Is Something Going On...

Post by BenJr » April 27th, 2008, 12:20 pm

Hi Guys,

Thank you so much for reading this thread.
I started getting flagged by my security program because of some weird .dll's.
Any assistance is greatly appreciated.

BenJr
_____________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:14 AM, on 4/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\system32\lxcqcoms.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Cursor Hider\CursorHider.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\OWANotify\OWANotify.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ben\Desktop\HJTInstall.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\Windows\system32\xxyxXOgh.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyxXOgh.dll,#1
O4 - HKCU\..\Run: [SkinClock] "C:\Program Files\Clock Tray Skins\ClockTraySkins.exe"
O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cursor Hider.lnk = C:\Program Files\Cursor Hider\CursorHider.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Minimize.ahk
O4 - Startup: Music AlarmClock v2.lnk = C:\Program Files\Music AlarmClock v2\macv2.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11645 bytes
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am
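As an added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that parses HijackThis entries like the O2 and O4 lines in the log above and flags the combination that stands out there, an unnamed BHO and a rundll32 ordinal loader both pointing at a random-looking eight-letter DLL in System32; it also checks the ComboFix "Other Deletions" paths posted later in the thread for the DLL/.ini pair where one name is the other spelled backwards. The name-shape thresholds are my assumptions, and the sample lines are copied from the logs in this thread.

```python
# Added example (mine, not code from the thread or from HijackThis/ComboFix):
# triage heuristics over HijackThis entries and ComboFix deletion paths. The
# thresholds are assumptions tuned to the names in this log; treat hits as leads.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "O2 - BHO: ...", "O4 - HKLM\..\Run: [Name] cmd", "O23 - Service: name - vendor - path"
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# rundll32 <dll>,<export>; an export written as #N is resolved by ordinal, not by name
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)", re.I)
# A file directly under System32 (no deeper subdirectory such as spool\DRIVERS)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
# First executable path of a Run command, quoted or not
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|cpl))"?(?:\s|$)', re.I)

@dataclass
class Entry:
    section: str
    body: str
    path: str = ""
    flags: List[str] = field(default_factory=list)

def random_looking(path: str) -> bool:
    """Shape shared by xxyxXOgh.dll, byXRLCRL.dll and efcYRHbb.dll in this log: eight
    letters, mixed case, at most one vowel, directly in System32 (assumed thresholds)."""
    if not SYSTEM32_RE.match(path):
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed = stem != stem.lower() and stem != stem.upper()
    return mixed and sum(ch in "aeiouAEIOU" for ch in stem) <= 1

def parse_entry(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section and path, noting any flags it trips."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("section"), m.group("body"))
    if e.section in ("O2", "O3", "O23"):
        e.path = e.body.rsplit(" - ", 1)[-1].strip()  # path is the last " - " field
        # RoboForm is also "(no name)" but lives under Program Files; the pairing
        # of no name with a System32 location is what stands out.
        if e.section == "O2" and "(no name)" in e.body and SYSTEM32_RE.match(e.path):
            e.flags.append("unnamed BHO loaded from System32")
    elif e.section == "O4":
        cmd = e.body.split("]", 1)[-1].strip()
        r = RUNDLL_RE.search(cmd)
        if r:
            e.path = r.group("dll").strip()
            if r.group("export").startswith("#"):
                e.flags.append("rundll32 loads DLL by export ordinal")
        else:
            x = EXE_RE.match(cmd)
            e.path = x.group("path") if x else cmd
    if random_looking(e.path):
        e.flags.append("random-looking 8-letter filename in System32")
    return e

def triage(lines: List[str]) -> List[Entry]:
    """Return only the entries that tripped at least one heuristic."""
    entries = (parse_entry(line) for line in lines)
    return [e for e in entries if e and e.flags]

def reversed_name_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """ComboFix removed byXRLCRL.dll next to LRCLRXyb.ini: the .ini stem is the DLL
    stem spelled backwards. Return every (dll, companion) pair whose stems mirror."""
    by_stem = {}
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].split(".", 1)[0].lower()
        by_stem.setdefault(stem, []).append(p)
    pairs = []
    for p in paths:
        stem, _, ext = p.rsplit("\\", 1)[-1].partition(".")
        if ext.lower() == "dll":
            pairs += [(p, o) for o in by_stem.get(stem[::-1].lower(), [])]
    return pairs

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll",
    r"O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\Windows\system32\xxyxXOgh.dll",
    r"O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16",
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyxXOgh.dll,#1",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe",
    r"O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe",
]
# Constructed sample: the "Other Deletions" paths from the ComboFix log later in the thread.
SAMPLE_DELETED = [
    r"C:\Windows\system32\byXRLCRL.dll",
    r"C:\Windows\system32\efcYRHbb.dll",
    r"C:\Windows\System32\LRCLRXyb.ini",
    r"C:\Windows\System32\LRCLRXyb.ini2",
    r"D:\Autorun.inf",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT):
        print(hit.section, hit.path, "->", "; ".join(hit.flags))
```

Only the two entries that reference xxyxXOgh.dll trip the heuristics; RoboForm's unnamed BHO, the Lexmark rundll32 line and lxcqcoms.exe pass, which is why the checks combine name shape with location rather than relying on either alone.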

Re: Is Something Going On...

Post by km2357 » April 27th, 2008, 3:42 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If, for any reason, you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic; I will assist you in this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Post by km2357 » April 27th, 2008, 4:01 pm

Step # 1: Download CCleaner

Download CCleaner from here to clean temp files from your computer.
  • Right-click on the ccsetup.exe file and choose Run as Administrator to start the installation of the program.
  • Select your language and click OK, then Next.
  • Read the license agreement and click I Agree.
  • Click Next to use the default install location.
  • Under Install Options, choose all the default settings, except that I would recommend you unclick/untick "Install the Yahoo! Toolbar" unless you want it. You can also uncheck the "Automatically check for updates" box.
  • Click Install, then Finish to complete the installation.


Step # 2: Retrieve the Installed Programs List from CCleaner

  • Open CCleaner if it's not already running.
  • In the Left Pane, click Tools.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower Right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save.
  • Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


Step # 3: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop.

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

CCleaner Uninstall List
C:\ComboFix.txt
New HijackThis log.



Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Post by BenJr » April 27th, 2008, 9:41 pm

Thank you so much km2357 for taking the time to help me out.
You're the best.

Uninstall List:

2007 Microsoft Office Suite Service Pack 1 (SP1)
3Planesoft Screensaver Manager 1.1
ABBYY FineReader 6.0 Sprint
Actual Window Manager 4.3
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AI RoboForm (All Users)
Apple Mobile Device Support
Apple Software Update
ATnotes Version 9.5
AutoHotkey 1.0.47.06
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
Behavior Guard Add-on 5.5
CCleaner (remove only)
Citrix Presentation Server Client - Web Only
Clock Tray Skins 4
CrossLoop 2.11
Cursor Hider
DeskScapes
Driver Magician 3.18
ePrompter
FileMenu Tools
Firefox Preloader
GIMP 2.4.5
GOM Player
GTK+ 2.10.6-1 runtime environment
HijackThis 2.0.2
iFinger
Intel(R) Graphics Media Accelerator Driver
Intelligent Shutdown 1.26
iTunes
Lexmark 9300 Series
LiveUpdate 3.2 (Symantec Corporation)
LogonStudio Vista
Magic ISO Maker v5.4 (build 0239)
Microsoft IntelliType Pro 6.1
Microsoft Money 2007
Microsoft Money Shared Libraries
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C Runtime
Microsoft XML Parser
Mozilla Firefox (2.0.0.11)
Mozilla Firefox (3.0b4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Music AlarmClock v2.1.0
Mx Monitor 1.29 Eb
Nero 7 Premium
neroxml
Norton Ghost
PC Tools Firewall Plus 3.0
PowerISO
Presto! Forms 3.50.02
Presto! PageManager 7.12.10
Qliner Hotkeys 2.0
QuickTime
RealArcade
Registry Mechanic 7.0
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Visio 2007 (KB947590)
SereneScreen Marine Aquarium 2
SigmaTel Audio
SmartFTP Client 2.5 Setup Files (remove only)
SnagIt 8
Spyware Doctor 5.5
Startup Delayer v2.3 (build 125)
Startup Explorer ver. 5.0.0.25
Super Fast Shutdown 1.0
Synaptics Pointing Device Driver
SyncBack
Taskbar Activate
TeamViewer 3
The Lost Watch 3D Screensaver 1.0
The Weather Channel Desktop 6
Trillian
UltimateDefrag
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb949037)
USB Safely Remove 3.3
VCRedistSetup
VersionTracker Pro Windows
VistaGlazz
WavePad Uninstall
Weather Services
Windows Media Player Firefox Plugin
Windows Sidebar Styler
WinZip 11.2
WordWeb
Your Uninstaller! 2008 Version 6.0

ComboFix 08-04-26.5 - Ben 2008-04-27 20:47:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.283 [GMT -4:00]
Running from: C:\Users\Ben\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\byXRLCRL.dll
C:\Windows\system32\efcYRHbb.dll
C:\Windows\System32\LRCLRXyb.ini
C:\Windows\System32\LRCLRXyb.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 12:47 . 2008-04-27 12:50 <DIR> d-------- C:\Program Files\Startup Explorer
2008-04-27 00:08 . 2008-04-27 00:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-27 00:01 . 2008-04-27 00:01 11,432 --a------ C:\Windows\System32\drivers\PROCEXP100.SYS
2008-04-22 20:47 . 2008-04-27 20:35 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-22 20:47 . 2008-04-22 20:47 1,409 --a------ C:\Windows\QTFont.for
2008-04-21 23:41 . 2008-04-21 23:41 <DIR> d-------- C:\Users\All Users\TechSmith
2008-04-21 23:41 . 2008-04-21 23:41 <DIR> d-------- C:\ProgramData\TechSmith
2008-04-21 23:41 . 2008-04-21 23:41 <DIR> d-------- C:\Program Files\TechSmith
2008-04-21 23:37 . 2008-04-21 23:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 22:40 . 2008-04-21 22:40 <DIR> d-------- C:\Program Files\WordWeb
2008-04-21 22:40 . 2007-12-01 18:01 1,049,720 --a------ C:\Windows\wweb32.dll
2008-04-21 01:13 . 2008-04-21 01:13 <DIR> d-------- C:\Users\Ben\AppData\Roaming\SmartFTP
2008-04-21 01:12 . 2008-04-21 23:23 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-04-21 01:10 . 2008-04-21 01:10 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-04-20 03:03 . 2008-02-05 08:40 51,520 --a------ C:\Windows\System32\drivers\TfFsMon.sys
2008-04-20 03:03 . 2008-02-05 08:41 40,768 --a------ C:\Windows\System32\drivers\TfSysMon.sys
2008-04-20 03:03 . 2008-02-05 08:41 33,600 --a------ C:\Windows\System32\drivers\TfNetMon.sys
2008-04-20 03:03 . 2008-02-05 08:40 12,608 --a------ C:\Windows\System32\drivers\TfKbMon.sys
2008-04-20 02:36 . 2007-12-10 13:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-20 02:36 . 2007-12-10 13:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-20 02:36 . 2008-02-01 11:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-20 02:36 . 2007-12-10 13:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-20 02:35 . 2008-04-20 02:35 <DIR> d-------- C:\Users\Ben\AppData\Roaming\PC Tools
2008-04-20 02:35 . 2008-04-27 20:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-18 23:25 . 2008-04-18 23:30 <DIR> d-------- C:\Users\Ben\AppData\Roaming\Windows Sidebar Styler
2008-04-18 23:25 . 2008-04-18 23:25 <DIR> d-------- C:\Program Files\Windows Sidebar Styler
2008-04-18 02:35 . 2008-04-18 02:35 29 --a------ C:\Windows\.wb4
2008-04-18 02:33 . 2007-09-12 17:58 58,792 --------- C:\Windows\System32\wbload.dll
2008-04-18 02:33 . 2007-07-11 14:06 42,672 --------- C:\Windows\System32\wbsys.dll
2008-04-18 01:53 . 2008-04-18 02:16 <DIR> d-------- C:\Program Files\Common Files\stardock
2008-04-18 01:34 . 1995-07-14 00:00 146,321 --a------ C:\Windows\System32\plus!.hlp
2008-04-18 01:34 . 1995-07-14 00:00 37,888 --a------ C:\Windows\System32\plustab.dll
2008-04-18 01:34 . 1995-06-01 12:00 1,300 --a------ C:\Windows\System32\cool.dll
2008-04-17 23:44 . 2000-10-20 01:05 25,088 --a------ C:\Windows\System32\msxml3a.dll
2008-04-15 23:32 . 2008-04-15 23:32 <DIR> d-------- C:\Program Files\Cursor Hider
2008-04-14 20:18 . 2008-04-14 20:18 21,735,936 --a------ C:\Windows\System32\imageres.dll
2008-04-14 14:43 . 2008-04-14 14:43 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-04-14 00:08 . 2008-04-14 20:14 <DIR> d-------- C:\Program Files\Trillian
2008-04-13 23:39 . 2008-04-14 00:05 <DIR> d-------- C:\Program Files\ICQ6
2008-04-13 01:59 . 2008-04-13 01:59 <DIR> d-------- C:\PFiles
2008-04-11 00:55 . 2008-04-11 00:55 <DIR> d-------- C:\Users\Ben\AppData\Roaming\Stardock
2008-04-11 00:55 . 2008-04-22 03:37 <DIR> d--h----- C:\Users\All Users\{4D84A86B-BFC2-4B9B-B3C4-207F5860E952}
2008-04-11 00:55 . 2008-04-22 03:37 <DIR> d--h----- C:\ProgramData\{4D84A86B-BFC2-4B9B-B3C4-207F5860E952}
2008-04-10 18:52 . 2008-04-10 18:54 <DIR> d-------- C:\Users\Ben\AppData\Roaming\ICAClient
2008-04-09 00:28 . 1997-07-19 16:55 1,347,344 --a------ C:\Windows\System32\msvbvm50.dll
2008-04-08 23:33 . 2008-04-08 23:33 <DIR> d-------- C:\Program Files\NCH Software
2008-04-08 21:25 . 2008-02-22 00:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-08 21:24 . 2008-02-29 03:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 21:23 . 2008-02-29 03:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-08 21:23 . 2008-02-29 03:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-08 21:23 . 2008-02-22 01:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-08 21:23 . 2008-02-29 02:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-08 21:23 . 2008-02-29 00:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 21:23 . 2008-02-29 02:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-08 21:23 . 2008-02-29 02:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 21:23 . 2008-02-29 00:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 21:22 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 21:21 . 2008-02-29 00:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-08 21:12 . 2008-02-21 22:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-08 21:12 . 2008-02-22 01:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-07 23:02 . 2008-04-07 23:07 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-07 22:12 . 2008-04-07 22:12 0 --a------ C:\Windows\Irremote.ini
2008-04-07 13:10 . 2008-04-07 13:10 <DIR> d--h----- C:\Windows\PIF
2008-04-07 00:06 . 2008-04-21 17:53 <DIR> d-------- C:\Program Files\SyncBack
2008-04-06 13:26 . 2008-04-06 13:26 <DIR> d-------- C:\Users\All Users\Avira
2008-04-06 13:26 . 2008-04-06 13:26 <DIR> d-------- C:\ProgramData\Avira
2008-04-06 13:26 . 2008-04-06 13:26 <DIR> d-------- C:\Program Files\Avira
2008-04-06 02:48 . 2008-04-21 19:18 <DIR> d-------- C:\BackUps
2008-04-06 02:31 . 2008-04-06 02:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-06 02:01 . 2008-04-06 02:01 <DIR> d-------- C:\Program Files\AutoHotkey
2008-04-06 01:47 . 2008-04-06 01:47 <DIR> d-------- C:\Program Files\iPod
2008-04-06 01:46 . 2008-04-06 01:47 <DIR> d-------- C:\Program Files\iTunes
2008-04-05 12:04 . 2007-10-31 09:32 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-04-05 11:43 . 2008-04-05 12:37 <DIR> d-------- C:\Users\Ben\AppData\Roaming\VersionTracker Pro
2008-04-05 11:40 . 2008-04-05 11:45 <DIR> d-------- C:\Program Files\VersionTracker Pro
2008-04-05 11:18 . 2008-04-05 11:18 <DIR> d-------- C:\Program Files\Intel
2008-04-05 11:18 . 2007-07-26 16:15 53,248 --a------ C:\Windows\System32\CSVer.dll
2008-04-05 03:04 . 2008-04-05 03:04 <DIR> d-------- C:\Program Files\Citrix
2008-04-05 02:58 . 2008-04-05 02:58 <DIR> d-------- C:\Program Files\FileMenu Tools
2008-04-04 05:21 . 2008-04-04 05:22 <DIR> d-------- C:\Program Files\QuickTime
2008-04-03 13:33 . 2008-04-03 13:33 <DIR> d-------- C:\Windows\System32\IE updates
2008-04-03 13:33 . 2008-04-03 13:33 886,784 --a------ C:\Windows\ebook_library.dll
2008-04-03 13:24 . 2008-04-03 13:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-03 04:26 . 2008-04-03 14:54 81,984 --a------ C:\Windows\System32\bdod.bin
2008-04-03 04:21 . 2008-04-03 14:55 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-04-03 04:06 . 2008-04-03 04:36 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-04-03 04:05 . 2008-04-03 04:05 <DIR> d-------- C:\Windows\Profiles
2008-04-03 03:25 . 2008-04-03 03:25 <DIR> d-------- C:\Program Files\FirefoxPreloader
2008-04-03 03:25 . 2005-01-18 22:15 28,672 --a------ C:\Windows\System32\regclass.dll
2008-04-03 02:30 . 2008-04-03 02:33 <DIR> d-------- C:\Program Files\Super Fast Shutdown
2008-04-03 01:59 . 2007-12-20 17:13 136,416 --a------ C:\Windows\System32\drivers\symsnap.sys
2008-04-03 01:59 . 2008-01-19 20:12 128,104 --a------ C:\Windows\System32\drivers\WimFltr.sys
2008-04-03 01:59 . 2008-01-19 19:45 38,112 --a------ C:\Windows\System32\drivers\v2imount.sys
2008-04-03 01:59 . 2008-01-19 19:40 15,088 --a------ C:\Windows\System32\drivers\vproeventmonitor.sys
2008-04-03 01:57 . 2008-04-03 01:57 <DIR> d-------- C:\Program Files\Norton Ghost
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Videos
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Searches
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Saved Games
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Pictures
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Links
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Downloads
2008-04-03 01:44 . 2008-04-03 01:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-04-03 00:43 . 2008-04-27 20:44 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-03 00:06 . 2008-04-20 03:04 <DIR> d-------- C:\Users\All Users\PC Tools
2008-04-03 00:06 . 2008-04-20 03:04 <DIR> d-------- C:\ProgramData\PC Tools
2008-04-02 23:09 . 2008-04-02 22:49 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-04-02 23:09 . 2008-04-02 22:49 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-04-02 22:54 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-04-02 22:54 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-04-02 22:54 . 2008-01-18 23:36 142,336 --a------ C:\Windows\System32\spp.dll
2008-04-02 22:54 . 2008-01-18 23:36 28,160 --a------ C:\Windows\System32\sxproxy.dll
2008-04-02 22:54 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-04-02 22:49 . 2008-04-02 23:10 49,152 --a------ C:\Windows\SPInstall.etl
2008-04-02 22:49 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-04-02 22:32 . 2008-04-02 22:32 <DIR> d-------- C:\Users\All Users\Avg7
2008-04-02 22:32 . 2008-04-02 22:32 <DIR> d-------- C:\ProgramData\Avg7
2008-04-02 22:27 . 2007-12-20 08:10 995,383 --a------ C:\Windows\System32\temp.004
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 00:55 --------- d---a-w C:\ProgramData\TEMP
2008-04-28 00:53 --------- d-----w C:\Users\Ben\AppData\Roaming\uTorrent
2008-04-28 00:50 --------- d-----w C:\Program Files\ePrompter
2008-04-28 00:46 --------- d-----w C:\Users\Ben\AppData\Roaming\SiteAdvisor
2008-04-28 00:35 --------- d-----w C:\Program Files\Lx_cats
2008-04-24 23:46 --------- d-----w C:\Users\Ben\AppData\Roaming\gtk-2.0
2008-04-19 06:52 --------- d-----w C:\ProgramData\WinZip
2008-04-19 03:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-18 05:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 00:39 --------- d-----w C:\Program Files\MxMonitor
2008-04-10 19:14 159,880 ----a-w C:\Windows\system32\drivers\pctfw2.sys
2008-04-09 06:04 --------- d-----w C:\Users\Ben\AppData\Roaming\TeamViewer
2008-04-09 02:28 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-09 02:10 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 03:02 --------- d-----w C:\ProgramData\Nero
2008-04-08 02:26 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-07 22:15 --------- d-----w C:\ProgramData\Stardock
2008-04-07 17:31 --------- d-----w C:\Program Files\USB Safely Remove
2008-04-07 07:41 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2008-04-06 05:46 --------- d-----w C:\ProgramData\Apple Computer
2008-04-05 07:05 --------- d-----w C:\Program Files\PowerISO
2008-04-05 06:05 --------- d-----w C:\Program Files\Clock Tray Skins
2008-04-03 19:58 --------- d-----w C:\Users\Ben\AppData\Roaming\r2 Studios
2008-04-03 16:53 --------- d-----w C:\Program Files\CrossLoop
2008-04-03 08:06 --------- d-----w C:\Users\Ben\AppData\Roaming\URSoft
2008-04-03 07:14 --------- d-----w C:\Program Files\Actual Window Manager
2008-04-03 06:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-03 05:57 --------- d-----w C:\ProgramData\Symantec
2008-04-03 04:07 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-04-03 03:36 174 --sha-w C:\Program Files\desktop.ini
2008-04-03 03:25 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-03 03:25 --------- d-----w C:\Program Files\Windows Journal
2008-04-03 03:25 --------- d-----w C:\Program Files\Windows Defender
2008-04-03 03:25 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-03 03:25 --------- d-----w C:\Program Files\Windows Calendar
2008-04-03 02:32 --------- d-----w C:\ProgramData\Grisoft
2007-11-30 15:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-08-17 04:37 218,416 ----a-w C:\Program Files\lxcq.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [2008-01-22 17:54 1329664]
"Actual Window Manager"="C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe" [2006-12-15 04:03 850432]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-03-17 13:08 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2007-07-12 05:35 25600]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 01:58 815104]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"00Hotkeys"="C:\Program Files\Qliner Hotkeys\HotKeys.exe" [2006-12-01 20:13 45056]
"lxcqmon.exe"="C:\Program Files\Lexmark 9300 Series\lxcqmon.exe" [2006-10-23 10:51 286720]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-03-28 14:37 2570136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-11-12 15:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-11-12 15:07 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-11-12 15:07 133656]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"LXCQCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-10-15 21:25 106496]

C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Cursor Hider.lnk - C:\Program Files\Cursor Hider\CursorHider.exe [2008-02-28 08:57:45 571904]
ePrompter.lnk - C:\Program Files\ePrompter\ePrompter.exe [2007-09-06 11:51:28 1134592]
Minimize.ahk [2008-04-06 02:05:38 576]
Music AlarmClock v2.lnk - C:\Program Files\Music AlarmClock v2\macv2.exe [2007-09-06 11:27:47 2420736]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-340049275-3702439742-4184287854-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C5DAF990-BBE2-4170-A7C2-A5148CE43CA3}"= UDP:C:\Windows\System32\lxcqcoms.exe:Lexmark Communications System
"{D85BF49C-EC63-4CC8-8917-3D30B7845826}"= TCP:C:\Windows\System32\lxcqcoms.exe:Lexmark Communications System
"{79E22280-8051-4024-A447-C13EE4BE7E73}"= Disabled:UDP:135:TCP Port 135
"{627E8DA3-EEE7-4006-B540-3186321CC525}"= Disabled:UDP:5000:TCP Port 5000
"{7788BA36-CC70-42C7-870A-E5E5C76E2F6F}"= Disabled:UDP:5001:TCP Port 5001
"{F122D52D-DBD0-43BA-8FBA-3FD54C434D9E}"= Disabled:UDP:5002:TCP Port 5002
"{14EFF643-B1C7-4005-8EB9-FAA796057DCB}"= Disabled:UDP:5003:TCP Port 5003
"{515DA81D-290A-4D42-85AF-7AF13D179F56}"= Disabled:UDP:5004:TCP Port 5004
"{F42C6A84-ED09-4230-8CAA-C751A1FA34F2}"= Disabled:UDP:5005:TCP Port 5005
"{EAC6C89B-AE63-4E1F-ADFB-59CFB1FECB73}"= Disabled:UDP:5006:TCP Port 5006
"{F2633306-2D46-421D-9C76-6D1272FD2067}"= Disabled:UDP:5007:TCP Port 5007
"{A4120EF8-E6A9-499A-9DB8-A4B76E03C2C4}"= Disabled:UDP:5008:TCP Port 5008
"{490749FA-6197-4ADA-A0DC-E8A1767651C5}"= Disabled:UDP:5009:TCP Port 5009
"{A62962DA-11FD-4D31-9FD4-149A5AAF550F}"= Disabled:UDP:5010:TCP Port 5010
"{A43B1BCA-F01E-49BE-B987-012468C15FE7}"= Disabled:UDP:5011:TCP Port 5011
"{2AE6973D-215E-475A-99FC-42B10472572D}"= Disabled:UDP:5012:TCP Port 5012
"{0EBD61A9-4521-4135-8FE1-8457365B6049}"= Disabled:UDP:5013:TCP Port 5013
"{342731DB-AA90-42FB-95BE-B16B3B98469F}"= Disabled:UDP:5014:TCP Port 5014
"{93BAA9FA-2245-48E9-829F-3B156AB375A6}"= Disabled:UDP:5015:TCP Port 5015
"{529A69FB-290A-46EA-BB0E-6FCE78888E07}"= Disabled:UDP:5016:TCP Port 5016
"{87CBD8C8-41B3-4020-8C3C-BAE779E84861}"= Disabled:UDP:5017:TCP Port 5017
"{7BAD5C47-E264-46DC-B726-AD846EF9D8C2}"= Disabled:UDP:5018:TCP Port 5018
"{1E449634-9B11-4802-B09F-4FE1C21042E5}"= Disabled:UDP:5019:TCP Port 5019
"{F9CEEEBE-C43B-4151-86B0-6B209429A03E}"= Disabled:UDP:5020:TCP Port 5020
"{1F4E207B-8BC0-4322-9D4F-B3B482D3965A}"= UDP:C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe:UltimateDefrag V1.61
"{7998F1C2-ED4A-41F7-927B-1DF8E25BB9AB}"= TCP:C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe:UltimateDefrag V1.61
"{87FDCB9E-F331-423D-8629-1040B699576E}"= UDP:F:\BackUps\BenJrFiles\System Programs\utorrent.exe:µTorrent
"{34396144-DC53-4A91-8AE1-5D4CAC134803}"= TCP:F:\BackUps\BenJrFiles\System Programs\utorrent.exe:µTorrent
"{7FF53C94-AC1E-4A27-AC8C-087ECED96F6B}"= UDP:C:\Program Files\utorrent\utorrent.exe:µTorrent
"{A95AB031-2804-4265-BEE5-429AF1B92305}"= TCP:C:\Program Files\utorrent\utorrent.exe:µTorrent
"{48E70622-6460-4629-9013-7D7AA2179D82}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A9E60C0D-C836-4920-A614-D4C7847206AD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 TfFsMon;TfFsMon;C:\Windows\system32\drivers\TfFsMon.sys [2008-02-05 08:40]
R0 TfSysMon;TfSysMon;C:\Windows\system32\drivers\TfSysMon.sys [2008-02-05 08:41]
R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-04-10 15:14]
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\Windows\system32\drivers\pctmp.sys [2007-11-09 17:00]
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\Windows\system32\drivers\pctssipc.sys [2007-11-09 17:00]
R2 lxcq_device;lxcq_device;C:\Windows\system32\lxcqcoms.exe [2006-11-06 12:21]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\Windows\system32\dllhost.exe [2006-11-02 05:45]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-31 09:47]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys [2007-11-19 07:59]
R3 SymSnapService;SymSnapService;"C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [2007-12-20 17:13]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S3 TfNetMon;TfNetMon;C:\Windows\system32\drivers\TfNetMon.sys [2008-02-05 08:41]
S3 ThreatFire;ThreatFire;C:\Program Files\Spyware Doctor\TFEngine\TFService.exe service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{542b9508-bc93-11dc-b1ab-806e6f6e6963}]
\shell\AutoRun\command - I:\backup.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6a8bbcc-0329-11dd-87c4-00e0b8c60c72}]
\shell\AutoRun\command - H:\backup.bat

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 20:55:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Clock Tray Skins\Clock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-27 21:02:10 - machine was rebooted [Ben]
ComboFix-quarantined-files.txt 2008-04-28 01:01:43

Pre-Run: 95,172,034,560 bytes free
Post-Run: 98,441,760,768 bytes free

323 --- E O F --- 2008-04-16 03:47:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:02 PM, on 4/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Cursor Hider\CursorHider.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Windows\System32\wsqmcons.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cursor Hider.lnk = C:\Program Files\Cursor Hider\CursorHider.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Minimize.ahk
O4 - Startup: Music AlarmClock v2.lnk = C:\Program Files\Music AlarmClock v2\macv2.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 8977 bytes
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am
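The ComboFix "Reg Loading Points" section above exposes several weakened host defences at once: every Windows Firewall profile has EnableFirewall = 0, UAC is off (EnableLUA = 0), and MountPoints2 carries AutoRun commands for removable volumes. The Python below is an added example (not code from this thread, from ComboFix or from HijackThis) that parses that section format and flags those conditions; the sample input is a constructed excerpt of the log above with StandardProfile changed to 1 to show a clean case, and the `Finding` class, `parse_reg_sections` and `audit` are my own names.

```python
"""Audit a ComboFix 'Reg Loading Points' excerpt for weakened host defences.

Added example, not part of the thread or of ComboFix. It reads the bracketed
registry sections ComboFix prints and flags: firewall profiles with
EnableFirewall = 0, UAC disabled via EnableLUA = 0, and MountPoints2
AutoRun commands, which deserve a manual check (in this thread they were the
user's own backup scripts, but the same key is abused by autorun worms).
"""
import re
from dataclasses import dataclass

# '[KEY]' or '[-KEY]' section header
SECTION_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# '"Name"= 0 (0x0)', '"Name"=dword:00000001', '"Name"="C:\...exe" [date size]'
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# '\shell\AutoRun\command - E:\AutoRun.exe'
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s*-\s*(.+)$")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    key: str        # registry key the finding came from
    detail: str


def parse_reg_sections(text):
    """Return {section_key: {value_name: raw_value}}.

    AutoRun commands are stored under the synthetic name '__autorun__'.
    Lines ComboFix prints that are not key/value pairs (startup .lnk lines,
    driver lists, '.' separators) are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2).strip()
            continue
        m = AUTORUN_RE.match(line)
        if m:
            sections[current]["__autorun__"] = m.group(1).strip()
    return sections


def _int_value(raw):
    """ComboFix prints numbers as '0 (0x0)' or as 'dword:00000001'."""
    m = re.match(r"^(\d+)", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return None


def audit(text):
    """Run the checks over one ComboFix registry excerpt; returns Findings."""
    findings = []
    for key, values in parse_reg_sections(text).items():
        lower = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        # Per-profile firewall state (DomainProfile/PublicProfile/StandardProfile)
        if "firewallpolicy" in lower and leaf.lower().endswith("profile"):
            if _int_value(values.get("EnableFirewall", "")) == 0:
                findings.append(Finding("high", key,
                                        f"Windows Firewall disabled for {leaf}"))
        # UAC switched off
        if lower.endswith("policies\\system"):
            if _int_value(values.get("EnableLUA", "")) == 0:
                findings.append(Finding("high", key, "UAC disabled (EnableLUA = 0)"))
        # AutoRun handlers recorded for removable volumes
        if "mountpoints2" in lower and "__autorun__" in values:
            cmd = values["__autorun__"]
            findings.append(Finding("medium", key,
                                    f"AutoRun command on removable volume: {cmd}"))
    return findings


# Constructed excerpt of the log in this thread (StandardProfile altered to 1).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{48E70622-6460-4629-9013-7D7AA2179D82}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{542b9508-bc93-11dc-b1ab-806e6f6e6963}]
\shell\AutoRun\command - I:\backup.bat
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.detail}\n    {f.key}")
```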

Re: Is Something Going On...

Unread postby km2357 » April 28th, 2008, 2:34 am

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

utorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Do you recognize the following two files?

I:\backup.bat
H:\backup.bat


Step # 1 Upload Files


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\Windows\System32\cool.dll
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\Windows\System32\cbsra.exe

If Jotti is busy, Go to VirusTotal and scan the file(s) there.



Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.




  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KillAll::
    
    Folder::
    
    C:\Users\Ben\AppData\Roaming\uTorrent
    C:\Program Files\utorrent
    
    Registry::
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{87FDCB9E-F331-423D-8629-1040B699576E}"=-
    "{34396144-DC53-4A91-8AE1-5D4CAC134803}"=-
    "{7FF53C94-AC1E-4A27-AC8C-087ECED96F6B}"=-
    "{A95AB031-2804-4265-BEE5-429AF1B92305}"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{542b9508-bc93-11dc-b1ab-806e6f6e6963}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6a8bbcc-0329-11dd-87c4-00e0b8c60c72}]



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. Answer to my question about the two backup.bat files
2. Jotti/VirusTotal results
3. ComboFix Log that appears after Step 2 has been done
4. A fresh HiJackThis Log taken after Step 2 has been done.

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Unread postby BenJr » April 28th, 2008, 9:45 pm

Hi km2357,

Those batch files are files that I made myself. They sit on my flash drives. They add an option for me to automatically back-up the flash drive to the hard drive in the AutoPlay.
The two files you had me scan (cool.dll and cbsra.exe) came up clean.
Now this is where I'm running into a problem. So I drag the CFScript file onto the new ComboFix, the scan starts, then my computer crashes. I get the Blue Screen Of Death, I think. It's the blue screen that tells you that Windows is about to crash, memory dump and everything.
What should I do now?

Thanks Again,
BenJr
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am

Re: Is Something Going On...

Unread postby km2357 » April 28th, 2008, 10:33 pm

Try booting into Safe Mode and dragging the CFScript.txt onto ComboFix.exe from there.

Let me know what happens.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Unread postby BenJr » April 28th, 2008, 11:19 pm

Same thing happens in Safe Mode.
What next...
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am

Re: Is Something Going On...

Unread postby km2357 » April 29th, 2008, 2:33 am

Let's try another way to do what the CFScript was trying to do.

Show All Files And Folders in Vista
First, you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Organise menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


Be sure to re-hide your files once you are finished cleaning your computer.

Step # 1: Deleting Files/Folders

I need you to use Windows Explorer to delete the folders I have marked in Red (if found):

C:\Users\Ben\AppData\Roaming\uTorrent
C:\Program Files\utorrent


Step # 2: Download and run ERUNT
  • You will be downloading ERUNT, a registry backup tool.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.


Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{87FDCB9E-F331-423D-8629-1040B699576E}"=-
"{34396144-DC53-4A91-8AE1-5D4CAC134803}"=-
"{7FF53C94-AC1E-4A27-AC8C-087ECED96F6B}"=-
"{A95AB031-2804-4265-BEE5-429AF1B92305}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{542b9508-bc93-11dc-b1ab-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6a8bbcc-0329-11dd-87c4-00e0b8c60c72}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.


Step # 3 Run CCleaner

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO

Step # 4 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Right-click mbam-setup.exe and choose Run as Administrator and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Unread postby BenJr » April 30th, 2008, 7:05 am

OK km2357,

Here are the logs you requested.
Thanks!

Malwarebytes' Anti-Malware 1.11
Database version: 700

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165154
Time elapsed: 1 hour(s), 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Windows\System32\byXRLCRL.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:54:33 AM, on 2008-04-30
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\lxcqcoms.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Cursor Hider\CursorHider.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Music AlarmClock v2\macv2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Windows\Explorer.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cursor Hider.lnk = C:\Program Files\Cursor Hider\CursorHider.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Minimize.ahk
O4 - Startup: Music AlarmClock v2.lnk = C:\Program Files\Music AlarmClock v2\macv2.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11182 bytes
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am

Re: Is Something Going On...

Unread postby km2357 » April 30th, 2008, 1:56 pm

Step # 1: Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Remove the following old versions of Java:
    • Java Runtime Environment 6 Update 4
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop, double-click on the download to install the newest version.


Step # 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner.

You must be using Internet Explorer; Kaspersky does not work with Firefox.

Click Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


In your next post/reply, I need to see the following:

1. Kaspersky results (KAV.txt)
2. A fresh HijackThis log
3. How is your computer doing, any problems?

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
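The KAV.txt that this step asks for is long, and most of its lines are "Object is locked skipped" entries for files that were simply in use, so the first thing a helper does with it is separate the real detections from that noise and sort them by how serious they are. The Python script below is an added example written for this thread; it is not part of km2357's post and not a Kaspersky tool. It parses the report's one-line-per-object format, treats a detection under C:\QooBox\Quarantine (ComboFix's quarantine folder) as an already-removed item, and puts "not-a-virus:" categories (RemoteAdmin, RiskTool, AdWare) in their own buckets, since those are tools a user may have installed on purpose and only the helper can decide whether they belong. The sample report embedded in it is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample report for this example. The detection names are real
# Kaspersky names of the kind the scanner reports; the paths and the report as a
# whole are illustrative and are not a log taken from the original post.
SAMPLE_REPORT = r"""
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
-------------------------------------------------------------------------------

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Program Files\Super Fast Shutdown\SHUTDOWN.EXE Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\QooBox\Quarantine\C\Windows\System32\example.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\Users\Example\Downloads\keygen.exe Infected: Trojan.Win32.Delf.bqj skipped
C:\Windows\System32\config\SAM Object is locked skipped

Scan process completed.
"""

# One report line is "<path> <status> <last action>". The online scanner only
# reports, so the last action is "skipped" on every line; the regexes still
# capture it so the same parser works on reports where an action was taken.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# ComboFix keeps the files it removed under C:\QooBox\Quarantine; a detection
# there is an old removal, not a live infection.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"


def parse_report(text):
    """Split a KAV.txt report into detections and locked (unscanned) files.

    Returns (findings, locked): findings is a list of (path, detection name),
    locked is a list of paths the scanner could not open because they were in
    use. Locked files are noise for triage, not evidence of infection.
    """
    findings, locked = [], []
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("name")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return findings, locked


def classify(detection):
    """Map a detection name to a coarse triage bucket.

    Kaspersky prefixes software that is risky but often installed on purpose
    (remote-administration tools, risk tools, adware) with "not-a-virus:"
    followed by its category; everything else is malware proper, and the first
    dotted component (Trojan, Worm, Virus, ...) names its type.
    """
    if detection.startswith("not-a-virus:"):
        category = detection[len("not-a-virus:"):].split(".", 1)[0]
        return "pup:" + category
    return "malware:" + detection.split(".", 1)[0]


def triage(text):
    """Group the detections in a report by bucket and count the locked files."""
    findings, locked = parse_report(text)
    buckets = defaultdict(list)
    for path, detection in findings:
        if QUARANTINE_MARKER in path.lower():
            buckets["quarantined"].append((path, detection))
        else:
            buckets[classify(detection)].append((path, detection))
    return dict(buckets), len(locked)


def summary_lines(text):
    """Render the triage as text, malware buckets first, so it reads top-down."""
    buckets, n_locked = triage(text)
    order = sorted(buckets, key=lambda k: (not k.startswith("malware:"), k))
    lines = []
    for key in order:
        lines.append(f"[{key}]")
        for path, detection in buckets[key]:
            lines.append(f"  {path}  <-  {detection}")
    lines.append(f"{n_locked} locked file(s) skipped (in use, not findings)")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_REPORT)))
```

Run it as a script to print the grouped summary, or call `triage()` on the contents of a saved KAV.txt. A RemoteAdmin hit on a remote-support client the user knowingly installed is not something to remove blindly; a Trojan detection in a downloaded keygen is; and a quarantined item under QooBox has already been dealt with.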

Re: Is Something Going On...

Unread postby km2357 » May 3rd, 2008, 4:20 pm

BenJr? How's it coming along?
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Is Something Going On...

Unread postby BenJr » May 5th, 2008, 9:07 pm

Sorry, things got crazy at work.
I might need another day.
My computer seems fine.
I will post again soon.
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am

Re: Is Something Going On...

Unread postby BenJr » May 5th, 2008, 11:35 pm

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-05 11:30:28 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/05/2008
Kaspersky Anti-Virus database records: 741463
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 116370
Number of viruses found: 5
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:59:35

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Program Files\PC Tools Firewall Plus\FirewallWrapper.txt Object is locked skipped
C:\Program Files\PC Tools Firewall Plus\FWService.txt Object is locked skipped
C:\Program Files\Super Fast Shutdown\SHUTDOWN.EXE Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.30.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.30.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy64.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf160F.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1610.tmp Object is locked skipped
C:\ProgramData\PC Tools\ThreatFire\Orig.db Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\efcYRHbb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat{1652ae3c-617c-11dc-8501-000000000000}.TM.blf Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat{1652ae3c-617c-11dc-8501-000000000000}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Ben\AppData\Local\Microsoft\Windows\UsrClass.dat{1652ae3c-617c-11dc-8501-000000000000}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Ben\AppData\Local\Temp\~DF1B46.tmp Object is locked skipped
C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Ben\AppData\Roaming\PCToolsFirewallPlus\FirewallGUI.txt Object is locked skipped
C:\Users\Ben\AppData\Roaming\PCToolsFirewallPlus\FWPlugin.txt Object is locked skipped
C:\Users\Ben\Downloads\Cursor.Hider.v1.5.0.6.Incl.Keygen-UNiQUE\keygen.exe Infected: Trojan.Win32.Delf.bqj skipped
C:\Users\Ben\NTUSER.DAT Object is locked skipped
C:\Users\Ben\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Ben\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Ben\NTUSER.DAT{1652ae3a-617c-11dc-8501-000000000000}.TM.blf Object is locked skipped
C:\Users\Ben\NTUSER.DAT{1652ae3a-617c-11dc-8501-000000000000}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Ben\NTUSER.DAT{1652ae3a-617c-11dc-8501-000000000000}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2E29DD49-7786-417E-AF4F-AE234F48F44C}.crmlog Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{1652ae38-617c-11dc-8501-000000000000}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{1652ae38-617c-11dc-8501-000000000000}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{1652ae38-617c-11dc-8501-000000000000}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{1652ae36-617c-11dc-8501-000000000000}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{1652ae36-617c-11dc-8501-000000000000}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{1652ae36-617c-11dc-8501-000000000000}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\Msdtc\MSDTC.LOG Object is locked skipped
C:\Windows\System32\Msdtc\Trace\dtctrace.log Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.003 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
D:\System Recovery\Folder.htt Object is locked skipped
D:\System Recovery\Protect.ed Object is locked skipped
D:\System Volume Information\autorun.inf Object is locked skipped
D:\System Volume Information\desktop.ini Object is locked skipped
D:\System Volume Information\Folder.htt Object is locked skipped
D:\System Volume Information\info.exe Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\Protect.ed Object is locked skipped
D:\System Volume Information\warning.bmp Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:30 PM, on 2008-05-05
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\lxcqcoms.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Cursor Hider\CursorHider.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\USB Safely Remove\usrunlocker.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Windows\Explorer.EXE
C:\Program Files\OWANotify\OWANotify.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Cursor Hider.lnk = C:\Program Files\Cursor Hider\CursorHider.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Minimize.ahk
O4 - Startup: Music AlarmClock v2.lnk = C:\Program Files\Music AlarmClock v2\macv2.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Extract Flash Video with Bytescout... - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Extract Flash Video with Bytescout... - {1AECDD80-6DC4-4378-8EA0-8B2B7CA38229} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {7238E6D2-EE35-4C1B-8A6B-FF81CF8F0091} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {7238E6D2-EE35-4C1B-8A6B-FF81CF8F0091} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcq_device - - C:\Windows\system32\lxcqcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11726 bytes
BenJr
Active Member
 
Posts: 8
Joined: April 27th, 2008, 11:54 am

Re: Is Something Going On...

Unread postby km2357 » May 6th, 2008, 2:33 am

Your last HJT log appears to be clean, and there are just a few things to take care of from the Kaspersky log. Otherwise you are good to go. :)

Uninstall the following program from your computer:

Cursor Hider

The version you downloaded was infected. Reboot your computer once you have removed it.

Using Windows Explorer, find and delete the following folder, if found:

C:\Users\Ben\Downloads\Cursor.Hider.v1.5.0.6.Incl.Keygen-UNiQUE\


You can remove ComboFix, to do so do the following:

Open up the Run command by pressing the Windows Button and R button at the same time. The Windows Button is at the bottom left of the keyboard between the Ctrl and Alt buttons.

Once the Run command window opens type in ComboFix /u & click OK.

Empty your Recycle Bin.

Please take the time to read my All Clean Post.

Hide system files

  1. Right click on the Start menu and select Explore.
  2. Press the Alt button
  3. Click on Tools > Folder Options....
  4. Select the View tab.
  5. Under Hidden files and folders, select Do not show hidden files and folders.
  6. Check (tick) these two boxes:
      Hide extensions for known file types
      Hide protected operating system files (Recommended)
  7. Click Yes when Windows prompts.
  8. Click OK to apply the settings.

Flush the system restore points

  1. Click on Start.
  2. Right click on Computer and select Properties.
  3. Click on System Protection under Tasks section.
  4. Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
  5. Click OK.
  6. Restart your computer.

After restarting your computer, follow these steps:

  1. Click on Start.
  2. Right click on Computer and select Properties.
  3. Click on System Protection under Tasks section.
  4. Check (tick) all the boxes under Create restore points automatically on the selected disks section.
  5. Click OK.
  6. Restart your computer.

Note: Do this only ONCE, don't flush it regularly.

Enable UAC

While UAC in Vista is certainly annoying to some extent, it offers some protection for Windows. Here's an explanation - http://www.dcr.net/~w-clayton/Vista/UAC ... zation.htm

  1. Click on Start > Control Panel.
  2. Double click on User Accounts.
  3. Under Make changes to your user account, click on Turn User Account Control on or off.
  4. Check (tick) this box: Use User Account Control (UAC) to help protect the computer.
  5. Click OK.

Keep your system updated

Update Windows

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this article to learn how to backup. To restore them, see this article.

If you are using Vista Business, Vista Ultimate or Vista Enterprise, you might want to back up your whole computer instead. See here on how to do it.

To restore, see this tutorial.

Make your Internet Explorer safer

Please read this article to configure Internet Explorer 7 properly.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.
  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A replacement Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

Use an alternative Internet Browser

Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead.

Firefox
Opera
K-Meleon

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird or Pegasus Mail instead.

Here are some more things to read about:

List of clean and infected download managers
Configuring Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
The Unofficial Cookie FAQ
Securing your home wireless network
80 Super Security Tips
The different classes of security software


Please reply one last time so that I know you have read my post and this thread can be closed.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
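The Hosts file section above describes the mechanism in words: the PC consults the hosts file before asking DNS, so a blocklist that maps bad names to 127.0.0.1 short-circuits them. The code below is an added example, not part of the original post or of any of the listed hosts-file projects; it parses a hosts file in the format those lists use (comments, several names per line, first entry wins) and shows hosts-first resolution with a stand-in DNS callable. The sample entries are constructed placeholders under .invalid.

```python
# Constructed excerpt in the format hosts-file blocklists (MVPS, hpHosts, Bluetack) use.
# The blocked names are placeholders under .invalid, not entries from those lists.
SAMPLE_HOSTS = """\
# local names first
127.0.0.1   localhost
::1         localhost
# blocklist: every name on a line is sent to the loopback address
127.0.0.1   ads.example-tracker.invalid  banner.example-tracker.invalid  # inline comment
0.0.0.0     spyware.example.invalid
127.0.0.1   spyware.example.invalid
"""

# Addresses a blocklist uses as a sink; 0.0.0.0 is common besides 127.0.0.1.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased, no trailing dot) to the address the file gives it.

    Comment lines and trailing '# ...' comments are dropped, one line may list
    several names after a single address, and the first line naming a host wins.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def is_blocked(mapping, hostname):
    """True when the file short-circuits hostname to a loopback or null address."""
    name = hostname.lower().rstrip(".")
    if name == "localhost":  # genuinely local, not a block entry
        return False
    return mapping.get(name) in SINKHOLE_ADDRS


def resolve(mapping, hostname, dns_lookup):
    """Hosts-file-first resolution: only names absent from the file go to DNS.

    dns_lookup is any callable taking a hostname and returning an address; a
    real resolver would query the network, the example passes a stub.
    """
    name = hostname.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    return dns_lookup(name)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    fake_dns = lambda n: "203.0.113.5"  # stand-in for a real DNS answer (constructed)
    for host in ("ads.example-tracker.invalid", "www.example.invalid"):
        print(host, "->", resolve(hosts, host, fake_dns), "(blocked)" if is_blocked(hosts, host) else "")
```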