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{DE9D4130-8640-411C-A694-D6AAA4280664}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8219130F-73AB-4C55-91B4-3C48549B32E6}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= UDP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"UDP Query User{F19C9F43-F877-4A56-ACB6-640FAB6B7ADF}c:\\program files\\adobe\\adobe dreamweaver cs3\\dreamweaver.exe"= TCP:c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3
"TCP Query User{E101CD2F-8157-4379-81C6-881B499B4CA4}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{24F71952-0170-4F9A-A530-20D662DBA802}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{DD210A09-3FB4-4CA7-BA6D-7990C5548CBB}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{86524D46-C437-48B2-A2F3-1057E61D4861}"= UDP:80:SYS32DLL
"{5207D641-D287-4146-9C05-27ADADEBB827}"= UDP:7171:SYS32DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/19/2009 4:38 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 10:01 PM 108289]
S2 lltdsvclltdsvc;Link-Layer Topology Discovery Mapper lltdsvclltdsvc;c:\windows\system32\appenda.exe srv --> c:\windows\system32\appenda.exe srv [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?shva=1#
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg2.mail.yahoo.com/dc/launch?action=welcome&YY=1298549909&.rand=1jmkiel2t50b9|http://myeclassonline.com/
FF - component: c:\users\SpaceDoll\AppData\Roaming\Mozilla\Firefox\Profiles\0vovvyd3.SpaceDoll\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 11:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-22 11:03
ComboFix-quarantined-files.txt 2009-05-22 16:03
ComboFix2.txt 2009-05-22 04:57

Pre-Run: 127,258,890,240 bytes free
Post-Run: 127,229,927,424 bytes free

253 --- E O F --- 2009-05-18 17:30
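The helpers on this board read a ComboFix "Reg Loading Points" section by eye, and the items a practitioner would have questioned in the log above are the two firewall rules that open UDP 80 and 7171 for any program under the label SYS32DLL, the lltdsvclltdsvc service whose image file ComboFix could not stat (the trailing "[?]"), and EnableLUA=0, which means UAC is switched off. The script below is an added example, not part of the original post and not a ComboFix or BleepingComputer tool: it applies those same three checks to lines copied from the log above (SAMPLE_LOG is a constructed excerpt, not the full section). The severity heuristics, in particular the idea that a firewall rule label imitating a system component name deserves a higher rating than a port-only rule with a product name, are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix
# "Reg Loading Points" section posted above, so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B5ECBE22-BEA6-41CB-957B-76BDAEB805C4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{F91DDF6F-BA05-4FB3-996B-2302EC8A496D}"= UDP:3703:Adobe Version Cue CS3 Server
"{86524D46-C437-48B2-A2F3-1057E61D4861}"= UDP:80:SYS32DLL
"{5207D641-D287-4146-9C05-27ADADEBB827}"= UDP:7171:SYS32DLL

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 10:01 PM 108289]
S2 lltdsvclltdsvc;Link-Layer Topology Discovery Mapper lltdsvclltdsvc;c:\windows\system32\appenda.exe srv --> c:\windows\system32\appenda.exe srv [?]
"""


@dataclass
class Finding:
    severity: str  # "high" or "review"
    source: str    # the log line that produced the finding
    detail: str


# [HKEY...] section headers and "Name"= data lines, as ComboFix prints them.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Vista firewall rule data: PROTO:<port | path | port|path>:<display label>.
RULE_RE = re.compile(r"^(?P<proto>TCP|UDP):(?P<target>.+):(?P<label>[^:]+)$")
# ComboFix service line: R0..S4 name;display;image [date time size] or [?].
SERVICE_RE = re.compile(
    r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*) \[(?P<stat>[^\]]*)\]$"
)
# Heuristic (this example's own): rule labels that mimic system components.
SUSPECT_LABEL_RE = re.compile(r"(?i)sys32|system32|dll|svchost")


def triage(log_text: str) -> list[Finding]:
    """Return the loading-point entries worth a second look, in log order."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" means ComboFix could not stat the image on disk.
            if m.group("stat").strip() == "?":
                findings.append(Finding(
                    "high", line,
                    f"service {m.group('name')}: ComboFix could not stat its image "
                    f"'{m.group('image')}' (file missing, hidden, or path bogus)"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if section.endswith(r"policies\system") and name.lower() == "enablelua" \
                and data.startswith("0"):
            findings.append(Finding(
                "high", line,
                "EnableLUA=0: UAC is switched off, so an admin user's processes "
                "already run fully elevated"))
        elif section.endswith("firewallrules"):
            r = RULE_RE.match(data)
            # A rule bound to a path contains a backslash; port-only rules
            # admit any program that listens on that port.
            if r and "\\" not in r.group("target"):
                sev = "high" if SUSPECT_LABEL_RE.search(r.group("label")) else "review"
                findings.append(Finding(
                    sev, line,
                    f"inbound {r.group('proto')} port {r.group('target')} opened for "
                    f"any program, labelled '{r.group('label')}'"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}")
```

Run it on a full ComboFix log (`triage(open(path).read())`) and the Adobe Version Cue rules come back as "review" while the SYS32DLL rules and the unresolved service come back as "high"; the Outlook rule, which is bound to an executable, is not reported at all.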

#14 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:56 PM

Posted 22 May 2009 - 11:52 AM

Hi Spacedoll,

Now run Malwarebytes and post its log.


Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply along with a fresh HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SpaceDoll

  • Topic Starter
  • Members
  • 10 posts
  • Local time:10:56 PM

Posted 23 May 2009 - 03:13 PM

Yesterday, after I ran those programs, I couldn't navigate to this site. I thought it was a problem with a browser hijacker, so I also ran Spybot S&D and Ad-Aware just in case they could help (they didn't). I then asked a friend to log on for me at her house, and when she couldn't either, I realized it wasn't my problem. Was the site down? After the Malwarebytes and Avira logs, I'll put the Ad-Aware one, and then the Spybot log is attached as a PDF.

Malwarebytes' Anti-Malware 1.36
Database version: 2166
Windows 6.0.6001 Service Pack 1

5/22/2009 1:05:17 PM
mbam-log-2009-05-22 (13-05-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 312815
Time elapsed: 1 hour(s), 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\Users\SpaceDoll\reader_s.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.



Avira AntiVir Personal
Report file date: Friday, May 22, 2009 13:09

Scanning for 1414672 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MOTHERSHIPMACH3

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 14:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 02:33:26
ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 18:08:25
ANTIVIR3.VDF : 7.1.4.5 34304 Bytes 5/22/2009 18:08:25
Engineversion : 8.2.0.168
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/22/2009 18:08:47
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/22/2009 18:08:47
AESCN.DLL : 8.1.2.3 127347 Bytes 5/22/2009 18:08:46
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 00:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/22/2009 18:08:45
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 02:01:56
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/22/2009 18:08:44
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 02:01:56
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/22/2009 18:08:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/22/2009 18:08:25
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 17:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, May 22, 2009 13:09

Starting search for hidden objects.
'107340' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'WMIADAP.exe' - '1' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
46 processes with 46 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '37' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\Windows\System32\AERTACaph.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\apdsu.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\mssrv32.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.Gen worm
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Windows\System32\appenda.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[WARNING] The file could not be opened!
C:\Windows\System32\drivers\sptd.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Qoobox\Quarantine\C\Windows\System32\AERTACaph.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a68f3e5.qua'!
C:\Qoobox\Quarantine\C\Windows\System32\apdsu.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a7af410.qua'!
C:\Qoobox\Quarantine\C\Windows\System32\mssrv32.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.Gen worm
[NOTE] The file was moved to '4a89f413.qua'!
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a88f404.qua'!
C:\Windows\System32\appenda.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.


End of the scan: Friday, May 22, 2009 13:49
Used time: 39:34 Minute(s)

The scan has been done completely.

26011 Scanned directories
455118 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
455110 Files not concerned
2574 Archives were scanned
3 Warnings
6 Notes
107340 Objects were scanned with rootkit scan
0 Hidden objects were found


Logfile created: 5/22/2009 17:42:21
Lavasoft Ad-Aware version: 8.0.4
Extended engine version: 8.1
User performing scan: SpaceDoll

*********************** Definitions database information ***********************
Lavasoft definition file: 148.35
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 258368
Objects detected: 25


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 25
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *trafic* Family Name: Cookies Clean status: Success Item ID: 409119 Family ID: 0
Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *372* Family Name: Cookies Clean status: Success Item ID: 408942 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *pro-market* Family Name: Cookies Clean status: Success Item ID: 408823 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *trafic* Family Name: Cookies Clean status: Success Item ID: 409119 Family ID: 0
Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *372* Family Name: Cookies Clean status: Success Item ID: 408942 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *pro-market* Family Name: Cookies Clean status: Success Item ID: 408823 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0

Scan and cleaning complete: Finished correctly after 1673 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Tue May 19 16:38:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Tue May 19 16:38:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: true
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: false
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: MOTHERSHIPMACH3
Processor name: Pentium® Dual-Core CPU E5200 @ 2.50GHz
Processor identifier: x86 Family 6 Model 23 Stepping 6
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5894, number of processors 2
Physical memory available: 2367131648 bytes
Physical memory total: 3421061120 bytes
Virtual memory available: 1961447424 bytes
Virtual memory total: 2147352576 bytes
Memory load: 30%
Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Windows startup mode:

Running processes:
PID: 468 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 608 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 680 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 692 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 724 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 736 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 744 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 908 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 936 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1016 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1060 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1144 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1172 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1228 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1256 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1364 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1388 name: C:\Windows\System32\SLsvc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1456 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1616 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1828 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1852 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1872 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 292 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 676 name: C:\Windows\System32\dwm.exe owner: SpaceDoll domain: MothershipMach3
PID: 1112 name: C:\Windows\System32\taskeng.exe owner: SpaceDoll domain: MothershipMach3
PID: 1560 name: C:\Windows\explorer.exe owner: SpaceDoll domain: MothershipMach3
PID: 2148 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2180 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2216 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: SpaceDoll domain: MothershipMach3
PID: 2272 name: C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2432 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2444 name: C:\Windows\System32\taskeng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2492 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2548 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2616 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3340 name: C:\Program Files\Windows Media Player\wmpnscfg.exe owner: SpaceDoll domain: MothershipMach3
PID: 3416 name: C:\Program Files\Windows Media Player\wmpnetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 3704 name: C:\Windows\System32\wbem\unsecapp.exe owner: SpaceDoll domain: MothershipMach3
PID: 3784 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1708 name: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe owner: SpaceDoll domain: MothershipMach3
PID: 3164 name: C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1588 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3464 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 124 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: SpaceDoll domain: MothershipMach3
PID: 888 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: SpaceDoll domain: MothershipMach3

Startup items:
Name: avgnt
imagepath: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: MySpaceIM
imagepath: C:\Program Files\MySpace\IM\MySpaceIM.exe
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: AeLookupSvc
displayname: Application Experience
Name: AntiVirSchedulerService
displayname: Avira AntiVir Scheduler
Name: AntiVirService
displayname: Avira AntiVir Guard
Name: Ati External Event Utility
displayname: Ati External Event Utility
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: Cryptographic Services
Name: CscService
displayname: Offline Files
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DPS
displayname: Diagnostic Policy Service
Name: EMDMgmt
displayname: ReadyBoost
Name: Eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: fdPHost
displayname: Function Discovery Provider Host
Name: FDResPub
displayname: Function Discovery Resource Publication
Name: FLEXnet Licensing Service
displayname: FLEXnet Licensing Service
Name: gpsvc
displayname: Group Policy Client
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: iphlpsvc
displayname: IP Helper
Name: KtmRm
displayname: KtmRm for Distributed Transaction Coordinator
Name: LanmanServer
displayname: Server
Name: LanmanWorkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: LVPrcSrv
displayname: Process Monitor
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MpsSvc
displayname: Windows Firewall
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: PcaSvc
displayname: Program Compatibility Assistant Service
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: ProfSvc
displayname: User Profile Service
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification Service
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: slsvc
displayname: Software Licensing
Name: Spooler
displayname: Print Spooler
Name: SSDPSRV
displayname: SSDP Discovery
Name: SstpSvc
displayname: Secure Socket Tunneling Protocol Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: SysMain
displayname: Superfetch
Name: TabletInputService
displayname: Tablet PC Input Service
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: W32Time
displayname: Windows Time
Name: WdiSystemHost
displayname: Diagnostic System Host
Name: WebClient
displayname: WebClient
Name: WerSvc
displayname: Windows Error Reporting Service
Name: WinDefend
displayname: Windows Defender
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: WMPNetworkSvc
displayname: Windows Media Player Network Sharing Service
Name: WPDBusEnum
displayname: Portable Device Enumerator Service
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework
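
The Avira log above mixes two very different kinds of hit: detections under C:\Qoobox\Quarantine (ComboFix's quarantine folder, so copies of files already removed rather than active infections) and a detection at a live path, C:\Windows\System32\appenda.exe, which the scanner could neither open nor delete and left "scheduled for deleting after reboot". Sorting those apart is the first thing a helper does when reading a log like this. The following Python script is an added example, not part of this thread and not code from Avira, ComboFix or Ad-Aware: it parses a log of this shape and groups each path as neutralised, live, unscannable, action-failed or pending reboot. The sample log is constructed from the lines posted above, and the rule that paths under \Qoobox\Quarantine or ending in .vir are ComboFix quarantine copies is my assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the detection lines posted in this thread.
# Avira indents the [TAG] lines in the real file; the forum flattened them, so
# the parser strips leading whitespace and accepts both.
SAMPLE_LOG = r"""
Begin scan in 'C:\'
C:\pagefile.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
C:\Qoobox\Quarantine\C\Windows\System32\AERTACaph.dll.vir
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir
  [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Windows\System32\appenda.exe
  [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
  [WARNING] The file could not be opened!
C:\Windows\System32\drivers\sptd.sys
  [WARNING] The file could not be opened!

Beginning disinfection:
C:\Qoobox\Quarantine\C\Windows\System32\AERTACaph.dll.vir
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a68f3e5.qua'!
C:\Windows\System32\appenda.exe
  [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a Windows path starts a new entry
TAG_RE = re.compile(r"^\[(DETECTION|WARNING|NOTE|INFO)\]\s*(.*)$")


@dataclass
class FileEntry:
    path: str
    detections: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def parse_avira_log(text):
    """Attach each [DETECTION]/[WARNING]/[NOTE] line to the path line before it.

    The same path appears in both the file-scan and disinfection phases, so
    entries are keyed by path and merged; repeated messages are kept once.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = entries.setdefault(line, FileEntry(line))
            continue
        m = TAG_RE.match(line)
        if not m or current is None:
            continue                                     # section headers, blanks, [INFO] with no path
        tag, msg = m.groups()
        bucket = {"DETECTION": current.detections,
                  "WARNING": current.warnings,
                  "NOTE": current.notes}.get(tag)
        if bucket is not None and msg not in bucket:
            bucket.append(msg)
    return entries


def is_quarantined(path):
    # Assumption: ComboFix keeps removed files under Qoobox\Quarantine with a .vir suffix.
    p = path.lower()
    return "\\qoobox\\quarantine\\" in p or p.endswith(".vir")


def triage(entries):
    """Sort parsed entries into the buckets a helper cares about."""
    report = {"live": [], "neutralised": [], "unscannable": [],
              "action_failed": [], "pending_reboot": []}
    for path, e in entries.items():
        if e.detections:
            report["neutralised" if is_quarantined(path) else "live"].append(path)
        elif any("could not be opened" in w for w in e.warnings):
            report["unscannable"].append(path)           # locked file, no signature hit
        if any("was not deleted" in w for w in e.warnings):
            report["action_failed"].append(path)         # scanner tried and failed to remove it
        if any("after reboot" in n for n in e.notes):
            report["pending_reboot"].append(path)        # removal deferred; re-scan after restart
    return report


if __name__ == "__main__":
    for bucket, paths in triage(parse_avira_log(SAMPLE_LOG)).items():
        print(f"{bucket}: {paths}")
```

The "live" and "pending_reboot" buckets are the ones to act on: a detection at a live System32 path that the scanner cannot open is worth a second look with a different tool after the reboot, whereas everything in "neutralised" is already inert inside a quarantine folder. Files in "unscannable" with no detection (here the pagefile and a driver) are locked, not necessarily malicious.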
