browser hijacked hijack this log

Post by kingdonger » April 16th, 2008, 9:01 am

G'day. IE7 has been hijacked, additional pages loading etc. Many thanks for any help. Roger..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:47, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Beka\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [10ab54fb] rundll32.exe "C:\WINDOWS\system32\cgmltrsh.dll",b
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\wikfngyt.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Beka\Desktop\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5330 bytes
kingdonger
Regular Member
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Post by Rodav » April 17th, 2008, 12:46 pm

Hello! :hello2: and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Rodav
MRU Master Emeritus
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: browser hijacked hijack this log

Post by kingdonger » April 17th, 2008, 4:17 pm

Hi sir, many thanks for your help. Norton reports various trojans as well, Vundo etc. Awaiting your instructions.
Best regards,
Roger...
kingdonger
Regular Member
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Post by Rodav » April 18th, 2008, 8:53 am

Rename and Move HijackThis
There is possibly an infection hiding from HijackThis;
Navigate to HijackThis in the folder you just made for it and Right-click on HijackThis.exe & select Rename and change the name to kingdonger.exe

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it should not be run from the desktop. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis (kingdonger.exe) to the new folder.

3. Run HijackThis (kingdonger.exe) and do a system scan and copy and paste the log into your next reply.
Rodav
MRU Master Emeritus
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: browser hijacked hijack this log

Post by kingdonger » April 19th, 2008, 6:08 am

Many thanks for your help. Here is the latest HijackThis log. Regards, Roger...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:35, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Beka\My Documents\HJT\kingdonger.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\fccyxyVL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D79AF24-28A3-4EB3-B785-6DBD3836A8B9} - (no file)
O2 - BHO: (no name) - {0F5F0A19-104A-436D-9C8F-87D8395841EC} - (no file)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\itqiepti.dll
O2 - BHO: (no name) - {4df90cd0-9bf1-4c76-8ace-096de7a3304b} - (no file)
O2 - BHO: (no name) - {5554DAE3-5A3F-477D-BD24-11CC17213DDF} - C:\WINDOWS\system32\tuvTlmlj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ADF3C8A-F510-496C-9149-60C82F0A3943} - (no file)
O2 - BHO: {53a858b4-65c9-5618-a654-faba4575101a} - {a1015754-abaf-456a-8165-9c564b858a35} - C:\WINDOWS\system32\etoveunq.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [10ab54fb] rundll32.exe "C:\WINDOWS\system32\acqvehtn.dll",b
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\lefeketv.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: fccyxyVL - C:\WINDOWS\SYSTEM32\fccyxyVL.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5905 bytes
kingdonger
Regular Member
Posts: 28
Joined: April 16th, 2008, 7:58 am
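Triaging the two logs above by hand comes down to two observations: the O4 entries tagged [10ab54fb] and [BM13986767] load a differently named eight-letter DLL from system32 on each scan, and the second log adds an unnamed O2 BHO and an O20 Winlogon Notify handler that both point at the same fccyxyVL.dll. The Python script below is an added example written for this page, not code from the thread, from HijackThis or from MalwareRemoval.com; it applies that triage to a constructed sample built from O2/O4/O20 lines copied out of the two logs. The heuristic it uses (an eight-letter alphabetic DLL stem under system32 that is loaded by rundll32, registered as an unnamed BHO, or registered as a Winlogon Notify handler) is an assumption chosen to match these particular logs, not a general detection rule, and the cross-scan comparison keys on the [tag] of each O4 entry, which stayed constant while the DLL behind it changed.

```python
import re

# Constructed sample input: O2/O4/O20 lines copied from the two HijackThis logs
# posted in this thread (16 and 19 April 2008), trimmed to the relevant entries.
LOG_APR16 = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [10ab54fb] rundll32.exe "C:\WINDOWS\system32\cgmltrsh.dll",b
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\wikfngyt.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_APR19 = r"""
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\fccyxyVL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D79AF24-28A3-4EB3-B785-6DBD3836A8B9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [10ab54fb] rundll32.exe "C:\WINDOWS\system32\acqvehtn.dll",b
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\lefeketv.dll",s
O20 - Winlogon Notify: fccyxyVL - C:\WINDOWS\SYSTEM32\fccyxyVL.dll
"""

# Only the three HijackThis sections the triage looks at.
SECTION_RE = re.compile(r"^(O2|O4|O20) - (.*)$")
# O4 body: "HKLM\..\Run: [tag] command" -> capture the tag and the command.
O4_RE = re.compile(r"^HK\S+?\\Run: \[([^\]]+)\] (.*)$")
# First Windows path ending in .dll or .exe anywhere in the entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)', re.IGNORECASE)
# A file sitting directly in system32 (any capitalisation, as the logs vary).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per O2/O4/O20 line: section, O4 tag (or None), path (or None), line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        tag = None
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4:
                tag, body = m4.groups()
        pm = PATH_RE.search(body)
        entries.append({"section": section, "tag": tag,
                        "path": pm.group(0) if pm else None, "line": line})
    return entries


def random_stem(filename):
    """Assumed heuristic for this thread: a .dll whose stem is exactly eight letters
    (cgmltrsh, acqvehtn, fccyxyVL) rather than a product name."""
    stem, _, ext = filename.rpartition(".")
    return ext.lower() == "dll" and len(stem) == 8 and stem.isalpha()


def suspicious(entry):
    """True for a random-stem DLL in system32 that is loaded via rundll32 (O4),
    registered as an unnamed BHO (O2) or as a Winlogon Notify handler (O20)."""
    path = entry["path"]
    if not path:
        return False
    m = SYSTEM32_RE.match(path)
    if not m or not random_stem(m.group(1)):
        return False
    if entry["section"] == "O4":
        return "rundll32" in entry["line"].lower()
    if entry["section"] == "O2":
        return "(no name)" in entry["line"]
    return entry["section"] == "O20"


def triage(log_text):
    """The log lines an analyst should look at first."""
    return [e["line"] for e in parse_entries(log_text) if suspicious(e)]


def rotated_dlls(log_a, log_b):
    """For O4 entries whose [tag] appears in both scans, report DLLs whose name changed.
    Returns {tag: (path_in_a, path_in_b)}; constant entries such as [vptray] are omitted."""
    def by_tag(log):
        return {e["tag"]: e["path"] for e in parse_entries(log)
                if e["section"] == "O4" and e["tag"] and e["path"]}
    a, b = by_tag(log_a), by_tag(log_b)
    return {t: (a[t], b[t]) for t in a if t in b and a[t].lower() != b[t].lower()}


if __name__ == "__main__":
    for line in triage(LOG_APR19):
        print("SUSPECT:", line)
    for tag, (old, new) in rotated_dlls(LOG_APR16, LOG_APR19).items():
        print(f"ROTATED [{tag}]: {old} -> {new}")
```

Run against the sample, the triage lists four entries from the 19 April log (the fccyxyVL BHO, the two rundll32 loaders and the Winlogon Notify handler) and the rotation report pairs cgmltrsh.dll with acqvehtn.dll and wikfngyt.dll with lefeketv.dll. The reason to compare scans by tag rather than by filename is visible in the logs themselves: a list of DLL names taken from one scan is already stale by the next, while the registry value names that load them did not change.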

Re: browser hijacked hijack this log

Post by Rodav » April 20th, 2008, 8:02 am

Hi Roger,

Step 1:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\etoveunq.dll

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If Jotti is busy please try the same procedure at Virustotal


Step 2:
Download Vundofix from here
  • Double-click VundoFix.exe to run it.
  • When VundoFix opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*If VundoFix gives a runtime error on startup you are most likely missing the file comdlg32.ocx. A new copy and instructions on where to put it can be found HERE


Step 3:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.


Logs to Post:
In your next reply please post:
  • The Vundofix report (C:\vundofix.txt)
  • main.txt
  • extra.txt
  • The Jotti/virustotal results
Rodav
MRU Master Emeritus
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: browser hijacked hijack this log

Post by kingdonger » April 20th, 2008, 1:36 pm

Once again thank you for the help. VundoFix reported that Vundo wasn't found on my system, so subsequently there is no log to post. Here are the other logs. Thanks, Roger..

Scan taken on 20 Apr 2008 14:13:48 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Lop
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Sus/Behav-200 (probable variant)
VirusBuster Found Adware.Vundo.Gen!Pac.21
VBA32 Found nothing

Deckard's System Scanner v20071014.68
Run by Beka on 2008-04-20 17:57:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-20 16:58:07 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Beka.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00:12, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Beka\Desktop\dss.exe
C:\DOCUME~1\Beka\MYDOCU~1\HJT\Beka.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\fccyxyVL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D79AF24-28A3-4EB3-B785-6DBD3836A8B9} - (no file)
O2 - BHO: (no name) - {0F5F0A19-104A-436D-9C8F-87D8395841EC} - (no file)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\osvrrbvf.dll
O2 - BHO: (no name) - {4df90cd0-9bf1-4c76-8ace-096de7a3304b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ADF3C8A-F510-496C-9149-60C82F0A3943} - (no file)
O2 - BHO: {c67d74e4-6e13-fa9b-6b34-3914cd434d28} - {82d434dc-4193-43b6-b9af-31e64e47d76c} - C:\WINDOWS\system32\ookcfddt.dll
O2 - BHO: (no name) - {9B724A3E-E864-49C1-8122-53E485E50536} - C:\WINDOWS\system32\tuvTlmlj.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [10ab54fb] rundll32.exe "C:\WINDOWS\system32\acqvehtn.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\pfqajdsd.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: fccyxyVL - C:\WINDOWS\SYSTEM32\fccyxyVL.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6522 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 MRVW225 (54M Wireless USB Adapter Dirver for Windows XP) - c:\windows\system32\drivers\mrvw225.sys <Not Verified; ; 54M Wireless USB Adapter>

S3 als4k (Avance Audio Miniport Driver (WDM)) - c:\windows\system32\drivers\als4000.sys (file missing)
S3 MRV6X32U (Vista 32-bits Native WiFi Driver - USB) - c:\windows\system32\drivers\mrvw23b.sys <Not Verified; ; Device driver for 802.11 NIC>
S3 RT73 (Sweex Wireless Lan USB2.0 Adapter 54Mbps) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 PDSched (PDScheduler) - "c:\program files\raxco\perfectdisk\pdsched.exe" <Not Verified; Raxco Software, Inc.; PDSched Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_4005&DEV_4000&SUBSYS_40004005&REV_00\3&61AAA01&0&48
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_4005&DEV_4000&SUBSYS_40004005&REV_00\3&61AAA01&0&48
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_70031631&REV_10\3&61AAA01&0&80
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_70031631&REV_10\3&61AAA01&0&80
Service: RTL8023xp


-- Scheduled Tasks -------------------------------------------------------------

2008-04-16 20:56:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 14:17:23 88128 --a------ C:\WINDOWS\system32\vcnlitoi.dll
2008-04-20 14:14:30 94272 --a------ C:\WINDOWS\system32\ookcfddt.dll
2008-04-20 14:14:24 53312 --a------ C:\WINDOWS\system32\osvrrbvf.dll
2008-04-20 14:11:37 96320 --a------ C:\WINDOWS\system32\pfqajdsd.dll
2008-04-18 18:04:57 87616 --a------ C:\WINDOWS\system32\acqvehtn.dll
2008-04-18 18:02:03 94784 --a------ C:\WINDOWS\system32\etoveunq.dll
2008-04-18 18:01:57 53312 --a------ C:\WINDOWS\system32\itqiepti.dll
2008-04-18 18:00:54 96320 --a------ C:\WINDOWS\system32\lefeketv.dll
2008-04-18 16:02:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-04-17 20:20:18 0 d-------- C:\VundoFix Backups
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-17 20:17:01 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-17 20:17:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-17 20:17:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-17 20:17:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-17 20:17:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-17 20:17:00 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-17 20:17:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-17 17:52:19 92736 --a------ C:\WINDOWS\system32\btvyxtuo.dll
2008-04-17 17:49:36 88128 --a------ C:\WINDOWS\system32\xkhivtxk.dll
2008-04-17 13:46:52 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-17 13:46:48 0 d-------- C:\Program Files\DVD Shrink
2008-04-17 13:27:02 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:55 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:23 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:06 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-04-17 13:26:05 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:01 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:26:01 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:25:59 0 d-------- C:\Program Files\CyberLink
2008-04-17 13:25:58 23936 --a------ C:\WINDOWS\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 4672 --a------ C:\WINDOWS\system\wowpost.exe <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 5600 --a------ C:\WINDOWS\system\winaspi.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:57 48128 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-16 10:05:37 92224 --a------ C:\WINDOWS\system32\ueqgiqcn.dll
2008-04-15 16:45:11 53312 --a------ C:\WINDOWS\system32\hepsbqrx.dll
2008-04-14 20:58:24 0 d-------- C:\Documents and Settings\Beka\Application Data\Apple Computer
2008-04-14 20:56:34 0 d-------- C:\Program Files\iPod
2008-04-14 20:56:13 0 d-------- C:\Program Files\iTunes
2008-04-14 20:55:12 0 d-------- C:\Program Files\Bonjour
2008-04-14 20:50:36 0 d-------- C:\Program Files\QuickTime
2008-04-14 20:50:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 20:48:25 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 20:47:55 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-14 20:46:18 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 20:46:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 19:20:04 0 d-------- C:\Program Files\Browser Hijack Blaster
2008-04-14 14:18:34 53312 --a------ C:\WINDOWS\system32\wgbdrmeg.dll
2008-04-14 09:06:19 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-04-13 16:05:27 0 d-------- C:\WINDOWS\Sun
2008-04-13 16:05:26 0 d-------- C:\Documents and Settings\Beka\Application Data\Sun
2008-04-13 12:01:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 11:04:58 0 d-------- C:\Documents and Settings\Beka\Application Data\LimeWire
2008-04-12 15:58:41 0 d-------- C:\Program Files\DriverGuide Toolkit
2008-04-12 15:30:15 2916352 -----n--- C:\WINDOWS\UNNMIX.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:29:32 2916352 -----n--- C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:26:05 2916352 -----n--- C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:25:21 364544 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-04-12 15:25:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-12 15:25:20 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-12 15:20:47 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-04-12 15:20:42 471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:42 262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:41 1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:38 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-12 15:20:29 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-12 15:20:27 0 d-------- C:\Program Files\Ahead
2008-04-12 15:18:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-04-12 15:17:51 0 d-------- C:\Program Files\Common Files\Raxco
2008-04-12 15:17:20 0 d-------- C:\Program Files\Raxco
2008-04-12 14:57:29 274528 --ahs---- C:\WINDOWS\system32\jlmlTvut.ini2
2008-04-12 14:57:25 272384 -----n--- C:\WINDOWS\system32\tuvTlmlj.dll
2008-04-12 14:44:26 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-12 14:44:25 39936 --a------ C:\WINDOWS\system32\fccyxyVL.dll
2008-04-12 14:43:54 0 d-------- C:\Program Files\SlySoft
2008-04-12 14:33:36 233472 --a------ C:\WINDOWS\system32\mcmp4dmux.dll <Not Verified; MainConcept AG; MainConcept® MP4 Demuxer>
2008-04-12 14:19:53 0 d-------- C:\Program Files\Java
2008-04-12 14:18:45 0 d-------- C:\Program Files\Common Files\Java
2008-04-12 14:18:09 0 d-------- C:\Program Files\LimeWire
2008-04-12 14:04:48 0 d-------- C:\Program Files\Lavalys
2008-04-12 14:02:53 0 d-------- C:\Documents and Settings\Beka\Application Data\LEAPS
2008-04-12 13:58:43 0 d-------- C:\Documents and Settings\Beka\Application Data\Pegasys Inc
2008-04-12 13:54:33 33408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS <Not Verified; B.H.A Corporation; B's Recorder GOLD>
2008-04-12 13:53:28 0 d-------- C:\Program Files\Pegasys Inc
2008-04-12 13:36:18 0 d-------- C:\Documents and Settings\Beka\Application Data\MCMPEGEnc
2008-04-12 13:35:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 13:35:48 0 d-------- C:\Program Files\MainConcept
2008-04-12 13:29:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 13:29:39 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-04-12 13:29:38 0 d-------- C:\Program Files\SpywareBlaster
2008-04-12 10:50:40 0 d-------- C:\WINDOWS\pss
2008-04-11 19:36:15 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2008-04-11 19:05:31 56 -r-hs---- C:\WINDOWS\system32\705D181CDE.sys
2008-04-11 19:05:30 11270 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 19:05:20 0 d-------- C:\Program Files\DivX
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 0 d-------- C:\Program Files\DivX_311alpha
2008-04-11 19:00:26 129024 --a------ C:\WINDOWS\UNWISE.EXE
2008-04-11 18:59:31 98304 --a------ C:\WINDOWS\IsUninst.exe
2008-04-11 13:46:27 0 d-------- C:\Documents and Settings\Beka\Application Data\BitTorrent
2008-04-11 13:46:10 0 d-------- C:\Program Files\DNA
2008-04-11 13:46:10 0 d-------- C:\Documents and Settings\Beka\Application Data\DNA
2008-04-11 13:46:09 0 d-------- C:\Program Files\BitTorrent
2008-04-11 11:53:34 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:17 0 d-------- C:\WINDOWS\system32\CBA
2008-04-11 11:53:16 0 d-------- C:\Program Files\Symantec
2008-04-11 11:53:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-11 11:53:09 0 d-------- C:\Program Files\NavNT
2008-04-11 11:53:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-11 11:52:04 0 d-------- C:\Documents and Settings\Beka\WINDOWS
2008-04-11 11:32:09 0 d-------- C:\Documents and Settings\Beka\Application Data\WinRAR
2008-04-11 10:53:19 49152 --a------ C:\WINDOWS\InstFunc.exe
2008-04-11 10:53:19 12288 --a------ C:\WINDOWS\InstFunc.dll <Not Verified; Silicon Integrated Systems Corporation; SiS (R) VGA Install Function Dynamic Link Library>
2008-04-11 10:52:53 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-11 08:48:10 0 d-------- C:\Program Files\MSXML 6.0
2008-04-11 08:39:06 0 d-------- C:\Program Files\MSBuild
2008-04-11 08:34:07 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-11 08:33:18 0 d-------- C:\Program Files\Reference Assemblies
2008-04-11 08:32:14 0 d-------- C:\85cb704036125b9e81ddb279236b
2008-04-11 08:31:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-11 08:30:04 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-11 08:21:19 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-11 08:18:52 0 d-------- C:\WINDOWS\system32\URTTemp
2008-04-10 22:25:03 0 d-------- C:\WINDOWS\network diagnostic
2008-04-10 21:07:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-10 16:25:13 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-10 16:25:11 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-10 15:21:01 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-10 14:37:23 0 d-------- C:\Documents and Settings\Beka\Application Data\Macromedia
2008-04-10 14:15:15 0 d-------- C:\Documents and Settings\Beka\Application Data\AdobeUM
2008-04-10 14:15:09 0 d-------- C:\Documents and Settings\Beka\Application Data\Adobe
2008-04-10 14:14:25 299776 --a------ C:\WINDOWS\system32\drivers\MRVW225.sys <Not Verified; ; 54M Wireless USB Adapter>
2008-04-10 14:14:25 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-10 14:14:23 0 d-------- C:\Program Files\WA-T1
2008-04-10 14:14:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-10 14:13:21 231040 -ra------ C:\WINDOWS\system32\drivers\MRVW23B.sys <Not Verified; ; Device driver for 802.11 NIC>
2008-04-09 19:45:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-09 19:44:35 0 d--hs---- C:\Documents and Settings\Beka\UserData
2008-04-09 19:33:19 0 d-------- C:\Documents and Settings\Beka\Application Data\Identities
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Templates
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Start Menu
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\SendTo
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\Recent
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\PrintHood
2008-04-09 19:33:07 3407872 --ah----- C:\Documents and Settings\Beka\NTUSER.DAT
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\NetHood
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\My Documents
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Local Settings
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Favorites
2008-04-09 19:33:07 0 d-------- C:\Documents and Settings\Beka\Desktop
2008-04-09 19:33:07 0 d--hs---- C:\Documents and Settings\Beka\Cookies
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Application Data
2008-04-09 19:30:50 0 d--hs---- C:\WINDOWS\Installer
2008-04-09 19:30:49 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-09 19:30:46 0 dr------- C:\Program Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-09 19:30:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-09 19:30:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-09 19:30:20 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-09 19:30:20 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-09 19:30:20 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-09 19:29:42 0 d--hs---- C:\System Volume Information
2008-04-09 19:29:42 0 d-------- C:\Documents and Settings
2008-04-09 19:22:33 0 d-------- C:\WINDOWS
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\WinSxS
2008-04-09 19:22:33 0 dr------- C:\WINDOWS\Web
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\twain_32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wins
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wbem
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\usmt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\spool
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\Setup
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ras
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\oobe
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\npp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\IME
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ias
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\export
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-09 19:22:33 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3076
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\2052
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1054
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1042
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1041
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1037
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1033
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1031
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1028
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1025
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\security
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Resources
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\repair
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Provisioning
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\PeerNet
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\pchealth
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msapps
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msagent
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Media
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\java
2008-04-09 19:22:33 0 d--h----- C:\WINDOWS\inf
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ime
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Help
2008-04-09 19:22:33 0 dr--s---- C:\WINDOWS\Fonts
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ehome
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Driver Cache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Debug
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Cursors
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\AppPatch
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\addins
2008-04-09 19:19:05 0 d-------- C:\Documents and Settings\David\Application Data\AdobeUM
2008-04-09 19:18:50 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2008-04-09 19:18:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-09 19:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-09 19:18:01 0 d-------- C:\WINDOWS\Cache
2008-04-09 18:53:08 252928 -ra------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-09 18:51:07 0 d-------- C:\Documents and Settings\David\Application Data\Identities
2008-04-09 18:50:59 0 dr------- C:\Documents and Settings\David\Favorites
2008-04-09 18:50:59 0 d-------- C:\Documents and Settings\David\Desktop
2008-04-09 18:50:59 0 d--hs---- C:\Documents and Settings\David\Cookies
2008-04-09 18:50:59 0 dr-h----- C:\Documents and Settings\David\Application Data
2008-04-09 18:50:59 0 d---s---- C:\Documents and Settings\David\Application Data\Microsoft
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Templates
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\Start Menu
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\SendTo
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\Recent
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\PrintHood
2008-04-09 18:50:58 2359296 --ah----- C:\Documents and Settings\David\NTUSER.DAT
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\NetHood
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\My Documents
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Local Settings
2008-04-09 18:49:27 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-09 18:49:25 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-09 18:49:25 0 d-------- C:\WINDOWS\Prefetch
2008-04-09 18:49:24 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-09 18:49:24 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-09 18:49:24 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-09 18:49:24 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-09 18:49:24 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-09 18:49:09 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-09 18:49:09 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-09 18:49:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-09 18:49:09 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-09 18:49:08 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-09 18:44:48 0 d-------- C:\WINDOWS\system32\xircom
2008-04-09 18:44:48 0 d-------- C:\Program Files\microsoft frontpage
2008-04-09 18:44:32 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-09 18:44:21 0 -rahs---- C:\MSDOS.SYS
2008-04-09 18:44:21 0 -rahs---- C:\IO.SYS
2008-04-09 18:44:21 0 --a------ C:\CONFIG.SYS
2008-04-09 18:44:21 0 --a------ C:\AUTOEXEC.BAT
2008-04-09 18:42:59 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-09 18:42:47 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-09 18:42:47 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-09 18:42:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-09 18:42:11 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-09 18:41:39 0 d---s---- C:\WINDOWS\Tasks
2008-04-09 18:41:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-09 18:41:35 0 d-------- C:\WINDOWS\srchasst
2008-04-09 18:41:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-09 18:41:26 0 d-------- C:\Program Files\Movie Maker
2008-04-09 18:41:18 0 d-------- C:\WINDOWS\system32\Restore
2008-04-09 18:40:29 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-09 18:40:13 0 d-------- C:\WINDOWS\Registration
2008-04-09 18:40:05 0 d-------- C:\Program Files\Online Services
2008-04-09 18:39:56 0 d-------- C:\Program Files\Messenger
2008-04-09 18:39:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-09 18:39:15 0 d-------- C:\Program Files\Windows NT
2008-04-09 18:39:12 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-09 18:39:11 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-09 19:30:20 62 --ahs---- C:\Documents and Settings\Beka\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02715E47-5A8E-495B-8F63-0D30470B8E72}]
12/04/2008 14:44 39936 --a------ C:\WINDOWS\system32\fccyxyVL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D79AF24-28A3-4EB3-B785-6DBD3836A8B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F5F0A19-104A-436D-9C8F-87D8395841EC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
20/04/2008 14:14 53312 --a------ C:\WINDOWS\system32\osvrrbvf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4df90cd0-9bf1-4c76-8ace-096de7a3304b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ADF3C8A-F510-496C-9149-60C82F0A3943}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d434dc-4193-43b6-b9af-31e64e47d76c}]
20/04/2008 14:14 94272 --a------ C:\WINDOWS\system32\ookcfddt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B724A3E-E864-49C1-8122-53E485E50536}]
12/04/2008 14:57 272384 --------- C:\WINDOWS\system32\tuvTlmlj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"vptray"="C:\Program Files\NavNT\vptray.exe" [24/09/2001 07:59]
"10ab54fb"="C:\WINDOWS\system32\acqvehtn.dll" [18/04/2008 18:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [19/05/2005 14:47]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04/08/2004 00:56]
"BM13986767"="C:\WINDOWS\system32\pfqajdsd.dll" [20/04/2008 14:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 13:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{02715E47-5A8E-495B-8F63-0D30470B8E72}"= C:\WINDOWS\system32\fccyxyVL.dll [12/04/2008 14:44 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxyVL]
fccyxyVL.dll 12/04/2008 14:44 39936 C:\WINDOWS\system32\fccyxyVL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvTlmlj




-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-20 18:02:17 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.80GHz
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 191.48 MiB / 45.12 MiB
Pagefile Memory (total/avail): 466.94 MiB / 164.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1900.88 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 61.56 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Beka\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOO-E219B7F3C80
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Beka
LOGONSERVER=\\BOO-E219B7F3C80
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Beka\LOCALS~1\Temp
TMP=C:\DOCUME~1\Beka\LOCALS~1\Temp
USERDOMAIN=BOO-E219B7F3C80
USERNAME=Beka
USERPROFILE=C:\Documents and Settings\Beka
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Beka (admin)
David (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Mega CoDecS Pack - ProXP --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{F8EAF733-396C-4974-BDCC-F43FC7361E3B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000002}
Ahead InCD EasyWrite Reader --> C:\WINDOWS\unmrw.exe /UNINSTALL
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Browser Hijack Blaster v1.0 --> "C:\Program Files\Browser Hijack Blaster\unins000.exe"
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
DriverGuide Toolkit --> C:\Program Files\DriverGuide Toolkit\uninstall.exe
DVD Shrink 3.1.6 --> "C:\Program Files\DVD Shrink\unins000.exe"
EVEREST Ultimate Edition v3.00 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Beka\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire PRO 4.17.1 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MainConcept MPEG Encoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{706D4B72-1A56-4A5A-920B-20F2C68546EA} /l1033
MainConcept Reference 1.1.1 --> C:\PROGRA~1\MAINCO~1\REFERE~1\UNWISE.EXE C:\PROGRA~1\MAINCO~1\REFERE~1\INSTALL.LOG
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero Mega Plugin Pack --> MsiExec.exe /I{EF901A4B-A25A-4962-83C6-C6691D062ED9}
NeroMIX --> C:\WINDOWS\UNNMIX.exe /UNINSTALL
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
PerfectDisk --> MsiExec.exe /I{C190CB55-817E-4713-84F4-0BBB8961CED9}
PowerDVD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CyberLink\PowerDVD\Uninst.isu"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
setup (Remove only) --> C:\WINDOWS\rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\setup.inf,DefaultUninstall
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TMPGEnc DVD Author 3 with DivX Authoring --> MsiExec.exe /I{3E9F2540-DD55-42FB-8EB6-5508EEC54013}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1256 / Error
Event Submitted/Written: 04/20/2008 02:32:16 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.KillAV in File: C:\windows\system32\ylvpbaem.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied

Event Record #/Type1255 / Error
Event Submitted/Written: 04/20/2008 02:31:49 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.KillAV in File: C:\windows\system32\vkylykcl.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied

Event Record #/Type1254 / Error
Event Submitted/Written: 04/20/2008 02:31:13 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.KillAV in File: C:\windows\system32\rgudeiug.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied

Event Record #/Type1253 / Error
Event Submitted/Written: 04/20/2008 02:30:26 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Vundo in File: C:\windows\system32\jkbxjgsi.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied

Event Record #/Type1234 / Error
Event Submitted/Written: 04/19/2008 11:42:28 AM / 04/19/2008 11:42:29 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\Documents and Settings\Beka\Local Settings\Temporary Internet Files\Content.IE5\WYQ7EIRR\5_swp[1].htm by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2504 / Error
Event Submitted/Written: 04/20/2008 06:00:24 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type2445 / Warning
Event Submitted/Written: 04/20/2008 02:08:08 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00B08C014A7E. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2308 / Error
Event Submitted/Written: 04/17/2008 08:58:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2307 / Error
Event Submitted/Written: 04/17/2008 08:57:41 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2306 / Error
Event Submitted/Written: 04/17/2008 08:20:49 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-04-20 18:02:17 ------------
kingdonger
Regular Member
 
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Unread postby Rodav » April 21st, 2008, 7:08 am

Hi Roger

P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent
Limewire


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.


Step 1:
To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon (or click Start, then select My Computer)
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.


Step 2:
  • Download ERUNT
  • Save it to your desktop. Run and install this program.
  • In the box that opens only choose System registry
  • Then click OK.
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.



Step 3:
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02715E47-5A8E-495B-8F63-0D30470B8E72}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D79AF24-28A3-4EB3-B785-6DBD3836A8B9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F5F0A19-104A-436D-9C8F-87D8395841EC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4df90cd0-9bf1-4c76-8ace-096de7a3304b}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ADF3C8A-F510-496C-9149-60C82F0A3943}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82d434dc-4193-43b6-b9af-31e64e47d76c}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B724A3E-E864-49C1-8122-53E485E50536}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"10ab54fb"=-
"BM13986767"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{02715E47-5A8E-495B-8F63-0D30470B8E72}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxyVL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_CLASSES_ROOT\CLSID\{02715E47-5A8E-495B-8F63-0D30470B8E72}]

[-HKEY_CLASSES_ROOT\CLSID\{0D79AF24-28A3-4EB3-B785-6DBD3836A8B9}]

[-HKEY_CLASSES_ROOT\CLSID\{0F5F0A19-104A-436D-9C8F-87D8395841EC}]

[-HKEY_CLASSES_ROOT\CLSID\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]

[-HKEY_CLASSES_ROOT\CLSID\{4df90cd0-9bf1-4c76-8ace-096de7a3304b}]

[-HKEY_CLASSES_ROOT\CLSID\{7ADF3C8A-F510-496C-9149-60C82F0A3943}]

[-HKEY_CLASSES_ROOT\CLSID\{82d434dc-4193-43b6-b9af-31e64e47d76c}]

[-HKEY_CLASSES_ROOT\CLSID\{9B724A3E-E864-49C1-8122-53E485E50536}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop, then close Notepad.


Step 4:
  • Download UnDLL by ESET from here
  • Unzip/extract it to a folder on the desktop
  • Double click on UNDLL.EXE to start UnDLL
  • Click on Select infected DLL
  • Locate and select this file:
    C:\WINDOWS\system32\fccyxyVL.dll
  • Click Open
  • UnDLL will now attempt to delete the DLL file
  • If asked to restart your PC, click No
  • Repeat the above steps for the following files:
    C:\WINDOWS\system32\osvrrbvf.dll
    C:\WINDOWS\system32\ookcfddt.dll
    C:\WINDOWS\system32\tuvTlmlj.dll
    C:\WINDOWS\system32\acqvehtn.dll
    C:\WINDOWS\system32\pfqajdsd.dll


Step 5:
Double-click Fix.reg (the file created in Step 3) on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


Step 6:
Run dss.exe (Deckard's System Scanner) again and post the log it produces in your next reply.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
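Before merging a fix file like the one in Step 3, it is worth seeing exactly what it will do. The Python dry-run parser below is an added example, not part of the post above and not from ERUNT, UnDLL or any other tool it names; it checks the two formatting rules the post gives (REGEDIT4 as the very first line, one blank line at the end), lists each key deletion (`[-key]`), value deletion (`"name"=-`) and value set, and decodes the hex(7) multi-string so the Authentication Packages line reads as the single entry `msv1_0`. The embedded sample file is a constructed excerpt in the same shape as the post's Fix.reg.

```python
"""
Dry-run parser for a REGEDIT4-format .reg fix file.

Added example (hypothetical code, not part of the original post and not
from ERUNT, UnDLL or any other tool the post names). It never touches the
registry: it checks the two formatting rules the post gives (the first
line must be exactly "REGEDIT4"; the file must end with one blank line)
and reports what a merge would do. SAMPLE_REG is a constructed excerpt
in the same shape as the post's Fix.reg.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Browser Helper Objects\\{02715E47-5A8E-495B-8F63-0D30470B8E72}]\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"BM13986767\"=-\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    "\"Authentication Packages\"=hex(7):6d,73,76,31,5f,30,00,00\n"
    "\n"
)


@dataclass
class RegPlan:
    """What merging the file would do, plus any format problems found."""
    delete_keys: list = field(default_factory=list)    # key paths
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, value name, data)
    errors: list = field(default_factory=list)


def decode_hex7(payload):
    """Decode a hex(7) (REG_MULTI_SZ) payload such as '6d,73,76,31,5f,30,00,00'.

    REGEDIT4 stores multi-strings as ANSI bytes: each string is NUL-terminated
    and the whole list ends with one more NUL. Returns the list of strings.
    """
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]


def parse_reg(text):
    """Parse REGEDIT4 text into a RegPlan without applying anything."""
    plan = RegPlan()
    text = text.replace("\r\n", "\n")       # Notepad saves CRLF line endings
    lines = text.split("\n")
    if lines[0] != "REGEDIT4":
        plan.errors.append("first line must be exactly REGEDIT4 (no blank lines before it)")
    if not text.endswith("\n\n"):
        plan.errors.append("file must end with one blank line")

    key = None   # section currently open; None after a [-key] deletion
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s:
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", s)
        if m:
            if m.group(1) == "-":           # [-key] deletes the whole key
                plan.delete_keys.append(m.group(2))
                key = None
            else:
                key = m.group(2)
            continue
        # Named values only; "@=" default values are not used by this fix.
        m = re.fullmatch(r'"([^"]+)"=(.*)', s)
        if not m:
            plan.errors.append(f"line {n}: unrecognised syntax: {s}")
            continue
        if key is None:
            plan.errors.append(f"line {n}: value outside an open [key] section")
            continue
        name, data = m.groups()
        if data == "-":                     # "name"=- deletes that value
            plan.delete_values.append((key, name))
        elif data.startswith("hex(7):"):
            plan.set_values.append((key, name, decode_hex7(data[len("hex(7):"):])))
        else:                               # string or other typed data, kept raw
            plan.set_values.append((key, name, data))
    return plan


def describe(plan):
    """Human-readable summary of the dry run, one action per line."""
    out = [f"delete key:   {k}" for k in plan.delete_keys]
    out += [f"delete value: {k} -> {v}" for k, v in plan.delete_values]
    out += [f"set value:    {k} -> {v} = {d!r}" for k, v, d in plan.set_values]
    out += [f"ERROR: {e}" for e in plan.errors]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(SAMPLE_REG))))
```

Run it against the saved Fix.reg (read the file and pass its text to `parse_reg`) to confirm it reports only the BHO/CLSID deletions, the two Run values, the ShellExecuteHooks and Winlogon Notify entries, and the reset of Authentication Packages, with no ERROR lines.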

Re: browser hijacked hijack this log

Unread postby kingdonger » April 21st, 2008, 4:49 pm

Deckard's System Scanner v20071014.68
Run by Beka on 2008-04-21 21:37:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Beka.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37:51, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Beka\Desktop\dss.exe
C:\DOCUME~1\Beka\MYDOCU~1\HJT\Beka.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {be29f6e3-7937-591b-9554-4e37d7f8d2dd} - {dd2d8f7d-73e4-4559-b195-73973e6f92eb} - C:\WINDOWS\system32\vhwjoprl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\vltmnusv.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5847 bytes

-- Files created between 2008-03-21 and 2008-04-21 -----------------------------

2008-04-21 19:02:25 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-21 19:02:09 0 d-------- C:\Documents and Settings\Beka\Application Data\Mozilla
2008-04-21 14:22:06 94272 --a------ C:\WINDOWS\system32\vhwjoprl.dll
2008-04-21 14:19:06 88128 --a------ C:\WINDOWS\system32\lgqvtvbt.dll
2008-04-21 14:16:06 97344 --a------ C:\WINDOWS\system32\vltmnusv.dll
2008-04-21 14:13:07 53312 --a------ C:\WINDOWS\system32\corjwqta.dll
2008-04-20 14:17:23 88128 --a------ C:\WINDOWS\system32\vcnlitoi.dll
2008-04-18 18:02:03 94784 --a------ C:\WINDOWS\system32\etoveunq.dll
2008-04-18 18:01:57 53312 --a------ C:\WINDOWS\system32\itqiepti.dll
2008-04-18 18:00:54 96320 --a------ C:\WINDOWS\system32\lefeketv.dll
2008-04-18 16:02:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-04-17 20:20:18 0 d-------- C:\VundoFix Backups
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-17 20:17:01 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-17 20:17:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-17 20:17:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-17 20:17:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-17 20:17:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-17 20:17:00 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-17 20:17:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-17 17:52:19 92736 --a------ C:\WINDOWS\system32\btvyxtuo.dll
2008-04-17 17:49:36 88128 --a------ C:\WINDOWS\system32\xkhivtxk.dll
2008-04-17 13:46:52 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-17 13:46:48 0 d-------- C:\Program Files\DVD Shrink
2008-04-17 13:27:02 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:55 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:23 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:06 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-04-17 13:26:05 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:01 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:26:01 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:25:59 0 d-------- C:\Program Files\CyberLink
2008-04-17 13:25:58 23936 --a------ C:\WINDOWS\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 4672 --a------ C:\WINDOWS\system\wowpost.exe <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 5600 --a------ C:\WINDOWS\system\winaspi.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:57 48128 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-16 10:05:37 92224 --a------ C:\WINDOWS\system32\ueqgiqcn.dll
2008-04-15 16:45:11 53312 --a------ C:\WINDOWS\system32\hepsbqrx.dll
2008-04-14 20:58:24 0 d-------- C:\Documents and Settings\Beka\Application Data\Apple Computer
2008-04-14 20:56:34 0 d-------- C:\Program Files\iPod
2008-04-14 20:56:13 0 d-------- C:\Program Files\iTunes
2008-04-14 20:55:12 0 d-------- C:\Program Files\Bonjour
2008-04-14 20:50:36 0 d-------- C:\Program Files\QuickTime
2008-04-14 20:50:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 20:48:25 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 20:47:55 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-14 20:46:18 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 20:46:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 19:20:04 0 d-------- C:\Program Files\Browser Hijack Blaster
2008-04-14 14:18:34 53312 --a------ C:\WINDOWS\system32\wgbdrmeg.dll
2008-04-14 09:06:19 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-04-13 16:05:27 0 d-------- C:\WINDOWS\Sun
2008-04-13 16:05:26 0 d-------- C:\Documents and Settings\Beka\Application Data\Sun
2008-04-13 12:01:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 11:04:58 0 d-------- C:\Documents and Settings\Beka\Application Data\LimeWire
2008-04-12 15:58:41 0 d-------- C:\Program Files\DriverGuide Toolkit
2008-04-12 15:30:15 2916352 -----n--- C:\WINDOWS\UNNMIX.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:29:32 2916352 -----n--- C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:26:05 2916352 -----n--- C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:25:21 364544 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-04-12 15:25:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-12 15:25:20 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-12 15:20:47 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-04-12 15:20:42 471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:42 262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:41 1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:38 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-12 15:20:29 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-12 15:20:27 0 d-------- C:\Program Files\Ahead
2008-04-12 15:18:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-04-12 15:17:51 0 d-------- C:\Program Files\Common Files\Raxco
2008-04-12 15:17:20 0 d-------- C:\Program Files\Raxco
2008-04-12 14:57:29 277247 --ahs---- C:\WINDOWS\system32\jlmlTvut.ini2
2008-04-12 14:44:26 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-12 14:43:54 0 d-------- C:\Program Files\SlySoft
2008-04-12 14:33:36 233472 --a------ C:\WINDOWS\system32\mcmp4dmux.dll <Not Verified; MainConcept AG; MainConcept® MP4 Demuxer>
2008-04-12 14:19:53 0 d-------- C:\Program Files\Java
2008-04-12 14:18:45 0 d-------- C:\Program Files\Common Files\Java
2008-04-12 14:18:09 0 d-------- C:\Program Files\LimeWire
2008-04-12 14:04:48 0 d-------- C:\Program Files\Lavalys
2008-04-12 14:02:53 0 d-------- C:\Documents and Settings\Beka\Application Data\LEAPS
2008-04-12 13:58:43 0 d-------- C:\Documents and Settings\Beka\Application Data\Pegasys Inc
2008-04-12 13:54:33 33408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS <Not Verified; B.H.A Corporation; B's Recorder GOLD>
2008-04-12 13:53:28 0 d-------- C:\Program Files\Pegasys Inc
2008-04-12 13:36:18 0 d-------- C:\Documents and Settings\Beka\Application Data\MCMPEGEnc
2008-04-12 13:35:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 13:35:48 0 d-------- C:\Program Files\MainConcept
2008-04-12 13:29:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 13:29:39 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-04-12 13:29:38 0 d-------- C:\Program Files\SpywareBlaster
2008-04-12 10:50:40 0 d-------- C:\WINDOWS\pss
2008-04-11 19:36:15 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2008-04-11 19:05:31 56 -r-hs---- C:\WINDOWS\system32\705D181CDE.sys
2008-04-11 19:05:30 11270 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 19:05:20 0 d-------- C:\Program Files\DivX
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 0 d-------- C:\Program Files\DivX_311alpha
2008-04-11 19:00:26 129024 --a------ C:\WINDOWS\UNWISE.EXE
2008-04-11 18:59:31 98304 --a------ C:\WINDOWS\IsUninst.exe
2008-04-11 13:46:27 0 d-------- C:\Documents and Settings\Beka\Application Data\BitTorrent
2008-04-11 13:46:10 0 d-------- C:\Program Files\DNA
2008-04-11 13:46:10 0 d-------- C:\Documents and Settings\Beka\Application Data\DNA
2008-04-11 13:46:09 0 d-------- C:\Program Files\BitTorrent
2008-04-11 11:53:34 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:17 0 d-------- C:\WINDOWS\system32\CBA
2008-04-11 11:53:16 0 d-------- C:\Program Files\Symantec
2008-04-11 11:53:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-11 11:53:09 0 d-------- C:\Program Files\NavNT
2008-04-11 11:53:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-11 11:52:04 0 d-------- C:\Documents and Settings\Beka\WINDOWS
2008-04-11 11:32:09 0 d-------- C:\Documents and Settings\Beka\Application Data\WinRAR
2008-04-11 10:53:19 49152 --a------ C:\WINDOWS\InstFunc.exe
2008-04-11 10:53:19 12288 --a------ C:\WINDOWS\InstFunc.dll <Not Verified; Silicon Integrated Systems Corporation; SiS (R) VGA Install Function Dynamic Link Library>
2008-04-11 10:52:53 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-11 08:48:10 0 d-------- C:\Program Files\MSXML 6.0
2008-04-11 08:39:06 0 d-------- C:\Program Files\MSBuild
2008-04-11 08:34:07 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-11 08:33:18 0 d-------- C:\Program Files\Reference Assemblies
2008-04-11 08:32:14 0 d-------- C:\85cb704036125b9e81ddb279236b
2008-04-11 08:31:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-11 08:30:04 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-11 08:21:19 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-11 08:18:52 0 d-------- C:\WINDOWS\system32\URTTemp
2008-04-10 22:25:03 0 d-------- C:\WINDOWS\network diagnostic
2008-04-10 21:07:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-10 16:25:13 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-10 16:25:11 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-10 15:21:01 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-10 14:37:23 0 d-------- C:\Documents and Settings\Beka\Application Data\Macromedia
2008-04-10 14:15:15 0 d-------- C:\Documents and Settings\Beka\Application Data\AdobeUM
2008-04-10 14:15:09 0 d-------- C:\Documents and Settings\Beka\Application Data\Adobe
2008-04-10 14:14:25 299776 --a------ C:\WINDOWS\system32\drivers\MRVW225.sys <Not Verified; ; 54M Wireless USB Adapter>
2008-04-10 14:14:25 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-10 14:14:23 0 d-------- C:\Program Files\WA-T1
2008-04-10 14:14:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-10 14:13:21 231040 -ra------ C:\WINDOWS\system32\drivers\MRVW23B.sys <Not Verified; ; Device driver for 802.11 NIC>
2008-04-09 19:45:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-09 19:44:35 0 d--hs---- C:\Documents and Settings\Beka\UserData
2008-04-09 19:33:19 0 d-------- C:\Documents and Settings\Beka\Application Data\Identities
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Templates
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Start Menu
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\SendTo
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\Recent
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\PrintHood
2008-04-09 19:33:07 3407872 --ah----- C:\Documents and Settings\Beka\NTUSER.DAT
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\NetHood
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\My Documents
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Local Settings
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Favorites
2008-04-09 19:33:07 0 d-------- C:\Documents and Settings\Beka\Desktop
2008-04-09 19:33:07 0 d--hs---- C:\Documents and Settings\Beka\Cookies
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Application Data
2008-04-09 19:30:50 0 d--hs---- C:\WINDOWS\Installer
2008-04-09 19:30:49 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-09 19:30:46 0 dr------- C:\Program Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-09 19:30:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-09 19:30:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-09 19:30:20 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-09 19:30:20 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-09 19:30:20 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-09 19:29:42 0 d--hs---- C:\System Volume Information
2008-04-09 19:29:42 0 d-------- C:\Documents and Settings
2008-04-09 19:22:33 0 d-------- C:\WINDOWS
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\WinSxS
2008-04-09 19:22:33 0 dr------- C:\WINDOWS\Web
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\twain_32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wins
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wbem
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\usmt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\spool
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\Setup
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ras
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\oobe
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\npp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\IME
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ias
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\export
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-09 19:22:33 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3076
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\2052
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1054
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1042
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1041
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1037
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1033
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1031
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1028
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1025
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\security
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Resources
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\repair
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Provisioning
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\PeerNet
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\pchealth
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msapps
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msagent
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Media
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\java
2008-04-09 19:22:33 0 d--h----- C:\WINDOWS\inf
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ime
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Help
2008-04-09 19:22:33 0 dr--s---- C:\WINDOWS\Fonts
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ehome
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Driver Cache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Debug
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Cursors
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\AppPatch
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\addins
2008-04-09 19:19:05 0 d-------- C:\Documents and Settings\David\Application Data\AdobeUM
2008-04-09 19:18:50 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2008-04-09 19:18:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-09 19:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-09 19:18:01 0 d-------- C:\WINDOWS\Cache
2008-04-09 18:53:08 252928 -ra------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-09 18:51:07 0 d-------- C:\Documents and Settings\David\Application Data\Identities
2008-04-09 18:50:59 0 dr------- C:\Documents and Settings\David\Favorites
2008-04-09 18:50:59 0 d-------- C:\Documents and Settings\David\Desktop
2008-04-09 18:50:59 0 d--hs---- C:\Documents and Settings\David\Cookies
2008-04-09 18:50:59 0 dr-h----- C:\Documents and Settings\David\Application Data
2008-04-09 18:50:59 0 d---s---- C:\Documents and Settings\David\Application Data\Microsoft
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Templates
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\Start Menu
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\SendTo
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\Recent
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\PrintHood
2008-04-09 18:50:58 2359296 --ah----- C:\Documents and Settings\David\NTUSER.DAT
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\NetHood
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\My Documents
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Local Settings
2008-04-09 18:49:27 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-09 18:49:25 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-09 18:49:25 0 d-------- C:\WINDOWS\Prefetch
2008-04-09 18:49:24 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-09 18:49:24 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-09 18:49:24 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-09 18:49:24 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-09 18:49:24 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-09 18:49:09 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-09 18:49:09 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-09 18:49:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-09 18:49:09 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-09 18:49:08 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-09 18:44:48 0 d-------- C:\WINDOWS\system32\xircom
2008-04-09 18:44:48 0 d-------- C:\Program Files\microsoft frontpage
2008-04-09 18:44:32 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-09 18:44:21 0 -rahs---- C:\MSDOS.SYS
2008-04-09 18:44:21 0 -rahs---- C:\IO.SYS
2008-04-09 18:44:21 0 --a------ C:\CONFIG.SYS
2008-04-09 18:44:21 0 --a------ C:\AUTOEXEC.BAT
2008-04-09 18:42:59 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-09 18:42:47 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-09 18:42:47 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-09 18:42:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-09 18:42:11 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-09 18:41:39 0 d---s---- C:\WINDOWS\Tasks
2008-04-09 18:41:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-09 18:41:35 0 d-------- C:\WINDOWS\srchasst
2008-04-09 18:41:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-09 18:41:26 0 d-------- C:\Program Files\Movie Maker
2008-04-09 18:41:18 0 d-------- C:\WINDOWS\system32\Restore
2008-04-09 18:40:29 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-09 18:40:13 0 d-------- C:\WINDOWS\Registration
2008-04-09 18:40:05 0 d-------- C:\Program Files\Online Services
2008-04-09 18:39:56 0 d-------- C:\Program Files\Messenger
2008-04-09 18:39:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-09 18:39:15 0 d-------- C:\Program Files\Windows NT
2008-04-09 18:39:12 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-09 18:39:11 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-09 19:30:20 62 --ahs---- C:\Documents and Settings\Beka\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd2d8f7d-73e4-4559-b195-73973e6f92eb}]
21/04/2008 14:22 94272 --a------ C:\WINDOWS\system32\vhwjoprl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"vptray"="C:\Program Files\NavNT\vptray.exe" [24/09/2001 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [19/05/2005 14:47]
"BM13986767"="C:\WINDOWS\system32\vltmnusv.dll" [21/04/2008 14:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 13:46]

C:\Documents and Settings\Beka\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20/10/2005 12:04:08]




-- End of Deckard's System Scanner: finished at 2008-04-21 21:39:16 ------------


Just to let you know, I have had a nightmare trying to post on here: IE would not load the page and Firefox wouldn't either. -Roger..
kingdonger
Regular Member
 
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Unread postby Rodav » April 22nd, 2008, 11:16 am

Step 1:
  • Double click on UNDLL.EXE to start UnDLL
  • Click on Select infected DLL
  • Locate and select this file:
    C:\WINDOWS\system32\vhwjoprl.dll
  • Click Open
  • UnDLL will now attempt to delete the DLL file
  • If asked to restart your PC, click No
  • Repeat the above steps for the following file:
    C:\WINDOWS\system32\vltmnusv.dll


Step 2:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: {be29f6e3-7937-591b-9554-4e37d7f8d2dd} - {dd2d8f7d-73e4-4559-b195-73973e6f92eb} - C:\WINDOWS\system32\vhwjoprl.dll
    O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\vltmnusv.dll",s


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.


Step 3:
Run dss.exe (Deckard's System Scanner) again and post the log it produces in your next reply.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
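
One way to automate the triage Rodav does by eye in the reply above, added here as an example that is not part of the thread and not code from HijackThis, UnDLL or DSS: a small Python parser for O2 (BHO) and O4 (Run) lines that scores the signals visible in this log. The four heuristics (a BHO whose display name is only a CLSID, a Run value that loads a DLL through Rundll32, a value named BM followed by digits, and a random-looking eight-letter DLL name in system32), the constructed sample lines and the function names are all assumptions of this example; they mark entries for a human to review, not verdicts.

```python
"""Triage helper for HijackThis O2 (BHO) and O4 (Run) log lines.

Added example for this thread; the heuristics are assumptions drawn from the
indicators in the log above and only nominate entries for review.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two benign and two flagged entries in HijackThis v2.0.2
# format, taken from the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: {be29f6e3-7937-591b-9554-4e37d7f8d2dd} - {dd2d8f7d-73e4-4559-b195-73973e6f92eb} - C:\\WINDOWS\\system32\\vhwjoprl.dll
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [BM13986767] Rundll32.exe "C:\\WINDOWS\\system32\\vltmnusv.dll",s
"""

CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\([a-z]{8})\.dll$", re.I)


@dataclass
class Finding:
    line: str
    path: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude randomness test for an 8-letter file stem (assumption: genuine
    system DLL names are pronounceable, generated ones usually are not)."""
    stem = stem.lower()
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", stem) or [""])
    return vowels <= 2 or longest_run >= 5


def extract_paths(cmd: str) -> list:
    """Return the file paths referenced by an O4 command line."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted:
        return quoted
    # Unquoted paths may contain spaces, so take everything up to the first
    # .exe/.dll rather than splitting on whitespace.
    m = re.match(r"(.*?\.(?:exe|dll))", cmd, re.I)
    return [m.group(1)] if m else [cmd]


def triage(log_text: str) -> list:
    """Parse O2/O4 lines and return the entries that trip any heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons, paths = [], []
        m = O2_RE.match(line)
        if m:
            paths = [m.group("path")]
            if CLSID_RE.match(m.group("name")):
                reasons.append("BHO has no display name, only a CLSID")
        m = O4_RE.match(line)
        if m:
            paths = extract_paths(m.group("cmd"))
            if re.match(r"^BM\d+$", m.group("value")):
                reasons.append("Run value named BM<digits>, as seen in this thread")
            if re.match(r"^rundll32(\.exe)?\b", m.group("cmd"), re.I) and any(
                p.lower().endswith(".dll") for p in paths
            ):
                reasons.append("Run entry loads a DLL through Rundll32")
        for p in paths:
            s = SYSTEM32_RE.search(p)
            if s and looks_random(s.group(1)):
                reasons.append("random-looking 8-letter DLL name in system32")
        if reasons:
            findings.append(Finding(line, paths[0], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```

Run against the sample, the two Java and Symantec entries produce nothing, the nameless BHO is flagged on two counts and the BM13986767 value on three. The name test is deliberately weak (it passes legitimate names such as browseui and iphlpapi, but will miss generated names that happen to contain vowels, as some of the DLLs listed later in this thread do), so a flagged file should still be checked against its version information and a known-good hash before anything is deleted.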

Re: browser hijacked hijack this log

Unread postby kingdonger » April 22nd, 2008, 12:30 pm

Once again, many thanks for your time. Here is the latest log. Roger..

Deckard's System Scanner v20071014.68
Run by Beka on 2008-04-22 17:26:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Beka.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:22, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Beka\Desktop\dss.exe
C:\DOCUME~1\Beka\MYDOCU~1\HJT\Beka.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\vltmnusv.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.malwareremoval.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5776 bytes

-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 09:13:54 0 d-------- C:\Documents and Settings\Beka\Application Data\Opera
2008-04-22 09:13:30 0 d-------- C:\Program Files\Opera
2008-04-21 19:02:25 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-21 19:02:09 0 d-------- C:\Documents and Settings\Beka\Application Data\Mozilla
2008-04-21 14:19:06 88128 --a------ C:\WINDOWS\system32\lgqvtvbt.dll
2008-04-21 14:13:07 53312 --a------ C:\WINDOWS\system32\corjwqta.dll
2008-04-20 14:17:23 88128 --a------ C:\WINDOWS\system32\vcnlitoi.dll
2008-04-18 18:02:03 94784 --a------ C:\WINDOWS\system32\etoveunq.dll
2008-04-18 18:01:57 53312 --a------ C:\WINDOWS\system32\itqiepti.dll
2008-04-18 18:00:54 96320 --a------ C:\WINDOWS\system32\lefeketv.dll
2008-04-18 16:02:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-04-17 20:20:18 0 d-------- C:\VundoFix Backups
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-17 20:17:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-17 20:17:01 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-17 20:17:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-17 20:17:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-17 20:17:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-17 20:17:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-17 20:17:00 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-17 20:17:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-17 20:17:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-17 17:52:19 92736 --a------ C:\WINDOWS\system32\btvyxtuo.dll
2008-04-17 17:49:36 88128 --a------ C:\WINDOWS\system32\xkhivtxk.dll
2008-04-17 13:46:52 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-17 13:46:48 0 d-------- C:\Program Files\DVD Shrink
2008-04-17 13:27:02 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:55 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-04-17 13:26:23 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:06 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-04-17 13:26:05 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-04-17 13:26:01 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:26:01 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-04-17 13:25:59 0 d-------- C:\Program Files\CyberLink
2008-04-17 13:25:58 23936 --a------ C:\WINDOWS\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 4672 --a------ C:\WINDOWS\system\wowpost.exe <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:58 5600 --a------ C:\WINDOWS\system\winaspi.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-17 13:25:57 48128 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-16 10:05:37 92224 --a------ C:\WINDOWS\system32\ueqgiqcn.dll
2008-04-15 16:45:11 53312 --a------ C:\WINDOWS\system32\hepsbqrx.dll
2008-04-14 20:58:24 0 d-------- C:\Documents and Settings\Beka\Application Data\Apple Computer
2008-04-14 20:56:34 0 d-------- C:\Program Files\iPod
2008-04-14 20:56:13 0 d-------- C:\Program Files\iTunes
2008-04-14 20:55:12 0 d-------- C:\Program Files\Bonjour
2008-04-14 20:50:36 0 d-------- C:\Program Files\QuickTime
2008-04-14 20:50:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 20:48:25 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 20:47:55 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-14 20:46:18 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 20:46:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 14:18:34 53312 --a------ C:\WINDOWS\system32\wgbdrmeg.dll
2008-04-14 09:06:19 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-04-13 16:05:27 0 d-------- C:\WINDOWS\Sun
2008-04-13 16:05:26 0 d-------- C:\Documents and Settings\Beka\Application Data\Sun
2008-04-13 12:01:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 11:04:58 0 d-------- C:\Documents and Settings\Beka\Application Data\LimeWire
2008-04-12 15:58:41 0 d-------- C:\Program Files\DriverGuide Toolkit
2008-04-12 15:30:15 2916352 -----n--- C:\WINDOWS\UNNMIX.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:29:32 2916352 -----n--- C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:26:05 2916352 -----n--- C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2008-04-12 15:25:21 364544 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-04-12 15:25:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-12 15:25:20 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-12 15:20:47 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-04-12 15:20:42 471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:42 262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:41 1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-12 15:20:38 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-12 15:20:29 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-12 15:20:27 0 d-------- C:\Program Files\Ahead
2008-04-12 15:18:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-04-12 15:17:51 0 d-------- C:\Program Files\Common Files\Raxco
2008-04-12 15:17:20 0 d-------- C:\Program Files\Raxco
2008-04-12 14:57:29 277247 --ahs---- C:\WINDOWS\system32\jlmlTvut.ini2
2008-04-12 14:44:26 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-12 14:43:54 0 d-------- C:\Program Files\SlySoft
2008-04-12 14:33:36 233472 --a------ C:\WINDOWS\system32\mcmp4dmux.dll <Not Verified; MainConcept AG; MainConcept® MP4 Demuxer>
2008-04-12 14:19:53 0 d-------- C:\Program Files\Java
2008-04-12 14:18:45 0 d-------- C:\Program Files\Common Files\Java
2008-04-12 14:18:09 0 d-------- C:\Program Files\LimeWire
2008-04-12 14:04:48 0 d-------- C:\Program Files\Lavalys
2008-04-12 14:02:53 0 d-------- C:\Documents and Settings\Beka\Application Data\LEAPS
2008-04-12 13:58:43 0 d-------- C:\Documents and Settings\Beka\Application Data\Pegasys Inc
2008-04-12 13:54:33 33408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS <Not Verified; B.H.A Corporation; B's Recorder GOLD>
2008-04-12 13:53:28 0 d-------- C:\Program Files\Pegasys Inc
2008-04-12 13:36:18 0 d-------- C:\Documents and Settings\Beka\Application Data\MCMPEGEnc
2008-04-12 13:35:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 13:35:48 0 d-------- C:\Program Files\MainConcept
2008-04-12 13:29:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 13:29:39 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-04-12 13:29:38 0 d-------- C:\Program Files\SpywareBlaster
2008-04-12 10:50:40 0 d-------- C:\WINDOWS\pss
2008-04-11 19:36:15 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2008-04-11 19:05:31 56 -r-hs---- C:\WINDOWS\system32\705D181CDE.sys
2008-04-11 19:05:30 11270 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 19:05:20 0 d-------- C:\Program Files\DivX
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 414272 --a------ C:\WINDOWS\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-11 19:03:21 0 d-------- C:\Program Files\DivX_311alpha
2008-04-11 19:00:26 129024 --a------ C:\WINDOWS\UNWISE.EXE
2008-04-11 18:59:31 98304 --a------ C:\WINDOWS\IsUninst.exe
2008-04-11 13:46:27 0 d-------- C:\Documents and Settings\Beka\Application Data\BitTorrent
2008-04-11 13:46:10 0 d-------- C:\Program Files\DNA
2008-04-11 13:46:10 0 d-------- C:\Documents and Settings\Beka\Application Data\DNA
2008-04-11 13:46:09 0 d-------- C:\Program Files\BitTorrent
2008-04-11 11:53:34 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:34 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-11 11:53:17 0 d-------- C:\WINDOWS\system32\CBA
2008-04-11 11:53:16 0 d-------- C:\Program Files\Symantec
2008-04-11 11:53:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-11 11:53:09 0 d-------- C:\Program Files\NavNT
2008-04-11 11:53:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-11 11:52:04 0 d-------- C:\Documents and Settings\Beka\WINDOWS
2008-04-11 11:32:09 0 d-------- C:\Documents and Settings\Beka\Application Data\WinRAR
2008-04-11 10:53:19 49152 --a------ C:\WINDOWS\InstFunc.exe
2008-04-11 10:53:19 12288 --a------ C:\WINDOWS\InstFunc.dll <Not Verified; Silicon Integrated Systems Corporation; SiS (R) VGA Install Function Dynamic Link Library>
2008-04-11 10:52:53 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-11 08:48:10 0 d-------- C:\Program Files\MSXML 6.0
2008-04-11 08:39:06 0 d-------- C:\Program Files\MSBuild
2008-04-11 08:34:07 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-11 08:33:18 0 d-------- C:\Program Files\Reference Assemblies
2008-04-11 08:32:14 0 d-------- C:\85cb704036125b9e81ddb279236b
2008-04-11 08:31:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-11 08:30:04 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-11 08:21:19 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-11 08:18:52 0 d-------- C:\WINDOWS\system32\URTTemp
2008-04-10 22:25:03 0 d-------- C:\WINDOWS\network diagnostic
2008-04-10 21:07:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-10 16:25:13 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-10 16:25:11 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-10 15:21:01 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-10 14:37:23 0 d-------- C:\Documents and Settings\Beka\Application Data\Macromedia
2008-04-10 14:15:15 0 d-------- C:\Documents and Settings\Beka\Application Data\AdobeUM
2008-04-10 14:15:09 0 d-------- C:\Documents and Settings\Beka\Application Data\Adobe
2008-04-10 14:14:25 299776 --a------ C:\WINDOWS\system32\drivers\MRVW225.sys <Not Verified; ; 54M Wireless USB Adapter>
2008-04-10 14:14:25 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-10 14:14:23 0 d-------- C:\Program Files\WA-T1
2008-04-10 14:14:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-10 14:13:21 231040 -ra------ C:\WINDOWS\system32\drivers\MRVW23B.sys <Not Verified; ; Device driver for 802.11 NIC>
2008-04-09 19:45:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-09 19:44:35 0 d--hs---- C:\Documents and Settings\Beka\UserData
2008-04-09 19:33:19 0 d-------- C:\Documents and Settings\Beka\Application Data\Identities
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Templates
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Start Menu
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\SendTo
2008-04-09 19:33:07 0 dr-h----- C:\Documents and Settings\Beka\Recent
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\PrintHood
2008-04-09 19:33:07 3670016 --ah----- C:\Documents and Settings\Beka\NTUSER.DAT
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\NetHood
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\My Documents
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Local Settings
2008-04-09 19:33:07 0 dr------- C:\Documents and Settings\Beka\Favorites
2008-04-09 19:33:07 0 d-------- C:\Documents and Settings\Beka\Desktop
2008-04-09 19:33:07 0 d--hs---- C:\Documents and Settings\Beka\Cookies
2008-04-09 19:33:07 0 d--h----- C:\Documents and Settings\Beka\Application Data
2008-04-09 19:30:50 0 d--hs---- C:\WINDOWS\Installer
2008-04-09 19:30:49 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-09 19:30:46 0 dr------- C:\Program Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files
2008-04-09 19:30:46 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-09 19:30:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-09 19:30:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-09 19:30:21 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-09 19:30:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-09 19:30:20 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-09 19:30:20 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-09 19:30:20 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-09 19:30:20 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-09 19:30:20 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-09 19:30:07 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-09 19:30:01 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-09 19:30:01 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-09 19:29:42 0 d--hs---- C:\System Volume Information
2008-04-09 19:29:42 0 d-------- C:\Documents and Settings
2008-04-09 19:22:33 0 d-------- C:\WINDOWS
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\WinSxS
2008-04-09 19:22:33 0 dr------- C:\WINDOWS\Web
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\twain_32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wins
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\wbem
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\usmt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\spool
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\Setup
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ras
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\oobe
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\npp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\IME
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\ias
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\export
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-09 19:22:33 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\3076
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\2052
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1054
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1042
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1041
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1037
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1033
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1031
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1028
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system32\1025
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\system
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\security
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Resources
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\repair
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Provisioning
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\PeerNet
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\pchealth
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\mui
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msapps
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\msagent
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Media
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\java
2008-04-09 19:22:33 0 d--h----- C:\WINDOWS\inf
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ime
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Help
2008-04-09 19:22:33 0 dr--s---- C:\WINDOWS\Fonts
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\ehome
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Driver Cache
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Debug
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Cursors
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\Config
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\AppPatch
2008-04-09 19:22:33 0 d-------- C:\WINDOWS\addins
2008-04-09 19:19:05 0 d-------- C:\Documents and Settings\David\Application Data\AdobeUM
2008-04-09 19:18:50 0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2008-04-09 19:18:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-09 19:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-09 19:18:01 0 d-------- C:\WINDOWS\Cache
2008-04-09 18:53:08 252928 -ra------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-09 18:51:07 0 d-------- C:\Documents and Settings\David\Application Data\Identities
2008-04-09 18:50:59 0 dr------- C:\Documents and Settings\David\Favorites
2008-04-09 18:50:59 0 d-------- C:\Documents and Settings\David\Desktop
2008-04-09 18:50:59 0 d--hs---- C:\Documents and Settings\David\Cookies
2008-04-09 18:50:59 0 dr-h----- C:\Documents and Settings\David\Application Data
2008-04-09 18:50:59 0 d---s---- C:\Documents and Settings\David\Application Data\Microsoft
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Templates
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\Start Menu
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\SendTo
2008-04-09 18:50:58 0 dr-h----- C:\Documents and Settings\David\Recent
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\PrintHood
2008-04-09 18:50:58 2359296 --ah----- C:\Documents and Settings\David\NTUSER.DAT
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\NetHood
2008-04-09 18:50:58 0 dr------- C:\Documents and Settings\David\My Documents
2008-04-09 18:50:58 0 d--h----- C:\Documents and Settings\David\Local Settings
2008-04-09 18:49:27 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-09 18:49:25 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-09 18:49:25 0 d-------- C:\WINDOWS\Prefetch
2008-04-09 18:49:24 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-09 18:49:24 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-09 18:49:24 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-09 18:49:24 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-09 18:49:24 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-09 18:49:09 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-09 18:49:09 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-09 18:49:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-09 18:49:09 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-09 18:49:08 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-09 18:44:48 0 d-------- C:\WINDOWS\system32\xircom
2008-04-09 18:44:48 0 d-------- C:\Program Files\microsoft frontpage
2008-04-09 18:44:32 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-09 18:44:21 0 -rahs---- C:\MSDOS.SYS
2008-04-09 18:44:21 0 -rahs---- C:\IO.SYS
2008-04-09 18:44:21 0 --a------ C:\CONFIG.SYS
2008-04-09 18:44:21 0 --a------ C:\AUTOEXEC.BAT
2008-04-09 18:42:59 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-09 18:42:47 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-09 18:42:47 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-09 18:42:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-09 18:42:11 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-09 18:41:39 0 d---s---- C:\WINDOWS\Tasks
2008-04-09 18:41:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-09 18:41:35 0 d-------- C:\WINDOWS\srchasst
2008-04-09 18:41:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-09 18:41:26 0 d-------- C:\Program Files\Movie Maker
2008-04-09 18:41:18 0 d-------- C:\WINDOWS\system32\Restore
2008-04-09 18:40:29 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-09 18:40:13 0 d-------- C:\WINDOWS\Registration
2008-04-09 18:40:05 0 d-------- C:\Program Files\Online Services
2008-04-09 18:39:56 0 d-------- C:\Program Files\Messenger
2008-04-09 18:39:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-09 18:39:15 0 d-------- C:\Program Files\Windows NT
2008-04-09 18:39:12 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-09 18:39:11 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-09 19:30:20 62 --ahs---- C:\Documents and Settings\Beka\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"vptray"="C:\Program Files\NavNT\vptray.exe" [24/09/2001 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [19/05/2005 14:47]
"BM13986767"="C:\WINDOWS\system32\vltmnusv.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 13:46]

C:\Documents and Settings\Beka\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20/10/2005 12:04:08]




-- End of Deckard's System Scanner: finished at 2008-04-22 17:27:23 ------------
kingdonger
Regular Member
 
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Unread postby Rodav » April 23rd, 2008, 4:18 am

Hi Roger,

Step 1:
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\lgqvtvbt.dll
    C:\WINDOWS\system32\corjwqta.dll
    C:\WINDOWS\system32\vcnlitoi.dll
    C:\WINDOWS\system32\etoveunq.dll
    C:\WINDOWS\system32\itqiepti.dll
    C:\WINDOWS\system32\lefeketv.dll
    C:\WINDOWS\system32\btvyxtuo.dll
    C:\WINDOWS\system32\xkhivtxk.dll
    C:\WINDOWS\system32\ueqgiqcn.dll
    C:\WINDOWS\system32\hepsbqrx.dll
    C:\WINDOWS\system32\wgbdrmeg.dll
    C:\WINDOWS\system32\jlmlTvut.ini2
    

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Step 2:
I see you have added malwareremoval.com (a very fine site it is too ;) ) to your Trusted Zone. While malwareremoval.com is of course a safe site, it offers no more benefit being there than out of it. The Trusted Zone has the lowest security and allows scripts and applications from sites in this zone to run freely, so my recommendation is that you do not add any website to it.
I have added the Trusted Zone line to be fixed with HijackThis in red; you can do so if you wish.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\vltmnusv.dll",s
    O15 - Trusted Zone: http://www.malwareremoval.com

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.


Step 3:
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system.

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Java(TM) 6 Update 4
    Java(TM) 6 Update 5


  • Then Restart your computer.
Afterwards download the latest version of Java Runtime Environment(JRE) and install it to your computer.


Step 4:
Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.


Logs to Post:
Run HijackThis (kingdonger.exe) and do a system scan and in your next reply please post:
  • The OTMoveIt2 report
  • The Online Kaspersky log
  • The new HijackThis log

Also let me know how your computer is running.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
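As an added illustration of why those two HijackThis lines are the ones to fix (example code written for this page, not a HijackThis or MalwareRemoval.com tool): the script below runs two heuristics over HijackThis log lines. The sample lines are copied from the log posted above plus one constructed benign rundll32 entry (NvCplDaemon); the eight-lowercase-letter rule and the Trusted Zone rule are this example's assumptions, which an analyst would still confirm by hand.

```python
"""Triage heuristics for HijackThis log lines.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
The sample mixes lines copied from the log posted above with one constructed
benign line; the two rules are heuristics, not signatures.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: every line except NvCplDaemon is from this thread's log;
# NvCplDaemon is a constructed benign rundll32 entry used as a negative case.
SAMPLE_HJT_LINES = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BM13986767] Rundll32.exe "C:\WINDOWS\system32\vltmnusv.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O15 - Trusted Zone: http://www.malwareremoval.com
""".strip().splitlines()

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32[.exe] "<path>.dll",<entry>   or   rundll32 <path>.dll,<entry>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+?\.dll)", re.IGNORECASE)
# Eight lowercase letters and nothing else: the naming pattern of the DLLs moved
# earlier in this thread (vltmnusv, lgqvtvbt, corjwqta, ...). Heuristic only.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.search(cmd)
    return m.group("dll") if m else None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return the lines an analyst should look at first, with the rule that fired."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("O15 - Trusted Zone:"):
            findings.append({
                "rule": "trusted-zone",
                "line": line,
                "why": "the Trusted Zone runs scripts and ActiveX with the loosest settings; "
                       "no site gains anything by being listed there",
            })
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        dll = rundll32_target(m.group("cmd"))
        if dll and "\\system32\\" in dll.lower() and RANDOM_DLL_RE.match(basename(dll)):
            findings.append({
                "rule": "rundll32-random-dll",
                "line": line,
                "why": f"rundll32 loads {basename(dll)} from system32 under value "
                       f"'{m.group('name')}'; eight-random-letter DLL names match the "
                       f"Virtumonde files already moved in this thread",
            })
    return findings


def fix_list(lines: List[str]) -> List[str]:
    """The exact log lines to tick under 'Fix checked' (analyst still confirms each)."""
    return [f["line"] for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f['rule']}] {f['line']}\n    {f['why']}")
```

The negative case matters as much as the hits: a vendor DLL loaded through rundll32 (the constructed NvCpl.dll line) is left alone because its name does not fit the pattern, so the rule flags the Vundo-style entry without turning every rundll32 line into a finding.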

Re: browser hijacked hijack this log

Unread postby kingdonger » April 25th, 2008, 7:26 am

once again thanks for the help here are the log files -Roger...

DllUnregisterServer procedure not found in C:\WINDOWS\system32\lgqvtvbt.dll
C:\WINDOWS\system32\lgqvtvbt.dll NOT unregistered.
C:\WINDOWS\system32\lgqvtvbt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\corjwqta.dll
C:\WINDOWS\system32\corjwqta.dll NOT unregistered.
C:\WINDOWS\system32\corjwqta.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vcnlitoi.dll
C:\WINDOWS\system32\vcnlitoi.dll NOT unregistered.
C:\WINDOWS\system32\vcnlitoi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\etoveunq.dll
C:\WINDOWS\system32\etoveunq.dll NOT unregistered.
C:\WINDOWS\system32\etoveunq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\itqiepti.dll
C:\WINDOWS\system32\itqiepti.dll NOT unregistered.
C:\WINDOWS\system32\itqiepti.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lefeketv.dll
C:\WINDOWS\system32\lefeketv.dll NOT unregistered.
C:\WINDOWS\system32\lefeketv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\btvyxtuo.dll
C:\WINDOWS\system32\btvyxtuo.dll NOT unregistered.
C:\WINDOWS\system32\btvyxtuo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xkhivtxk.dll
C:\WINDOWS\system32\xkhivtxk.dll NOT unregistered.
C:\WINDOWS\system32\xkhivtxk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ueqgiqcn.dll
C:\WINDOWS\system32\ueqgiqcn.dll NOT unregistered.
C:\WINDOWS\system32\ueqgiqcn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hepsbqrx.dll
C:\WINDOWS\system32\hepsbqrx.dll NOT unregistered.
C:\WINDOWS\system32\hepsbqrx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wgbdrmeg.dll
C:\WINDOWS\system32\wgbdrmeg.dll NOT unregistered.
C:\WINDOWS\system32\wgbdrmeg.dll moved successfully.
C:\WINDOWS\system32\jlmlTvut.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04242008_161144

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:11, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Beka\My Documents\HJT\kingdonger.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7766713559
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5769 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 12:12:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725312
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 29348
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 00:46:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06480000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FDC0000.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE00000.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE40000.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE80000.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2 ZIP: infected - 3 skipped
C:\Documents and Settings\Beka\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\Temp\~DFE62E.tmp Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\Temp\~DFE653.tmp Object is locked skipped
C:\Documents and Settings\Beka\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Beka\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Beka\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP1\A0000103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP1\A0000108.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP1\A0000109.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\corjwqta.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\hepsbqrx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\itqiepti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\ueqgiqcn.dll Infected: Packed.Win32.Monder.gen skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\wgbdrmeg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped

Scan process completed.
kingdonger
Regular Member
 
Posts: 28
Joined: April 16th, 2008, 7:58 am
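What the Kaspersky report above actually says is that every hit sits somewhere already out of the load path: Norton's quarantine, System Restore snapshots, the OTMoveIt2 moved-files folder and the Java deployment cache. That is why the next reply asks for housekeeping rather than another removal run. The script below is an added example (not a Kaspersky or MalwareRemoval.com tool) that sorts report lines by location; its sample is built from lines of the report above plus one constructed EICAR line so that a live hit appears, and the location markers and the follow-up table are its own assumptions.

```python
"""Sort a Kaspersky Online Scanner report into live vs. already-contained detections.

Added example for this thread, not a Kaspersky or MalwareRemoval.com tool.
SAMPLE_REPORT is constructed: most lines are copied from the report posted
above, plus one invented EICAR line so that a 'live' hit appears.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06480000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE00000.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Beka\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-28c94cf2 ZIP: infected - 3 skipped
C:\Documents and Settings\Beka\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP1\A0000103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{606B674B-2DB8-4013-B0D7-49397444FDF9}\RP1\A0000108.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\corjwqta.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\_OTMoveIt\MovedFiles\04242008_161144\WINDOWS\system32\ueqgiqcn.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Beka\Desktop\sample.exe Infected: EICAR-Test-File skipped
""".strip().splitlines()

# "<path> Infected: <detection name> <action>"; 'Object is locked' lines and the
# "ZIP: infected - N" container summaries deliberately do not match.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

# Location markers (assumed for this example): a hit in one of these places is
# already out of the load path and is cleared by housekeeping, not by another scan.
LOCATION_RULES = (
    ("av-quarantine", "\\quarantine\\"),
    ("system-restore", "\\system volume information\\_restore{"),
    ("moved-by-otmoveit", "\\_otmoveit\\movedfiles\\"),
    ("java-cache", "\\sun\\java\\deployment\\cache\\"),
)
CATEGORIES = tuple(k for k, _ in LOCATION_RULES) + ("live",)

# The first three follow-ups match the next reply in this thread; purging the
# AV quarantine is this example's own addition.
FOLLOW_UP = {
    "java-cache": "empty the Java cache (Java Control Panel > Temporary Internet Files > Delete Files)",
    "system-restore": "create a fresh restore point, then purge the old ones with cleanmgr",
    "moved-by-otmoveit": "run OTMoveIt2 CleanUp! so C:\\_OTMoveIt is deleted",
    "av-quarantine": "purge the Norton quarantine once the cleanup is confirmed",
    "live": "sample is still in place: hand the path over for manual removal",
}


class Detection(NamedTuple):
    path: str
    name: str
    location: str


def classify_path(path: str) -> str:
    low = path.lower()
    for category, marker in LOCATION_RULES:
        if marker in low:
            return category
    return "live"


def parse_report(lines: List[str]) -> List[Detection]:
    dets: List[Detection] = []
    for line in lines:
        m = INFECTED_RE.match(line.strip())
        if m:
            dets.append(Detection(m.group("path"), m.group("name"), classify_path(m.group("path"))))
    return dets


def summarize(dets: List[Detection]) -> Dict[str, int]:
    counts = {c: 0 for c in CATEGORIES}
    for d in dets:
        counts[d.location] += 1
    return counts


def live_detections(dets: List[Detection]) -> List[Detection]:
    return [d for d in dets if d.location == "live"]


def follow_up_steps(dets: List[Detection]) -> List[str]:
    """One instruction per location that actually had a hit, in CATEGORIES order."""
    present = {d.location for d in dets}
    return [FOLLOW_UP[c] for c in CATEGORIES if c in present]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print(summarize(dets))
    for step in follow_up_steps(dets):
        print(" -", step)
```

Run against the real report above (without the constructed EICAR line) the live count is zero, which is the result that justifies the "your logs are now clean" verdict that follows; anything landing in "live" would need its own removal step before that verdict.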

Re: browser hijacked hijack this log

Unread postby kingdonger » April 25th, 2008, 7:31 am

Sorry, forgot to add: the computer is running a lot better, though accessing this forum is extremely hard, it's like I am being denied, though other web pages load freely...
Best regards, Roger...
kingdonger
Regular Member
 
Posts: 28
Joined: April 16th, 2008, 7:58 am

Re: browser hijacked hijack this log

Unread postby Rodav » April 26th, 2008, 4:53 am

Hi Roger,

though accessing this forum is extremely hard, it's like I am being denied, though other web pages load freely...
Unfortunately the server that hosts this website is under a DDoS attack so accessibility of late has been a bit sporadic, though our server support team are working tirelessly to rectify it.

Step 1:
Please empty your Java cache by following instructions here:
http://www.java.com/en/download/help/5000020300.xml


Step 2:
Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Also please delete UnDLL.


Step 3:
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select drive will open. Click OK
  • Either a scan will open up and take a few minutes or it will go directly to Disk Cleanup for ...
  • Select the More options tab
  • Find System Restore. Click Clean up


Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too much spam posting to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Install and use a firewall with outbound protection
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Online Armor.
    See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets kill bits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium rate dialers.
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
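Because the HOSTS file is consulted before DNS, the same mechanism that lets Spybot block ad and malware domains also lets malware point a security or update site at an address of its choosing, so a HOSTS file is worth auditing as well as installing. The script below is an added example (not part of Spybot S&D or the post above) that separates blocking entries from redirecting ones; its sample file and the watchlist of commonly hijacked names are constructed for the example.

```python
"""Audit a Windows HOSTS file: blocking entries vs. entries that redirect a name.

Added example for this thread, not part of Spybot S&D or the original post.
SAMPLE_HOSTS is constructed (documentation addresses and reserved test names);
WATCHLIST is this example's assumed list of names a hijacker typically redirects.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# Constructed sample, not a file from the thread.
127.0.0.1       localhost
# Spybot-style blocking entries: the name resolves to the local machine, so the site is unreachable
127.0.0.1       ads.example-adserver.test
0.0.0.0         tracker.example.test   # trailing comment
# Hijack-style entry: a security site pointed at a real address the user did not choose
203.0.113.7     www.malwareremoval.com malwareremoval.com
10.0.0.5        printserver.local
"""

# Names that malware redirects to keep the victim away from help or updates (assumed list).
WATCHLIST = ("microsoft.com", "windowsupdate", "symantec.com", "kaspersky.com",
             "malwareremoval.com", "java.com")


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]
    kind: str  # "block" (loopback/unspecified target) or "redirect" (any other address)


def parse_hosts(text: str) -> List[HostsEntry]:
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        # 127.0.0.1, ::1 and 0.0.0.0 send the name nowhere; anything else is a real redirect.
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        entries.append(HostsEntry(lineno, ip, tuple(n.lower() for n in names), kind))
    return entries


def count_by_kind(entries: List[HostsEntry]) -> Dict[str, int]:
    counts = {"block": 0, "redirect": 0}
    for e in entries:
        counts[e.kind] += 1
    return counts


def audit(entries: List[HostsEntry]) -> List[dict]:
    """Every redirect is reported; one that touches the watchlist is rated high."""
    findings = []
    for e in entries:
        if e.kind != "redirect":
            continue
        watched = any(w in n for n in e.names for w in WATCHLIST)
        findings.append({"lineno": e.lineno, "ip": e.ip, "names": e.names,
                         "severity": "high" if watched else "low"})
    return findings


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print(count_by_kind(parsed))
    for f in audit(parsed):
        print(f"line {f['lineno']}: {f['severity']} - {', '.join(f['names'])} -> {f['ip']}")
```

A large blocklist is also what slows the DNS Client service down, which is the reason the post above sets that service to Manual; the block count this script returns shows how much of the file is blocklist, while any "high" finding means a name the user relies on no longer resolves where it should.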