MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan Problem

Post by sin_fury » June 11th, 2008, 1:58 am

BitDefender theoretically goes after this trojan, but it is still lurking around. AdAware comes up with lots of critical objects on each scan, McAfee and BitDefender sometimes say they block the trojan when I'm online, but I just want it completely gone. Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:24 AM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hXXp://www.ac coona.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8998 bytes
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Post by silver » June 13th, 2008, 11:28 pm

Hi sin_fury,

It appears that you have two antivirus programs running - McAfee and BitDefender. Running one antivirus program is essential, but having two can cause conflicts, slow your system down and even cause stability problems without improving your security. You should use just one antivirus program and if you want a "2nd opinion", use an online scanner like Kaspersky's.

If you have two antivirus programs installed, then before proceeding, please remove one of them.
Please make sure you choose one currently capable of receiving updates, because an antivirus program without updates cannot protect your system effectively. If you have any problems, please stop and let me know.

------------------------------------------------------------------------

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%\SDFix
(Drive that contains the Windows Directory, typically C:\SDFix)
Don't use this program yet!

Please print/save a copy of the following instructions because we will be using Safe Mode, during which time you won't have access to the internet.

Now reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://www.ac coona.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

  • Open the extracted SDFix folder (usually Start->My Computer->C:->SDFix) and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

------------------------------------------------------------------------

Download Deljob.exe and save it to your desktop.
Doubleclick Deljob.exe to start the program.
A file called logit.txt should appear on your Desktop and should open in Notepad, post the contents of this file in your next response.

------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post the SDFix report, the logit.txt output and both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
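The entries silver picked out above follow a few recognisable patterns: a referenced file that is missing, Run entries launching from Documents and Settings or Application Data, copies of smss.exe outside System32, an emptied Local Page, a redirected SearchURL, a missing URLSearchHook and an O16 entry with no source. The Python script below is an added example, not code from this thread or from HijackThis; it turns those patterns into triage rules and runs them over lines copied from the HijackThis log posted above. The rule set and the extra check on "Unknown owner" services are assumptions for a first pass, not verdicts.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not code from this thread or from HijackThis. The rules are
triage assumptions: every hit still needs a human look before anything is fixed.
"""
import re

# Core binaries that on Windows XP run only from System32 (assumption).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
# Profile locations that legitimate Run entries rarely point into (assumption).
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\application data\\", "\\applic~1\\")
# A SearchURL on one of these domains is treated as the default, anything else is flagged.
MICROSOFT_DOMAINS = ("msn.com", "microsoft.com")

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def _o4_target(body):
    """Pull the launched path out of an O4 body such as
    'HKLM\\..\\Run: [name] "C:\\x.exe" /arg'. Unquoted paths are cut at the
    first ' /' or ' -' argument separator (a simplification)."""
    rest = body.split("] ", 1)[1] if "] " in body else body
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" /")[0].split(" -")[0]


def classify(line):
    """Return the reasons an HJT line deserves a closer look ([] = nothing found)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    reasons = []

    if "(file missing)" in low:
        reasons.append("referenced file is missing: leftover of a removed or hidden component")
    if sec == "R3" and "urlsearchhook is missing" in low:
        reasons.append("default URLSearchHook missing: browser-hijack residue")
    if sec in ("R0", "R1") and low.rstrip().endswith("="):
        reasons.append("IE setting emptied (value is blank)")
    if sec == "R1" and "searchurl" in low and not any(d in low for d in MICROSOFT_DOMAINS):
        reasons.append("IE SearchURL redirected to a non-default provider")
    if sec == "O4":
        plow = _o4_target(body).lower()
        if any(mark in plow for mark in PROFILE_MARKERS):
            reasons.append("autorun launched from a user-profile/Application Data path")
        base = plow.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARIES and plow[:-len(base)].rstrip("\\") != SYSTEM32_DIR:
            reasons.append("system binary name %s used outside %s" % (base, SYSTEM32_DIR))
    if sec == "O16" and low.rstrip().endswith("-"):
        reasons.append("ActiveX (DPF) entry with no download source")
    if sec == "O23" and "unknown owner" in low:
        # Only the display name is inspected, so a path under C:\WINDOWS does not trigger this.
        name = body.split(": ", 1)[-1].split(" - ")[0].lower()
        if "microsoft" in name or "windows" in name:
            reasons.append("service claims a Microsoft/Windows name but the file has no publisher info")
    return reasons


def triage(log_text):
    """Map every flagged line of an HJT log to its reasons, in log order."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


# Sample lines copied as posted from the HijackThis log in this thread
# (including the defanged SearchURL), mixed with benign entries from the same log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hXXp://www.ac coona.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
"""

if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_HJT_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

On the sample above the script flags exactly the ten lines silver listed for HijackThis plus the msupdate service that SDFix later removed, and nothing from the benign entries.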

Re: Trojan Problem

Post by sin_fury » June 14th, 2008, 2:37 pm

Thanks for the reply. I'm having problems booting into safe mode, and I think it's because of my abit guru program. Right after the first beep a screen pops up talking about abit. It says Press tab to show Post Screen, or Del to enter Setup. I tried just pressing f8 after the first beep, but it didn't work. Any suggestions?

Edit : I finally was able to get into safe mode, ran Runthis.bat from SDFix, and after I pressed a key, the computer shut down instead of rebooting. I turned it back on, logged into my main account (not in safe mode) and the Fixtool did restart, but it is taking a long time. It has said:
Final Check

Starting Catchme rootkit scan

Please be patient as the scan may take up to 5 minutes


for over half an hour (I'm on a different computer now, still letting it finish up). Just wondering if it is normal for the final check to go that long.
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Post by sin_fury » June 14th, 2008, 5:18 pm

Alright...here are the logs. Once again, thanks for the help.

SDFix: Version 1.192
Run by SiN_Fury on Sat 06/14/2008 at 02:31 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
msupdate

Path :
c:\windows\system32\mssrv32.exe

msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\urqPgghH.dll - Deleted
C:\Documents and Settings\Administrator\Favorites\Online Security Test.url - Deleted
C:\WINDOWS\smdat32a.sys - Deleted
C:\WINDOWS\system32\WinCtrl32.dl_ - Deleted


Could Not Remove C:\WINDOWS\system32\Px.ax
Could Not Remove C:\WINDOWS\system32\WinCtrl32.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 15:15:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe"="C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe:*:Enabled:wulfram2"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe"="C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe:*:Enabled:ABIT FlashMenu Application"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Warez P2P Client\\warez.exe"="C:\\Program Files\\Warez P2P Client\\warez.exe:*:Enabled:warez"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:wmplayer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\utorrent.exe"="C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"="C:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe:*:Enabled:dndclient"
"C:\\Program Files\\Swarmcast\\swarmcast.exe"="C:\\Program Files\\Swarmcast\\swarmcast.exe:*:Enabled:swarmcast"
"C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"="C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe:*:Enabled:Baldur's Gate II - Shadows of Amn - Throne of Bhaal"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\mirc-mod4\\mirc.exe"="C:\\mirc-mod4\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Warez\\Warez.exe"="C:\\Program Files\\Warez\\Warez.exe:*:Enabled:Warez3"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade 1.01"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :

C:\WINDOWS\system32\Px.ax Found
C:\WINDOWS\system32\WinCtrl32.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 14 Aug 2007 12,884 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 6 Oct 2005 115 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Tue 11 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 15 Aug 2007 96 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Tue 20 Mar 2007 869 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti9.tmp"
Thu 24 May 2007 115,712 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL0005.tmp"
Fri 27 Jul 2007 122,880 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL1159.tmp"
Fri 27 Jul 2007 125,440 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL2300.tmp"
Fri 27 Jul 2007 121,856 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL2848.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Tue 11 Oct 2005 4,348 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Wed 5 Apr 2006 20 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 5 Dec 2005 400 A.SH. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Sat 14 Jun 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp"

Finished!


"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :

C:\WINDOWS\system32\Px.ax Found
C:\WINDOWS\system32\WinCtrl32.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 14 Aug 2007 12,884 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 6 Oct 2005 115 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Tue 11 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 15 Aug 2007 96 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Tue 20 Mar 2007 869 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti9.tmp"
Thu 24 May 2007 115,712 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL0005.tmp"
Fri 27 Jul 2007 122,880 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL1159.tmp"
Fri 27 Jul 2007 125,440 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL2300.tmp"
Fri 27 Jul 2007 121,856 ...H. --- "C:\Documents and Settings\Administrator\My Documents\Watcher's Keep\~WRL2848.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Tue 11 Oct 2005 4,348 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Wed 5 Apr 2006 20 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 5 Dec 2005 400 A.SH. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Sat 14 Jun 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by SiN_Fury on 2008-06-14 16:32:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
137: 2008-06-14 21:32:46 UTC - RP730 - Deckard's System Scanner Restore Point
136: 2008-06-14 17:13:50 UTC - RP729 - Removed BitDefender Antivirus 2008
135: 2008-06-11 06:58:20 UTC - RP728 - Removed SnagIt 8
134: 2008-06-11 06:54:02 UTC - RP727 - Removed Camtasia Studio 5
133: 2008-06-09 01:50:32 UTC - RP726 - System Checkpoint


-- First Restore Point --
1: 2008-06-03 05:05:55 UTC - RP594 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SiN_Fury.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:48 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Documents and Settings\Administrator\My Documents\My Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SiN_Fury.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O2 - BHO: (no name) - {6FA560AC-974D-4A8A-968F-0E45969F0300} - C:\WINDOWS\system32\pmnlijkK.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service aspnet_stateCiSvc (aspnet_stateCiSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ Event System EventSystemAppMgmt (EventSystemAppMgmt) - Unknown owner - C:\WINDOWS\
O23 - Service: Help and Support helpsvcUPS (helpsvcUPS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: Windows Time W32TimeERSvc (W32TimeERSvc) - Unknown owner - C:\WINDOWS\

--
End of file - 7856 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080614-142235-141 O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
backup-20080614-142235-238 O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
backup-20080614-142235-340 O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
backup-20080614-142235-440 O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
backup-20080614-142235-447 O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
backup-20080614-142235-494 O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
backup-20080614-142235-757 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080614-142235-840 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://www.ac coona.com/search?q=%s
backup-20080614-142235-842 R3 - Default URLSearchHook is missing
backup-20080614-142235-874 O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
backup-20080614-142236-667 O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 uGuru - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT Computer Corporation; uGuru V2.0 device driver>
R0 Winfj62 - c:\windows\system32\drivers\winfj62.sys
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 ProcObsrv - c:\windows\system32\drivers\procobsrv.sys <Not Verified; ABIT Computer Corp.; ProcObsrv>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
R3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S0 Winlg68 - c:\windows\system32\drivers\winlg68.sys (file missing)
S0 Winol55 - c:\windows\system32\drivers\winol55.sys (file missing)
S0 Winut12 - c:\windows\system32\drivers\winut12.sys (file missing)
S0 wnS52 - c:\windows\system32\drivers\wns52.sys (file missing)
S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys (file missing)
S3 Memctl - c:\program files\abit\abit uguru\memctl.sys
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
S3 Winflash - c:\program files\abit\abit uguru\winflash.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NNServ - "c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart <Not Verified; New.net, Inc.; New.net runner>

S2 aspnet_stateCiSvc (ASP.NET State Service aspnet_stateCiSvc) - ð%€|x srv (file missing)
S2 EventSystemAppMgmt (COM+ Event System EventSystemAppMgmt) - ð%€|x srv (file missing)
S2 helpsvcUPS (Help and Support helpsvcUPS) - ð%€|x srv (file missing)
S2 W32TimeERSvc (Windows Time W32TimeERSvc) - ð%€|x srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 16:03:04 266 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job
2008-06-14 15:31:00 306 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Personal.job
2008-06-05 23:34:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 16:30:26 0 d-------- C:\deljob
2008-06-14 14:41:34 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-06-14 14:24:02 0 d-------- C:\WINDOWS\ERUNT
2008-06-14 11:50:50 92544 --a------ C:\WINDOWS\system32\lffouncn.dll
2008-06-14 11:49:22 92544 --a------ C:\WINDOWS\system32\baauyxhf.dll
2008-06-13 14:04:09 32 --a-s---- C:\WINDOWS\system32\3572050806.dat
2008-06-12 16:35:54 0 d-------- C:\VundoFix Backups
2008-06-11 23:07:54 92544 --a------ C:\WINDOWS\system32\wrfchfqj.dll
2008-06-10 23:09:14 93056 --a------ C:\WINDOWS\system32\vcqrpvko.dll
2008-06-08 19:42:38 92544 --a------ C:\WINDOWS\system32\cicashqq.dll
2008-06-07 19:40:42 92544 --a------ C:\WINDOWS\system32\fvobmqjh.dll
2008-06-07 00:35:29 0 d-------- C:\Program Files\Trend Micro
2008-06-05 23:40:07 30912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 23:36:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 23:35:52 0 d-------- C:\Program Files\Safari
2008-06-05 23:34:47 0 d-------- C:\Program Files\Bonjour
2008-06-05 23:34:12 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 23:34:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-03 14:28:27 0 d-------- C:\Documents and Settings\Administrator\.onion
2008-06-03 13:59:57 0 d-------- C:\Program Files\BitDefender
2008-06-03 13:54:54 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-03 00:02:33 33920 --a------ C:\WINDOWS\system32\vtUlJaxy.dll
2008-06-03 00:01:57 240325 --ahs---- C:\WINDOWS\system32\Kkjilnmp.ini2
2008-06-03 00:01:18 324352 --a------ C:\WINDOWS\system32\pmnlijkK.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-11 13:39:11 0 d-------- C:\Program Files\Sonic Foundry
2008-06-11 02:02:19 0 d-------- C:\Program Files\Super DVD Ripper
2008-06-11 01:59:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 01:54:50 0 d-------- C:\Program Files\TechSmith
2008-06-11 01:54:30 0 d-------- C:\Program Files\Common Files
2008-06-11 01:52:39 0 d-------- C:\Program Files\Any Video Converter
2008-06-11 01:52:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-06-11 00:56:11 0 d-------- C:\Program Files\Sonic Foundry Setup
2008-06-06 19:57:15 0 d-------- C:\Program Files\AdorageI-SAL
2008-06-05 01:57:56 38368 --a----c- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 23:28:48 0 d-------- C:\Program Files\GameSpy Arcade
2008-06-03 23:01:52 0 d-------- C:\Program Files\RXToolBar
2008-06-03 16:20:43 0 d-------- C:\Program Files\Messenger
2008-06-03 16:20:42 0 d-------- C:\Program Files\iPhox
2008-06-03 16:20:42 0 d-------- C:\Program Files\DivX
2008-06-03 16:20:41 0 d-------- C:\Program Files\Blaze Media Pro
2008-06-03 16:20:40 0 d-------- C:\Program Files\AIM
2008-06-03 14:35:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 14:35:02 0 d-------- C:\Program Files\Kazaa
2008-05-30 14:57:02 0 d-------- C:\Program Files\Common Files\Iconix
2008-05-29 13:42:12 0 d-------- C:\Program Files\Iconix
2008-05-12 13:49:42 10 --a------ C:\WINDOWS\smdat32m.sys
2008-05-11 15:44:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-09 11:39:16 0 d-a-s---- C:\Program Files\NewDotNet
2008-04-27 03:26:16 0 d-------- C:\Program Files\Steam
2008-04-26 15:53:33 0 d-------- C:\Program Files\Riva
2008-04-24 01:21:02 4 --a----c- C:\WINDOWS\system32\micro.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5655C2DF-B293-F28F-4981-A1AF2A93700D}]
C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FA560AC-974D-4A8A-968F-0E45969F0300}]
06/03/2008 12:01 AM 324352 --a------ C:\WINDOWS\system32\pmnlijkK.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= C:\Program Files\Video ActiveX Object\iesplugin.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 03:04 AM]
"SoundMan"="SOUNDMAN.EXE" [05/14/2004 02:47 AM C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 03:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 03:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/31/2005 12:40 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/28/2005 07:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/14/2005 06:13 PM]
"IconixOEAddOn"="C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe" [01/17/2008 01:50 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [10/16/2007 09:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 11:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [11/04/2004 05:16 PM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [08/25/2004 05:28 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/31/2005 12:40:36 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/14/2008 02:47 PM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlijkK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlg68.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winol55.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winut12.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wnS52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^BAMMediaPlayerUpdater.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BAMMediaPlayerUpdater.lnk
backup=C:\WINDOWS\pss\BAMMediaPlayerUpdater.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVerminser]
C:\Program Files\AntiVerminser\AntiVerminser.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez]
"C:\Program Files\Warez\Warez.exe" /minimized


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\baldur.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e5c343-2030-11da-8a9a-806d6172696f}]
AutoRun\command- F:\baldur.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b497cd14-202f-11da-93d9-806d6172696f}]
AutoRun\command- C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7d09e48-53a7-11dc-9754-00508d6587a7}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe




-- End of Deckard's System Scanner: finished at 2008-06-14 16:36:02 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.40GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.40GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1023.48 MiB / 468.95 MiB
Pagefile Memory (total/avail): 2462.06 MiB / 2064 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 33.43 GiB free.
D: is Fixed (NTFS) - 149.04 GiB total, 139.02 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD1600JD-00HBB0 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD1600JD-00HBB0 - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.04 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe"="C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe:*:Enabled:wulfram2"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe"="C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe:*:Enabled:ABIT FlashMenu Application"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Warez P2P Client\\warez.exe"="C:\\Program Files\\Warez P2P Client\\warez.exe:*:Enabled:warez"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:wmplayer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\utorrent.exe"="C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"="C:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe:*:Enabled:dndclient"
"C:\\Program Files\\Swarmcast\\swarmcast.exe"="C:\\Program Files\\Swarmcast\\swarmcast.exe:*:Enabled:swarmcast"
"C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"="C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe:*:Enabled:Baldur's Gate II - Shadows of Amn - Throne of Bhaal"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\mirc-mod4\\mirc.exe"="C:\\mirc-mod4\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Warez\\Warez.exe"="C:\\Program Files\\Warez\\Warez.exe:*:Enabled:Warez3"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade 1.01"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CDROM1=E:
CDROM2=F:
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRIAN
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\BRIAN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=BRIAN
USERNAME=SiN_Fury
USERPROFILE=C:\Documents and Settings\Administrator
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\W2Tool\uninstall.exe"
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABIT uGuru --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF8500E6-EA0D-11D7-8755-0080C8F92A32}\Setup.exe" -l0x9
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Advanced MP3 Converter 1.81 --> "C:\Program Files\Advanced MP3 Converter\unins000.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{F8313341-8D53-4D84-8BEB-F82D556B21CD}
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{471E555C-08AC-4DF1-BAAA-D8D818136297} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HFX Pack --> C:\WINDOWS\unvise32.exe C:\WINDOWS\unhfxati.log
ATI Multimedia Center 9.03 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5} /l1033
Baldur's Gate --> C:\WINDOWS\IsUninst.exe -fd:\Uninst.isu
Baldur's Gate(TM) II - Throne of Bhaal (TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
BioWare Premium Module: Neverwinter Nights(TM) Kingmaker --> C:\NeverwinterNights\NWN\premium\uninst Neverwinter Nights(TM) Kingmaker.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DiscAPI (Studio 10) --> MsiExec.exe /X{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-TO-AVI V2.2 --> "C:\Program Files\Dvd-to-avi\unins001.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
Heroes of Might and Magic® III Complete --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes 3 Complete\Heroes of Might and Magic® III.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
Heroes(TM) II Gold --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes II Gold\Uninst.isu"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Iconix™ eMail ID --> "C:\Program Files\Iconix\Iconix_Uninstaller.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC --> "C:\mirc-mod4\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Neverwinter Nights --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1583439-B034-4881-819C-D52A0587662B}\setup.exe" -l0x9
New.net Domains 8.0 build 842 --> C:\Program Files\NewDotNet\uninstall.exe
NTI CD-Maker 6 Platinum --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}
PConPoint v2.0 --> "C:\Program Files\PConPoint\unins000.exe"
Public Messenger ver 2.03 --> "C:\Program Files\Video ActiveX Object\pmuninst.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RAPID (Studio 10) --> MsiExec.exe /X{EEECE229-49F6-4851-A73A-99B058221F8C}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
Safari --> MsiExec.exe /X{40589552-3892-409E-B92C-9F5032A4B2F0}
Search Plugin --> C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe -uninstall
Sibelius 2 --> C:\PROGRA~1\SIBELI~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\SIBELI~1\SIBELI~1\INSTALL.LOG
Sonic Foundry ACID 4.0 --> MsiExec.exe /I{2A38B5AA-EA84-4F87-9937-2FB23982243A}
Sony DVD Architect 2.0 --> MsiExec.exe /I{47786B84-92C1-4706-BDDD-5CFFA6720C18}
Sony Vegas 5.0a --> MsiExec.exe /I{784DF107-2945-4B65-ADE3-A58ECD6C37A9}
Studio 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup2.exe" -l0x9 UNINSTALL
Studio 10 Bonus DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A012D9C-2E2E-405A-B87C-E909F5297C3F}\Setup.exe" -l0x9 UNINSTALL
System Alert Popup --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\laf4F.tmp /del
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{4CE88F4D-B74E-4F92-9DA4-ECEB60ED362A}
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XviD MPEG-4 Video Codec --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 C:\WINDOWS\INF\xvid.inf


-- Application Event Log -------------------------------------------------------

Event Record #/Type15778 / Warning
Event Submitted/Written: 06/14/2008 04:29:19 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL contains Vundo.gen.d Trojan. The file was successfully deleted.

Event Record #/Type15777 / Warning
Event Submitted/Written: 06/14/2008 04:27:25 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL contains Vundo.gen.d Trojan. The file was successfully deleted.

Event Record #/Type15776 / Warning
Event Submitted/Written: 06/14/2008 04:25:24 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL contains Vundo.gen.d Trojan. The file was successfully deleted.

Event Record #/Type15775 / Warning
Event Submitted/Written: 06/14/2008 04:23:19 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL contains Vundo.gen.d Trojan. The file was successfully deleted.

Event Record #/Type15774 / Warning
Event Submitted/Written: 06/14/2008 04:21:24 PM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL contains Vundo.gen.d Trojan. The file was successfully deleted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5415 / Error
Event Submitted/Written: 06/14/2008 02:47:26 PM / 06/14/2008 02:47:57 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type5411 / Error
Event Submitted/Written: 06/14/2008 02:45:56 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5410 / Error
Event Submitted/Written: 06/14/2008 02:45:24 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type5409 / Error
Event Submitted/Written: 06/14/2008 02:44:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type5408 / Error
Event Submitted/Written: 06/14/2008 02:44:23 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
mfetdik
MRxSmb
NetBIOS
NetBT
PCLEPCI
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-06-14 16:36:02 ------------
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am
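The Application Event Log section of the scan above shows McAfee reporting the same DLL as "successfully deleted" roughly every two minutes. The following is an added example, not part of the thread or of any tool it names: a small Python parser for that DSS event-log layout that flags any file deleted more than once within a short window. The sample records are the five from the log above plus one constructed one-off record that must not be flagged; the function names are this example's own.

```python
import re
from datetime import datetime

# One DSS event record, laid out exactly as in the log above.
RECORD_TMPL = (
    "Event Record #/Type{num} / Warning\n"
    "Event Submitted/Written: {when}\n"
    "Event ID/Source: 258 / McLogEvent\n"
    "Event Description:\n"
    "The file {path} contains {name}. The file was successfully deleted.\n\n"
)
VUNDO_DLL = r"C:\WINDOWS\SYSTEM32\PMNLIJKK.DLL"
# The five records from the log above, plus one constructed one-off record
# (last entry) that should not be flagged.
SAMPLE_RECORDS = [
    (15778, "06/14/2008 04:29:19 PM", VUNDO_DLL, "Vundo.gen.d Trojan"),
    (15777, "06/14/2008 04:27:25 PM", VUNDO_DLL, "Vundo.gen.d Trojan"),
    (15776, "06/14/2008 04:25:24 PM", VUNDO_DLL, "Vundo.gen.d Trojan"),
    (15775, "06/14/2008 04:23:19 PM", VUNDO_DLL, "Vundo.gen.d Trojan"),
    (15774, "06/14/2008 04:21:24 PM", VUNDO_DLL, "Vundo.gen.d Trojan"),
    (15700, "06/13/2008 09:00:00 AM", r"C:\Temp\constructed_oneoff.tmp", "Example.Constructed"),
]
SAMPLE_LOG = "-- Application Event Log ---\n\n" + "".join(
    RECORD_TMPL.format(num=n, when=w, path=p, name=d) for n, w, p, d in SAMPLE_RECORDS
)

RECORD_RE = re.compile(r"^Event Record #/Type", re.MULTILINE)
WRITTEN_RE = re.compile(r"Event Submitted/Written: (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)")
DELETED_RE = re.compile(r"The file (.+?) contains (.+?)\. The file was successfully deleted\.")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_deletion_events(log_text):
    """Return (timestamp, path, detection) for every 'successfully deleted' record."""
    events = []
    for record in RECORD_RE.split(log_text)[1:]:
        when, what = WRITTEN_RE.search(record), DELETED_RE.search(record)
        if when and what:  # DCOM errors, driver-load failures etc. are skipped
            events.append((datetime.strptime(when.group(1), TIME_FMT), what.group(1), what.group(2)))
    return events


def find_recurring_deletions(log_text, window_seconds=600):
    """Files deleted more than once with two deletions at most window_seconds apart."""
    by_path = {}
    for ts, path, name in parse_deletion_events(log_text):
        by_path.setdefault(path.lower(), {"detection": name, "times": []})["times"].append(ts)
    recurring = {}
    for path, info in by_path.items():
        times = sorted(info["times"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if gaps and min(gaps) <= window_seconds:
            recurring[path] = {"detection": info["detection"], "count": len(times),
                               "first": times[0], "last": times[-1],
                               "min_gap_seconds": min(gaps)}
    return recurring


if __name__ == "__main__":
    for path, info in find_recurring_deletions(SAMPLE_LOG).items():
        print(f"{path}: deleted {info['count']} times between {info['first']:%H:%M:%S} and "
              f"{info['last']:%H:%M:%S}, min gap {info['min_gap_seconds']} s: "
              "something still running is re-creating it")
```

A file that reappears minutes after each deletion is being dropped again by a component that is still running, so the on-access deletion is a symptom rather than a cleanup; the useful lead is whatever re-creates the file (a service, a boot-start driver or a Winlogon Notify hook), which is exactly what the helper's instructions in the next post target.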

Re: Trojan Problem

Post by silver » June 15th, 2008, 1:11 am

Hi sin_fury,

Backup Your Registry:
  • Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
  • Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
Code:
@echo off
FOR %%A IN (
aspnet_stateCiSvc
EventSystemAppMgmt
helpsvcUPS
W32TimeERSvc
Winfj62
Winlg68
Winol55
Winut12
wnS52
) DO (
sc stop %%A >> results.txt 2>>&1
sc delete %%A >> results.txt 2>>&1
)
dir "c:\boot.exe" /a /s >> results.txt 2>>&1
del runme.bat

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a little while, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

------------------------------------------------------------------------

Open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlg68.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winol55.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winut12.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wnS52.sys]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVerminser]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Warez P2P Client\\warez.exe"=-
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7d09e48-53a7-11dc-9754-00508d6587a7}]

Select File and Save as
Save it to your Desktop as "fix.reg" (you MUST type the quotes)
Locate fix.reg on your Desktop; if you did it right, it should look like this: [image]
Do not use this file yet!

------------------------------------------------------------------------

Download UnDLL by Eset to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click undll.zip, select Extract All... and follow the prompts to extract UNDLL.EXE to a new folder on your Desktop
  • Open the new folder and double-click UNDLL.EXE to start the program
  • Click the Select infected DLL button, then browse and select this file:
    C:\WINDOWS\system32\pmnlijkK.dll
  • UnDLL will now attempt to delete the file
  • If prompted to reboot your computer, say No
  • Repeat the above steps for this file:
    C:\WINDOWS\SYSTEM32\WinCtrl32.dll
  • Locate fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click Yes. You should then receive confirmation that the file was merged successfully.
  • Now reboot your computer

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear, make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the results.txt output and the new DSS main.txt report.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
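The fix.reg in the post above relies on three REGEDIT4 constructs that are easy to misread: a key written as `[-Key]` is deleted outright, a value written as `"name"=-` is deleted, and `hex(7):` data is a REG_MULTI_SZ whose bytes decode to a list of strings. The following is an added example, not part of silver's post or of any tool he names: a Python parser that takes that fix.reg text (embedded here as the sample) and lists every action a merge would perform, decoding the LSA line so it reads as what it is, a reset of Authentication Packages to the single default entry msv1_0. The function names are this example's own, and it handles only the single-line value forms used in that file, not `\`-continued hex data.

```python
import re

# The fix.reg text from the post above, embedded as the sample input.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlg68.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winol55.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winut12.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wnS52.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVerminser]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Warez P2P Client\\warez.exe"=-
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7d09e48-53a7-11dc-9754-00508d6587a7}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)  # .reg string escapes: \\ and \"


def _decode_data(data, utf16):
    """Turn the right-hand side of a value line into (type, value)."""
    if data == "-":
        return ("DELETE", None)
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if not m:
        raise ValueError(f"unrecognised value data: {data!r}")
    kind = int(m.group(1) or "3")  # bare 'hex:' is REG_BINARY
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:  # REG_MULTI_SZ: NUL-separated strings ending in a double NUL
        text = raw.decode("utf-16-le" if utf16 else "latin-1")
        return ("REG_MULTI_SZ", [s for s in text.split("\0") if s])
    return (f"hex({kind})", raw)


def explain_reg(text):
    """List the (action, key, value_name, data) tuples a merge would perform."""
    lines = text.splitlines()
    if not lines or lines[0] not in HEADERS:
        raise ValueError("first line must be a .reg header")
    utf16 = lines[0] != "REGEDIT4"  # v5.00 stores hex(7) as UTF-16LE, REGEDIT4 as ANSI
    actions, key = [], None
    for ln in lines[1:]:
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue
        if ln.startswith("[-") and ln.endswith("]"):
            actions.append(("delete_key", ln[2:-1], None, None))
            key = None  # values listed under a deleted key have nowhere to go
        elif ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
        else:
            m = VALUE_RE.match(ln)
            if not m or key is None:
                raise ValueError(f"unexpected line: {ln!r}")
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            rtype, value = _decode_data(m.group(2), utf16)
            if rtype == "DELETE":
                actions.append(("delete_value", key, name, None))
            else:
                actions.append(("set_value", key, name, (rtype, value)))
    return actions


def summarize(actions):
    """Count actions by kind, e.g. {'set_value': 1, 'delete_key': 8, 'delete_value': 2}."""
    counts = {}
    for kind, *_ in actions:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, key, name, data in explain_reg(SAMPLE_REG):
        print(kind, key, name or "", data or "")
```

Reading the decoded output shows why the file is ordered as it is: the SafeBoot\Minimal deletions stop the five rogue drivers from being loaded even in Safe Mode, the two firewall AuthorizedApplications deletions withdraw the inbound exceptions that the peer-to-peer clients had registered, and the LSA line must be an exact replacement rather than a deletion because Windows cannot log anyone on without msv1_0 in Authentication Packages.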

Re: Trojan Problem

Post by sin_fury » June 15th, 2008, 2:05 am

[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1052:

The requested control is not valid for this service.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
Volume in drive C has no label.
Volume Serial Number is 4CA4-3F2A
File Not Found

Deckard's System Scanner v20071014.68
Run by SiN_Fury on 2008-06-15 01:22:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
137: 2008-06-14 21:32:46 UTC - RP730 - Deckard's System Scanner Restore Point
136: 2008-06-14 17:13:50 UTC - RP729 - Removed BitDefender Antivirus 2008
135: 2008-06-11 06:58:20 UTC - RP728 - Removed SnagIt 8
134: 2008-06-11 06:54:02 UTC - RP727 - Removed Camtasia Studio 5
133: 2008-06-09 01:50:32 UTC - RP726 - System Checkpoint


-- First Restore Point --
1: 2008-06-03 05:05:55 UTC - RP594 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as SiN_Fury.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:10 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Administrator\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SiN_Fury.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Task Manager McTaskManagerIDriverT (McTaskManagerIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe

--
End of file - 7370 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080614-142235-141 O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
backup-20080614-142235-238 O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
backup-20080614-142235-340 O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
backup-20080614-142235-440 O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
backup-20080614-142235-447 O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
backup-20080614-142235-494 O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
backup-20080614-142235-757 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080614-142235-840 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://www.ac coona.com/search?q=%s
backup-20080614-142235-842 R3 - Default URLSearchHook is missing
backup-20080614-142235-874 O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
backup-20080614-142236-667 O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 uGuru - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT Computer Corporation; uGuru V2.0 device driver>
R0 Winfj62 - c:\windows\system32\drivers\winfj62.sys
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 ProcObsrv - c:\windows\system32\drivers\procobsrv.sys <Not Verified; ABIT Computer Corp.; ProcObsrv>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 Memctl - c:\program files\abit\abit uguru\memctl.sys
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
S3 Winflash - c:\program files\abit\abit uguru\winflash.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NNServ - "c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart <Not Verified; New.net, Inc.; New.net runner>

S2 McTaskManagerIDriverT (McAfee Task Manager McTaskManagerIDriverT) - ð%€|x srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 696)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-15 01:16:09 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll

C:\WINDOWS\system32\svchost.exe (pid 964)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\system32\svchost.exe (pid 1168)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\explorer.exe (pid 640)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-07 13:50:32 524288 --a------ C:\Program Files\NewDotNet\nncore.dll <Not Verified; New.net, Inc.; New.net Domains>
2007-10-25 16:06:00 106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>

C:\WINDOWS\system32\svchost.exe (pid 1304)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\system32\svchost.exe (pid 1312)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\system32\svchost.exe (pid 2156)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 16:03:04 266 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job
2008-06-14 15:31:00 306 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Personal.job
2008-06-05 23:34:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-14 16:30:26 0 d-------- C:\deljob
2008-06-14 14:41:34 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-06-14 14:24:02 0 d-------- C:\WINDOWS\ERUNT
2008-06-14 11:50:50 92544 --a------ C:\WINDOWS\system32\lffouncn.dll
2008-06-14 11:49:22 92544 --a------ C:\WINDOWS\system32\baauyxhf.dll
2008-06-13 14:04:09 32 --a-s---- C:\WINDOWS\system32\3572050806.dat
2008-06-12 16:35:54 0 d-------- C:\VundoFix Backups
2008-06-11 23:07:54 92544 --a------ C:\WINDOWS\system32\wrfchfqj.dll
2008-06-10 23:09:14 93056 --a------ C:\WINDOWS\system32\vcqrpvko.dll
2008-06-08 19:42:38 92544 --a------ C:\WINDOWS\system32\cicashqq.dll
2008-06-07 19:40:42 92544 --a------ C:\WINDOWS\system32\fvobmqjh.dll
2008-06-07 00:35:29 0 d-------- C:\Program Files\Trend Micro
2008-06-05 23:40:07 30912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 23:36:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 23:35:52 0 d-------- C:\Program Files\Safari
2008-06-05 23:34:47 0 d-------- C:\Program Files\Bonjour
2008-06-05 23:34:12 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 23:34:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-03 14:28:27 0 d-------- C:\Documents and Settings\Administrator\.onion
2008-06-03 13:59:57 0 d-------- C:\Program Files\BitDefender
2008-06-03 13:54:54 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-03 00:02:33 33920 --a------ C:\WINDOWS\system32\vtUlJaxy.dll
2008-06-03 00:01:57 240401 --ahs---- C:\WINDOWS\system32\Kkjilnmp.ini2


-- Find3M Report ---------------------------------------------------------------

2008-06-11 13:39:11 0 d-------- C:\Program Files\Sonic Foundry
2008-06-11 02:02:19 0 d-------- C:\Program Files\Super DVD Ripper
2008-06-11 01:59:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 01:54:50 0 d-------- C:\Program Files\TechSmith
2008-06-11 01:54:30 0 d-------- C:\Program Files\Common Files
2008-06-11 01:52:39 0 d-------- C:\Program Files\Any Video Converter
2008-06-11 01:52:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-06-11 00:56:11 0 d-------- C:\Program Files\Sonic Foundry Setup
2008-06-06 19:57:15 0 d-------- C:\Program Files\AdorageI-SAL
2008-06-05 01:57:56 38368 --a----c- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 23:28:48 0 d-------- C:\Program Files\GameSpy Arcade
2008-06-03 23:01:52 0 d-------- C:\Program Files\RXToolBar
2008-06-03 16:20:43 0 d-------- C:\Program Files\Messenger
2008-06-03 16:20:42 0 d-------- C:\Program Files\iPhox
2008-06-03 16:20:42 0 d-------- C:\Program Files\DivX
2008-06-03 16:20:41 0 d-------- C:\Program Files\Blaze Media Pro
2008-06-03 16:20:40 0 d-------- C:\Program Files\AIM
2008-06-03 14:35:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 14:35:02 0 d-------- C:\Program Files\Kazaa
2008-05-30 14:57:02 0 d-------- C:\Program Files\Common Files\Iconix
2008-05-29 13:42:12 0 d-------- C:\Program Files\Iconix
2008-05-12 13:49:42 10 --a------ C:\WINDOWS\smdat32m.sys
2008-05-11 15:44:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-09 11:39:16 0 d-a-s---- C:\Program Files\NewDotNet
2008-04-27 03:26:16 0 d-------- C:\Program Files\Steam
2008-04-26 15:53:33 0 d-------- C:\Program Files\Riva
2008-04-24 01:21:02 4 --a----c- C:\WINDOWS\system32\micro.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5655C2DF-B293-F28F-4981-A1AF2A93700D}]
C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= C:\Program Files\Video ActiveX Object\iesplugin.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 03:04 AM]
"SoundMan"="SOUNDMAN.EXE" [05/14/2004 02:47 AM C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 03:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 03:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/31/2005 12:40 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/28/2005 07:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/14/2005 06:13 PM]
"IconixOEAddOn"="C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe" [01/17/2008 01:50 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [10/16/2007 09:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 11:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [11/04/2004 05:16 PM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [08/25/2004 05:28 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/31/2005 12:40:36 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/15/2008 01:16 AM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^BAMMediaPlayerUpdater.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BAMMediaPlayerUpdater.lnk
backup=C:\WINDOWS\pss\BAMMediaPlayerUpdater.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\baldur.exe




-- End of Deckard's System Scanner: finished at 2008-06-15 01:24:52 ------------
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Unread postby silver » June 15th, 2008, 2:27 am

Hi sin_fury,

Most of that worked OK, but one of the files wasn't successfully deleted, so we need to try again:

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
sc stop Winfj62
sc delete Winfj62
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys" /f
del runme.bat

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time; this is normal.

------------------------------------------------------------------------

Clean with UnDLL:
  • Open the UnDLL folder and double-click UNDLL.EXE to start the program
  • Click the Select infected DLL button, then browse and select this file:
    C:\WINDOWS\SYSTEM32\WinCtrl32.dll
  • If prompted to reboot your computer, say Yes and allow the reboot

------------------------------------------------------------------------

Also, please post the deljob report; if you can't locate it, please run the program again:

Download Deljob.exe and save it to your desktop.
Double-click Deljob.exe to start the program.
A file called logit.txt should appear on your Desktop and should open in Notepad; post the contents of this file in your next response.

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear; make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the deljob output and a new DSS main.txt report.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
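
To show the kind of reading silver is doing on these reports, here is an added Python triage script (not part of this thread, HijackThis or DSS) that scans HijackThis/DSS lines for the cues acted on above: the WinCtrl32 Winlogon Notify package, the unnamed .exe BHO, autoruns named smss.exe outside System32 or living under a user profile, the unowned McTaskManagerIDriverT service with a bare directory path, and the Winfj62 driver with no publisher block. The sample lines are constructed from this thread's logs and the heuristics are the editor's own, not either tool's.

```python
"""Triage HijackThis and Deckard's System Scanner (DSS) report lines.

Added example, not code from the thread, HijackThis or DSS. It encodes cues a helper reads
off such logs: any Winlogon Notify package (O20); a BHO (O2) that is unnamed or not a DLL;
an autorun (O4) launched from a user profile or reusing a core System32 binary name elsewhere;
an unowned service (O23) whose path is not an executable; a DSS driver with no publisher
block or a service with a non-ASCII (corrupted) image path.
"""
import re

# Constructed sample modelled on this thread's reports: malicious and benign entries mixed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager McTaskManagerIDriverT (McTaskManagerIDriverT) - Unknown owner - C:\WINDOWS\
R0 uGuru - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT Computer Corporation; uGuru V2.0 device driver>
R0 Winfj62 - c:\windows\system32\drivers\winfj62.sys
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S2 McTaskManagerIDriverT (McAfee Task Manager McTaskManagerIDriverT) - ð%€|x srv (file missing)
"""

# Binaries that legitimately live only in System32; the same name anywhere else is a red flag.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\", "\\applic~1\\")
SYSTEM32 = "c:\\windows\\system32\\"


def _clean_path(raw: str) -> str:
    """Strip the tools' annotations and quoting, leaving only the image path."""
    s = re.sub(r"\s*\(file missing\)\s*$", "", raw)
    s = re.sub(r"\s*<[^<>]*>\s*$", "", s)        # DSS "<Not Verified; vendor; product>"
    s = s.strip()
    if s.startswith('"'):                         # quoted path followed by arguments
        s = s[1:].split('"', 1)[0]
    return s


def _masquerades(path: str) -> bool:
    """True when a core System32 binary name sits in some other directory."""
    lowered = path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    return name in CORE_BINARIES and lowered[: -len(name)] != SYSTEM32


def triage_line(line: str) -> list:
    """Return the reasons one report line deserves a closer look (empty if none)."""
    line = line.rstrip()
    reasons = []
    m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
    if m:
        name, path = m.group(1), _clean_path(m.group(2))
        if name == "(no name)":
            reasons.append("BHO has no name")
        if not path.lower().endswith(".dll"):
            reasons.append("BHO image is not a DLL")
        return reasons

    m = re.match(r"O4 - .*?\\Run: \[[^\]]*\] (.*)$", line)
    if m:
        path = _clean_path(m.group(1))
        if any(marker in path.lower() for marker in PROFILE_MARKERS):
            reasons.append("autorun executes from a user profile directory")
        if _masquerades(path):
            reasons.append("autorun reuses a core system binary name outside System32")
        return reasons

    if line.startswith("O20 - Winlogon Notify:"):
        return ["Winlogon Notify package is loaded into winlogon.exe before anyone logs on"]

    if line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)     # name, vendor, path
        if len(parts) == 3 and parts[1] == "Unknown owner":
            if not _clean_path(parts[2]).lower().endswith((".exe", ".dll", ".sys")):
                reasons.append("unowned service whose image path is not an executable")
        return reasons

    m = re.match(r"[RS][0-4] ([^-].*?) - (.*)$", line)            # DSS driver/service line
    if m:
        raw = m.group(2)
        path = _clean_path(raw)
        if not path.isascii():
            reasons.append("image path holds non-ASCII bytes (corrupted ImagePath)")
        elif "<" not in raw and "(file missing)" not in raw and path.lower().endswith(".sys"):
            reasons.append("driver is present on disk but carries no publisher/description block")
        return reasons

    return reasons


def triage(report: str) -> dict:
    """Map every suspicious line of a report to its reasons; clean lines are omitted."""
    findings = {}
    for line in report.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.rstrip()] = reasons
    return findings
```

triage(SAMPLE_LOG) lists the seven constructed malicious entries and none of the benign ones; any unsigned third-party .sys (such as the ABIT drivers in the DSS report) will be listed too, so treat the output as a review queue rather than a verdict.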

Re: Trojan Problem

Unread postby sin_fury » June 15th, 2008, 2:49 am

Thanks for the quick replies. It said it fixed it this time. A couple of things, though. When I restarted and logged into my main account, all my icons loaded, and some items on the taskbar did, but not all of them, and whenever I put my mouse over the taskbar or the start menu, it turns into an hourglass and stays like that for a long time. I pressed Ctrl+Alt+Del, logged off, and signed right back in, and everything loaded within a minute. Also, both times I logged in I got messages about explorer having an error and I was given the option to send an error report. I also got an error report opportunity with Dr. Watson PostMortem Debugger (don't know what that is). Anyway, here are the logs you asked for.
--------------------------------------------------------
Backups created in C:\deljob

AEDD624791B713B3.job
--------------------------------------------------------
Files in Windows Tasks folder

Ad-Aware SE Personal.job
AppleSoftwareUpdate.job
Disk Cleanup.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 4CA4-3F2A

Directory of C:\Documents and Settings\Administrator\Application Data

06/14/2008 12:21 PM <DIR> .
06/14/2008 12:21 PM <DIR> ..
07/03/2007 08:51 AM <DIR> Adobe
07/03/2007 08:51 AM <DIR> AdobeAUM
03/18/2007 02:58 AM <DIR> AdobeUM
09/16/2005 07:12 PM <DIR> Ahead
09/20/2005 09:08 AM <DIR> Aim
06/11/2008 01:52 AM <DIR> ANYVID~1 Any Video Converter
06/05/2008 11:36 PM <DIR> APPLEC~1 Apple Computer
10/11/2005 08:57 AM <DIR> ATI
10/11/2005 09:00 AM <DIR> ATIMMC~1 ATI MMC
08/18/2007 12:33 PM <DIR> CiscoCAA
11/22/2005 06:14 PM <DIR> COPYTO~1 CopyToDvd
09/15/2005 06:44 PM <DIR> CYBERL~1 CyberLink
02/03/2006 08:54 AM <DIR> FILMHO~1 Film Hole More
12/09/2005 11:09 PM <DIR> fltk.org
11/29/2005 05:12 PM <DIR> Google
09/15/2005 06:49 PM <DIR> Help
05/11/2007 04:47 AM <DIR> Iconix
09/07/2005 05:27 PM <DIR> IDENTI~1 Identities
02/18/2007 03:26 PM <DIR> INSTAL~2 InstallShield
02/17/2007 11:34 PM <DIR> INSTAL~1 InstallShield Installation Information
02/03/2006 08:54 AM <DIR> ITCHBA~1 Itch bags surf
09/14/2005 08:03 PM <DIR> Lavasoft
08/23/2007 06:22 PM <DIR> LEADER~1 Leadertech
05/11/2008 03:44 PM <DIR> LimeWire
09/15/2005 07:43 PM <DIR> MACROM~1 Macromedia
07/16/2007 10:16 PM <DIR> MICROS~1 Microsoft
09/14/2005 05:53 PM <DIR> Mozilla
09/27/2005 10:44 PM <DIR> NETMED~1 NetMedia Providers
12/01/2005 07:19 PM <DIR> PROPEL~1 Propellerhead Software
09/27/2005 10:44 PM <DIR> PUBLIS~1 Publish Providers
11/28/2005 07:10 PM <DIR> Real
07/27/2007 04:57 PM <DIR> SCREEN~1 Screenshot Studio Files
09/28/2005 05:40 AM <DIR> SONICF~1 Sonic Foundry
10/26/2005 08:44 AM <DIR> Sony
09/19/2005 01:37 AM <DIR> Sun
02/18/2007 11:00 PM <DIR> Symantec
10/14/2005 07:48 PM <DIR> Talkback
01/09/2006 03:26 AM <DIR> uTorrent
11/01/2006 01:05 AM <DIR> Ventrilo
01/31/2007 05:22 PM <DIR> Warez
09/05/2006 08:54 PM <DIR> WAREZG~1 WarezGhost
04/26/2007 12:53 AM <DIR> X10COM~1 X10 Commander
0 File(s) 0 bytes
44 Dir(s) 34,850,144,256 bytes free
Volume in drive C has no label.
Volume Serial Number is 4CA4-3F2A

Directory of C:\Documents and Settings\All Users\Application Data

06/14/2008 12:21 PM <DIR> .
06/14/2008 12:21 PM <DIR> ..
03/05/2008 10:21 AM <DIR> Adobe
06/05/2008 11:34 PM <DIR> Apple
05/22/2008 02:24 PM <DIR> ATIMMC~1 ATI MMC
02/03/2006 08:52 AM <DIR> FIVEVC~1 FiveVcFordFor
11/16/2007 05:53 PM <DIR> Iconix
06/15/2008 01:38 AM <DIR> Lavasoft
01/29/2004 05:39 PM <DIR> MACROV~1 Macrovision
01/14/2008 01:10 PM <DIR> McAfee
08/15/2007 12:14 PM <DIR> MICROS~1 Microsoft
02/17/2007 11:41 PM <DIR> Pinnacle
02/17/2007 11:42 PM <DIR> PINNAC~1 Pinnacle Studio
12/01/2005 07:19 PM <DIR> PROPEL~1 Propellerhead Software
11/21/2005 08:35 PM <DIR> QUICKT~1 QuickTime
07/27/2007 04:53 PM <DIR> SCREEN~1 Screenshot Studio
08/18/2007 12:38 PM <DIR> Symantec
06/06/2008 03:17 PM <DIR> TEMP
09/19/2006 02:22 PM <DIR> WINDOW~1 Windows Genuine Advantage
10/14/2007 03:07 PM <DIR> {CFAB4~1 {CFAB4006-0AE0-414D-866A-DCB2C46553CF}
0 File(s) 0 bytes
20 Dir(s) 34,850,140,160 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
Guest
--------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by SiN_Fury on 2008-06-15 02:05:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
139: 2008-06-15 07:05:54 UTC - RP732 - Deckard's System Scanner Restore Point
138: 2008-06-15 06:38:17 UTC - RP731 - Installed Ad-Aware
137: 2008-06-14 21:32:46 UTC - RP730 - Deckard's System Scanner Restore Point
136: 2008-06-14 17:13:50 UTC - RP729 - Removed BitDefender Antivirus 2008
135: 2008-06-11 06:58:20 UTC - RP728 - Removed SnagIt 8


-- First Restore Point --
1: 2008-06-03 05:05:55 UTC - RP594 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as SiN_Fury.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:29 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SiN_Fury.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Task Manager McTaskManagerIDriverT (McTaskManagerIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe

--
End of file - 7522 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080614-142235-141 O4 - HKCU\..\Run: [Team camp] C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\TRAY CAKE.exe
backup-20080614-142235-238 O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
backup-20080614-142235-340 O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
backup-20080614-142235-440 O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
backup-20080614-142235-447 O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
backup-20080614-142235-494 O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
backup-20080614-142235-757 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080614-142235-840 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://www.ac coona.com/search?q=%s
backup-20080614-142235-842 R3 - Default URLSearchHook is missing
backup-20080614-142235-874 O4 - HKLM\..\Run: [FordForErrorPeak] C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\thunkdumb.exe
backup-20080614-142236-667 O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 uGuru - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT Computer Corporation; uGuru V2.0 device driver>
R0 Winfj62 - c:\windows\system32\drivers\winfj62.sys
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 ProcObsrv - c:\windows\system32\drivers\procobsrv.sys <Not Verified; ABIT Computer Corp.; ProcObsrv>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 APLMp50 (APLMp50 NDIS Protocol Driver) - c:\windows\system32\drivers\aplmp50.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 Memctl - c:\program files\abit\abit uguru\memctl.sys
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
S3 Winflash - c:\program files\abit\abit uguru\winflash.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NNServ - "c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart <Not Verified; New.net, Inc.; New.net runner>

S2 McTaskManagerIDriverT (McAfee Task Manager McTaskManagerIDriverT) - ð%€|x srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 704)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-15 01:54:22 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-07 13:50:32 524288 --a------ C:\Program Files\NewDotNet\nncore.dll <Not Verified; New.net, Inc.; New.net Domains>

C:\WINDOWS\system32\svchost.exe (pid 976)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\system32\svchost.exe (pid 1160)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\system32\svchost.exe (pid 176)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\system32\svchost.exe (pid 2656)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\explorer.exe (pid 2504)
2007-04-16 10:52:53 984576 --a------ C:\WINDOWS\system32\kernel32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-07 13:50:32 524288 --a------ C:\Program Files\NewDotNet\nncore.dll <Not Verified; New.net, Inc.; New.net Domains>
2007-10-25 16:06:00 106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 16:03:04 266 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job
2008-06-14 15:31:00 306 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Personal.job
2008-06-05 23:34:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-15 01:38:21 0 d-------- C:\Program Files\Lavasoft
2008-06-15 01:38:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 16:30:26 0 d-------- C:\deljob
2008-06-14 14:41:34 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-06-14 14:24:02 0 d-------- C:\WINDOWS\ERUNT
2008-06-14 11:50:50 92544 --a------ C:\WINDOWS\system32\lffouncn.dll
2008-06-14 11:49:22 92544 --a------ C:\WINDOWS\system32\baauyxhf.dll
2008-06-13 14:04:09 32 --a-s---- C:\WINDOWS\system32\3572050806.dat
2008-06-12 16:35:54 0 d-------- C:\VundoFix Backups
2008-06-11 23:07:54 92544 --a------ C:\WINDOWS\system32\wrfchfqj.dll
2008-06-10 23:09:14 93056 --a------ C:\WINDOWS\system32\vcqrpvko.dll
2008-06-08 19:42:38 92544 --a------ C:\WINDOWS\system32\cicashqq.dll
2008-06-07 19:40:42 92544 --a------ C:\WINDOWS\system32\fvobmqjh.dll
2008-06-07 00:35:29 0 d-------- C:\Program Files\Trend Micro
2008-06-05 23:40:07 30912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 23:36:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 23:35:52 0 d-------- C:\Program Files\Safari
2008-06-05 23:34:47 0 d-------- C:\Program Files\Bonjour
2008-06-05 23:34:12 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 23:34:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-03 14:28:27 0 d-------- C:\Documents and Settings\Administrator\.onion
2008-06-03 13:59:57 0 d-------- C:\Program Files\BitDefender
2008-06-03 13:54:54 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-03 00:02:33 33920 --a------ C:\WINDOWS\system32\vtUlJaxy.dll
2008-06-03 00:01:57 240401 --ahs---- C:\WINDOWS\system32\Kkjilnmp.ini2


-- Find3M Report ---------------------------------------------------------------

2008-06-15 01:37:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 01:37:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-11 13:39:11 0 d-------- C:\Program Files\Sonic Foundry
2008-06-11 02:02:19 0 d-------- C:\Program Files\Super DVD Ripper
2008-06-11 01:54:50 0 d-------- C:\Program Files\TechSmith
2008-06-11 01:54:30 0 d-------- C:\Program Files\Common Files
2008-06-11 01:52:39 0 d-------- C:\Program Files\Any Video Converter
2008-06-11 01:52:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-06-11 00:56:11 0 d-------- C:\Program Files\Sonic Foundry Setup
2008-06-06 19:57:15 0 d-------- C:\Program Files\AdorageI-SAL
2008-06-05 01:57:56 38368 --a----c- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 23:28:48 0 d-------- C:\Program Files\GameSpy Arcade
2008-06-03 23:01:52 0 d-------- C:\Program Files\RXToolBar
2008-06-03 16:20:43 0 d-------- C:\Program Files\Messenger
2008-06-03 16:20:42 0 d-------- C:\Program Files\iPhox
2008-06-03 16:20:42 0 d-------- C:\Program Files\DivX
2008-06-03 16:20:41 0 d-------- C:\Program Files\Blaze Media Pro
2008-06-03 16:20:40 0 d-------- C:\Program Files\AIM
2008-06-03 14:35:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 14:35:02 0 d-------- C:\Program Files\Kazaa
2008-05-30 14:57:02 0 d-------- C:\Program Files\Common Files\Iconix
2008-05-29 13:42:12 0 d-------- C:\Program Files\Iconix
2008-05-12 13:49:42 10 --a------ C:\WINDOWS\smdat32m.sys
2008-05-11 15:44:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-09 11:39:16 0 d-a-s---- C:\Program Files\NewDotNet
2008-04-27 03:26:16 0 d-------- C:\Program Files\Steam
2008-04-26 15:53:33 0 d-------- C:\Program Files\Riva
2008-04-24 01:21:02 4 --a----c- C:\WINDOWS\system32\micro.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5655C2DF-B293-F28F-4981-A1AF2A93700D}]
C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= C:\Program Files\Video ActiveX Object\iesplugin.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 03:04 AM]
"SoundMan"="SOUNDMAN.EXE" [05/14/2004 02:47 AM C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 03:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 03:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/31/2005 12:40 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/28/2005 07:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/14/2005 06:13 PM]
"IconixOEAddOn"="C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe" [01/17/2008 01:50 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [10/16/2007 09:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [10/25/2007 11:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [11/04/2004 05:16 PM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [08/25/2004 05:28 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/31/2005 12:40:36 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/15/2008 01:54 AM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfj62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^BAMMediaPlayerUpdater.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BAMMediaPlayerUpdater.lnk
backup=C:\WINDOWS\pss\BAMMediaPlayerUpdater.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\baldur.exe

*Newly Created Service* - MCTASKMANAGERIDRIVERT



-- End of Deckard's System Scanner: finished at 2008-06-15 02:08:31 ------------
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Unread postby silver » June 15th, 2008, 3:15 am

Hi sin_fury,

Unfortunately, the malware is still active, which may explain the symptoms you describe. We will have to use a different approach, so please hang in there and hopefully the symptoms will abate shortly.

Clean with ComboFix:
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Once complete, please post the ComboFix report and a new HijackThis log.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Trojan Problem

Unread postby sin_fury » June 15th, 2008, 3:22 am

Alright, I'll print the instructions out tomorrow... I'm going to bed right now. Thanks for all the help so far.
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Unread postby sin_fury » June 15th, 2008, 12:47 pm

Every time I try to download ComboFix, McAfee deletes it saying the detection type is Remote Administrator.
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Unread postby silver » June 15th, 2008, 9:25 pm

Hi sin_fury,

It's not unusual for ComboFix to be detected as malware, but you can be certain that it is not. You will need to temporarily disable your real-time protection in order to use this tool. These instructions may work:

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for an Image sign.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.

Please try again and let me know how you get on.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Trojan Problem

Unread postby sin_fury » June 15th, 2008, 11:17 pm

ComboFix 08-06-15.4 - SiN_Fury 2008-06-15 21:45:35.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\Program Files\newdotnet\nnrun.exe
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall.exe
C:\setup.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\baauyxhf.dll
C:\WINDOWS\system32\cicashqq.dll
C:\WINDOWS\system32\drivers\Winfj62.sys
C:\WINDOWS\system32\fekrwkyr.ini
C:\WINDOWS\system32\fhxyuaab.ini
C:\WINDOWS\system32\fvjcvqrq.ini
C:\WINDOWS\system32\fvobmqjh.dll
C:\WINDOWS\system32\heotsewr.ini
C:\WINDOWS\system32\hjqmbovf.ini
C:\WINDOWS\system32\irdvtnuk.ini
C:\WINDOWS\system32\jqfhcfrw.ini
C:\WINDOWS\system32\Kkjilnmp.ini
C:\WINDOWS\system32\Kkjilnmp.ini2
C:\WINDOWS\system32\lffouncn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\micro.dll
C:\WINDOWS\system32\ncnuoffl.ini
C:\WINDOWS\system32\okvprqcv.ini
C:\WINDOWS\system32\qqhsacic.ini
C:\WINDOWS\system32\tlbdareo.ini
C:\WINDOWS\system32\vcqrpvko.dll
C:\WINDOWS\system32\vtUlJaxy.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wrfchfqj.dll
C:\WINDOWS\system32\wslabalv.ini
C:\WINDOWS\system32\ysscacrw.ini

----- BITS: Possible infected sites -----

hxxp://mlb.mlb.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Legacy_WINFJ62
-------\Service_NNServ
-------\Service_Winfj62


((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 12:25 . 2008-06-15 12:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-15 12:25 . 2008-06-15 12:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-15 02:51 . 2008-06-15 02:51 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-15 02:24 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 02:24 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-15 01:38 . 2008-06-15 01:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-15 01:38 . 2008-06-15 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 16:32 . 2008-06-14 16:32 <DIR> d-------- C:\Deckard
2008-06-14 16:30 . 2008-06-14 16:30 <DIR> d-------- C:\deljob
2008-06-14 14:24 . 2008-06-14 14:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 11:56 . 2008-06-14 16:24 <DIR> d-------- C:\SDFix
2008-06-13 14:04 . 2008-06-13 14:04 32 --a-s---- C:\WINDOWS\system32\3572050806.dat
2008-06-12 16:35 . 2008-06-12 16:35 <DIR> d-------- C:\VundoFix Backups
2008-06-07 00:35 . 2008-06-07 00:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 23:40 . 2008-06-05 23:40 30,912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 23:36 . 2008-06-05 23:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 23:35 . 2008-06-05 23:36 <DIR> d-------- C:\Program Files\Safari
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Program Files\Bonjour
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-03 17:23 . 2008-06-06 19:57 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-03 14:28 . 2008-06-03 14:28 <DIR> d-------- C:\Documents and Settings\Administrator\.onion
2008-06-03 14:20 . 2008-06-12 13:18 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-03 13:59 . 2008-06-03 13:59 <DIR> d-------- C:\Program Files\BitDefender
2008-06-03 13:54 . 2008-06-03 14:00 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 06:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 06:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-11 18:39 --------- d-----w C:\Program Files\Sonic Foundry
2008-06-11 07:02 --------- d-----w C:\Program Files\Super DVD Ripper
2008-06-11 06:54 --------- d-----w C:\Program Files\TechSmith
2008-06-11 06:52 --------- d-----w C:\Program Files\Any Video Converter
2008-06-11 06:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-06-11 05:56 --------- d-----w C:\Program Files\Sonic Foundry Setup
2008-06-07 00:57 --------- d-----w C:\Program Files\AdorageI-SAL
2008-06-06 20:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 06:57 38,368 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-04 04:28 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-04 04:01 --------- d-----w C:\Program Files\RXToolBar
2008-06-03 21:20 --------- d-----w C:\Program Files\iPhox
2008-06-03 21:20 --------- d-----w C:\Program Files\DivX
2008-06-03 21:20 --------- d-----w C:\Program Files\Blaze Media Pro
2008-06-03 21:20 --------- d-----w C:\Program Files\AIM
2008-06-03 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 19:57 --------- d-----w C:\Program Files\Common Files\Iconix
2008-05-29 18:42 --------- d-----w C:\Program Files\Iconix
2008-05-22 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-11 20:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 08:26 --------- d-----w C:\Program Files\Steam
2008-04-26 20:53 --------- d-----w C:\Program Files\Riva
2006-10-01 18:26 308,331,087 -c--a-w C:\Program Files\Sony Media (Vegas 6, Sound Forge 8, DVD Architect 3, CD Architect 5, Acid Pro 5+Music Studio 5).incl.KeyGen.rar
2006-09-06 09:11 42,903,040 -c--a-w C:\Program Files\Sibelius 2 Full (1).exe
2006-07-14 16:31 2,262,475 -c--a-w C:\Program Files\KaraokeGuide401.pdf
2006-07-08 23:48 4,949 -c--a-w C:\Program Files\Read_Me_First!.htm
2006-03-11 09:56 438,272 ----a-w C:\Program Files\Mpeg2DecFilter.ax
2005-09-15 21:33 1,899 -c--a-w C:\Program Files\Microsoft Keyboard.lnk
2005-09-15 21:33 1,868 -c--a-w C:\Program Files\Microsoft Mouse.lnk
2005-06-18 22:31 136 -c--a-w C:\Program Files\KaraokeInfo Support Site.url
2003-11-12 03:53 507 -c--a-w C:\Program Files\ActivationFile.htm
2007-08-15 03:26 12,884 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-09-27 22:23 359808 14143695e27b2718dee96ea2e50428b3 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-02-17 17:56 359808 eb98d5e55321cefd803e8173dbb000db C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-06-14 12:32 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5655C2DF-B293-F28F-4981-A1AF2A93700D}]
C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"= C:\Program Files\Video ActiveX Object\iesplugin.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{0d045baa-4bd3-4c94-be8b-21536bd6bd9f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-11-04 17:16 106573]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-08-25 17:28 1871872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 03:04 59392]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-31 00:40 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-28 19:08 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-14 18:13 98304]
"IconixOEAddOn"="C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe" [2008-01-17 13:50 281872]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 11:04 136512]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.MJPX"= PICVideo MJPEG Codec

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^BAMMediaPlayerUpdater.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BAMMediaPlayerUpdater.lnk
backup=C:\WINDOWS\pss\BAMMediaPlayerUpdater.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
--a--c--- 2004-05-21 15:07 1695830 C:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a--c--- 2004-11-04 17:13 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-08-26 22:51 200704 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-11-03 20:10 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-14 18:13 98304 C:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe"=
"C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\mirc-mod4\\mirc.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 uGuru;uGuru;C:\WINDOWS\system32\Drivers\uGuru.sys [2004-02-26 16:52]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 02:21]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys []
S3 Memctl;Memctl;C:\Program Files\ABIT\ABIT uGuru\Memctl.sys [2001-11-29 18:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\baldur.exe

*Newly Created Service* - MHNLMHOSTS
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 20:31:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-06-06 04:34:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 21:03:04 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 22:08:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McTaskManagerIDriverT]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHNLmHosts]
"ImagePath"="ð%€|x\01\09 srv"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2008-06-15 22:28:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 03:27:14

Pre-Run: 34,452,856,832 bytes free
Post-Run: 34,749,063,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

309 --- E O F --- 2008-06-15 07:51:45

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:39 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Task Manager McTaskManagerIDriverT (McTaskManagerIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: MHN MHNLmHosts (MHNLmHosts) - Unknown owner - C:\WINDOWS\

--
End of file - 7618 bytes
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Unread postby silver » June 16th, 2008, 12:42 am

Hi sin_fury,

Please open Start->Control Panel->Add/Remove Programs, and remove the following:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
These are out of date and now a security risk; you can get the latest update (Java Runtime Environment (JRE) 6 Update 6) from here

------------------------------------------------------------------------

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry:
New.net Domains 8.0 build 842
Click it to highlight it, then press Delete this entry
Repeat for these entries:
Public Messenger ver 2.03
Search Plugin
System Alert Popup
Then close HijackThis

------------------------------------------------------------------------

Check that ComboFix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    File::
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\laf4F.tmp 
    C:\WINDOWS\system32\drivers\smss.exe
    C:\Documents and Settings\Administrator\smss.exe
    C:\WINDOWS\system32\gwquvw.dll
    C:\WINDOWS\system32\gwquvw.dll
    C:\WINDOWS\system32\Px.ax
    C:\WINDOWS\system32\pmnlijkK.dll
    c:\windows\system32\drivers\winlg68.sys
    c:\windows\system32\drivers\winol55.sys
    c:\windows\system32\drivers\winut12.sys
    c:\windows\system32\drivers\wns52.sys
    Folder::
    C:\Documents and Settings\All Users\Application Data\FiveVcFordFor
    C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1
    C:\Program Files\SpyNoMore
    C:\Program Files\RXToolBar
    C:\Program Files\Kazaa
    C:\Program Files\Video ActiveX Object
    Driver::
    McTaskManagerIDriverT 
    MHNLmHosts
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5655C2DF-B293-F28F-4981-A1AF2A93700D}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F}"=-
    [-HKEY_CLASSES_ROOT\clsid\{0d045baa-4bd3-4c94-be8b-21536bd6bd9f}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SNM"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegedit"=-
    Suspect::[32]
    C:\WINDOWS\system32\drivers\tcpip.sys
    C:\WINDOWS\system32\3572050806.dat
    DirLook::
    C:\Documents and Settings\Administrator\Application Data\WarezGhost
  • Save this to your Desktop as CFScript.

    (screenshot: CFScript.txt being dragged onto ComboFix.exe)
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, ComboFix will ask you to upload malware files for further analysis. When your browser opens, copy and paste the file and path which appear on the screen and press Send File.
  • ComboFix will also produce a log, please copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Once complete, please post the new ComboFix report and a new HijackThis log.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
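A small triage script, added here as an example and not part of this thread, of HijackThis or of ComboFix: it reads HijackThis O2/O4/O23 lines and emits the CFScript entries for the three patterns silver acted on above (a BHO whose file is missing, a Run value inside a folder already slated for removal, and an "Unknown owner" service with no real image path). The `unwanted_dirs` argument and the `triage`/`to_cfscript` names are the example's own; the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage of HijackThis v2 log lines into CFScript entries.

Added example for this thread; it is not part of HijackThis, ComboFix, or
the helper's own script. It automates the three checks the helper applied
by hand: a BHO whose file is missing, a Run entry pointing into a folder
the analyst has already decided to remove, and an O23 service with
"Unknown owner" and no real image path.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5655C2DF-B293-F28F-4981-A1AF2A93700D} - C:\DOCUME~1\ADMINI~1\APPLIC~1\ITCHBA~1\thirdmpeg.exe (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager McTaskManagerIDriverT (McTaskManagerIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: MHN MHNLmHosts (MHNLmHosts) - Unknown owner - C:\WINDOWS\
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
SECTION_ORDER = ("File::", "Folder::", "Driver::", "Registry::")


@dataclass
class Finding:
    kind: str                  # orphan_bho | unwanted_run | bogus_service
    detail: str                # the log line that triggered the finding
    entries: list = field(default_factory=list)  # (CFScript section, line) pairs


def _exe_from_cmd(cmd: str) -> str:
    """Return the executable path from a Run value, with quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    idx = cmd.lower().find(".exe")      # unquoted paths may contain spaces
    if idx != -1:
        return cmd[: idx + 4]
    return cmd.split(" ", 1)[0]


def triage(log_text: str, unwanted_dirs=()) -> list:
    """Scan HijackThis lines and return Findings with the CFScript lines that address them.

    unwanted_dirs: folders the analyst has already decided to remove (in this
    thread the helper chose the SpyNoMore program folder); Run values whose
    executable lives inside one of them are flagged.
    """
    prefixes = {d.rstrip("\\"): d.rstrip("\\").lower() + "\\" for d in unwanted_dirs}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            # A BHO whose DLL no longer exists is an orphaned registration: drop the CLSID key.
            if m["path"].endswith("(file missing)"):
                key = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{" + m["clsid"] + "}]"
                findings.append(Finding("orphan_bho", line, [("Registry::", key)]))
        elif m := RUN_RE.match(line):
            exe = _exe_from_cmd(m["cmd"]).lower()
            for folder, prefix in prefixes.items():
                if exe.startswith(prefix):
                    run_key = "[" + HIVES[m["hive"]] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
                    findings.append(Finding("unwanted_run", line, [
                        ("Folder::", folder),
                        ("Registry::", run_key),
                        ("Registry::", '"' + m["value"] + '"=-'),
                    ]))
                    break
        elif m := SVC_RE.match(line):
            # No vendor plus an ImagePath that is a bare directory (or empty) is not a real service.
            if m["owner"] == "Unknown owner" and (m["path"] == "" or m["path"].endswith("\\")):
                findings.append(Finding("bogus_service", line, [("Driver::", m["short"])]))
    return findings


def to_cfscript(findings) -> str:
    """Render findings as CFScript text in the section layout ComboFix expects."""
    by_section = {s: [] for s in SECTION_ORDER}
    for f in findings:
        for section, entry in f.entries:
            if entry not in by_section[section]:
                by_section[section].append(entry)
    out = []
    for section in SECTION_ORDER:
        if by_section[section]:
            out.append(section)
            out.extend(by_section[section])
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, unwanted_dirs=[r"C:\Program Files\SpyNoMore"])
    for f in found:
        print(f.kind, "<-", f.detail)
    print(to_cfscript(found))
```

The generated text is a starting point for review, not a script to run unread: every entry still has to be checked against the full log, as silver did here before adding the `Suspect::` and `DirLook::` lines by hand.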

Re: Trojan Problem

Unread postby sin_fury » June 16th, 2008, 1:58 am

Couple of things. First off, I couldn't find

New.net Domains 8.0 build 842

or
Search Plugin

in the HJT Uninstall Manager. However, I did delete the other two you mentioned.

I'm also kind of confused on the last step. A web browser came up that said "Safari can't open the specified address." Now I realize this is the file location you want me to copy, paste and send... but I don't know where you want me to paste it, and I don't know what Send File button you're talking about. Sorry if this is an obvious answer in front of my face... it's getting late and I have work in the morning.

On a brighter note (hopefully), here are the logs.


ComboFix 08-06-15.4 - SiN_Fury 2008-06-16 0:24:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\laf4F.tmp
C:\Documents and Settings\Administrator\smss.exe
C:\WINDOWS\system32\drivers\smss.exe
c:\windows\system32\drivers\winlg68.sys
c:\windows\system32\drivers\winol55.sys
c:\windows\system32\drivers\winut12.sys
c:\windows\system32\drivers\wns52.sys
C:\WINDOWS\system32\gwquvw.dll
C:\WINDOWS\system32\pmnlijkK.dll
C:\WINDOWS\system32\Px.ax
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\FILMHO~1\39AF9BFB
C:\Documents and Settings\All Users\Application Data\FiveVcFordFor
C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\exit test dash
C:\Documents and Settings\All Users\Application Data\FiveVcFordFor\roam spam multi
C:\Program Files\RXToolBar
C:\Program Files\RXToolBar\CacheCatalog.rx
C:\Program Files\RXToolBar\graphics\additional.gif
C:\Program Files\RXToolBar\graphics\additional_active.gif
C:\Program Files\RXToolBar\graphics\background.jpg
C:\Program Files\RXToolBar\graphics\blue_hr_horz.GIF
C:\Program Files\RXToolBar\graphics\gray_hr_horz.GIF
C:\Program Files\RXToolBar\graphics\thumbtack.gif
C:\Program Files\RXToolBar\graphics\thumbtack_active.gif
C:\Program Files\RXToolBar\graphics\thumbtack_click.gif
C:\Program Files\RXToolBar\HTML\content.htm
C:\Program Files\RXToolBar\HTML\main.htm
C:\Program Files\RXToolBar\rx.xml
C:\Program Files\RXToolBar\rxtoolbar.cfg
C:\Program Files\RXToolBar\rxwebsearches.xsl
C:\Program Files\RXToolBar\sfcont.bin
C:\WINDOWS\system32\Px.ax

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCTASKMANAGERIDRIVERT
-------\Legacy_MHNLMHOSTS
-------\Service_McTaskManagerIDriverT
-------\Service_MHNLmHosts


((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 00:18 . 2008-06-16 00:18 <DIR> d-------- C:\Program Files\Sun
2008-06-16 00:17 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 00:15 . 2008-06-16 00:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-15 12:25 . 2008-06-15 12:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-15 12:25 . 2008-06-15 12:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-15 02:51 . 2008-06-15 02:51 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-15 02:24 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 02:24 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-15 01:38 . 2008-06-15 01:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-15 01:38 . 2008-06-15 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 16:32 . 2008-06-14 16:32 <DIR> d-------- C:\Deckard
2008-06-14 16:30 . 2008-06-14 16:30 <DIR> d-------- C:\deljob
2008-06-14 14:24 . 2008-06-14 14:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 11:56 . 2008-06-14 16:24 <DIR> d-------- C:\SDFix
2008-06-13 14:04 . 2008-06-13 14:04 32 --a-s---- C:\WINDOWS\system32\3572050806.dat
2008-06-12 16:35 . 2008-06-12 16:35 <DIR> d-------- C:\VundoFix Backups
2008-06-07 00:35 . 2008-06-07 00:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 23:40 . 2008-06-05 23:40 30,912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 23:36 . 2008-06-05 23:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-05 23:35 . 2008-06-05 23:36 <DIR> d-------- C:\Program Files\Safari
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Program Files\Bonjour
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-05 23:34 . 2008-06-05 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-03 17:23 . 2008-06-06 19:57 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-03 14:28 . 2008-06-03 14:28 <DIR> d-------- C:\Documents and Settings\Administrator\.onion
2008-06-03 14:20 . 2008-06-12 13:18 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-03 13:59 . 2008-06-03 13:59 <DIR> d-------- C:\Program Files\BitDefender
2008-06-03 13:54 . 2008-06-03 14:00 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 05:17 --------- d-----w C:\Program Files\Java
2008-06-15 06:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 06:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-11 18:39 --------- d-----w C:\Program Files\Sonic Foundry
2008-06-11 07:02 --------- d-----w C:\Program Files\Super DVD Ripper
2008-06-11 06:54 --------- d-----w C:\Program Files\TechSmith
2008-06-11 06:52 --------- d-----w C:\Program Files\Any Video Converter
2008-06-11 06:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-06-11 05:56 --------- d-----w C:\Program Files\Sonic Foundry Setup
2008-06-07 00:57 --------- d-----w C:\Program Files\AdorageI-SAL
2008-06-06 20:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 06:57 38,368 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-06-04 04:28 --------- d-----w C:\Program Files\GameSpy Arcade
2008-06-03 21:20 --------- d-----w C:\Program Files\iPhox
2008-06-03 21:20 --------- d-----w C:\Program Files\DivX
2008-06-03 21:20 --------- d-----w C:\Program Files\Blaze Media Pro
2008-06-03 21:20 --------- d-----w C:\Program Files\AIM
2008-06-03 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 19:57 --------- d-----w C:\Program Files\Common Files\Iconix
2008-05-29 18:42 --------- d-----w C:\Program Files\Iconix
2008-05-22 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-11 20:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 08:26 --------- d-----w C:\Program Files\Steam
2008-04-26 20:53 --------- d-----w C:\Program Files\Riva
2006-10-01 18:26 308,331,087 -c--a-w C:\Program Files\Sony Media (Vegas 6, Sound Forge 8, DVD Architect 3, CD Architect 5, Acid Pro 5+Music Studio 5).incl.KeyGen.rar
2006-09-06 09:11 42,903,040 -c--a-w C:\Program Files\Sibelius 2 Full (1).exe
2006-07-14 16:31 2,262,475 -c--a-w C:\Program Files\KaraokeGuide401.pdf
2006-07-08 23:48 4,949 -c--a-w C:\Program Files\Read_Me_First!.htm
2006-03-11 09:56 438,272 ----a-w C:\Program Files\Mpeg2DecFilter.ax
2005-09-15 21:33 1,899 -c--a-w C:\Program Files\Microsoft Keyboard.lnk
2005-09-15 21:33 1,868 -c--a-w C:\Program Files\Microsoft Mouse.lnk
2005-06-18 22:31 136 -c--a-w C:\Program Files\KaraokeInfo Support Site.url
2003-11-12 03:53 507 -c--a-w C:\Program Files\ActivationFile.htm
2007-08-15 03:26 12,884 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Administrator\Application Data\WarezGhost ----

2006-09-05 20:59 411138 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\Storage\efs.dat
2006-09-05 20:54 604 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\RoutingTree.bin
2006-09-05 20:44 1282 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\warez.ini
2006-09-05 20:44 12 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\Storage\dup.dat
2006-09-05 20:44 12 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\Storage\dup.bak
2006-09-05 20:44 0 --a--c--- C:\Documents and Settings\Administrator\Application Data\WarezGhost\Storage\storages.dat


------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-09-27 22:23 359808 14143695e27b2718dee96ea2e50428b3 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-02-17 17:56 359808 eb98d5e55321cefd803e8173dbb000db C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-06-14 12:32 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-15_22.26.42.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 03:04:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 05:32:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-11-09 19:28:20 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-11-09 19:28:30 53,346 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-11-09 21:07:32 127,078 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-11-04 17:16 106573]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-08-25 17:28 1871872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 03:04 59392]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-31 00:40 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-28 19:08 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-14 18:13 98304]
"IconixOEAddOn"="C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe" [2008-01-17 13:50 281872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 11:04 136512]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.MJPX"= PICVideo MJPEG Codec

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^BAMMediaPlayerUpdater.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\BAMMediaPlayerUpdater.lnk
backup=C:\WINDOWS\pss\BAMMediaPlayerUpdater.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
--a--c--- 2004-05-21 15:07 1695830 C:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a--c--- 2004-11-04 17:13 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-08-26 22:51 200704 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-11-03 20:10 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-14 18:13 98304 C:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe"=
"C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\mirc-mod4\\mirc.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 uGuru;uGuru;C:\WINDOWS\system32\Drivers\uGuru.sys [2004-02-26 16:52]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 02:21]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys []
S3 Memctl;Memctl;C:\Program Files\ABIT\ABIT uGuru\Memctl.sys [2001-11-29 18:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\baldur.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 20:31:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-06-06 04:34:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 21:03:04 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 00:35:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
.
**************************************************************************
.
Completion time: 2008-06-16 0:50:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 05:49:35
ComboFix2.txt 2008-06-16 03:28:31

Pre-Run: 34,551,316,480 bytes free
Post-Run: 34,539,110,400 bytes free

304 --- E O F --- 2008-06-16 03:53:01

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:25 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7207 bytes
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am