Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Computer being run by Evil Klingon Hamsters on Valium

Post by irsslex » May 19th, 2008, 10:09 pm

This is an amazing place. I would really appreciate it if one of you spectacularly gifted chaps might take a gander at this logfile. I got a browser hijacker on my system from, I think, BitComet. I've run Ad-Aware, SpySweeper and System Mechanic AV. The browser still gets hijacked even though I've undoubtedly cleaned out a lot of other junk. Shame on me. I have met the enemy and he is me...thanks so much :roll:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:22, on 19-May-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BitComet\tools\CometBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: (no name) - {7F63FE4D-A96E-486F-8879-7E9DD667EC84} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {7b638a8d-d213-c958-3f94-92f3d9bbe64c} - {c46ebb9d-3f29-49f3-859c-312dd8a836b7} - C:\WINDOWS\system32\kqpynjgf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [BM9f244820] Rundll32.exe "C:\WINDOWS\system32\nvirshcy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8650384140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8650829765
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 13391 bytes
irsslex
Active Member
 
Posts: 4
Joined: May 19th, 2008, 9:57 pm
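As an added example (not part of the thread, and not code from HijackThis or MalwareRemoval.com), here is a small Python triage script that parses lines in the HijackThis v2 format and flags the entries an analyst would look at first in the log above: orphaned BHOs, a BHO whose display name is itself a GUID, Run values that load a DLL through rundll32 or end in a hex string, random-looking DLL names in system32, and Winsock LSPs that HijackThis could not identify. The sample input is a handful of lines copied from that log; the "random-looking name" rule is an assumed heuristic meant to prioritise review, not to decide anything on its own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis v2.0.2
# log in the first post. The rest of that log is left out to keep this short.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: {7b638a8d-d213-c958-3f94-92f3d9bbe64c} - {c46ebb9d-3f29-49f3-859c-312dd8a836b7} - C:\WINDOWS\system32\kqpynjgf.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM9f244820] Rundll32.exe "C:\WINDOWS\system32\nvirshcy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why the entry deserves a closer look
    line: str      # the log line itself

# Line shapes used by HijackThis v2: "<section> - <body>", then per-section bodies.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYS32_DLL_RE = re.compile(r"\\system32\\([a-z0-9_]+)\.dll", re.I)
RUNDLL_RE = re.compile(r'^"?rundll32(\.exe)?"?\s', re.I)

def looks_random(stem: str) -> bool:
    # Assumed heuristic: eight lowercase letters with at most one vowel. A crude
    # proxy for machine-generated file names; it prioritises review, it is not a verdict.
    return (len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in "aeiou" for c in stem) <= 1)

def check_system32_dll(section: str, text: str, line: str) -> list:
    m = SYS32_DLL_RE.search(text)
    if m and looks_random(m.group(1)):
        return [Finding(section, f"random-looking DLL name in system32: {m.group(1)}.dll", line)]
    return []

def check_bho(body: str, line: str) -> list:
    m = BHO_RE.match(body)
    if not m:
        return []
    name, _clsid, path = m.groups()
    out = []
    if path == "(no file)":
        out.append(Finding("O2", "orphaned BHO: CLSID is registered but its file is gone", line))
    if GUID_RE.match(name):
        out.append(Finding("O2", "BHO carries no product name, only a second GUID", line))
    return out + check_system32_dll("O2", path, line)

def check_run(body: str, line: str) -> list:
    m = RUN_RE.match(body)
    if not m:
        return []
    hive, value_name, command = m.groups()
    out = []
    if RUNDLL_RE.match(command):
        out.append(Finding("O4", f"{hive} Run value [{value_name}] loads a DLL through rundll32", line))
    if re.search(r"[0-9a-f]{8}$", value_name, re.I):
        out.append(Finding("O4", f"Run value name [{value_name}] ends in a hex string", line))
    return out + check_system32_dll("O4", command, line)

def check_lsp(body: str, line: str) -> list:
    if not LSP_RE.match(body):
        return []
    # A real LSP (security products install them too) must be identified by
    # vendor before it is touched: breaking the Winsock chain breaks networking.
    return [Finding("O10", "Winsock LSP not identified by HijackThis; identify the vendor first", line)]

def triage(log_text: str) -> list:
    """Return the entries of a HijackThis log that merit analyst review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:          # header, process list, blank line
            continue
        section, body = m.groups()
        if section == "O2":
            findings += check_bho(body, line)
        elif section == "O4":
            findings += check_run(body, line)
        elif section == "O10":
            findings += check_lsp(body, line)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, it leaves the Google Toolbar, iTunes, ctfmon and Bonjour entries alone and reports the two BHO lines, the rundll32 Run value and the LSP, which is the set a helper on this board would ask about first.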

Re: Computer being run by Evil Klingon Hamsters on Valium

Post by Shaba » May 20th, 2008, 8:13 am

Hi irsslex

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Post:

- dss logs (taken after mbam run)
- mbam report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Computer being run by Evil Klingon Hamsters on Valium

Post by irsslex » May 20th, 2008, 1:38 pm

Hi -- I could not get the MBAM program to start up from the website. The link you provided was broken, but I went to the website to try to download the trial version and run it, but it would not, as I said, come up. Thank you so, so much for your help. It is most appreciated.

I did run the Deckard's System Scan, however:

Deckard's System Scanner v20071014.68
Run by I Randolph S. Shiner on 2008-05-20 10:26:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-05-14 00:22:32 UTC - RP139 - Software Distribution Service 3.0
6: 2008-05-14 00:22:32 UTC - RP138 - Software Distribution Service 3.0
5: 2008-05-14 00:22:32 UTC - RP137 - Installed iTunes
4: 2008-05-14 00:22:32 UTC - RP136 - Restore Operation
3: 2008-05-14 00:22:32 UTC - RP135 - Installed EPSON EasyPrintModule


-- First Restore Point --
1: 2008-05-14 00:22:32 UTC - RP133 - Configured Microsoft Office Ultimate 2007


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as I Randolph S. Shiner.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:06, on 20-May-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\I Randolph S. Shiner\Local Settings\Temporary Internet Files\Content.IE5\U9IA7EBL\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\IRANDO~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: (no name) - {7F63FE4D-A96E-486F-8879-7E9DD667EC84} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {7b638a8d-d213-c958-3f94-92f3d9bbe64c} - {c46ebb9d-3f29-49f3-859c-312dd8a836b7} - C:\WINDOWS\system32\kqpynjgf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [BM9f244820] Rundll32.exe "C:\WINDOWS\system32\nvirshcy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8650384140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8650829765
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 13560 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 CTAudSvcService (Creative Audio Service) - c:\program files\creative\shared files\ctaudsvc.exe <Not Verified; Creative Technology Ltd; Creative Audio Service>
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-19 22:24:16 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2086-02-25 09:04:28 609 --ah----- C:\Documents and Settings\Administrator\layout.bin
2008-05-19 19:21:07 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-19 19:21:06 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Spyware Terminator
2008-05-19 19:21:06 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spyware Terminator
2008-05-19 19:21:02 0 d-------- C:\Program Files\Spyware Terminator
2008-05-19 18:47:10 0 d-------- C:\Program Files\Trend Micro
2008-05-19 15:09:17 0 d-------- C:\Program Files\PCPitstop
2008-05-19 15:05:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Road Runner
2008-05-19 15:04:21 327680 --a------ C:\WINDOWS\Road Runner PhotoShow.scr <Not Verified; Simple Star, Inc.; Road Runner PhotoShow Screen Saver>
2008-05-19 15:03:52 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-05-19 15:03:51 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-05-19 15:02:05 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Simple Star Shared
2008-05-19 15:01:59 0 d-------- C:\Program Files\Road Runner
2008-05-19 15:01:49 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Simple Star
2008-05-19 15:00:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Simple Star
2008-05-19 15:00:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Road Runner
2008-05-19 11:36:02 0 d--hs---- C:\INCINERATE
2008-05-19 10:11:17 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\iLike
2008-05-16 23:27:14 0 d-------- C:\Program Files\Lavasoft
2008-05-16 23:25:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 23:03:14 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-16 22:45:00 0 d--h---c- C:\WINDOWS\ie8
2008-05-16 16:07:21 90688 --a------ C:\WINDOWS\system32\bpxvviul.dll
2008-05-16 16:04:21 2112 --a------ C:\WINDOWS\system32\oovafyhv.exe
2008-05-16 16:01:32 102464 --a------ C:\WINDOWS\system32\kqpynjgf.dll
2008-05-16 15:45:29 96832 --a------ C:\WINDOWS\system32\nvirshcy.dll
2008-05-16 15:45:18 3648 --a------ C:\WINDOWS\system32\bsrrjqku.dll
2008-05-16 14:01:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-16 13:46:53 102464 --a------ C:\WINDOWS\system32\utytbbku.dll
2008-05-16 13:43:53 2112 --a------ C:\WINDOWS\system32\scqkbgjm.exe
2008-05-16 13:42:04 3648 --a------ C:\WINDOWS\system32\pkixbguy.dll
2008-05-16 13:41:56 96832 --a------ C:\WINDOWS\system32\tpujpybb.dll
2008-05-16 12:16:28 2112 --a------ C:\WINDOWS\system32\tygrsnoc.exe
2008-05-16 12:10:32 102464 --a------ C:\WINDOWS\system32\forrxril.dll
2008-05-16 12:04:28 3648 --a------ C:\WINDOWS\system32\xnnpvagv.dll
2008-05-16 12:02:07 96832 --a------ C:\WINDOWS\system32\ovughlfe.dll
2008-05-15 12:41:17 2112 --a------ C:\WINDOWS\system32\vdqodkpi.exe
2008-05-15 12:38:16 90176 --a------ C:\WINDOWS\system32\hkinrqrt.dll
2008-05-15 12:35:15 101952 --a------ C:\WINDOWS\system32\xnukidle.dll
2008-05-15 12:29:15 99904 --a------ C:\WINDOWS\system32\oeygvbir.dll
2008-05-15 12:26:15 3648 --a------ C:\WINDOWS\system32\sexteqsp.dll
2008-05-15 10:30:40 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-15 08:35:15 0 d-------- C:\Program Files\Spyware Doctor
2008-05-15 08:35:15 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\PC Tools
2008-05-14 12:30:32 294 ---hs---- C:\WINDOWS\system32\dhouafex.ini2
2008-05-14 12:30:24 2112 --a------ C:\WINDOWS\system32\itprpcmx.exe
2008-05-14 12:30:20 92224 --a------ C:\WINDOWS\system32\xefauohd.dll
2008-05-14 12:27:21 101440 --a------ C:\WINDOWS\system32\eghwlqeq.dll
2008-05-14 12:25:18 3648 --a------ C:\WINDOWS\system32\gcopdlgi.dll
2008-05-14 12:25:04 96832 --a------ C:\WINDOWS\system32\ktaetsvl.dll
2008-05-14 12:22:57 101440 --a------ C:\WINDOWS\system32\hjoiarnw.dll
2008-05-14 12:20:07 2112 --a------ C:\WINDOWS\system32\lougdxum.exe
2008-05-14 12:07:09 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
2008-05-14 12:07:04 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-14 12:07:04 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-14 11:58:58 96832 --a------ C:\WINDOWS\system32\tolysfgw.dll
2008-05-14 11:58:42 3648 --a------ C:\WINDOWS\system32\davypeyi.dll
2008-05-13 22:07:31 100928 --a------ C:\WINDOWS\system32\xmfhberx.dll
2008-05-13 22:07:24 90688 --a------ C:\WINDOWS\system32\qgxvurnd.dll
2008-05-13 22:04:24 2112 --a------ C:\WINDOWS\system32\viffllhj.exe
2008-05-13 22:02:13 100928 -----n--- C:\WINDOWS\system32\acalshpq.dll
2008-05-13 22:02:10 3648 --a------ C:\WINDOWS\system32\fwqxsjsp.dll
2008-05-13 21:58:10 2112 --a------ C:\WINDOWS\system32\llahsjbd.exe
2008-05-13 21:52:13 100928 --a------ C:\WINDOWS\system32\vccpglov.dll
2008-05-13 21:50:55 3648 --a------ C:\WINDOWS\system32\fmrgisfn.dll
2008-05-13 05:36:07 100928 --a------ C:\WINDOWS\system32\xeygxddv.dll
2008-05-13 05:33:14 2112 --a------ C:\WINDOWS\system32\bsrqnyhj.exe
2008-05-13 05:31:45 100928 --a------ C:\WINDOWS\system32\nskasxad.dll
2008-05-13 05:31:35 3648 --a------ C:\WINDOWS\system32\ppseuyhx.dll
2008-05-13 05:19:54 162 --a------ C:\install.dat
2008-05-12 14:15:02 2112 --a------ C:\WINDOWS\system32\hidiodph.exe
2008-05-12 14:09:02 101440 --a------ C:\WINDOWS\system32\rkybhuet.dll
2008-05-12 14:03:02 3648 --a------ C:\WINDOWS\system32\gueglyes.dll
2008-05-12 14:00:45 100416 --a------ C:\WINDOWS\system32\aowjxwev.dll
2008-05-12 10:51:14 0 d-------- C:\Program Files\MagicDVDRipper
2008-05-12 10:49:46 43520 --a------ C:\WINDOWS\system32\cbXRLbYr.dll
2008-05-12 02:33:23 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\dvdcss
2008-05-11 23:56:15 42496 --a------ C:\WINDOWS\system32\mlJBQGXq.dll
2008-05-11 23:56:05 42496 --a------ C:\WINDOWS\system32\fccDWOGA.dll
2008-05-11 23:55:46 42496 --a------ C:\WINDOWS\system32\byXoNebA.dll
2008-05-11 23:55:07 42496 --a------ C:\WINDOWS\system32\pmnmMGYO.dll
2008-05-11 23:54:07 42496 --a------ C:\WINDOWS\system32\vtUnkHYO.dll
2008-05-11 23:53:36 42496 --a------ C:\WINDOWS\system32\mlJCVoLE.dll
2008-05-11 23:53:09 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-11 23:53:09 16512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-11 23:52:22 0 d-------- C:\Program Files\Xilisoft
2008-05-11 23:48:30 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\BitZipper
2008-05-11 23:48:06 0 d-------- C:\Program Files\BitZipper
2008-05-11 12:24:24 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-10 10:16:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-05-09 23:28:25 0 d-------- C:\WINDOWS\Performance
2008-05-09 23:27:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Corporation
2008-05-09 14:58:01 0 d-------- C:\101MITCH
2008-05-08 13:22:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-05-08 04:18:43 0 d-------- C:\WINDOWS\Prefetch
2008-05-08 02:13:34 0 d-------- C:\WINDOWS\system32\scripting
2008-05-08 02:13:32 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 02:13:27 0 d-------- C:\WINDOWS\system32\en
2008-05-07 21:19:35 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-05-07 20:42:35 0 d-------- C:\Program Files\Keygens
2008-05-07 20:40:16 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Download Manager
2008-05-07 18:30:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-05-07 17:05:02 70088 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-07 11:33:22 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Logitech
2008-05-07 11:32:37 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\LogiShrd
2008-05-06 15:06:21 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Ahead
2008-05-06 15:05:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-05-06 14:58:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-04-29 20:55:33 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\CyberScrub
2008-04-29 20:33:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 20:30:16 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-29 20:28:52 0 d-------- C:\Program Files\Reference Assemblies
2008-04-28 03:53:33 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Desktop
2008-04-27 21:00:26 0 d-------- C:\Program Files\THQ
2008-04-27 21:00:26 0 d-------- C:\Program Files\MSXML 4.0
2008-04-27 20:43:06 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-27 20:41:40 0 d-------- C:\Program Files\MSBuild
2008-04-27 20:29:12 0 d-------- C:\Program Files\Unknown Artist
2008-04-27 19:45:52 0 d-------- C:\Program Files\MSBuild(2)
2008-04-27 18:56:08 0 d-------- C:\My Music <MYMUSI~1>
2008-04-27 18:21:31 0 d-------- C:\My Music from C Office
2008-04-27 18:15:33 0 d-------- C:\ITunes Music <ITUNES~1>
2008-04-27 17:19:11 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Lasersoft Imaging
2008-04-27 17:19:11 20000 --ah----- C:\Documents and Settings\All Users.WINDOWS\Application Data\T09F8
2008-04-26 17:27:58 5767168 --a------ C:\Documents and Settings\I Randolph S. Shiner\ntuser.dat
2008-04-23 13:43:48 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\iolo
2008-04-23 13:43:37 126976 --a------ C:\WINDOWS\system32\iavlsp.dll
2008-04-23 13:38:25 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-04-23 13:36:14 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-04-23 13:34:54 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\iolo
2008-04-23 13:34:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-04-22 21:21:49 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-22 19:31:53 0 d-------- C:\NVIDIA
2008-04-22 19:26:45 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\skypePM
2008-04-22 19:26:45 32 --ah----- C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-04-22 19:24:43 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Skype
2008-04-22 19:21:03 0 d-------- C:\Downloads
2008-04-22 19:20:48 0 d-------- C:\Program Files\BitComet
2008-04-22 18:10:50 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Leadertech
2008-04-22 18:09:57 495616 --a------ C:\WINDOWS\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 73728 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 77824 --a------ C:\WINDOWS\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 45056 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 73220 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-04-22 18:09:57 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-04-22 18:09:57 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-04-22 18:09:57 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-04-22 18:09:57 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-04-22 18:09:57 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-04-22 18:09:57 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-04-22 18:09:57 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-04-22 18:09:57 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-04-22 18:09:57 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-04-22 18:09:57 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-04-22 18:09:57 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-04-22 18:09:57 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-04-22 18:09:57 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-04-22 18:09:57 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-04-22 18:09:57 45056 --a------ C:\WINDOWS\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 16:01:18 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-04-22 15:52:52 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Google
2008-04-22 15:52:44 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-04-22 15:52:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-04-22 15:49:02 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Yahoo!
2008-04-22 13:57:30 0 d-------- C:\Program Files\MSXML 6.0
2008-04-22 13:35:55 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-04-22 13:11:38 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\OfficeUpdate12
2008-04-22 13:11:06 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-04-22 10:35:35 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Apple Computer
2008-04-22 10:34:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-22 10:33:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-04-22 10:02:47 0 d-------- C:\Program Files\Microsoft Small Business
2008-04-22 09:23:55 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-22 09:22:44 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-04-22 03:07:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Start Menu
2008-04-21 18:50:09 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-05-19 15:03:56 2 --a------ C:\Documents and Settings\I Randolph S. Shiner\Application Data\7zip_progress_91378E44-F406-44E3-9F33-133668ACD985.txt
2008-05-19 15:03:49 0 d-------- C:\Program Files\Common Files\Simple Star Shared
2008-05-19 15:03:46 2 --a------ C:\Documents and Settings\I Randolph S. Shiner\Application Data\7zip_progress_98B28C71-32DC-4F77-9E8A-58B64682778F.txt
2008-05-19 10:11:08 0 d-------- C:\Program Files\iTunes
2008-05-16 23:44:02 0 d-------- C:\Program Files\Google
2008-05-16 23:26:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 23:25:32 0 d-------- C:\Program Files\Common Files\Skype
2008-05-16 23:03:13 0 d-------- C:\Program Files\Yahoo!
2008-05-16 16:15:13 0 d-------- C:\Program Files\Webroot
2008-05-16 14:48:57 0 d-------- C:\Program Files\Windows Defender
2008-05-14 12:05:57 0 d-------- C:\Program Files\iolo
2008-05-12 13:54:15 0 d-------- C:\Program Files\Windows Desktop Search
2008-05-08 02:15:24 0 d-------- C:\Program Files\Messenger
2008-05-08 02:13:24 0 d-------- C:\Program Files\Movie Maker
2008-05-08 01:59:55 0 d-------- C:\Program Files\Windows NT
2008-05-08 00:23:06 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Adobe
2008-05-07 20:57:37 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-07 11:42:53 0 d-------- C:\Program Files\Common Files\Logishrd
2008-05-06 15:03:34 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-29 08:49:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 20:41:37 0 d-------- C:\Program Files\Microsoft Works
2008-04-27 20:37:44 0 d-------- C:\Program Files\epson
2008-04-26 17:28:17 0 d-------- C:\Program Files\iPod
2008-04-25 12:28:50 0 d-------- C:\Program Files\Apple Software Update
2008-04-22 13:57:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-04-22 10:34:55 0 d-------- C:\Program Files\Bonjour
2008-04-22 10:34:29 0 d-------- C:\Program Files\QuickTime
2008-04-22 10:01:03 0 d-------- C:\Program Files\Microsoft.NET
2008-04-19 17:02:12 0 d-------- C:\Program Files\Analog Devices
2008-04-19 17:00:42 413696 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-19 17:00:42 110592 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-04-19 17:00:13 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Creative
2008-04-19 16:52:20 0 d-------- C:\Program Files\ATI
2008-04-19 16:51:29 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-19 16:43:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Macromedia
2008-04-19 16:42:08 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-19 16:42:06 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-19 16:24:16 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Identities
2008-04-19 16:19:09 0 --a------ C:\CONFIG.SYS
2008-04-19 16:19:09 0 --a------ C:\AUTOEXEC.BAT
2008-04-19 16:16:31 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-19 09:02:27 62 --ahs---- C:\Documents and Settings\I Randolph S. Shiner\Application Data\desktop.ini
2008-03-28 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-17 14:49:26 524288 --a------ C:\WINDOWS\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>
2008-02-20 20:58:50 3072 --a------ C:\WINDOWS\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F63FE4D-A96E-486F-8879-7E9DD667EC84}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c46ebb9d-3f29-49f3-859c-312dd8a836b7}]
16-May-08 16:01 102464 --a------ C:\WINDOWS\system32\kqpynjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21-Jan-08 12:17]
"CTHelper"="CTHELPER.EXE" [20-Feb-08 20:58 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [20-Feb-08 20:58 C:\WINDOWS\system32\Ctxfihlp.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24-Aug-07 07:00]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01-Jan-07 14:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-Mar-08 10:36]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01-Mar-07 14:57]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [17-May-07 10:53]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11-Jan-08 19:54]
"@"="" []
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" [06-May-08 16:48]
"iolo AntiVirus"="C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe" [05-Mar-08 11:48]
"BM9f244820"="C:\WINDOWS\system32\nvirshcy.dll" [16-May-08 15:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [13-Apr-08 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05-Jul-07 07:44]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [23-Apr-08 17:45]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [22-Jan-08 10:13]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [22-Jun-07 14:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SMRequiresRestart"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com

8382 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-20 10:32:06 ------------
irsslex
Active Member
 
Posts: 4
Joined: May 19th, 2008, 9:57 pm

Re: Computer being run by Evil Klingon Hamsters on Valium

Unread postby Shaba » May 20th, 2008, 1:57 pm

Hi

Link works here fine.

Try to run it in safe mode.

If no go, we use other means :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Computer being run by Evil Klingon Hamsters on Valium

Unread postby irsslex » May 20th, 2008, 5:27 pm

It worked fine just now. Installed and ran "quick scan" - below are the results.
You guys are doing wonderful work, which I am presently out of due to some serious health problems (I am a lawyer), but when I get back in to some money, I will send you some. I am never one to forget a favor. I do not understand why people insist on putting these Trojans, etc., on other people's computers. What is their motivation? I don't get it. I understand people that rob banks. They want money. THIS I don't get. Anyway, thank you so much.

Malwarebytes' Anti-Malware 1.12
Database version: 770

Scan type: Quick Scan
Objects scanned: 54318
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM9f244820 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bpxvviul.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luivvxpb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkinrqrt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trqrnikh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgxvurnd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dnruvxgq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xefauohd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhouafex.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhouafex.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsrrjqku.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\davypeyi.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fmrgisfn.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwqxsjsp.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gcopdlgi.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gueglyes.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pkixbguy.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppseuyhx.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sexteqsp.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnnpvagv.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvirshcy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXRLbYr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmMGYO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXoNebA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBQGXq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCVoLE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccDWOGA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
irsslex
Active Member
 
Posts: 4
Joined: May 19th, 2008, 9:57 pm

Re: Computer being run by Evil Klingon Hamsters on Valium

Unread postby irsslex » May 20th, 2008, 5:33 pm

Hi - Here is #2 Deckard run after MBAM quick scan:

Deckard's System Scanner v20071014.68
Run by I Randolph S. Shiner on 2008-05-20 14:28:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as I Randolph S. Shiner.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:28:55, on 20-May-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\I Randolph S. Shiner\Local Settings\Temporary Internet Files\Content.IE5\4AZ5J1B9\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\IRANDO~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: (no name) - {7F63FE4D-A96E-486F-8879-7E9DD667EC84} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {7b638a8d-d213-c958-3f94-92f3d9bbe64c} - {c46ebb9d-3f29-49f3-859c-312dd8a836b7} - C:\WINDOWS\system32\kqpynjgf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8650384140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8650829765
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 13478 bytes

-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2086-02-25 09:04:28 609 --ah----- C:\Documents and Settings\Administrator\layout.bin
2008-05-20 14:09:55 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Malwarebytes
2008-05-20 14:09:43 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-20 14:09:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 19:21:07 141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-19 19:21:06 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Spyware Terminator
2008-05-19 19:21:06 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spyware Terminator
2008-05-19 19:21:02 0 d-------- C:\Program Files\Spyware Terminator
2008-05-19 18:47:10 0 d-------- C:\Program Files\Trend Micro
2008-05-19 15:09:17 0 d-------- C:\Program Files\PCPitstop
2008-05-19 15:05:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Road Runner
2008-05-19 15:04:21 327680 --a------ C:\WINDOWS\Road Runner PhotoShow.scr <Not Verified; Simple Star, Inc.; Road Runner PhotoShow Screen Saver>
2008-05-19 15:03:52 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-05-19 15:03:51 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-05-19 15:02:05 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Simple Star Shared
2008-05-19 15:01:59 0 d-------- C:\Program Files\Road Runner
2008-05-19 15:01:49 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Simple Star
2008-05-19 15:00:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Simple Star
2008-05-19 15:00:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Road Runner
2008-05-19 11:36:02 0 d--hs---- C:\INCINERATE
2008-05-19 10:11:17 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\iLike
2008-05-16 23:27:14 0 d-------- C:\Program Files\Lavasoft
2008-05-16 23:25:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 23:03:14 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-16 22:45:00 0 d--h---c- C:\WINDOWS\ie8
2008-05-16 16:04:21 2112 --a------ C:\WINDOWS\system32\oovafyhv.exe
2008-05-16 16:01:32 102464 --a------ C:\WINDOWS\system32\kqpynjgf.dll
2008-05-16 14:01:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-16 13:46:53 102464 --a------ C:\WINDOWS\system32\utytbbku.dll
2008-05-16 13:43:53 2112 --a------ C:\WINDOWS\system32\scqkbgjm.exe
2008-05-16 13:41:56 96832 --a------ C:\WINDOWS\system32\tpujpybb.dll
2008-05-16 12:16:28 2112 --a------ C:\WINDOWS\system32\tygrsnoc.exe
2008-05-16 12:10:32 102464 --a------ C:\WINDOWS\system32\forrxril.dll
2008-05-16 12:02:07 96832 --a------ C:\WINDOWS\system32\ovughlfe.dll
2008-05-15 12:41:17 2112 --a------ C:\WINDOWS\system32\vdqodkpi.exe
2008-05-15 12:35:15 101952 --a------ C:\WINDOWS\system32\xnukidle.dll
2008-05-15 12:29:15 99904 --a------ C:\WINDOWS\system32\oeygvbir.dll
2008-05-15 10:30:40 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-15 08:35:15 0 d-------- C:\Program Files\Spyware Doctor
2008-05-15 08:35:15 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\PC Tools
2008-05-14 12:30:24 2112 --a------ C:\WINDOWS\system32\itprpcmx.exe
2008-05-14 12:27:21 101440 --a------ C:\WINDOWS\system32\eghwlqeq.dll
2008-05-14 12:25:04 96832 --a------ C:\WINDOWS\system32\ktaetsvl.dll
2008-05-14 12:22:57 101440 --a------ C:\WINDOWS\system32\hjoiarnw.dll
2008-05-14 12:20:07 2112 --a------ C:\WINDOWS\system32\lougdxum.exe
2008-05-14 12:07:09 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
2008-05-14 12:07:04 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-14 12:07:04 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-14 11:58:58 96832 --a------ C:\WINDOWS\system32\tolysfgw.dll
2008-05-13 22:07:31 100928 --a------ C:\WINDOWS\system32\xmfhberx.dll
2008-05-13 22:04:24 2112 --a------ C:\WINDOWS\system32\viffllhj.exe
2008-05-13 22:02:13 100928 -----n--- C:\WINDOWS\system32\acalshpq.dll
2008-05-13 21:58:10 2112 --a------ C:\WINDOWS\system32\llahsjbd.exe
2008-05-13 21:52:13 100928 --a------ C:\WINDOWS\system32\vccpglov.dll
2008-05-13 05:36:07 100928 --a------ C:\WINDOWS\system32\xeygxddv.dll
2008-05-13 05:33:14 2112 --a------ C:\WINDOWS\system32\bsrqnyhj.exe
2008-05-13 05:31:45 100928 --a------ C:\WINDOWS\system32\nskasxad.dll
2008-05-13 05:19:54 162 --a------ C:\install.dat
2008-05-12 14:15:02 2112 --a------ C:\WINDOWS\system32\hidiodph.exe
2008-05-12 14:09:02 101440 --a------ C:\WINDOWS\system32\rkybhuet.dll
2008-05-12 14:00:45 100416 --a------ C:\WINDOWS\system32\aowjxwev.dll
2008-05-12 10:51:14 0 d-------- C:\Program Files\MagicDVDRipper
2008-05-12 02:33:23 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\dvdcss
2008-05-11 23:54:07 42496 --a------ C:\WINDOWS\system32\vtUnkHYO.dll
2008-05-11 23:53:09 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-11 23:53:09 16512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-11 23:52:22 0 d-------- C:\Program Files\Xilisoft
2008-05-11 23:48:30 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\BitZipper
2008-05-11 23:48:06 0 d-------- C:\Program Files\BitZipper
2008-05-11 12:24:24 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-10 10:16:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-05-09 23:28:25 0 d-------- C:\WINDOWS\Performance
2008-05-09 23:27:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Corporation
2008-05-09 14:58:01 0 d-------- C:\101MITCH
2008-05-08 13:22:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-05-08 04:18:43 0 d-------- C:\WINDOWS\Prefetch
2008-05-08 02:13:34 0 d-------- C:\WINDOWS\system32\scripting
2008-05-08 02:13:32 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 02:13:27 0 d-------- C:\WINDOWS\system32\en
2008-05-07 21:19:35 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-05-07 20:42:35 0 d-------- C:\Program Files\Keygens
2008-05-07 20:40:16 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Download Manager
2008-05-07 18:30:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-05-07 17:05:02 70088 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-07 11:33:22 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Logitech
2008-05-07 11:32:37 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\LogiShrd
2008-05-06 15:06:21 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Ahead
2008-05-06 15:05:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-05-06 14:58:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-04-29 20:55:33 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\CyberScrub
2008-04-29 20:33:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 20:30:16 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-29 20:28:52 0 d-------- C:\Program Files\Reference Assemblies
2008-04-28 03:53:33 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Desktop
2008-04-27 21:00:26 0 d-------- C:\Program Files\THQ
2008-04-27 21:00:26 0 d-------- C:\Program Files\MSXML 4.0
2008-04-27 20:43:06 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-27 20:41:40 0 d-------- C:\Program Files\MSBuild
2008-04-27 20:29:12 0 d-------- C:\Program Files\Unknown Artist
2008-04-27 19:45:52 0 d-------- C:\Program Files\MSBuild(2)
2008-04-27 18:56:08 0 d-------- C:\My Music <MYMUSI~1>
2008-04-27 18:21:31 0 d-------- C:\My Music from C Office
2008-04-27 18:15:33 0 d-------- C:\ITunes Music <ITUNES~1>
2008-04-27 17:19:11 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Lasersoft Imaging
2008-04-27 17:19:11 20000 --ah----- C:\Documents and Settings\All Users.WINDOWS\Application Data\T09F8
2008-04-26 17:27:58 5767168 --a------ C:\Documents and Settings\I Randolph S. Shiner\ntuser.dat
2008-04-23 13:43:48 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\iolo
2008-04-23 13:43:37 126976 --a------ C:\WINDOWS\system32\iavlsp.dll
2008-04-23 13:38:25 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-04-23 13:36:14 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-04-23 13:34:54 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\iolo
2008-04-23 13:34:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
2008-04-22 21:21:49 0 d-------- C:\Program Files\Elaborate Bytes
2008-04-22 19:31:53 0 d-------- C:\NVIDIA
2008-04-22 19:26:45 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\skypePM
2008-04-22 19:26:45 32 --ah----- C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-04-22 19:24:43 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Skype
2008-04-22 19:21:03 0 d-------- C:\Downloads
2008-04-22 19:20:48 0 d-------- C:\Program Files\BitComet
2008-04-22 18:10:50 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Leadertech
2008-04-22 18:09:57 495616 --a------ C:\WINDOWS\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 73728 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 77824 --a------ C:\WINDOWS\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 45056 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 18:09:57 73220 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-04-22 18:09:57 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-04-22 18:09:57 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-04-22 18:09:57 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-04-22 18:09:57 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-04-22 18:09:57 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-04-22 18:09:57 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-04-22 18:09:57 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-04-22 18:09:57 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-04-22 18:09:57 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-04-22 18:09:57 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-04-22 18:09:57 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-04-22 18:09:57 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-04-22 18:09:57 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-04-22 18:09:57 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-04-22 18:09:57 45056 --a------ C:\WINDOWS\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-22 16:01:18 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-04-22 15:52:52 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Google
2008-04-22 15:52:44 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-04-22 15:52:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-04-22 15:49:02 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Yahoo!
2008-04-22 13:57:30 0 d-------- C:\Program Files\MSXML 6.0
2008-04-22 13:35:55 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-04-22 13:11:38 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\OfficeUpdate12
2008-04-22 13:11:06 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-04-22 10:35:35 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Apple Computer
2008-04-22 10:34:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-22 10:33:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-04-22 10:02:47 0 d-------- C:\Program Files\Microsoft Small Business
2008-04-22 09:23:55 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-22 09:22:44 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-04-22 03:07:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.001\Start Menu
2008-04-21 18:50:09 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-05-19 15:03:56 2 --a------ C:\Documents and Settings\I Randolph S. Shiner\Application Data\7zip_progress_91378E44-F406-44E3-9F33-133668ACD985.txt
2008-05-19 15:03:49 0 d-------- C:\Program Files\Common Files\Simple Star Shared
2008-05-19 15:03:46 2 --a------ C:\Documents and Settings\I Randolph S. Shiner\Application Data\7zip_progress_98B28C71-32DC-4F77-9E8A-58B64682778F.txt
2008-05-19 10:11:08 0 d-------- C:\Program Files\iTunes
2008-05-16 23:44:02 0 d-------- C:\Program Files\Google
2008-05-16 23:26:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 23:25:32 0 d-------- C:\Program Files\Common Files\Skype
2008-05-16 23:03:13 0 d-------- C:\Program Files\Yahoo!
2008-05-16 16:15:13 0 d-------- C:\Program Files\Webroot
2008-05-16 14:48:57 0 d-------- C:\Program Files\Windows Defender
2008-05-14 12:05:57 0 d-------- C:\Program Files\iolo
2008-05-12 13:54:15 0 d-------- C:\Program Files\Windows Desktop Search
2008-05-08 02:15:24 0 d-------- C:\Program Files\Messenger
2008-05-08 02:13:24 0 d-------- C:\Program Files\Movie Maker
2008-05-08 01:59:55 0 d-------- C:\Program Files\Windows NT
2008-05-08 00:23:06 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Adobe
2008-05-07 20:57:37 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-07 11:42:53 0 d-------- C:\Program Files\Common Files\Logishrd
2008-05-06 15:03:34 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-29 08:49:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-27 20:41:37 0 d-------- C:\Program Files\Microsoft Works
2008-04-27 20:37:44 0 d-------- C:\Program Files\epson
2008-04-26 17:28:17 0 d-------- C:\Program Files\iPod
2008-04-25 12:28:50 0 d-------- C:\Program Files\Apple Software Update
2008-04-22 13:57:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-04-22 10:34:55 0 d-------- C:\Program Files\Bonjour
2008-04-22 10:34:29 0 d-------- C:\Program Files\QuickTime
2008-04-22 10:01:03 0 d-------- C:\Program Files\Microsoft.NET
2008-04-19 17:02:12 0 d-------- C:\Program Files\Analog Devices
2008-04-19 17:00:42 413696 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-19 17:00:42 110592 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-04-19 17:00:13 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Creative
2008-04-19 16:52:20 0 d-------- C:\Program Files\ATI
2008-04-19 16:51:29 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-19 16:43:29 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Macromedia
2008-04-19 16:42:08 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-19 16:42:06 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-19 16:24:16 0 d-------- C:\Documents and Settings\I Randolph S. Shiner\Application Data\Identities
2008-04-19 16:19:09 0 --a------ C:\CONFIG.SYS
2008-04-19 16:19:09 0 --a------ C:\AUTOEXEC.BAT
2008-04-19 16:16:31 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-19 09:02:27 62 --ahs---- C:\Documents and Settings\I Randolph S. Shiner\Application Data\desktop.ini
2008-03-28 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-17 14:49:26 524288 --a------ C:\WINDOWS\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>
2008-02-20 20:58:50 3072 --a------ C:\WINDOWS\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F63FE4D-A96E-486F-8879-7E9DD667EC84}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c46ebb9d-3f29-49f3-859c-312dd8a836b7}]
16-May-08 16:01 102464 --a------ C:\WINDOWS\system32\kqpynjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21-Jan-08 12:17]
"CTHelper"="CTHELPER.EXE" [20-Feb-08 20:58 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [20-Feb-08 20:58 C:\WINDOWS\system32\Ctxfihlp.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24-Aug-07 07:00]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01-Jan-07 14:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-Mar-08 10:36]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01-Mar-07 14:57]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [17-May-07 10:53]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11-Jan-08 19:54]
"@"="" []
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" [06-May-08 16:48]
"iolo AntiVirus"="C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe" [05-Mar-08 11:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [13-Apr-08 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05-Jul-07 07:44]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [23-Apr-08 17:45]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [22-Jan-08 10:13]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [22-Jun-07 14:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SMRequiresRestart"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-20 14:31:13 ------------
irsslex
Active Member
Posts: 4
Joined: May 19th, 2008, 9:57 pm

Re: Computer being run by Evil Klingon Hamsters on Valium

Unread postby Shaba » May 21st, 2008, 4:33 am

Hi

"I do not understand why people insist on putting these Trojans, etc., on other people's computers. What is their motivation? I don't get it. I understand people that rob banks. They want money. THIS I don't get."

Well, if malware shows ads and people click them, someone gets money. It's similar if malware advertises some rogue program and someone buys it. The whole thing is pretty cheap for these cyber criminals.

MBAM didn't get all the nasties; let's remove them manually next:

You are now running DSS from the IE temp folder; please save it to the desktop:

C:\Documents and Settings\I Randolph S. Shiner\Local Settings\Temporary Internet Files\Content.IE5\4AZ5J1B9\dss[1].exe

Do you know what is inside these folders?

2008-05-08 02:13:34 0 d-------- C:\WINDOWS\system32\scripting
2008-05-08 02:13:32 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 02:13:27 0 d-------- C:\WINDOWS\system32\en

Open HijackThis, click "Do a system scan only" and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: (no name) - {7F63FE4D-A96E-486F-8879-7E9DD667EC84} - (no file)


Close all windows, including the browser, and press "Fix checked".

Reboot.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\ezsidmv.dat
    C:\WINDOWS\system32\oovafyhv.exe
    C:\WINDOWS\system32\kqpynjgf.dll
    C:\WINDOWS\system32\utytbbku.dll
    C:\WINDOWS\system32\scqkbgjm.exe
    C:\WINDOWS\system32\tpujpybb.dll
    C:\WINDOWS\system32\tygrsnoc.exe
    C:\WINDOWS\system32\forrxril.dll
    C:\WINDOWS\system32\ovughlfe.dll
    C:\WINDOWS\system32\vdqodkpi.exe
    C:\WINDOWS\system32\xnukidle.dll
    C:\WINDOWS\system32\oeygvbir.dll
    C:\WINDOWS\system32\itprpcmx.exe
    C:\WINDOWS\system32\eghwlqeq.dll
    C:\WINDOWS\system32\ktaetsvl.dll
    C:\WINDOWS\system32\hjoiarnw.dll
    C:\WINDOWS\system32\lougdxum.exe
    C:\WINDOWS\system32\tolysfgw.dll
    C:\WINDOWS\system32\xmfhberx.dll
    C:\WINDOWS\system32\viffllhj.exe
    C:\WINDOWS\system32\acalshpq.dll
    C:\WINDOWS\system32\llahsjbd.exe
    C:\WINDOWS\system32\vccpglov.dll
    C:\WINDOWS\system32\xeygxddv.dll
    C:\WINDOWS\system32\bsrqnyhj.exe
    C:\WINDOWS\system32\nskasxad.dll
    C:\WINDOWS\system32\hidiodph.exe
    C:\WINDOWS\system32\rkybhuet.dll
    C:\WINDOWS\system32\aowjxwev.dll
    C:\WINDOWS\system32\vtUnkHYO.dll
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.

Re-run DSS.

Post:

- DSS log
- OTMoveIt2 report
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
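The list Shaba hands to OTMoveIt2 is built from a pattern that is visible in the logs above: a burst of eight-letter .exe/.dll files written directly into system32 in sizes that repeat (2112 bytes, 96832, 102464 and so on), and an O2 BHO entry whose DLL is one of them while two other BHOs point at "(no file)". The following is an added example for triaging a saved DSS and HijackThis log offline; it is not code from this thread, from DSS or from HijackThis. It assumes the line formats shown above, and the "eight random letters, no version resource, directly in system32" rule is a triage heuristic to shortlist files for a helper to review, not a detection rule. The sample lines are copied from the logs above, with a few benign entries kept so the rules have something to skip.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: lines copied from the DSS "Files created" listing and the
# HijackThis log in this thread (a few benign entries kept to exercise the rules).
SAMPLE_DSS = r"""
2008-05-16 23:25:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 16:04:21 2112 --a------ C:\WINDOWS\system32\oovafyhv.exe
2008-05-16 16:01:32 102464 --a------ C:\WINDOWS\system32\kqpynjgf.dll
2008-05-16 13:46:53 102464 --a------ C:\WINDOWS\system32\utytbbku.dll
2008-05-16 13:43:53 2112 --a------ C:\WINDOWS\system32\scqkbgjm.exe
2008-05-16 13:41:56 96832 --a------ C:\WINDOWS\system32\tpujpybb.dll
2008-05-15 10:30:40 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-14 12:07:09 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC; filedisk>
2008-05-11 23:54:07 42496 --a------ C:\WINDOWS\system32\vtUnkHYO.dll
2008-04-23 13:43:37 126976 --a------ C:\WINDOWS\system32\iavlsp.dll
"""
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7B6EDB1A-06DD-4768-9EC9-4761D3D4E66E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: {7b638a8d-d213-c958-3f94-92f3d9bbe64c} - {c46ebb9d-3f29-49f3-859c-312dd8a836b7} - C:\WINDOWS\system32\kqpynjgf.dll
"""

# One DSS line: date time size attrs path [<Not Verified; vendor; description>]
DSS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>\S{9}) (?P<path>.+?)(?: <(?P<info>[^>]*)>)?$"
)
# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")

RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")          # eight letters, nothing else (heuristic)
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")  # PureWindowsPath compares case-insensitively


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: PureWindowsPath
    info: Optional[str]  # version-resource tail; None when DSS printed none


def parse_dss_listing(text: str) -> list:
    """Parse the 'Files created' section; headers, separators and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = DSS_LINE.match(raw.strip())
        if m:
            entries.append(Entry(
                when=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
                size=int(m["size"]), attrs=m["attrs"],
                path=PureWindowsPath(m["path"]), info=m["info"]))
    return entries


def looks_random_dropped(e: Entry) -> bool:
    """Heuristic (an assumption, not a rule): an .exe/.dll directly in system32,
    with an eight-letter pseudo-random name and no version resource."""
    if e.attrs.startswith("d") or e.info is not None or e.path.parent != SYSTEM32:
        return False
    return e.path.suffix.lower() in {".exe", ".dll"} and bool(RANDOM_STEM.match(e.path.stem))


def flag_random_named_binaries(entries: list) -> list:
    """Shortlist for human review, oldest first."""
    return sorted((e for e in entries if looks_random_dropped(e)), key=lambda e: e.when)


def size_clusters(entries: list) -> Counter:
    """Identical sizes under different names point at one dropper re-writing itself."""
    return Counter(e.size for e in entries)


def flag_bho_entries(hjt_text: str, suspicious_names: set) -> list:
    """Return (clsid, reason) for O2 BHOs with no backing file or a shortlisted DLL."""
    findings = []
    for raw in hjt_text.splitlines():
        m = O2_LINE.match(raw.strip())
        if not m:
            continue
        if m["target"] == "(no file)":
            findings.append((m["clsid"], "orphaned BHO, no file"))
        else:
            name = PureWindowsPath(m["target"]).name
            if name.lower() in suspicious_names:
                findings.append((m["clsid"], f"loads flagged file {name}"))
    return findings


if __name__ == "__main__":
    flagged = flag_random_named_binaries(parse_dss_listing(SAMPLE_DSS))
    for e in flagged:
        print(f"{e.when:%Y-%m-%d %H:%M} {e.size:>7} {e.path}")
    print("size clusters:", dict(size_clusters(flagged)))
    print(flag_bho_entries(SAMPLE_HJT, {e.path.name.lower() for e in flagged}))
```

To use it on a real case, feed `parse_dss_listing` the text of the saved dss.txt and `flag_bho_entries` the HijackThis log. The output is a shortlist for a helper to confirm, not something to delete automatically: legitimate files with short names and no version resource exist (iavlsp.dll above is iolo's LSP and is correctly left alone), and files Shaba removed for other reasons, such as ezsidmv.dat, are outside this heuristic. The removal itself stays with HijackThis and OTMoveIt2 as described in the post.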

Re: Computer being run by Evil Klingon Hamsters on Valium

Unread postby Shaba » May 26th, 2008, 5:51 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.