Virtumonde help

Post by rboarman » June 26th, 2008, 11:39 am

Hello,

I have been struggling with removing Virtumonde from my system. Here are the steps I have taken so far:

- SpyBot S & D was able to locate and remove the infection. However, it keeps coming back and now SpyBot does not report any infected files.
- Installed and ran Spyware Doctor. At first it was able to locate and repair infected files. Now it tells me that my system is clean.
- VundoFix does not find any infected files.
- Kaspersky Online Scanner finds these infected files:

C:\Windows\system32\mlJbXNGX.dll/C:\Windows\system32\mlJbXNGX.dll Infected: Trojan.Win32.Monder.acx 1
winlogon.exe\wvUnNfeE.dll/winlogon.exe\wvUnNfeE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xae 1
C:\Windows\system32\wvUnNfeE.dll/C:\Windows\system32\wvUnNfeE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uky 1
C:\Windows\system32\vgbbhcpi.dll/C:\Windows\system32\vgbbhcpi.dll Infected: Trojan.Win32.Monder.acy 26

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:49 AM, on 6/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\rick.MATRIX6\AppData\Local\Temp\jkos-rick\binaries\ScanningProcess.exe
C:\Users\rick.MATRIX6\AppData\Local\Temp\jkos-rick\binaries\ScanningProcess.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/#General
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 208.39.81.113 dbiddb04
O1 - Hosts: 208.39.81.109 dbiddb05
O1 - Hosts: 208.39.81.94 dbidutil01
O1 - Hosts: 208.39.81.92 dbidxml01
O1 - Hosts: 208.39.81.84 dbidweb08
O1 - Hosts: 208.39.81.85 dbidweb09
O1 - Hosts: 208.39.81.83 dbidweb10
O1 - Hosts: 208.39.81.110 dbidapp03
O1 - Hosts: 208.39.81.111 dbidapp04
O1 - Hosts: 208.39.81.112 dbiddm01
O1 - Hosts: 208.39.81.108 dbidadc01
O1 - Hosts: 208.39.81.117 dbidapp05
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {197AE0D6-306F-4E94-811B-2219F514BC17} - (no file)
O2 - BHO: (no name) - {5B22A14E-2E73-43E1-9049-F02F26CC3A52} - (no file)
O2 - BHO: (no name) - {641BCE62-222E-4957-87CE-E8630F9118B3} - C:\Windows\system32\mlJbXNGX.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUnNfeE.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMa748361b] Rundll32.exe "C:\Windows\system32\vgbbhcpi.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: MagicDisc.lnk.disabled
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.itaggit.com/Items/Controls/I ... oader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\Software\..\Telephony: DomainName = Matrix6.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Matrix6.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 14709 bytes


Help!! What are my next steps?

Thanks in advance!

Rick
rboarman
Active Member
 
Posts: 14
Joined: June 25th, 2008, 9:30 pm
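The three entries that matter in the log above are the nameless O2 BHO backed by C:\Windows\system32\mlJbXNGX.dll and the two O4 Run values that start rundll32 against wvUnNfeE.dll (export #1) and vgbbhcpi.dll (export s); everything else in the O2/O4 sections is recognisable software. The script below is an added example, not part of this post and not a HijackThis feature: it parses O2 and O4 lines and flags the combination that singles those entries out. The sample lines are excerpted from the posted log; the "8 letters, no digits" name check and the "ordinal or one-letter export" check are this example's own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines excerpted from the HijackThis
# log posted above, so the example runs offline.
HJT_SAMPLE = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {197AE0D6-306F-4E94-811B-2219F514BC17} - (no file)
O2 - BHO: (no name) - {641BCE62-222E-4957-87CE-E8630F9118B3} - C:\Windows\system32\mlJbXNGX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUnNfeE.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BMa748361b] Rundll32.exe "C:\Windows\system32\vgbbhcpi.dll",s
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# "rundll32[.exe] <dll>,<export>"; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)


@dataclass(frozen=True)
class Finding:
    line: str    # the original HijackThis line (carries the O4 value name / O2 CLSID)
    path: str    # file the entry loads
    reason: str


def looks_random(path: str) -> bool:
    """Heuristic (this example's assumption): an 8-letter, digit-free base name,
    the shape every Vundo DLL in the posted log has (mlJbXNGX, wvUnNfeE, vgbbhcpi).
    Legitimate files match too (NvMcTray), so never use it on its own."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def triage_hjt(text: str) -> list:
    """Return Findings for O2/O4 lines that show Vundo-style persistence."""
    findings = []
    for line in text.strip().splitlines():
        if m := O2_RE.match(line):
            name, path = m["name"], m["path"]
            if path == "(no file)":
                findings.append(Finding(line, path, "orphan BHO CLSID with no file on disk"))
            elif name == "(no name)" and in_system32(path) and looks_random(path):
                findings.append(Finding(line, path, "nameless BHO backed by a random-named System32 DLL"))
        elif m := O4_RE.match(line):
            r = RUNDLL_RE.match(m["cmd"])
            if not r:
                continue
            dll, export = r["dll"], r["export"]
            # Real rundll32 autostarts name their export (NvTaskbarInit); the
            # Vundo entries use an ordinal (#1) or a one-letter export (s).
            if in_system32(dll) and looks_random(dll) and (export.startswith("#") or len(export) <= 2):
                findings.append(Finding(line, dll, f"rundll32 loads random-named DLL via export {export!r}"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"{f.reason}: {f.path}")
```

Each flagged line carries the item a fix targets after the file itself has been confirmed malicious: the O4 value name in brackets ([MSServer], [BMa748361b]) or the O2 CLSID. The orphan "(no file)" BHOs are harmless leftovers but worth clearing so they do not mask a later reinfection.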

Re: Virtumonde help

Post by Shaba » June 27th, 2008, 4:00 am

Hi rboarman

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

Post:

- dss logs (taken after mbam run)
- mbam report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde help

Post by rboarman » June 28th, 2008, 2:13 pm

Hello,

Thank you for your assistance. Prior to your post I went ahead and ran ComboFix. Below is the log file. I will post the results of the other scans in a moment.

Thank you again,

Rick

ComboFix 08-06-20.4 - rick 2008-06-27 9:03:21.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1180 [GMT -7:00]
Running from: C:\Users\rick.MATRIX6\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\agcddgrq.ini
C:\Windows\system32\atnyesoe.ini
C:\Windows\system32\awtttSIB.dll
C:\Windows\system32\brdxrhgs.ini
C:\Windows\system32\cwvhnhgr.ini
C:\Windows\System32\eMUFefii.ini
C:\Windows\System32\eMUFefii.ini2
C:\Windows\system32\ihlfgcfm.ini
C:\Windows\system32\kTwadfii.ini
C:\Windows\System32\kTwadfii.ini2
C:\Windows\System32\QtuBedMp.ini
C:\Windows\System32\QtuBedMp.ini2
C:\Windows\system32\rqrPJARh.dll
C:\Windows\system32\vcxlicfv.ini
C:\Windows\system32\w3url.dll
C:\Windows\system32\xxywTLCt.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 262,144 --a------ C:\ntuser.dat
2008-06-26 16:53 . 2008-06-27 08:58 65,536 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-26 16:53 65,536 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-27 08:58 5,120 --ah----- C:\ntuser.dat.LOG1
2008-06-26 16:53 . 2008-06-26 16:53 0 --ah----- C:\ntuser.dat.LOG2
2008-06-26 15:42 . 2008-06-26 15:42 345 --ahs---- C:\Windows\System32\XGNXbJlm.ini
2008-06-26 15:30 . 2008-06-26 15:30 345 --ahs---- C:\Windows\System32\nXGjknpo.ini
2008-06-26 15:27 . 2008-06-26 15:27 91,648 --a------ C:\Windows\System32\wgrfawbk.dll
2008-06-25 18:30 . 2008-06-25 18:30 91,136 --a------ C:\Windows\System32\vgbbhcpi.dll
2008-06-25 17:22 . 2008-06-25 17:22 91,136 --a------ C:\Windows\System32\yedbcfhq.dll
2008-06-25 17:21 . 2008-06-25 17:21 106,496 --a------ C:\Windows\System32\uyyryyvy.dll
2008-06-25 17:21 . 2008-06-25 17:21 81,920 --a------ C:\Windows\System32\eoseynta.dll
2008-06-25 17:18 . 2008-06-25 17:18 91,136 --a------ C:\Windows\System32\hpqiemyt.dll
2008-06-25 17:18 . 2008-06-25 18:12 345 --ahs---- C:\Windows\System32\DKlooYxx.ini
2008-06-25 16:51 . 2008-06-25 16:51 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\PC Tools
2008-06-25 16:51 . 2008-06-26 16:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-25 16:51 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-25 16:51 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-06-25 16:51 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-06-25 16:51 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-06-25 15:30 . 2008-06-25 15:30 81,920 --a------ C:\Windows\System32\rghnhvwc.dll
2008-06-25 15:27 . 2008-06-25 15:27 106,496 --a------ C:\Windows\System32\bssepcsx.dll
2008-06-25 15:21 . 2008-06-25 15:21 91,136 --a------ C:\Windows\System32\arxbegbn.dll
2008-06-25 14:04 . 2008-06-25 14:05 <DIR> d-------- C:\Program Files\Java
2008-06-25 14:03 . 2008-06-25 14:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-25 13:51 . 2008-06-25 13:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-25 13:32 . 2008-06-25 13:32 106,496 --a------ C:\Windows\System32\amjookvf.dll
2008-06-25 13:32 . 2008-06-25 13:32 81,920 --a------ C:\Windows\System32\mfcgflhi.dll
2008-06-25 13:31 . 2008-06-25 13:31 91,136 --a------ C:\Windows\System32\umrxwksy.dll
2008-06-25 13:08 . 2008-06-25 13:08 106,496 --a------ C:\Windows\System32\ajkhtfbg.dll
2008-06-25 13:08 . 2008-06-25 13:08 91,136 --a------ C:\Windows\System32\rwiksqtr.dll
2008-06-25 11:41 . 2008-06-25 11:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 10:46 . 2008-06-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 09:58 . 2008-06-25 09:58 91,136 --a------ C:\Windows\System32\spdohtwy.dll
2008-06-25 09:23 . 2008-06-25 09:23 106,496 --a------ C:\Windows\System32\pnljisoq.dll
2008-06-25 09:23 . 2008-06-25 09:23 91,136 --a------ C:\Windows\System32\aelxlqyt.dll
2008-06-24 22:16 . 2008-06-24 22:28 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Sony
2008-06-24 22:16 . 2008-06-24 22:16 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Publish Providers
2008-06-24 22:16 . 2008-06-24 22:28 156 --a------ C:\Windows\Twunk001.MTX
2008-06-24 22:16 . 2008-06-24 22:28 2 --a------ C:\Windows\Twain001.Mtx
2008-06-24 22:16 . 2008-06-24 22:16 0 --a------ C:\Windows\Twunk002.MTX
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Users\All Users\Sony
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\ProgramData\Sony
2008-06-24 22:11 . 2008-06-24 22:11 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-24 22:11 . 2008-06-24 22:25 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Program Files\Sony
2008-06-24 21:24 . 2008-06-24 21:24 81,920 --------- C:\Windows\System32\vfcilxcv.dll
2008-06-24 21:20 . 2008-06-25 10:01 345 --ahs---- C:\Windows\System32\WGfiQXyb.ini
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\Users\All Users\Genie-Soft
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\ProgramData\Genie-Soft
2008-06-21 10:18 . 2008-06-21 10:18 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Genie-soft
2008-06-21 10:15 . 2008-06-21 10:15 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-21 10:15 . 2006-11-02 00:50 128,104 --------- C:\Windows\System32\drivers\WimFltr.sys
2008-06-21 10:14 . 2008-06-21 10:14 <DIR> d-------- C:\Program Files\Genie-Soft
2008-06-20 12:13 . 2008-06-20 12:13 <DIR> d-------- C:\Program Files\MSECache
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-06-16 18:01 . 2008-06-16 18:01 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\J River
2008-06-15 19:43 . 2008-03-07 19:08 4,240,384 --------- C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-15 19:43 . 2008-03-07 21:21 1,695,744 --------- C:\Windows\System32\gameux.dll
2008-06-15 19:43 . 2008-04-22 21:42 428,544 --------- C:\Windows\System32\EncDec.dll
2008-06-15 19:43 . 2008-04-22 21:42 293,376 --------- C:\Windows\System32\psisdecd.dll
2008-06-15 19:43 . 2008-04-22 21:41 218,624 --------- C:\Windows\System32\psisrndr.ax
2008-06-15 19:43 . 2008-04-22 21:41 57,856 --------- C:\Windows\System32\MSDvbNP.ax
2008-06-11 08:54 . 2008-04-24 19:12 1,383,424 --------- C:\Windows\System32\mshtml.tlb
2008-06-11 08:54 . 2008-04-26 01:08 1,314,816 --------- C:\Windows\System32\quartz.dll
2008-06-11 08:54 . 2008-04-24 21:35 826,880 --------- C:\Windows\System32\wininet.dll
2008-06-11 08:54 . 2008-05-09 18:33 113,664 --------- C:\Windows\System32\drivers\rmcast.sys
2008-06-09 11:22 . 2007-12-20 14:10 129,520 --------- C:\Windows\System32\pxafs.dll
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Winamp
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 11:10 . 2008-06-09 11:10 <DIR> d-------- C:\Program Files\J River
2008-06-09 11:10 . 2008-03-13 08:58 585,728 --------- C:\Windows\System32\AReadyLB.dll
2008-06-09 11:10 . 2008-03-13 08:58 229,376 --------- C:\Windows\System32\AudDevicePlugin.dll
2008-06-09 11:10 . 2008-03-13 08:58 183,129 --------- C:\Windows\System32\AM Install1.INF
2008-06-09 10:09 . 2008-06-15 19:46 <DIR> d-------- C:\Program Files\Windows Live
2008-06-09 10:09 . 2008-06-09 10:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-06-03 07:58 . 2008-06-03 07:58 <DIR> d-------- C:\Users\alexi\AppData\Roaming\Ulead Systems
2008-05-30 11:23 . 2008-05-30 11:24 222,425,481 --------- C:\Windows\MEMORY.DMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 16:01 --------- d---a-w C:\ProgramData\TEMP
2008-06-25 21:07 --------- d-----w C:\Program Files\Trillian
2008-06-25 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 05:10 --------- d-----w C:\ProgramData\Ulead Systems
2008-06-25 04:14 --------- d-----w C:\Program Files\PowerArchiver
2008-06-23 03:10 --------- d-----w C:\ProgramData\NVIDIA
2008-06-20 14:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-19 20:18 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-19 20:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-19 20:17 --------- d-----w C:\Program Files\Microsoft SDKs
2008-06-18 16:44 --------- d-----w C:\Program Files\DivX
2008-06-16 05:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 23:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-09 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-04 02:39 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ventrilo
2008-06-03 14:56 --------- d-----w C:\ProgramData\eFax Messenger 4.3 Output
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ------w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ------w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ------w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ------w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ------w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ------w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ------w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu10.dll
2008-05-29 04:49 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-27 20:49 --------- d-----w C:\Program Files\StarterKits
2008-05-26 18:39 --------- d-----w C:\ProgramData\FLEXnet
2008-05-26 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 18:13 --------- d-----w C:\Program Files\Bonjour
2008-05-26 18:09 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-26 18:04 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ulead Systems
2008-05-26 17:58 0 ---h--w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-26 17:56 --------- d-----w C:\Program Files\Windows Media Components
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-22 22:22 524,288 ------w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ------w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ------w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ------w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ------w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ------w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ------w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ------w C:\Windows\System32\DivXWMPExtType.dll
2008-05-22 01:35 --------- d--h--w C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-22 01:32 --------- d-----w C:\Program Files\Stardock Games
2008-05-21 00:10 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\vlc
2008-05-21 00:09 --------- d-----w C:\Program Files\VideoLAN
2008-05-20 16:20 --------- d-----w C:\Program Files\Windows NT Backup - Restore Utility
2008-05-10 01:49 --------- d-----w C:\Program Files\Vodei
2008-05-05 21:53 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\eFax Messenger
2008-05-05 21:53 --------- d-----w C:\ProgramData\eFax Messenger 4.3 Setup
2008-05-05 21:53 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-05-03 00:47 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Bioshock
2008-05-02 17:13 0 ---h--w C:\Windows\system32\drivers\Msft_User_LgLcdSSDriver_01_00_00.Wdf
2008-05-02 17:13 --------- d-----w C:\ProgramData\Logitech
2008-05-02 17:13 --------- d-----w C:\Program Files\Logitech
2008-05-02 12:59 122,368 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2008-05-01 00:27 442,368 ------w C:\Windows\System32\NVUNINST.EXE
2008-04-26 07:12 107,888 ------w C:\Windows\System32\CmdLineExt.dll
2008-04-12 00:23 38,400 ------w C:\Windows\System32\SoundSchemes.exe
2008-04-09 05:54 174 --sh--w C:\Program Files\desktop.ini
2008-04-09 05:30 413,696 ------w C:\Windows\System32\wrap_oal.dll
2008-04-09 05:30 110,592 ------w C:\Windows\System32\OpenAL32.dll
2008-04-09 05:21 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-04-09 05:21 101,888 ------w C:\Windows\System32\ifxcardm.dll
2008-04-09 05:01 47,560 ------w C:\Windows\System32\SPReview.exe
2008-04-09 05:01 152,576 ------w C:\Windows\System32\SPWizUI.dll
2008-03-06 01:32 32 ------w C:\Users\All Users\ezsid.dat
2008-03-06 01:32 32 ------w C:\ProgramData\ezsid.dat
2008-02-03 07:49 22,328 ------w C:\Users\rick.MATRIX6\AppData\Roaming\PnkBstrK.sys
2008-03-07 05:21 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030620080307\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{197AE0D6-306F-4E94-811B-2219F514BC17}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232C2641-F618-425F-9413-1836B216C295}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B22A14E-2E73-43E1-9049-F02F26CC3A52}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627C7723-6E7A-44A5-9D3D-42478FF8F4F1}]
C:\Windows\system32\mlJbXNGX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e0b6c34-c19f-4afd-93c3-83c799e0c36e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 16:35 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-07 19:25 160592]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BMa748361b"="C:\Windows\system32\wgrfawbk.dll" [2008-06-26 15:27 91648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [ ]
"CtxfiReg"="CTXFIREG.exe" [2007-10-25 22:52 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\Users\rick.MATRIX6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-01-07 23:11:22 798]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\Windows\system32\awtrRICV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{569D53C3-706A-4456-B5DA-E1BD72FE7E91}"= UDP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{F18DE565-6EA1-4630-87DE-A0C8D4036CD5}"= TCP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{7F76A358-63CF-46E4-8AF8-346CC0DEFC64}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"UDP Query User{2A8DC694-EDBA-430B-8E54-568DCAE98DD2}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"TCP Query User{56C1193A-DCF7-414A-B91D-2DF9BCD084B2}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{13ED714D-8851-4AA2-8A11-8B507492FB51}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1441EED2-19F8-48E7-9D37-9319F7EDABEF}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"UDP Query User{39CED5C9-1D29-47D5-B950-BCD64CED3D4C}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"{F234B377-A305-4B89-9789-FAC613F0AB53}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{913AC9CB-A469-4241-9A64-DA088A219799}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{FE80938A-9132-478F-BC2D-595521ABCEBE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{79C88D88-66DE-4DC2-BC4E-B0F950884EC3}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{C19915FB-BB9A-4992-83C2-FE68DAAE7DC0}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B7033A8E-B7CC-4223-8976-F27E76851EAB}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{ACBE0E22-6DD4-4596-863A-276D448401F0}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{02A2F050-DC6A-43D1-A480-42A49F818D19}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{71C22B22-FDA2-4723-96BB-9A8C1311C549}C:\\windows\\system32\\ftp.exe"= UDP:C:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{A1E7A201-8BB2-4DC1-A633-734292F36F67}C:\\windows\\system32\\ftp.exe"= TCP:C:\windows\system32\ftp.exe:File Transfer Program
"{5407455A-286A-4784-B98B-28038757A191}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{114A0A80-0F24-487C-A74D-6C68D858005C}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{561578AD-5632-47B4-A624-67FDF2A1C661}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1469D84-059A-4B0E-86A3-CB5F06EFD5C9}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{402134E8-C9F7-4FC1-8E33-8D551B47C1CD}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{F896FCBE-BCB9-4455-B1FE-648C34EBBD9A}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{E432EE64-FCBC-4DAB-A175-E349295D84F9}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= UDP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"UDP Query User{69F7DF09-CCC2-4758-B432-86A87E93F7AD}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= TCP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"{19B0CE24-11DA-4655-9114-1569C8AB0B5E}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{72D730A3-CB26-4D00-9A9B-230A0A4F474D}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C6C75529-2063-49CD-8B07-D9F4BE99823C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{9D348DE3-9F0C-4335-8890-0EF1760CE955}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{14CB1A57-2EDB-4322-B910-E70DC8D76B5A}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{958372C2-2FB8-4F10-B9E5-04E0EE92211D}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"{AD5B00EF-200F-4B5F-BC06-1E67F14CB324}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"{41A3127D-9712-4887-B3D3-C7A187F020A0}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"TCP Query User{E7C85640-0E49-4A56-9F94-ACA31F16AB6B}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
"UDP Query User{8DBC632B-7AFF-4113-A265-00393317097D}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [2007-10-26 00:33]
S3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 06:42:00 C:\Windows\Tasks\User_Feed_Synchronization-{31B90036-0669-4958-AA20-50CC211610BD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 23:42:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\wgrfawbk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\microsoft shared\VS7Debug\MDM.EXE
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2008-06-27 23:44:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 06:44:46

Pre-Run: 149,117,652,992 bytes free
Post-Run: 145,103,118,336 bytes free

354 --- E O F --- 2008-06-24 15:54:19
rboarman
Active Member
 
Posts: 14
Joined: June 25th, 2008, 9:30 pm
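Added example (the editor's, not part of rboarman's post and not ComboFix code): a small Python triage script that reads a ComboFix "Reg Loading Points" dump in the format shown in the log above and scores each autostart entry for the Vundo persistence pattern that log exposes: a Browser Helper Object and a ShellExecuteHook backed by eight-letter randomly named DLLs dropped straight into system32, a Run value with a machine-generated name (BMa748361b) that resolves to a DLL written the day before the scan, and the two policy changes that help the infection survive (EnableLUA=0, and DisableMonitoring=1 for the Symantec entry under Security Center). The sample input is constructed from the entries in the log; the eight-letter-name rule, the seven-day freshness window and the two-signal threshold are assumptions for illustration, and the name rule is deliberately treated as one weak signal among several because legitimate DLLs such as NvMcTray.dll share that shape.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: the relevant "Reg Loading Points" entries from the
# posted ComboFix log, with benign neighbours trimmed to two representatives.
SAMPLE_LOADING_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627C7723-6E7A-44A5-9D3D-42478FF8F4F1}]
C:\Windows\system32\mlJbXNGX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BMa748361b"="C:\Windows\system32\wgrfawbk.dll" [2008-06-26 15:27 91648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\Windows\system32\awtrRICV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""


@dataclass
class Finding:
    key: str
    entry: str
    reasons: list = field(default_factory=list)


# Shape of every Vundo DLL in this log (mlJbXNGX, wgrfawbk, awtrRICV): exactly
# eight letters. NvMcTray.dll shares it, so this is one signal, never a verdict.
EIGHT_LETTER_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")
# Run value names mixing letters and digits into no word ("BMa748361b"). Assumed heuristic.
GENERATED_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,12}$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe)', re.IGNORECASE)
# ComboFix appends "[YYYY-MM-DD HH:MM size]" when it could stat the target file.
STAMP = re.compile(r"\[(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+\]")


def parse_loading_points(text):
    """Yield (key, value_name, data); a bare path line under a BHO CLSID
    (how ComboFix prints the backing DLL) comes back with value_name=None."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]*)"\s*=\s*(.*)$', line)
        yield (key, m.group(1), m.group(2)) if m else (key, None, line)


def triage(text, scan_date, threshold=2):
    """Score each autostart entry and keep those with >= threshold signals.
    Policy tampering (UAC off, AV monitoring off) is reported unconditionally."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = (key or "").lower()
        m = WIN_PATH.search(data)
        path = m.group(0) if m else None
        reasons = []
        if path:
            dll = path.rsplit("\\", 1)[-1]
            if EIGHT_LETTER_DLL.match(dll):
                reasons.append("eight-letter DLL name, the Vundo shape in this log")
            if "\\system32\\" in path.lower() and ("browser helper" in k or "shellexecutehooks" in k):
                reasons.append("third-party browser/shell hook living directly in system32")
            if name and GENERATED_NAME.match(name):
                reasons.append(f"machine-generated value name {name!r}")
            st = STAMP.search(data)
            if st and (scan_date - date.fromisoformat(st.group(1))).days <= 7:
                reasons.append("target written within a week of the scan")
            if data.rstrip().endswith("[ ]"):
                reasons.append("ComboFix could not stat the target (missing or hidden)")
        elif name == "EnableLUA" and "policies\\system" in k and data.startswith("0"):
            reasons.append("UAC disabled (EnableLUA=0)")
        elif name == "DisableMonitoring" and "security center" in k and data.endswith("1"):
            reasons.append("Security Center told to stop monitoring this AV product")
        if reasons and (path is None or len(reasons) >= threshold):
            findings.append(Finding(key, name or path, reasons))
    return findings


def sample_findings():
    """Triage the constructed sample using the log's scan date (2008-06-27)."""
    return triage(SAMPLE_LOADING_POINTS, date(2008, 6, 27))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.entry}\n    key: {f.key}\n    " + "\n    ".join(f.reasons))
```

Run it as a script to print the five hits (the BHO DLL, the BMa748361b Run value, the ShellExecuteHook, and the two policy values); NvMediaCenter and SunJavaUpdateSched stay below the threshold. Treat the output as a worklist, not a verdict: confirm each flagged DLL against its version information and digital signature, and against the files ComboFix quarantined, before removing anything.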

Re: Virtumonde help

Unread postby rboarman » June 28th, 2008, 2:14 pm

mbam-log-6-28-2008 (09-15-22):

Malwarebytes' Anti-Malware 1.18
Database version: 898

09:15:32 2008-06-28
mbam-log-6-28-2008 (09-15-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 211319
Time elapsed: 46 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMa748361b (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\wgrfawbk.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> No action taken.

Re: Virtumonde help

Unread postby rboarman » June 28th, 2008, 2:16 pm

DSS logs:

Deckard's System Scanner v20071014.68
Run by rick on 2008-06-28 10:48:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 4 Restore Point(s) --
4: 2008-06-28 04:50:14 UTC - RP157 - Scheduled Checkpoint
3: 2008-06-27 16:02:23 UTC - RP156 - ComboFix created restore point
2: 2008-06-26 19:31:56 UTC - RP155 - Scheduled Checkpoint
1: 2008-06-25 21:03:12 UTC - RP154 - Installed Java(TM) 6 Update 6


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as rick.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-28 10:54:07
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Users\rick.MATRIX6\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\rick.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/#General
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {627C7723-6E7A-44A5-9D3D-42478FF8F4F1} - C:\Windows\system32\mlJbXNGX.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O4 - Startup: MagicDisc.lnk.disabled = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O15 - Trusted Zone: http://www.msi.com.tw (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/ ... ontrol.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.itaggit.com/Items/Controls/I ... oader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = Matrix6.local
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = Matrix6.local
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\System32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


--
End of file - 12679 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Not Verified; Symantec Corporation; AutoProtect>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor5.0 (Adobe Active File Monitor V5) - c:\program files\adobe\photoshop elements 5.0\photoshopelementsfileagent.exe
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&46769B1&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&46769B1&0
Service: i8042prt

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&46769B1&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&46769B1&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-06-28 10:50:39 444 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{31B90036-0669-4958-AA20-50CC211610BD}.job


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 08:20:06 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-28 08:20:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-27 09:01:57 68096 --a------ C:\Windows\zip.exe
2008-06-27 09:01:57 49152 --a------ C:\Windows\VFind.exe
2008-06-27 09:01:57 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-27 09:01:57 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-27 09:01:57 98816 --a------ C:\Windows\sed.exe
2008-06-27 09:01:57 80412 --a------ C:\Windows\grep.exe
2008-06-27 09:01:57 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-27 09:00:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-26 16:53:51 262144 --a------ C:\ntuser.dat
2008-06-25 18:30:47 91136 --a------ C:\Windows\system32\vgbbhcpi.dll
2008-06-25 17:22:10 91136 --a------ C:\Windows\system32\yedbcfhq.dll
2008-06-25 17:18:43 91136 --a------ C:\Windows\system32\hpqiemyt.dll
2008-06-25 16:51:24 0 d-------- C:\Program Files\Spyware Doctor
2008-06-25 15:21:31 91136 --a------ C:\Windows\system32\arxbegbn.dll
2008-06-25 14:04:26 0 d-------- C:\Program Files\Java
2008-06-25 14:03:43 0 d-------- C:\Program Files\Common Files\Java
2008-06-25 13:51:45 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-25 13:31:56 91136 --a------ C:\Windows\system32\umrxwksy.dll
2008-06-25 13:08:02 91136 --a------ C:\Windows\system32\rwiksqtr.dll
2008-06-25 11:41:16 0 d-------- C:\VundoFix Backups
2008-06-25 10:46:16 0 d-------- C:\Program Files\Trend Micro
2008-06-25 10:02:34 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-25 09:58:49 91136 --a------ C:\Windows\system32\spdohtwy.dll
2008-06-25 09:23:28 91136 --a------ C:\Windows\system32\aelxlqyt.dll
2008-06-24 22:16:19 0 -rahs---- C:\MSDOS.SYS
2008-06-24 22:16:19 0 -rahs---- C:\IO.SYS
2008-06-24 22:11:58 0 d-------- C:\Program Files\Vstplugins
2008-06-24 22:11:50 0 d-------- C:\Users\All Users\Sony
2008-06-24 22:11:40 0 d-------- C:\Program Files\Sony
2008-06-24 22:11:09 0 d-------- C:\Program Files\Sony Setup
2008-06-21 10:20:05 0 d-------- C:\Users\All Users\Genie-Soft
2008-06-21 10:15:03 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-21 10:14:59 0 d-------- C:\Program Files\Genie-Soft
2008-06-20 12:13:19 0 d-------- C:\Program Files\MSECache
2008-06-19 15:21:33 0 d-------- C:\Program Files\Microsoft Expression
2008-06-09 11:21:57 0 d-------- C:\Program Files\Winamp
2008-06-09 11:10:24 229376 -----n--- C:\Windows\system32\AudDevicePlugin.dll <Not Verified; Audible Inc.; Audible Device Plugin>
2008-06-09 11:10:24 585728 -----n--- C:\Windows\system32\AReadyLB.dll <Not Verified; Audible Inc.; AReadyLB Library>
2008-06-09 11:10:24 0 d-------- C:\Program Files\J River
2008-06-09 10:09:28 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 10:09:23 0 d-------- C:\Program Files\Windows Live
2008-06-09 10:08:56 0 d-------- C:\Users\All Users\WLInstaller
2008-05-30 16:22:48 802816 -----n--- C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 -----n--- C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 -----n--- C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 815104 -----n--- C:\Windows\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 683520 -----n--- C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Find3M Report ---------------------------------------------------------------

2008-06-28 08:20:08 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Malwarebytes
2008-06-25 16:51:24 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\PC Tools
2008-06-25 14:07:39 0 d-------- C:\Program Files\Trillian
2008-06-25 14:03:43 0 d-------- C:\Program Files\Common Files
2008-06-24 22:28:02 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Sony
2008-06-24 22:16:17 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Publish Providers
2008-06-24 22:10:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 21:14:34 0 d-------- C:\Program Files\PowerArchiver
2008-06-24 17:27:26 127711 --a------ C:\Users\rick.MATRIX6\AppData\Roaming\Cosmos Prefs
2008-06-21 10:18:07 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Genie-soft
2008-06-20 07:49:35 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-19 13:18:06 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-06-19 13:17:48 0 d-------- C:\Program Files\Microsoft SDKs
2008-06-18 09:44:48 0 d-------- C:\Program Files\DivX
2008-06-18 07:16:33 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Mozilla
2008-06-16 18:01:20 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\J River
2008-06-15 22:41:27 0 d-------- C:\Program Files\Windows Mail
2008-06-09 16:47:59 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 11:22:18 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Winamp
2008-06-09 10:12:35 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-04 15:41:03 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Adobe
2008-06-03 19:39:24 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Ventrilo
2008-05-28 21:49:18 0 d-------- C:\Program Files\Flickr Uploadr
2008-05-27 13:49:47 0 d-------- C:\Program Files\StarterKits
2008-05-26 11:22:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-26 11:13:35 0 d-------- C:\Program Files\Bonjour
2008-05-26 11:09:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 11:04:26 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Ulead Systems
2008-05-26 10:56:55 0 d-------- C:\Program Files\Common Files\InterVideo
2008-05-26 10:56:45 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-26 10:56:20 0 d-------- C:\Program Files\Windows Media Components
2008-05-22 15:22:18 3596288 -----n--- C:\Windows\system32\qt-dx331.dll
2008-05-22 15:19:46 196608 -----n--- C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 15:19:46 81920 -----n--- C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 15:18:54 12288 -----n--- C:\Windows\system32\DivXWMPExtType.dll
2008-05-21 18:32:24 0 d-------- C:\Program Files\Stardock Games
2008-05-20 17:10:26 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\vlc
2008-05-20 17:09:36 0 d-------- C:\Program Files\VideoLAN
2008-05-20 09:20:34 0 d-------- C:\Program Files\Windows NT Backup - Restore Utility
2008-05-09 18:49:17 0 d-------- C:\Program Files\Vodei
2008-05-05 14:53:51 0 d-------- C:\Program Files\eFax Messenger 4.3
2008-05-05 14:53:42 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\eFax Messenger
2008-05-05 14:53:33 0 -----n--- C:\Windows\system32\eFax_4_3_Port
2008-05-02 17:47:47 0 d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Bioshock
2008-05-02 10:13:08 0 d-------- C:\Program Files\Logitech
2008-04-11 17:23:54 38400 -----n--- C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-08 22:54:28 174 ---hs---- C:\Program Files\desktop.ini
2008-04-08 22:30:43 413696 -----n--- C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-08 22:30:43 110592 -----n--- C:\Windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-04-08 22:01:08 152576 -----n--- C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627C7723-6E7A-44A5-9D3D-42478FF8F4F1}]
C:\Windows\system32\mlJbXNGX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 16:35]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-07 19:25]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DevconDefaultDB"=C:\Windows\system32\READREG /SILENT /FAIL=1
"CtxfiReg"=CTXFIREG.exe /FAIL1

C:\Users\rick.MATRIX6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-01-07 23:11:22]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\Windows\system32\awtrRICV.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
iissvcs w3svc was
apphost apphostsvc
GPSvcGroup GPSvc
rsmsvcs ntmssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-06-28 10:55:17 ------------


extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 2046.58 MiB / 1014.14 MiB
Pagefile Memory (total/avail): 4330.21 MiB / 3157.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1889.07 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 229.51 GiB total, 135.28 GiB free.
D: is Fixed (NTFS) - 68.58 GiB total, 17.24 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is CDROM (No Media)
I: is Fixed (NTFS) - 34.47 GiB total, 34.39 GiB free.
K: is Fixed (NTFS) - 149.05 GiB total, 83.87 GiB free.

\\.\PHYSICALDRIVE2 - WDC WD1600PD-00FZB0 ATA Device - 149.05 GiB - 1 partition
\PARTITION0 - Logical Disk Manager - 149.05 GiB - K:

\\.\PHYSICALDRIVE1 - WDC WD3200KS-00PFB0 ATA Device - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 68.58 GiB - D:
\PARTITION1 - Installable File System - 229.51 GiB - C:

\\.\PHYSICALDRIVE0 - WDC WD360GD-00FNA0 ATA Device - 34.47 GiB - 1 partition
\PARTITION0 - Installable File System - 34.47 GiB - I:

\\.\PHYSICALDRIVE3 - VIA-P VT6205-DevB USB Device

\\.\PHYSICALDRIVE4 - VIA-P VT6205-DevM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.)
AS: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\rick.MATRIX6\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RRB
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\rick.MATRIX6
lib=C:\Program Files\SQLXML 4.0\bin\
LOCALAPPDATA=C:\Users\rick.MATRIX6\AppData\Local
LOGONSERVER=\\BASE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\90\DTS\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies;C:\Program Files\Smart Projects\IsoBuster;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\RICK~1.MAT\AppData\Local\Temp
TMP=C:\Users\RICK~1.MAT\AppData\Local\Temp
USERDNSDOMAIN=MATRIX6.LOCAL
USERDOMAIN=MATRIX6
USERNAME=rick
USERPROFILE=C:\Users\rick.MATRIX6
VS90COMNTOOLS=c:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

rick.MATRIX6 (admin)
alexi (admin)
administrator (admin)
rick (new local, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9 /remove
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
Add or Remove Adobe Creative Suite 3 Master Collection --> C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
ADO.NET Entity Framework 1.0 (Pre-Release Version) --> c:\Windows\Microsoft.NET\Framework\v3.5\ADO.NET Entity Framework 1.0 (Pre-Release Version)\install.exe
ADO.NET Entity Framework 1.0 (Pre-Release Version) --> MsiExec.exe /I{CD0A3112-39C9-43F4-99CF-F31EAF48099F}
Adobe After Effects CS3 Presets --> MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Master Collection --> MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Help Viewer CS3 --> MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Photoshop Elements 5.0 --> msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content --> MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Araxis Merge --> MsiExec.exe /I{F02ECEAA-AAD5-4AE1-9B08-FE8CCA5A3B8A}
ASP.Net MVC Membership Starter Kit --> MsiExec.exe /I{087D69B3-CE1A-4E87-8CB9-96BB35FFDC37}
Axure RP Pro 4 --> "C:\Users\Public\Application Data\{A13631F3-4B4E-4D16-A15C-B6E45A98E464}\AxureRP.exe" REMOVE=TRUE MODIFY=FALSE
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative Sound Blaster Properties --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9 /remove
Crysis(R) --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
Crystal Reports Basic for Visual Studio 2008 --> MsiExec.exe /X{AA467959-A1D6-4F45-90CD-11DC57733F32}
DameWare NT Utilities --> MsiExec.exe /I{62A38EFA-3CA3-47AC-89CF-1A29F9AF0A62}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
EasyBCD 1.7.1 --> C:\Program Files\NeoSmart Technologies\EasyBCD\uninstall.exe
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
Fiddler2 (remove only) --> "C:\Program Files\Fiddler2\uninst.exe"
Flickr Uploadr 3.0.5 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Fraps --> "C:\Program Files\Fraps\uninstall.exe"
GDR 3054 for SQL Server Tools and Workstation Components 2005 ENU (KB934458) --> C:\Windows\SQLTools9_KB934458_ENU\Hotfix.exe /Uninstall
Genie Backup Manager Pro 8.0 --> "C:\Program Files\Genie-Soft\GBMPro8\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /X{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InterVideo DeviceService --> MsiExec.exe /I{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}
IsoBuster 2.3 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech GamePanel Software 2.02 --> MsiExec.exe /X{0523EAF4-402C-4435-A0DA-13C40193D811}
Logitech QuickCam --> MsiExec.exe /X{364EC092-93CF-4DDC-9D7A-7278452028E0}
Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaMonkey 3.0 --> "C:\Program Files\MediaMonkey\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft .NET Framework 3.5 --> C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5 --> MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft ASP.NET Futures (July 2007) --> MsiExec.exe /I{2B237956-DF51-49D0-8095-353A46B9D116}
Microsoft ASP.NET MVC Preview 2 --> MsiExec.exe /X{A4394612-D02F-11DC-9BFF-D18556D89593}
Microsoft Device Emulator version 3.0 - ENU --> MsiExec.exe /X{B32E7732-B2FB-3FD0-81AC-6025B1104C66}
Microsoft Document Explorer 2008 --> C:\Program Files\Common Files\Microsoft Shared\Help 9\Microsoft Document Explorer 2008\install.exe
Microsoft Document Explorer 2008 --> MsiExec.exe /X{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}
Microsoft Expression Blend 2.5 June 2008 Preview --> MsiExec.exe /I{2D28D108-BE26-48AF-B26C-966DC332112A}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visual Web Developer 2007 --> MsiExec.exe /X{90120000-0021-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer MUI (English) 2007 --> MsiExec.exe /X{90120000-0021-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Silverlight 2 SDK Beta2 --> MsiExec.exe /I{2E2F47AA-B1BB-4D95-B3CD-C3A95C9CBED6}
Microsoft Silverlight Tools Beta 2 for Visual Studio 2008 --> MsiExec.exe /X{13335FCE-C126-4E3B-B856-66DEB5A2B458}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{69880C00-08DD-4385-B752-9C62656F6D1E}
Microsoft SQL Server 2005 Books Online (English) (September 2007) --> MsiExec.exe /I{6FDD4688-E063-401D-B6BE-7234E20B9173}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server Compact 3.5 Design Tools ENU --> MsiExec.exe /X{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}
Microsoft SQL Server Compact 3.5 ENU --> MsiExec.exe /I{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}
Microsoft SQL Server Compact 3.5 for Devices ENU --> MsiExec.exe /I{241F2BF7-69EB-42A4-9156-96B2426C7504}
Microsoft SQL Server Database Publishing Wizard 1.2 --> MsiExec.exe /X{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Microsoft Visual Studio 2005 Toolbox Controls Installer --> MsiExec.exe /I{BB000E0F-5291-4C90-84AE-5296023254BF}
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Microsoft Visual Studio 2008 Professional Edition - ENU --> c:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Studio 2008 Professional Edition - ENU\setup.exe
Microsoft Visual Studio Web Authoring Component --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISUALWEBDEVELOPER /dll OSETUP.DLL
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools --> MsiExec.exe /X{05EC21B8-4593-3037-A781-A6B5AFFCB19D}
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries --> MsiExec.exe /X{842FAF7C-50EF-4463-9B8F-6222E1384D7D}
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense --> MsiExec.exe /X{64c5b887-b5ee-42b8-8596-78905a6b5f1f}
Microsoft Windows SDK for Visual Studio 2008 Tools --> MsiExec.exe /X{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools --> MsiExec.exe /X{B268E9A1-04A9-40D0-9866-846BE2B74BA7}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Nero 8 Trial --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\OALInst.exe" /U
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerArchiver 2007 --> MsiExec.exe /I{C297F052-BB51-43FF-B403-A4045D865816}
PunkBuster Services --> C:\Windows\system32\pbsvc.exe -u
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Service Pack 2 for SQL Server Tools and Workstation Components 2005 ENU (KB921896) --> C:\Windows\SQLTools9_KB921896_ENU\Hotfix.exe /Uninstall
Sins of a Solar Empire Demo --> "C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}\Sins_of_a_Solar_Empire_setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire Demo --> C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}\Sins_of_a_Solar_Empire_setup.exe
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SnagIt 8 --> MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}
Sony Vegas Movie Studio 8.0 --> MsiExec.exe /X{6D3A42EA-DFD9-4E8A-A9DC-3DE9B162BEDD}
Sony Vegas Movie Studio Platinum 8.0 --> MsiExec.exe /X{B8E8C8EC-5C22-4B02-9C02-D851262F574C}
SpeedSim --> C:\Program Files\SpeedSim\uninst.exe
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SQLXML4 --> MsiExec.exe /I{36DD7006-7BFE-4E3D-AF6E-FA734BC879B7}
Symantec AntiVirus --> MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB950630) --> C:\Windows\system32\msiexec.exe /package {D7DAD1E4-45F4-3B2B-899A-EA728167EC4F} /uninstall {3EEE605B-4E76-4365-80A0-37AE044534BD} /qb+ REBOOTPROMPT=""
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VC Runtimes MSI --> MsiExec.exe /X{FF29527A-44CD-3422-945E-981A13584000}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vista Codec Package --> MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Visual Studio 2005 Tools for Office Second Edition Runtime --> c:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
Visual Studio Tools for the Office system 3.0 Runtime --> C:\Program Files\Common Files\Microsoft Shared\VSTO\9.0\Visual Studio Tools for the Office system 3.0 Runtime\install.exe
Visual Studio Tools for the Office system 3.0 Runtime --> MsiExec.exe /X{8FB53850-246A-3507-8ADE-0060093FFEA6}
Vodei Multimedia Processor 2.10 --> C:\Program Files\Vodei\uninst.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Mobile 5.0 SDK R2 for Pocket PC --> MsiExec.exe /I{6C9F6D23-E9AD-43C9-B43A-011562AAF876}
Windows Mobile 5.0 SDK R2 for Smartphone --> MsiExec.exe /I{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}
Windows NT Backup - Restore Utility --> MsiExec.exe /I{B3E699B5-7EEE-4AB1-A7BB-A43B7B4D94ED}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil


-- Application Event Log -------------------------------------------------------

Event Record #/Type16600 / Success
Event Submitted/Written: 06/28/2008 09:19:43 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type16588 / Success
Event Submitted/Written: 06/28/2008 09:19:28 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type16587 / Success
Event Submitted/Written: 06/28/2008 09:19:28 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type16583 / Success
Event Submitted/Written: 06/28/2008 09:19:26 AM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type16568 / Error
Event Submitted/Written: 06/28/2008 08:55:21 AM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan.Vundo in File: C:\Windows\System32\vfcilxcv.dll by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type77111 / Error
Event Submitted/Written: 06/28/2008 10:48:20 AM
Event ID/Source: 4 / Kerberos
Event Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server alexi$. The target name used was cifs/Alexib.Matrix6.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (MATRIX6.LOCAL) is different from the client domain (MATRIX6.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event Record #/Type77109 / Error
Event Submitted/Written: 06/28/2008 09:30:27 AM
Event ID/Source: 4 / Kerberos
Event Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server alexi$. The target name used was cifs/Alexib.Matrix6.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (MATRIX6.LOCAL) is different from the client domain (MATRIX6.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event Record #/Type76695 / Error
Event Submitted/Written: 06/27/2008 03:48:31 PM
Event ID/Source: 10010 / DCOM
Event Description:
{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Event Record #/Type76553 / Error
Event Submitted/Written: 06/26/2008 09:30:50 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068

Event Record #/Type76552 / Error
Event Submitted/Written: 06/26/2008 09:30:49 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068



-- End of Deckard's System Scanner: finished at 2008-06-28 10:55:17 ------------
rboarman
Active Member
 
Posts: 14
Joined: June 25th, 2008, 9:30 pm

Re: Virtumonde help

Unread postby Shaba » June 29th, 2008, 4:52 am

Hi

You are not supposed to run tools like combofix unsupervised.

But as you now have ComboFix, we can use it :)

  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the run box:
    "%userprofile%\desktop\dss.exe" /daft
  • Click OK.
  • Click OK to the prompt from Deckard's System Scanner.
  • Click Scan.
  • Place a tick next to the following entries (if they are present).
    .cpl
    .reg
    .scr
  • Click Fix

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\Windows\System32\qomjiIBQ.dll
C:\Windows\System32\XGNXbJlm.ini
C:\Windows\System32\nXGjknpo.ini
C:\Windows\System32\wgrfawbk.dll
C:\Windows\System32\vgbbhcpi.dll
C:\Windows\System32\yedbcfhq.dll
C:\Windows\System32\uyyryyvy.dll
C:\Windows\System32\eoseynta.dll
C:\Windows\System32\hpqiemyt.dll
C:\Windows\System32\DKlooYxx.ini
C:\Windows\System32\rghnhvwc.dll
C:\Windows\System32\bssepcsx.dll
C:\Windows\System32\arxbegbn.dll
C:\Windows\System32\amjookvf.dll
C:\Windows\System32\mfcgflhi.dll
C:\Windows\System32\umrxwksy.dll
C:\Windows\System32\ajkhtfbg.dll
C:\Windows\System32\rwiksqtr.dll
C:\Windows\System32\spdohtwy.dll
C:\Windows\System32\pnljisoq.dll
C:\Windows\System32\aelxlqyt.dll
C:\Windows\System32\vfcilxcv.dll
C:\Windows\System32\WGfiQXyb.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{197AE0D6-306F-4E94-811B-2219F514BC17}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232C2641-F618-425F-9413-1836B216C295}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B22A14E-2E73-43E1-9049-F02F26CC3A52}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{627C7723-6E7A-44A5-9D3D-42478FF8F4F1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e0b6c34-c19f-4afd-93c3-83c799e0c36e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMa748361b"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened, we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
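The CFScript above uses two section types: File:: (paths ComboFix is to delete) and Registry:: (.reg-style syntax, where [-KEY] removes a key and "name"=- removes a value). As an added example that is not part of this thread or of ComboFix, the Python below parses such a script together with a "Files Created" listing of the kind ComboFix prints, and reports which listed files the listing actually shows and which files matching this thread's naming pattern (8-letter pseudo-random names dropped in System32) the script leaves out. The sample script and log lines are constructed from entries posted in this thread; the looks_like_vundo heuristic is my triage assumption, not ComboFix's logic.

```python
# Added example, not part of the thread or of ComboFix: parse a CFScript's
# File:: and Registry:: sections plus a ComboFix "Files Created" listing and
# cross-check them. Sample script and log lines are constructed from the thread.
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_CFSCRIPT = r"""File::
C:\Windows\System32\qomjiIBQ.dll
C:\Windows\System32\XGNXbJlm.ini
C:\Windows\System32\vgbbhcpi.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{197AE0D6-306F-4E94-811B-2219F514BC17}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMa748361b"=-
"""

SAMPLE_LOG = r"""2008-06-28 10:46 . 2008-06-28 10:46 <DIR> d-------- C:\Deckard
2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 15:42 . 2008-06-26 15:42 345 --ahs---- C:\Windows\System32\XGNXbJlm.ini
2008-06-25 18:30 . 2008-06-25 18:30 91,136 --a------ C:\Windows\System32\vgbbhcpi.dll
2008-06-15 19:43 . 2008-04-22 21:42 293,376 --------- C:\Windows\System32\psisdecd.dll
"""

@dataclass
class CFScript:
    files: list = field(default_factory=list)          # File:: paths
    delete_keys: list = field(default_factory=list)    # [-KEY] lines
    delete_values: list = field(default_factory=list)  # (key, name) from "name"=-

@dataclass
class LogEntry:
    size: Optional[int]  # None for <DIR> entries
    attrs: str           # nine-character attribute field, e.g. --ahs----
    path: str

VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')
LOG_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR>|(?P<size>[\d,]+)) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.(dll|ini)$")

def parse_cfscript(text: str) -> CFScript:
    """Parse File:: and Registry:: sections (.reg-style delete syntax)."""
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            script.files.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                script.delete_keys.append(line[2:-1])   # whole key removed
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]                # value deletions follow
            else:
                m = VALUE_DELETE.match(line)
                if m and current_key is not None:
                    script.delete_values.append((current_key, m.group(1)))
    return script

def parse_log(text: str) -> list:
    """Parse 'Files Created' lines; anything else in the log is skipped."""
    entries = []
    for m in filter(None, map(LOG_LINE.match, text.splitlines())):
        size = m.group("size")
        entries.append(LogEntry(int(size.replace(",", "")) if size else None,
                                m.group("attrs"), m.group("path")))
    return entries

def looks_like_vundo(entry: LogEntry) -> Optional[str]:
    """Triage hint from this thread's naming pattern: 8-letter pseudo-random
    names directly in System32. Not a verdict: psisdecd.dll also matches."""
    folder, _, name = entry.path.rpartition("\\")
    m = RANDOM_NAME.match(name)
    if folder.lower() != r"c:\windows\system32" or not m:
        return None
    if m.group(1) == "dll":
        return "8-letter .dll in System32"
    if "h" in entry.attrs and "s" in entry.attrs:
        return "hidden+system 8-letter .ini in System32"
    return None

def cross_check(script: CFScript, entries: list) -> dict:
    """Compare the File:: list with the listing, case-insensitively."""
    seen = {e.path.lower() for e in entries}
    listed = {p.lower() for p in script.files}
    flagged = {e.path.lower() for e in entries if looks_like_vundo(e)}
    return {"listed_and_seen": sorted(listed & seen),
            "listed_not_seen": sorted(listed - seen),
            "flagged_not_listed": sorted(flagged - listed)}

if __name__ == "__main__":
    print(cross_check(parse_cfscript(SAMPLE_CFSCRIPT), parse_log(SAMPLE_LOG)))
```

The flagged_not_listed bucket is where a reviewer looks before adding anything to a script: in the sample it contains only psisdecd.dll, a legitimate Windows file, which shows why the naming heuristic is a hint to be checked by hand rather than a reason to delete.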

Re: Virtumonde help

Unread postby rboarman » June 29th, 2008, 3:39 pm

Thank you for your help.

Here's the ComboFix log. It ran fairly quickly and I did not have to kill any processes.

Rick


ComboFix 08-06-20.4 - rick 2008-06-29 9:45:46.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1127 [GMT -7:00]
Running from: C:\Users\rick.MATRIX6\Desktop\ComboFix.exe
Command switches used :: C:\Users\rick.MATRIX6\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-28 10:46 . 2008-06-28 10:46 <DIR> d-------- C:\Deckard
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 08:20 . 2008-06-19 17:48 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-28 08:20 . 2008-06-19 17:47 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 262,144 --a------ C:\ntuser.dat
2008-06-26 16:53 . 2008-06-27 08:58 65,536 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-26 16:53 65,536 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-27 08:58 5,120 --ah----- C:\ntuser.dat.LOG1
2008-06-26 16:53 . 2008-06-26 16:53 0 --ah----- C:\ntuser.dat.LOG2
2008-06-26 15:42 . 2008-06-26 15:42 345 --ahs---- C:\Windows\System32\XGNXbJlm.ini
2008-06-26 15:30 . 2008-06-26 15:30 345 --ahs---- C:\Windows\System32\nXGjknpo.ini
2008-06-25 18:30 . 2008-06-25 18:30 91,136 --a------ C:\Windows\System32\vgbbhcpi.dll
2008-06-25 17:22 . 2008-06-25 17:22 91,136 --a------ C:\Windows\System32\yedbcfhq.dll
2008-06-25 17:18 . 2008-06-25 17:18 91,136 --a------ C:\Windows\System32\hpqiemyt.dll
2008-06-25 17:18 . 2008-06-25 18:12 345 --ahs---- C:\Windows\System32\DKlooYxx.ini
2008-06-25 16:51 . 2008-06-25 16:51 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\PC Tools
2008-06-25 16:51 . 2008-06-26 16:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-25 16:51 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-25 16:51 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-06-25 16:51 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-06-25 16:51 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-06-25 15:21 . 2008-06-25 15:21 91,136 --a------ C:\Windows\System32\arxbegbn.dll
2008-06-25 14:04 . 2008-06-25 14:05 <DIR> d-------- C:\Program Files\Java
2008-06-25 14:03 . 2008-06-25 14:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-25 13:51 . 2008-06-25 13:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-25 13:31 . 2008-06-25 13:31 91,136 --a------ C:\Windows\System32\umrxwksy.dll
2008-06-25 13:08 . 2008-06-25 13:08 91,136 --a------ C:\Windows\System32\rwiksqtr.dll
2008-06-25 11:41 . 2008-06-25 11:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 10:46 . 2008-06-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 09:58 . 2008-06-25 09:58 91,136 --a------ C:\Windows\System32\spdohtwy.dll
2008-06-25 09:23 . 2008-06-25 09:23 91,136 --a------ C:\Windows\System32\aelxlqyt.dll
2008-06-24 22:16 . 2008-06-24 22:28 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Sony
2008-06-24 22:16 . 2008-06-24 22:16 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Publish Providers
2008-06-24 22:16 . 2008-06-24 22:28 156 --a------ C:\Windows\Twunk001.MTX
2008-06-24 22:16 . 2008-06-24 22:28 2 --a------ C:\Windows\Twain001.Mtx
2008-06-24 22:16 . 2008-06-24 22:16 0 --a------ C:\Windows\Twunk002.MTX
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Users\All Users\Sony
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\ProgramData\Sony
2008-06-24 22:11 . 2008-06-24 22:11 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-24 22:11 . 2008-06-24 22:25 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Program Files\Sony
2008-06-24 21:20 . 2008-06-25 10:01 345 --ahs---- C:\Windows\System32\WGfiQXyb.ini
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\Users\All Users\Genie-Soft
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\ProgramData\Genie-Soft
2008-06-21 10:18 . 2008-06-21 10:18 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Genie-soft
2008-06-21 10:15 . 2008-06-21 10:15 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-21 10:15 . 2006-11-02 00:50 128,104 --------- C:\Windows\System32\drivers\WimFltr.sys
2008-06-21 10:14 . 2008-06-21 10:14 <DIR> d-------- C:\Program Files\Genie-Soft
2008-06-20 12:13 . 2008-06-20 12:13 <DIR> d-------- C:\Program Files\MSECache
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-06-16 18:01 . 2008-06-16 18:01 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\J River
2008-06-15 19:43 . 2008-03-07 19:08 4,240,384 --------- C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-15 19:43 . 2008-03-07 21:21 1,695,744 --------- C:\Windows\System32\gameux.dll
2008-06-15 19:43 . 2008-04-22 21:42 428,544 --------- C:\Windows\System32\EncDec.dll
2008-06-15 19:43 . 2008-04-22 21:42 293,376 --------- C:\Windows\System32\psisdecd.dll
2008-06-15 19:43 . 2008-04-22 21:41 218,624 --------- C:\Windows\System32\psisrndr.ax
2008-06-15 19:43 . 2008-04-22 21:41 57,856 --------- C:\Windows\System32\MSDvbNP.ax
2008-06-11 08:54 . 2008-04-24 19:12 1,383,424 --------- C:\Windows\System32\mshtml.tlb
2008-06-11 08:54 . 2008-04-26 01:08 1,314,816 --------- C:\Windows\System32\quartz.dll
2008-06-11 08:54 . 2008-04-24 21:35 826,880 --------- C:\Windows\System32\wininet.dll
2008-06-11 08:54 . 2008-05-09 18:33 113,664 --------- C:\Windows\System32\drivers\rmcast.sys
2008-06-09 11:22 . 2007-12-20 14:10 129,520 --------- C:\Windows\System32\pxafs.dll
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Winamp
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 11:10 . 2008-06-09 11:10 <DIR> d-------- C:\Program Files\J River
2008-06-09 11:10 . 2008-03-13 08:58 585,728 --------- C:\Windows\System32\AReadyLB.dll
2008-06-09 11:10 . 2008-03-13 08:58 229,376 --------- C:\Windows\System32\AudDevicePlugin.dll
2008-06-09 11:10 . 2008-03-13 08:58 183,129 --------- C:\Windows\System32\AM Install1.INF
2008-06-09 10:09 . 2008-06-15 19:46 <DIR> d-------- C:\Program Files\Windows Live
2008-06-09 10:09 . 2008-06-09 10:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-06-03 07:58 . 2008-06-03 07:58 <DIR> d-------- C:\Users\alexi\AppData\Roaming\Ulead Systems
2008-05-30 11:23 . 2008-05-30 11:24 222,425,481 --------- C:\Windows\MEMORY.DMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 16:30 --------- d---a-w C:\ProgramData\TEMP
2008-06-25 21:07 --------- d-----w C:\Program Files\Trillian
2008-06-25 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 05:10 --------- d-----w C:\ProgramData\Ulead Systems
2008-06-25 04:14 --------- d-----w C:\Program Files\PowerArchiver
2008-06-23 03:10 --------- d-----w C:\ProgramData\NVIDIA
2008-06-20 14:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-19 20:18 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-19 20:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-19 20:17 --------- d-----w C:\Program Files\Microsoft SDKs
2008-06-18 16:44 --------- d-----w C:\Program Files\DivX
2008-06-16 05:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 23:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-09 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-04 02:39 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ventrilo
2008-06-03 14:56 --------- d-----w C:\ProgramData\eFax Messenger 4.3 Output
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ------w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ------w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ------w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ------w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ------w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ------w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ------w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu10.dll
2008-05-29 04:49 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-27 20:49 --------- d-----w C:\Program Files\StarterKits
2008-05-26 18:39 --------- d-----w C:\ProgramData\FLEXnet
2008-05-26 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 18:13 --------- d-----w C:\Program Files\Bonjour
2008-05-26 18:09 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-26 18:04 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ulead Systems
2008-05-26 17:58 0 ---h--w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-26 17:56 --------- d-----w C:\Program Files\Windows Media Components
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-22 22:22 524,288 ------w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ------w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ------w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ------w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ------w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ------w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ------w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ------w C:\Windows\System32\DivXWMPExtType.dll
2008-05-22 01:35 --------- d--h--w C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-22 01:32 --------- d-----w C:\Program Files\Stardock Games
2008-05-21 00:10 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\vlc
2008-05-21 00:09 --------- d-----w C:\Program Files\VideoLAN
2008-05-20 16:20 --------- d-----w C:\Program Files\Windows NT Backup - Restore Utility
2008-05-10 01:49 --------- d-----w C:\Program Files\Vodei
2008-05-05 21:53 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\eFax Messenger
2008-05-05 21:53 --------- d-----w C:\ProgramData\eFax Messenger 4.3 Setup
2008-05-05 21:53 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-05-03 00:47 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Bioshock
2008-05-02 17:13 0 ---h--w C:\Windows\system32\drivers\Msft_User_LgLcdSSDriver_01_00_00.Wdf
2008-05-02 17:13 --------- d-----w C:\ProgramData\Logitech
2008-05-02 17:13 --------- d-----w C:\Program Files\Logitech
2008-05-02 12:59 122,368 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2008-05-01 00:27 442,368 ------w C:\Windows\System32\NVUNINST.EXE
2008-04-26 07:12 107,888 ------w C:\Windows\System32\CmdLineExt.dll
2008-04-12 00:23 38,400 ------w C:\Windows\System32\SoundSchemes.exe
2008-04-09 05:54 174 --sh--w C:\Program Files\desktop.ini
2008-04-09 05:30 413,696 ------w C:\Windows\System32\wrap_oal.dll
2008-04-09 05:30 110,592 ------w C:\Windows\System32\OpenAL32.dll
2008-04-09 05:21 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-04-09 05:21 101,888 ------w C:\Windows\System32\ifxcardm.dll
2008-04-09 05:01 47,560 ------w C:\Windows\System32\SPReview.exe
2008-04-09 05:01 152,576 ------w C:\Windows\System32\SPWizUI.dll
2008-03-06 01:32 32 ------w C:\Users\All Users\ezsid.dat
2008-03-06 01:32 32 ------w C:\ProgramData\ezsid.dat
2008-02-03 07:49 22,328 ------w C:\Users\rick.MATRIX6\AppData\Roaming\PnkBstrK.sys
2008-03-07 05:21 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030620080307\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_23.44.18.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 04:13:26 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-29 16:16:43 67,584 --s-a-w C:\Windows\bootstat.dat
- 2007-11-21 00:04:32 1,523,536 ------w C:\Windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-03-25 02:33:02 1,527,056 ----a-w C:\Windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-06-28 04:13:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-28 04:13:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-28 04:27:37 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-29 16:22:56 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-28 04:27:32 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-29 16:22:56 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-28 04:13:52 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-29 16:23:43 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-28 04:13:52 196,608 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-29 16:23:43 196,608 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-28 04:13:52 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-29 16:23:43 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-28 04:17:50 127,740 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-29 16:26:56 127,740 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-28 04:17:50 671,868 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-29 16:26:56 671,868 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-27 15:50:55 17,262 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
+ 2008-06-29 16:24:22 17,310 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
- 2008-06-27 15:50:55 75,268 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-29 16:24:21 75,332 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-27 15:50:48 61,254 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-29 16:24:16 61,608 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 16:35 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-07 19:25 160592]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [ ]
"CtxfiReg"="CTXFIREG.exe" [2007-10-25 22:52 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\Users\rick.MATRIX6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-01-07 23:11:22 798]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{569D53C3-706A-4456-B5DA-E1BD72FE7E91}"= UDP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{F18DE565-6EA1-4630-87DE-A0C8D4036CD5}"= TCP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{7F76A358-63CF-46E4-8AF8-346CC0DEFC64}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"UDP Query User{2A8DC694-EDBA-430B-8E54-568DCAE98DD2}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"TCP Query User{56C1193A-DCF7-414A-B91D-2DF9BCD084B2}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{13ED714D-8851-4AA2-8A11-8B507492FB51}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1441EED2-19F8-48E7-9D37-9319F7EDABEF}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"UDP Query User{39CED5C9-1D29-47D5-B950-BCD64CED3D4C}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"{F234B377-A305-4B89-9789-FAC613F0AB53}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{913AC9CB-A469-4241-9A64-DA088A219799}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{FE80938A-9132-478F-BC2D-595521ABCEBE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{79C88D88-66DE-4DC2-BC4E-B0F950884EC3}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{C19915FB-BB9A-4992-83C2-FE68DAAE7DC0}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B7033A8E-B7CC-4223-8976-F27E76851EAB}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{ACBE0E22-6DD4-4596-863A-276D448401F0}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{02A2F050-DC6A-43D1-A480-42A49F818D19}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{71C22B22-FDA2-4723-96BB-9A8C1311C549}C:\\windows\\system32\\ftp.exe"= UDP:C:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{A1E7A201-8BB2-4DC1-A633-734292F36F67}C:\\windows\\system32\\ftp.exe"= TCP:C:\windows\system32\ftp.exe:File Transfer Program
"{5407455A-286A-4784-B98B-28038757A191}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{114A0A80-0F24-487C-A74D-6C68D858005C}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{561578AD-5632-47B4-A624-67FDF2A1C661}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1469D84-059A-4B0E-86A3-CB5F06EFD5C9}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{402134E8-C9F7-4FC1-8E33-8D551B47C1CD}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{F896FCBE-BCB9-4455-B1FE-648C34EBBD9A}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{E432EE64-FCBC-4DAB-A175-E349295D84F9}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= UDP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"UDP Query User{69F7DF09-CCC2-4758-B432-86A87E93F7AD}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= TCP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"{19B0CE24-11DA-4655-9114-1569C8AB0B5E}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{72D730A3-CB26-4D00-9A9B-230A0A4F474D}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C6C75529-2063-49CD-8B07-D9F4BE99823C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{9D348DE3-9F0C-4335-8890-0EF1760CE955}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{14CB1A57-2EDB-4322-B910-E70DC8D76B5A}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{958372C2-2FB8-4F10-B9E5-04E0EE92211D}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"{AD5B00EF-200F-4B5F-BC06-1E67F14CB324}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"{41A3127D-9712-4887-B3D3-C7A187F020A0}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"TCP Query User{E7C85640-0E49-4A56-9F94-ACA31F16AB6B}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
"UDP Query User{8DBC632B-7AFF-4113-A265-00393317097D}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian

R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [2007-10-26 00:33]
S3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-06-29 18:05:05 C:\Windows\Tasks\User_Feed_Synchronization-{31B90036-0669-4958-AA20-50CC211610BD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 10:27:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 11:12:50
ComboFix-quarantined-files.txt 2008-06-29 18:09:19
ComboFix2.txt 2008-06-28 06:44:53

Pre-Run: 143,842,344,960 bytes free
Post-Run: 143,336,198,144 bytes free

318 --- E O F --- 2008-06-24 15:54:19


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38, on 2008-06-29
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/#General
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {627C7723-6E7A-44A5-9D3D-42478FF8F4F1} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: MagicDisc.lnk.disabled
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.itaggit.com/Items/Controls/I ... oader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\Software\..\Telephony: DomainName = Matrix6.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Matrix6.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11574 bytes
rboarman
Active Member
 
Posts: 14
Joined: June 25th, 2008, 9:30 pm
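The ComboFix logs rboarman posts in this thread list every file created in the previous month, and the Virtumonde droppings stand out by shape rather than by name: eight-letter DLLs in System32 whose created and modified timestamps are identical, several of them exactly 91,136 bytes, alongside 345-byte hidden+system .ini files. The script below is an added example, not code from the thread or from ComboFix, HijackThis or any other tool mentioned here. It parses a "Files Created" listing in the layout these logs use and scores each System32 DLL on those traits plus one more that is this example's own assumption: that a Vundo DLL's companion .ini carries the DLL name reversed (so XGNXbJlm.ini would belong to mlJbXNGX.dll). The sample input is lines copied from the thread's listing plus one constructed line, xxYoolKD.dll, which does not appear in the thread and is added only so a complete DLL/.ini pair is present; the thresholds and scoring are the example's, not the forum's.

```python
"""Triage a ComboFix "Files Created" listing for Vundo/Virtumonde-style files.

Added example for this thread, not ComboFix/HijackThis/forum code. Heuristics
are this example's assumptions, not tool features: random eight-letter DLL
name, created == modified, one size recurring across System32 DLLs, and a
hidden+system .ini whose basename is the DLL basename reversed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from this thread's listing, in ComboFix's
# layout, plus ONE hypothetical line (xxYoolKD.dll) that is not in the thread,
# added so that a complete DLL/.ini pair is present.
SAMPLE_LOG = r"""
2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 15:42 . 2008-06-26 15:42 345 --ahs---- C:\Windows\System32\XGNXbJlm.ini
2008-06-25 18:30 . 2008-06-25 18:30 91,136 --a------ C:\Windows\System32\vgbbhcpi.dll
2008-06-25 17:22 . 2008-06-25 17:22 91,136 --a------ C:\Windows\System32\yedbcfhq.dll
2008-06-25 17:18 . 2008-06-25 17:18 91,136 --a------ C:\Windows\System32\hpqiemyt.dll
2008-06-25 17:18 . 2008-06-25 17:18 91,136 --a------ C:\Windows\System32\xxYoolKD.dll
2008-06-25 17:18 . 2008-06-25 18:12 345 --ahs---- C:\Windows\System32\DKlooYxx.ini
2008-06-25 16:51 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-09 11:10 . 2008-03-13 08:58 585,728 --------- C:\Windows\System32\AReadyLB.dll
2008-05-22 15:20 . 2008-05-22 15:20 1,044,480 --------- C:\Windows\System32\libdivx.dll
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR>
    attrs: str
    path: str

    def __post_init__(self) -> None:
        parent, _, self.basename = self.path.rpartition("\\")
        self.stem, _, ext = self.basename.rpartition(".")
        self.ext = ext.lower()
        # System32 itself only; drivers\ and other subfolders are excluded.
        self.in_system32 = parent.lower().endswith("\\windows\\system32")


def parse(log_text: str) -> List[Entry]:
    """Keep 'Files Created' lines; headers and Find3M lines do not match."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(log_text: str, min_score: int = 2) -> Dict[str, dict]:
    """Map basename -> {"score", "reasons"} for DLLs scoring >= min_score and
    for hidden+system reversed-name .ini files whose DLL partner is absent."""
    sys32 = [e for e in parse(log_text) if e.in_system32 and e.size is not None]
    dlls = [e for e in sys32 if e.ext == "dll"]
    inis = {e.stem: e for e in sys32
            if e.ext == "ini" and "h" in e.attrs and "s" in e.attrs}
    size_counts = Counter(e.size for e in dlls)
    dll_stems = {e.stem for e in dlls}
    findings: Dict[str, dict] = {}

    for e in dlls:
        partner = inis.get(e.stem[::-1])  # .ini named with the DLL name reversed
        checks = [
            (RANDOM_NAME_RE.match(e.stem), 1, "eight-letter random-looking name"),
            (e.created == e.modified, 1, "created == modified (freshly dropped)"),
            (size_counts[e.size] >= 3, 1,
             f"size {e.size:,} shared by {size_counts[e.size]} DLLs"),
            (partner is not None, 2,
             f"hidden+system companion {partner.basename if partner else ''}"),
        ]
        score = sum(pts for hit, pts, _ in checks if hit)
        if score >= min_score:
            findings[e.basename] = {"score": score, "reasons": [t for h, _, t in checks if h]}

    # A reversed-name .ini with no DLL in the listing: the DLL is already gone,
    # but the orphan still marks the infection and should be cleaned up too.
    for stem, e in inis.items():
        if RANDOM_NAME_RE.match(stem) and stem[::-1] not in dll_stems:
            findings[e.basename] = {"score": 2, "reasons": [
                f"orphan companion .ini; DLL {stem[::-1]}.dll not in listing"]}
    return findings


if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']}  {name}: {'; '.join(info['reasons'])}")
```

Run it as a script to print the findings for the sample; on a real log, pass the whole ComboFix text to triage(), since every line that is not a "Files Created" entry fails the regex and is skipped. The threshold is deliberate: at the default min_score of 2 the three 91,136-byte DLLs and the constructed xxYoolKD.dll are reported, while qomjiIBQ.dll (eight letters but otherwise unremarkable on these heuristics) and the legitimately named AReadyLB.dll each score 1 and are left for manual review; lowering min_score to 1 surfaces them. The reversed-name companion is the only strong signal, which is why it alone is worth 2 points and why an orphaned .ini is reported even when its DLL has already been removed.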

Re: Virtumonde help

Post by Shaba » June 30th, 2008, 5:12 am

Hi

Did you copy everything in the quote box to CFScript?

I ask because it didn't do everything it was supposed to do.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde help

Post by rboarman » June 30th, 2008, 2:01 pm

I ran ComboFix again just to make sure. The log file is below as well as a new HijackThis log.

One thing I noticed is that ComboFix took almost 2 hours to run. It was not stuck, but just running very slowly. I noticed that one process was taking most of the CPU time (LVPrcSrv.exe). Once I killed that process, ComboFix started to run very quickly.

Rick

ComboFix 08-06-20.4 - rick 2008-06-30 9:19:16.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1113 [GMT -7:00]
Running from: C:\Users\rick.MATRIX6\Desktop\ComboFix.exe
Command switches used :: C:\Users\rick.MATRIX6\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-28 10:46 . 2008-06-28 10:46 <DIR> d-------- C:\Deckard
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 08:20 . 2008-06-19 17:48 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-28 08:20 . 2008-06-19 17:47 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 262,144 --a------ C:\ntuser.dat
2008-06-26 16:53 . 2008-06-27 08:58 65,536 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-26 16:53 65,536 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-27 08:58 5,120 --ah----- C:\ntuser.dat.LOG1
2008-06-26 16:53 . 2008-06-26 16:53 0 --ah----- C:\ntuser.dat.LOG2
2008-06-26 15:42 . 2008-06-26 15:42 345 --ahs---- C:\Windows\System32\XGNXbJlm.ini
2008-06-26 15:30 . 2008-06-26 15:30 345 --ahs---- C:\Windows\System32\nXGjknpo.ini
2008-06-25 18:30 . 2008-06-25 18:30 91,136 --a------ C:\Windows\System32\vgbbhcpi.dll
2008-06-25 17:22 . 2008-06-25 17:22 91,136 --a------ C:\Windows\System32\yedbcfhq.dll
2008-06-25 17:18 . 2008-06-25 17:18 91,136 --a------ C:\Windows\System32\hpqiemyt.dll
2008-06-25 17:18 . 2008-06-25 18:12 345 --ahs---- C:\Windows\System32\DKlooYxx.ini
2008-06-25 16:51 . 2008-06-25 16:51 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\PC Tools
2008-06-25 16:51 . 2008-06-26 16:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-25 16:51 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-25 16:51 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-06-25 16:51 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-06-25 16:51 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-06-25 15:21 . 2008-06-25 15:21 91,136 --a------ C:\Windows\System32\arxbegbn.dll
2008-06-25 14:04 . 2008-06-25 14:05 <DIR> d-------- C:\Program Files\Java
2008-06-25 14:03 . 2008-06-25 14:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-25 13:51 . 2008-06-25 13:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-25 13:31 . 2008-06-25 13:31 91,136 --a------ C:\Windows\System32\umrxwksy.dll
2008-06-25 13:08 . 2008-06-25 13:08 91,136 --a------ C:\Windows\System32\rwiksqtr.dll
2008-06-25 11:41 . 2008-06-25 11:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 10:46 . 2008-06-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 09:58 . 2008-06-25 09:58 91,136 --a------ C:\Windows\System32\spdohtwy.dll
2008-06-25 09:23 . 2008-06-25 09:23 91,136 --a------ C:\Windows\System32\aelxlqyt.dll
2008-06-24 22:16 . 2008-06-24 22:28 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Sony
2008-06-24 22:16 . 2008-06-24 22:16 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Publish Providers
2008-06-24 22:16 . 2008-06-24 22:28 156 --a------ C:\Windows\Twunk001.MTX
2008-06-24 22:16 . 2008-06-24 22:28 2 --a------ C:\Windows\Twain001.Mtx
2008-06-24 22:16 . 2008-06-24 22:16 0 --a------ C:\Windows\Twunk002.MTX
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Users\All Users\Sony
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\ProgramData\Sony
2008-06-24 22:11 . 2008-06-24 22:11 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-24 22:11 . 2008-06-24 22:25 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Program Files\Sony
2008-06-24 21:20 . 2008-06-25 10:01 345 --ahs---- C:\Windows\System32\WGfiQXyb.ini
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\Users\All Users\Genie-Soft
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\ProgramData\Genie-Soft
2008-06-21 10:18 . 2008-06-21 10:18 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Genie-soft
2008-06-21 10:15 . 2008-06-21 10:15 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-21 10:15 . 2006-11-02 00:50 128,104 --------- C:\Windows\System32\drivers\WimFltr.sys
2008-06-21 10:14 . 2008-06-21 10:14 <DIR> d-------- C:\Program Files\Genie-Soft
2008-06-20 12:13 . 2008-06-20 12:13 <DIR> d-------- C:\Program Files\MSECache
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-06-16 18:01 . 2008-06-16 18:01 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\J River
2008-06-15 19:43 . 2008-03-07 19:08 4,240,384 --------- C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-15 19:43 . 2008-03-07 21:21 1,695,744 --------- C:\Windows\System32\gameux.dll
2008-06-15 19:43 . 2008-04-22 21:42 428,544 --------- C:\Windows\System32\EncDec.dll
2008-06-15 19:43 . 2008-04-22 21:42 293,376 --------- C:\Windows\System32\psisdecd.dll
2008-06-15 19:43 . 2008-04-22 21:41 218,624 --------- C:\Windows\System32\psisrndr.ax
2008-06-15 19:43 . 2008-04-22 21:41 57,856 --------- C:\Windows\System32\MSDvbNP.ax
2008-06-11 08:54 . 2008-04-24 19:12 1,383,424 --------- C:\Windows\System32\mshtml.tlb
2008-06-11 08:54 . 2008-04-26 01:08 1,314,816 --------- C:\Windows\System32\quartz.dll
2008-06-11 08:54 . 2008-04-24 21:35 826,880 --------- C:\Windows\System32\wininet.dll
2008-06-11 08:54 . 2008-05-09 18:33 113,664 --------- C:\Windows\System32\drivers\rmcast.sys
2008-06-09 11:22 . 2007-12-20 14:10 129,520 --------- C:\Windows\System32\pxafs.dll
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Winamp
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 11:10 . 2008-06-09 11:10 <DIR> d-------- C:\Program Files\J River
2008-06-09 11:10 . 2008-03-13 08:58 585,728 --------- C:\Windows\System32\AReadyLB.dll
2008-06-09 11:10 . 2008-03-13 08:58 229,376 --------- C:\Windows\System32\AudDevicePlugin.dll
2008-06-09 11:10 . 2008-03-13 08:58 183,129 --------- C:\Windows\System32\AM Install1.INF
2008-06-09 10:09 . 2008-06-15 19:46 <DIR> d-------- C:\Program Files\Windows Live
2008-06-09 10:09 . 2008-06-09 10:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-06-03 07:58 . 2008-06-03 07:58 <DIR> d-------- C:\Users\alexi\AppData\Roaming\Ulead Systems
2008-05-30 11:23 . 2008-05-30 11:24 222,425,481 --------- C:\Windows\MEMORY.DMP
2008-05-27 13:49 . 2008-05-27 13:49 <DIR> d-------- C:\Program Files\StarterKits
2008-05-26 11:39 . 2008-05-26 11:39 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-05-26 11:39 . 2008-05-26 11:39 <DIR> d-------- C:\ProgramData\FLEXnet
2008-05-26 11:18 . 2007-02-20 16:04 2,463,976 --------- C:\Windows\System32\NPSWF32.dll
2008-05-26 11:18 . 2007-02-20 16:04 190,696 --------- C:\Windows\System32\NPSWF32_FlashUtil.exe
2008-05-26 11:13 . 2008-05-26 11:13 <DIR> d-------- C:\Program Files\Bonjour
2008-05-26 11:09 . 2008-05-26 11:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 11:02 . 2008-05-26 11:04 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Ulead Systems
2008-05-26 10:58 . 2008-05-26 10:58 0 ---h----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Users\RICK~1~MAT\AppData
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Users\RICK~1~MAT
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Program Files\Windows Media Components
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-26 10:54 . 2008-06-24 22:10 <DIR> d-------- C:\Users\All Users\Ulead Systems
2008-05-26 10:54 . 2008-06-24 22:10 <DIR> d-------- C:\ProgramData\Ulead Systems
2008-05-22 15:22 . 2008-05-22 15:22 4,816 --------- C:\Windows\System32\divxsm.tlb
2008-05-22 15:20 . 2008-05-22 15:20 1,044,480 --------- C:\Windows\System32\libdivx.dll
2008-05-22 15:20 . 2008-05-22 15:20 200,704 --------- C:\Windows\System32\ssldivx.dll
2008-05-22 15:19 . 2008-05-22 15:19 196,608 --------- C:\Windows\System32\dtu100.dll
2008-05-22 15:19 . 2008-05-22 15:19 161,096 --------- C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 15:19 . 2008-05-22 15:19 81,920 --------- C:\Windows\System32\dpl100.dll
2008-05-22 15:19 . 2008-05-22 15:19 416 --------- C:\Windows\System32\dtu100.dll.manifest
2008-05-22 15:19 . 2008-05-22 15:19 416 --------- C:\Windows\System32\dpl100.dll.manifest
2008-05-22 15:18 . 2008-05-22 15:18 12,288 --------- C:\Windows\System32\DivXWMPExtType.dll
2008-05-21 18:35 . 2008-05-21 18:35 <DIR> d--h----- C:\Users\All Users\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-21 18:35 . 2008-05-21 18:35 <DIR> d--h----- C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-21 18:32 . 2008-05-21 18:32 <DIR> d-------- C:\Program Files\Stardock Games
2008-05-20 17:10 . 2008-05-20 17:10 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\vlc
2008-05-20 17:09 . 2008-05-20 17:09 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-20 09:21 . 2008-05-20 09:23 1,337 --------- C:\Windows\ntbackup.ini
2008-05-20 09:20 . 2008-05-21 10:19 <DIR> d-------- C:\Windows\System32\NtmsData
2008-05-20 09:20 . 2008-05-20 09:20 <DIR> d-------- C:\Program Files\Windows NT Backup - Restore Utility
2008-05-09 18:49 . 2008-05-09 18:49 <DIR> d-------- C:\Program Files\Vodei
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\eFax Messenger
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Users\All Users\eFax Messenger 4.3 Setup
2008-05-05 14:53 . 2008-06-03 07:56 <DIR> d-------- C:\Users\All Users\eFax Messenger 4.3 Output
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\ProgramData\eFax Messenger 4.3 Setup
2008-05-05 14:53 . 2008-06-03 07:56 <DIR> d-------- C:\ProgramData\eFax Messenger 4.3 Output
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2008-05-05 14:53 . 2008-05-05 14:53 0 --------- C:\Windows\System32\eFax_4_3_Port

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 16:30 --------- d---a-w C:\ProgramData\TEMP
2008-06-25 21:07 --------- d-----w C:\Program Files\Trillian
2008-06-25 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 04:14 --------- d-----w C:\Program Files\PowerArchiver
2008-06-23 03:10 --------- d-----w C:\ProgramData\NVIDIA
2008-06-20 14:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-19 20:18 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-19 20:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-19 20:17 --------- d-----w C:\Program Files\Microsoft SDKs
2008-06-18 16:44 --------- d-----w C:\Program Files\DivX
2008-06-16 05:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 23:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-09 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-04 02:39 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ventrilo
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ------w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ------w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ------w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ------w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ------w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ------w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ------w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu10.dll
2008-05-29 04:49 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-26 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-22 22:22 524,288 ------w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ------w C:\Windows\System32\qt-dx331.dll
2008-05-03 00:47 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Bioshock
2008-05-02 17:13 --------- d-----w C:\ProgramData\Logitech
2008-05-02 17:13 --------- d-----w C:\Program Files\Logitech
2008-05-01 00:27 442,368 ------w C:\Windows\System32\NVUNINST.EXE
2008-04-26 07:12 107,888 ------w C:\Windows\System32\CmdLineExt.dll
2008-04-12 00:23 38,400 ------w C:\Windows\System32\SoundSchemes.exe
2008-04-09 05:54 174 --sh--w C:\Program Files\desktop.ini
2008-04-09 05:30 413,696 ------w C:\Windows\System32\wrap_oal.dll
2008-04-09 05:30 110,592 ------w C:\Windows\System32\OpenAL32.dll
2008-04-09 05:21 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-04-09 05:21 101,888 ------w C:\Windows\System32\ifxcardm.dll
2008-04-09 05:01 47,560 ------w C:\Windows\System32\SPReview.exe
2008-04-09 05:01 152,576 ------w C:\Windows\System32\SPWizUI.dll
2008-03-25 02:52 35,840 ------w C:\Windows\System32\nvcod100.dll
2008-03-12 20:21 678,408 ------w C:\Windows\System32\gpprefcl.dll
2008-03-08 04:19 540,672 ------w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ------w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ------w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ------w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ------w C:\Windows\AppPatch\AcRes.dll
2008-03-08 00:00 795,104 ------w C:\Windows\System32\dpinst.exe
2008-03-08 00:00 5,769,760 ------w C:\Windows\System32\nvdispsr.dll
2008-03-08 00:00 465,440 ------w C:\Windows\System32\nvmccssr.dll
2008-03-08 00:00 4,143,648 ------w C:\Windows\System32\nvvitvsr.dll
2008-03-08 00:00 3,385,888 ------w C:\Windows\System32\nvgamesr.dll
2008-03-08 00:00 2,861,600 ------w C:\Windows\System32\nvmoblsr.dll
2008-03-08 00:00 2,681,376 ------w C:\Windows\System32\nvwssr.dll
2008-03-08 00:00 1,079,840 ------w C:\Windows\System32\nvcpluir.dll
2008-03-06 01:32 32 ------w C:\Users\All Users\ezsid.dat
2008-03-06 01:32 32 ------w C:\ProgramData\ezsid.dat
2008-02-03 07:49 22,328 ------w C:\Users\rick.MATRIX6\AppData\Roaming\PnkBstrK.sys
2008-03-07 05:21 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030620080307\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-29_10.59.56.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 16:16:43 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-30 15:47:29 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 15:47:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-30 15:47:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 15:52:45 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 15:52:45 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 15:52:50 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 15:52:50 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-29 16:26:56 127,740 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-30 15:51:56 127,740 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-29 16:26:56 671,868 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-30 15:51:56 671,868 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-29 16:24:22 17,310 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
+ 2008-06-30 15:53:44 17,310 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
- 2008-06-29 16:24:21 75,332 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 15:53:43 75,768 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-29 16:24:16 61,608 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 15:53:41 61,672 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 16:35 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-07 19:25 160592]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [ ]
"CtxfiReg"="CTXFIREG.exe" [2007-10-25 22:52 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\Users\rick.MATRIX6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-01-07 23:11:22 798]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{569D53C3-706A-4456-B5DA-E1BD72FE7E91}"= UDP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{F18DE565-6EA1-4630-87DE-A0C8D4036CD5}"= TCP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{7F76A358-63CF-46E4-8AF8-346CC0DEFC64}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"UDP Query User{2A8DC694-EDBA-430B-8E54-568DCAE98DD2}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"TCP Query User{56C1193A-DCF7-414A-B91D-2DF9BCD084B2}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{13ED714D-8851-4AA2-8A11-8B507492FB51}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1441EED2-19F8-48E7-9D37-9319F7EDABEF}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"UDP Query User{39CED5C9-1D29-47D5-B950-BCD64CED3D4C}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"{F234B377-A305-4B89-9789-FAC613F0AB53}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{913AC9CB-A469-4241-9A64-DA088A219799}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{FE80938A-9132-478F-BC2D-595521ABCEBE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{79C88D88-66DE-4DC2-BC4E-B0F950884EC3}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{C19915FB-BB9A-4992-83C2-FE68DAAE7DC0}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B7033A8E-B7CC-4223-8976-F27E76851EAB}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{ACBE0E22-6DD4-4596-863A-276D448401F0}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{02A2F050-DC6A-43D1-A480-42A49F818D19}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{71C22B22-FDA2-4723-96BB-9A8C1311C549}C:\\windows\\system32\\ftp.exe"= UDP:C:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{A1E7A201-8BB2-4DC1-A633-734292F36F67}C:\\windows\\system32\\ftp.exe"= TCP:C:\windows\system32\ftp.exe:File Transfer Program
"{5407455A-286A-4784-B98B-28038757A191}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{114A0A80-0F24-487C-A74D-6C68D858005C}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{561578AD-5632-47B4-A624-67FDF2A1C661}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1469D84-059A-4B0E-86A3-CB5F06EFD5C9}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{402134E8-C9F7-4FC1-8E33-8D551B47C1CD}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{F896FCBE-BCB9-4455-B1FE-648C34EBBD9A}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{E432EE64-FCBC-4DAB-A175-E349295D84F9}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= UDP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"UDP Query User{69F7DF09-CCC2-4758-B432-86A87E93F7AD}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= TCP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"{19B0CE24-11DA-4655-9114-1569C8AB0B5E}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{72D730A3-CB26-4D00-9A9B-230A0A4F474D}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C6C75529-2063-49CD-8B07-D9F4BE99823C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{9D348DE3-9F0C-4335-8890-0EF1760CE955}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{14CB1A57-2EDB-4322-B910-E70DC8D76B5A}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{958372C2-2FB8-4F10-B9E5-04E0EE92211D}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"{AD5B00EF-200F-4B5F-BC06-1E67F14CB324}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"{41A3127D-9712-4887-B3D3-C7A187F020A0}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"TCP Query User{E7C85640-0E49-4A56-9F94-ACA31F16AB6B}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
"UDP Query User{8DBC632B-7AFF-4113-A265-00393317097D}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian

S3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 17:55:01 C:\Windows\Tasks\User_Feed_Synchronization-{31B90036-0669-4958-AA20-50CC211610BD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 10:13:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\RICK~1.MAT\AppData\Local\Temp\catchme.dll 53248 bytes executable


**************************************************************************
.
Completion time: 2008-06-30 10:57:18
ComboFix-quarantined-files.txt 2008-06-30 17:56:15
ComboFix2.txt 2008-06-29 18:13:10
ComboFix3.txt 2008-06-28 06:44:53

Pre-Run: 142,815,559,680 bytes free
Post-Run: 141,758,988,288 bytes free

335 --- E O F --- 2008-06-24 15:54:19



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01, on 2008-06-30
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/#General
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: MagicDisc.lnk.disabled
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.itaggit.com/Items/Controls/I ... oader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\Software\..\Telephony: DomainName = Matrix6.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Matrix6.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11250 bytes
rboarman
Active Member
 
Posts: 14
Joined: June 25th, 2008, 9:30 pm

Re: Virtumonde help

Post by Shaba » June 30th, 2008, 2:15 pm

Hi

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\System32\qomjiIBQ.dll
    C:\Windows\System32\XGNXbJlm.ini
    C:\Windows\System32\nXGjknpo.ini
    C:\Windows\System32\wgrfawbk.dll
    C:\Windows\System32\vgbbhcpi.dll
    C:\Windows\System32\yedbcfhq.dll
    C:\Windows\System32\uyyryyvy.dll
    C:\Windows\System32\eoseynta.dll
    C:\Windows\System32\hpqiemyt.dll
    C:\Windows\System32\DKlooYxx.ini
    C:\Windows\System32\rghnhvwc.dll
    C:\Windows\System32\bssepcsx.dll
    C:\Windows\System32\arxbegbn.dll
    C:\Windows\System32\amjookvf.dll
    C:\Windows\System32\mfcgflhi.dll
    C:\Windows\System32\umrxwksy.dll
    C:\Windows\System32\ajkhtfbg.dll
    C:\Windows\System32\rwiksqtr.dll
    C:\Windows\System32\spdohtwy.dll
    C:\Windows\System32\pnljisoq.dll
    C:\Windows\System32\aelxlqyt.dll
    C:\Windows\System32\vfcilxcv.dll
    C:\Windows\System32\WGfiQXyb.ini
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run ComboFix.

Post:

- combofix log
- OTMoveIt2 report
- a fresh HijackThis log
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
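The move step above, written out as a script, is an added example; it is not OTMoveIt2's code and not anything the poster ran. It takes a subset of the file list from the post, checks each path, records a SHA-256 of every file it finds before moving it into a MovedFiles tree that mirrors the original path (OTMoveIt2 uses C:\_OTMoveIt\MovedFiles), and writes result lines in the same shape as the OTMoveIt2 log. Two things are assumptions: a temporary directory stands in for C:\Windows\System32 so the script runs offline (the sample files in it are constructed, not real samples), and the companion-name rule is read off the one pair the thread shows (mlJbXNGX.dll in the first post, XGNXbJlm.ini in the list above: the .ini stem is the DLL stem reversed, case preserved) and applied to every entry so that a partner file the list missed is checked too. The DllUnregisterServer step (regsvr32 /u) is Windows-only and is logged as skipped rather than performed.

```python
"""Added example (not OTMoveIt2's code): quarantine-move suspect files the way
the OTMoveIt2 step does and emit OTMoveIt2-style result lines.
A temporary directory stands in for C:\\Windows\\System32 so this runs offline;
the sample files it creates are constructed for the demo. The DllUnregisterServer
step is Windows-only (regsvr32 /u) and is logged as skipped, not performed."""
import hashlib
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# A subset of the list from the post, verbatim; only the file names are used.
SUSPECT_PATHS = r"""
C:\Windows\System32\qomjiIBQ.dll
C:\Windows\System32\XGNXbJlm.ini
C:\Windows\System32\nXGjknpo.ini
C:\Windows\System32\wgrfawbk.dll
C:\Windows\System32\vgbbhcpi.dll
C:\Windows\System32\yedbcfhq.dll
C:\Windows\System32\DKlooYxx.ini
C:\Windows\System32\WGfiQXyb.ini
""".split()
SUSPECT_NAMES = [PureWindowsPath(p).name for p in SUSPECT_PATHS]


def companion_name(name: str) -> str:
    """Name of the partner file dropped beside `name`.
    The thread shows mlJbXNGX.dll next to XGNXbJlm.ini: the .ini stem is the DLL
    stem reversed, case preserved. Assumption: that rule holds for every pair."""
    p = PureWindowsPath(name)
    other = ".ini" if p.suffix.lower() == ".dll" else ".dll"
    return p.stem[::-1] + other


def expand_with_companions(names):
    """Add each file's companion so a DLL whose .ini was listed (or the reverse)
    is checked too; order kept, duplicates dropped."""
    out = []
    for n in names:
        for cand in (n, companion_name(n)):
            if cand not in out:
                out.append(cand)
    return out


def quarantine(names, system32: Path, moved_root: Path):
    """Move each file under moved_root mirroring its full path, like
    C:\\_OTMoveIt\\MovedFiles. Returns (log lines, sha256 per file taken before
    the move). A file that cannot be moved is reported as needing a reboot
    instead of aborting the run, which is what OTMoveIt2 does."""
    lines, hashes = [], {}
    for n in names:
        src = system32 / n
        if not src.exists():
            lines.append(f"File/Folder {src} not found.")
            continue
        hashes[n] = hashlib.sha256(src.read_bytes()).hexdigest()
        if src.suffix.lower() == ".dll":
            lines.append(f"{src} NOT unregistered (regsvr32 /u skipped here).")
        dest = moved_root / src.relative_to(src.anchor)
        try:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dest))
            lines.append(f"{src} moved successfully.")
        except OSError as exc:
            lines.append(f"{src} could not be moved ({exc}); reboot required.")
    return lines, hashes


def run_demo(root=None):
    """Build a constructed stand-in for System32 with three of the candidate
    files present, then run the move. Returns (log lines, hashes, moved_root)."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="vundo_demo_"))
    system32 = root / "Windows" / "System32"
    moved_root = root / "_OTMoveIt" / "MovedFiles"
    system32.mkdir(parents=True, exist_ok=True)
    # Constructed sample content; real samples would be PE files / text .ini.
    for present in ("vgbbhcpi.dll", "XGNXbJlm.ini", "mlJbXNGX.dll"):
        (system32 / present).write_bytes(b"sample:" + present.encode())
    names = expand_with_companions(SUSPECT_NAMES)
    lines, hashes = quarantine(names, system32, moved_root)
    return lines, hashes, moved_root


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Hashing before the move is the part OTMoveIt2 does not do for you: once the file sits in MovedFiles with its timestamps changed, the SHA-256 is what lets you match the sample against a vendor detection or submit it. On the real box the names in SUSPECT_NAMES are handed to the tool as-is; the companion expansion is the only addition, and it is why mlJbXNGX.dll turns up in the demo output without being on the list.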

Re: Virtumonde help

Post by rboarman » June 30th, 2008, 2:41 pm

Hello,

Thank you for your prompt reply. Here is the OTMoveIt log and a new HijackThis log. I am running ComboFix and will post it shortly.

Rick

File/Folder :\Windows\System32\qomjiIBQ.dll not found.
C:\Windows\System32\XGNXbJlm.ini moved successfully.
C:\Windows\System32\nXGjknpo.ini moved successfully.
File/Folder C:\Windows\System32\wgrfawbk.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\vgbbhcpi.dll
C:\Windows\System32\vgbbhcpi.dll NOT unregistered.
C:\Windows\System32\vgbbhcpi.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\yedbcfhq.dll
C:\Windows\System32\yedbcfhq.dll NOT unregistered.
C:\Windows\System32\yedbcfhq.dll moved successfully.
File/Folder C:\Windows\System32\uyyryyvy.dll not found.
File/Folder C:\Windows\System32\eoseynta.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\hpqiemyt.dll
C:\Windows\System32\hpqiemyt.dll NOT unregistered.
C:\Windows\System32\hpqiemyt.dll moved successfully.
C:\Windows\System32\DKlooYxx.ini moved successfully.
File/Folder C:\Windows\System32\rghnhvwc.dll not found.
File/Folder C:\Windows\System32\bssepcsx.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\arxbegbn.dll
C:\Windows\System32\arxbegbn.dll NOT unregistered.
C:\Windows\System32\arxbegbn.dll moved successfully.
File/Folder C:\Windows\System32\amjookvf.dll not found.
File/Folder C:\Windows\System32\mfcgflhi.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\umrxwksy.dll
C:\Windows\System32\umrxwksy.dll NOT unregistered.
C:\Windows\System32\umrxwksy.dll moved successfully.
File/Folder C:\Windows\System32\ajkhtfbg.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\rwiksqtr.dll
C:\Windows\System32\rwiksqtr.dll NOT unregistered.
C:\Windows\System32\rwiksqtr.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\spdohtwy.dll
C:\Windows\System32\spdohtwy.dll NOT unregistered.
C:\Windows\System32\spdohtwy.dll moved successfully.
File/Folder C:\Windows\System32\pnljisoq.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\aelxlqyt.dll
C:\Windows\System32\aelxlqyt.dll NOT unregistered.
C:\Windows\System32\aelxlqyt.dll moved successfully.
File/Folder C:\Windows\System32\vfcilxcv.dll not found.
C:\Windows\System32\WGfiQXyb.ini moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06302008_113818


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40, on 06/30/08
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/#General
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: MagicDisc.lnk.disabled
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_de ... Plugin.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.itaggit.com/Items/Controls/I ... oader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\Software\..\Telephony: DomainName = Matrix6.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Matrix6.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Matrix6.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11248 bytes
rboarman

Re: Virtumonde help

Post by rboarman » June 30th, 2008, 2:47 pm

Here's the ComboFix log. It ran very quickly this time.

Rick

ComboFix 08-06-20.4 - rick 2008-06-30 11:42:27.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1068 [GMT -7:00]
Running from: C:\Users\rick.MATRIX6\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 11:38 . 2008-06-30 11:38 <DIR> d-------- C:\_OTMoveIt
2008-06-28 10:46 . 2008-06-28 10:46 <DIR> d-------- C:\Deckard
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-28 08:20 . 2008-06-28 08:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 08:20 . 2008-06-19 17:48 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-28 08:20 . 2008-06-19 17:47 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-26 17:42 . 2008-01-18 23:34 888,320 --a------ C:\Windows\System32\qomjiIBQ.dll
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 524,288 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000002.regtrans-ms
2008-06-26 16:53 . 2008-06-26 16:53 524,288 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TMContainer00000000000000000001.regtrans-ms
2008-06-26 16:53 . 2008-06-27 08:58 262,144 --a------ C:\ntuser.dat
2008-06-26 16:53 . 2008-06-27 08:58 65,536 --ahs---- C:\ntuser.dat{ce33fa67-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-26 16:53 65,536 --ahs---- C:\ntuser.dat{ce33fa63-43d3-11dd-9089-d8860555e289}.TM.blf
2008-06-26 16:53 . 2008-06-27 08:58 5,120 --ah----- C:\ntuser.dat.LOG1
2008-06-26 16:53 . 2008-06-26 16:53 0 --ah----- C:\ntuser.dat.LOG2
2008-06-25 16:51 . 2008-06-25 16:51 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\PC Tools
2008-06-25 16:51 . 2008-06-26 16:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-25 16:51 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-25 16:51 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-06-25 16:51 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-06-25 16:51 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-06-25 14:04 . 2008-06-25 14:05 <DIR> d-------- C:\Program Files\Java
2008-06-25 14:03 . 2008-06-25 14:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-25 13:51 . 2008-06-25 13:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-25 11:41 . 2008-06-25 11:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 10:46 . 2008-06-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-25 10:02 . 2008-06-25 13:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-24 22:16 . 2008-06-24 22:28 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Sony
2008-06-24 22:16 . 2008-06-24 22:16 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Publish Providers
2008-06-24 22:16 . 2008-06-24 22:28 156 --a------ C:\Windows\Twunk001.MTX
2008-06-24 22:16 . 2008-06-24 22:28 2 --a------ C:\Windows\Twain001.Mtx
2008-06-24 22:16 . 2008-06-24 22:16 0 --a------ C:\Windows\Twunk002.MTX
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Users\All Users\Sony
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\ProgramData\Sony
2008-06-24 22:11 . 2008-06-24 22:11 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-24 22:11 . 2008-06-24 22:25 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-24 22:11 . 2008-06-24 22:26 <DIR> d-------- C:\Program Files\Sony
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\Users\All Users\Genie-Soft
2008-06-21 10:20 . 2008-06-21 10:20 <DIR> d-------- C:\ProgramData\Genie-Soft
2008-06-21 10:18 . 2008-06-21 10:18 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Genie-soft
2008-06-21 10:15 . 2008-06-21 10:15 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-21 10:15 . 2006-11-02 00:50 128,104 --------- C:\Windows\System32\drivers\WimFltr.sys
2008-06-21 10:14 . 2008-06-21 10:14 <DIR> d-------- C:\Program Files\Genie-Soft
2008-06-20 12:13 . 2008-06-20 12:13 <DIR> d-------- C:\Program Files\MSECache
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-06-16 18:01 . 2008-06-16 18:01 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\J River
2008-06-15 19:43 . 2008-03-07 19:08 4,240,384 --------- C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-15 19:43 . 2008-03-07 21:21 1,695,744 --------- C:\Windows\System32\gameux.dll
2008-06-15 19:43 . 2008-04-22 21:42 428,544 --------- C:\Windows\System32\EncDec.dll
2008-06-15 19:43 . 2008-04-22 21:42 293,376 --------- C:\Windows\System32\psisdecd.dll
2008-06-15 19:43 . 2008-04-22 21:41 218,624 --------- C:\Windows\System32\psisrndr.ax
2008-06-15 19:43 . 2008-04-22 21:41 57,856 --------- C:\Windows\System32\MSDvbNP.ax
2008-06-11 08:54 . 2008-04-24 19:12 1,383,424 --------- C:\Windows\System32\mshtml.tlb
2008-06-11 08:54 . 2008-04-26 01:08 1,314,816 --------- C:\Windows\System32\quartz.dll
2008-06-11 08:54 . 2008-04-24 21:35 826,880 --------- C:\Windows\System32\wininet.dll
2008-06-11 08:54 . 2008-05-09 18:33 113,664 --------- C:\Windows\System32\drivers\rmcast.sys
2008-06-09 11:22 . 2007-12-20 14:10 129,520 --------- C:\Windows\System32\pxafs.dll
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Winamp
2008-06-09 11:21 . 2008-06-09 11:22 <DIR> d-------- C:\Program Files\Winamp
2008-06-09 11:10 . 2008-06-09 11:10 <DIR> d-------- C:\Program Files\J River
2008-06-09 11:10 . 2008-03-13 08:58 585,728 --------- C:\Windows\System32\AReadyLB.dll
2008-06-09 11:10 . 2008-03-13 08:58 229,376 --------- C:\Windows\System32\AudDevicePlugin.dll
2008-06-09 11:10 . 2008-03-13 08:58 183,129 --------- C:\Windows\System32\AM Install1.INF
2008-06-09 10:09 . 2008-06-15 19:46 <DIR> d-------- C:\Program Files\Windows Live
2008-06-09 10:09 . 2008-06-09 10:12 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-06-03 07:58 . 2008-06-03 07:58 <DIR> d-------- C:\Users\alexi\AppData\Roaming\Ulead Systems
2008-05-30 11:23 . 2008-05-30 11:24 222,425,481 --------- C:\Windows\MEMORY.DMP
2008-05-27 13:49 . 2008-05-27 13:49 <DIR> d-------- C:\Program Files\StarterKits
2008-05-26 11:39 . 2008-05-26 11:39 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-05-26 11:39 . 2008-05-26 11:39 <DIR> d-------- C:\ProgramData\FLEXnet
2008-05-26 11:18 . 2007-02-20 16:04 2,463,976 --------- C:\Windows\System32\NPSWF32.dll
2008-05-26 11:18 . 2007-02-20 16:04 190,696 --------- C:\Windows\System32\NPSWF32_FlashUtil.exe
2008-05-26 11:13 . 2008-05-26 11:13 <DIR> d-------- C:\Program Files\Bonjour
2008-05-26 11:09 . 2008-05-26 11:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 11:02 . 2008-05-26 11:04 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\Ulead Systems
2008-05-26 10:58 . 2008-05-26 10:58 0 ---h----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Users\RICK~1~MAT\AppData
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Users\RICK~1~MAT
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Program Files\Windows Media Components
2008-05-26 10:56 . 2008-05-26 10:56 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-26 10:54 . 2008-06-24 22:10 <DIR> d-------- C:\Users\All Users\Ulead Systems
2008-05-26 10:54 . 2008-06-24 22:10 <DIR> d-------- C:\ProgramData\Ulead Systems
2008-05-22 15:22 . 2008-05-22 15:22 4,816 --------- C:\Windows\System32\divxsm.tlb
2008-05-22 15:20 . 2008-05-22 15:20 1,044,480 --------- C:\Windows\System32\libdivx.dll
2008-05-22 15:20 . 2008-05-22 15:20 200,704 --------- C:\Windows\System32\ssldivx.dll
2008-05-22 15:19 . 2008-05-22 15:19 196,608 --------- C:\Windows\System32\dtu100.dll
2008-05-22 15:19 . 2008-05-22 15:19 161,096 --------- C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 15:19 . 2008-05-22 15:19 81,920 --------- C:\Windows\System32\dpl100.dll
2008-05-22 15:19 . 2008-05-22 15:19 416 --------- C:\Windows\System32\dtu100.dll.manifest
2008-05-22 15:19 . 2008-05-22 15:19 416 --------- C:\Windows\System32\dpl100.dll.manifest
2008-05-22 15:18 . 2008-05-22 15:18 12,288 --------- C:\Windows\System32\DivXWMPExtType.dll
2008-05-21 18:35 . 2008-05-21 18:35 <DIR> d--h----- C:\Users\All Users\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-21 18:35 . 2008-05-21 18:35 <DIR> d--h----- C:\ProgramData\{5553977E-AF8B-4870-AEB6-53B6C1BC822D}
2008-05-21 18:32 . 2008-05-21 18:32 <DIR> d-------- C:\Program Files\Stardock Games
2008-05-20 17:10 . 2008-05-20 17:10 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\vlc
2008-05-20 17:09 . 2008-05-20 17:09 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-20 09:21 . 2008-05-20 09:23 1,337 --------- C:\Windows\ntbackup.ini
2008-05-20 09:20 . 2008-05-21 10:19 <DIR> d-------- C:\Windows\System32\NtmsData
2008-05-20 09:20 . 2008-05-20 09:20 <DIR> d-------- C:\Program Files\Windows NT Backup - Restore Utility
2008-05-09 18:49 . 2008-05-09 18:49 <DIR> d-------- C:\Program Files\Vodei
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Users\rick.MATRIX6\AppData\Roaming\eFax Messenger
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Users\All Users\eFax Messenger 4.3 Setup
2008-05-05 14:53 . 2008-06-03 07:56 <DIR> d-------- C:\Users\All Users\eFax Messenger 4.3 Output
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\ProgramData\eFax Messenger 4.3 Setup
2008-05-05 14:53 . 2008-06-03 07:56 <DIR> d-------- C:\ProgramData\eFax Messenger 4.3 Output
2008-05-05 14:53 . 2008-05-05 14:53 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2008-05-05 14:53 . 2008-05-05 14:53 0 --------- C:\Windows\System32\eFax_4_3_Port
2008-05-02 10:13 . 2008-05-02 10:13 0 ---h----- C:\Windows\System32\drivers\Msft_User_LgLcdSSDriver_01_00_00.Wdf
2008-05-02 05:59 . 2008-05-02 05:59 122,368 --a------ C:\Windows\System32\drivers\Rtlh86.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 16:30 --------- d---a-w C:\ProgramData\TEMP
2008-06-25 21:07 --------- d-----w C:\Program Files\Trillian
2008-06-25 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-25 04:14 --------- d-----w C:\Program Files\PowerArchiver
2008-06-23 03:10 --------- d-----w C:\ProgramData\NVIDIA
2008-06-20 14:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-19 20:18 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-19 20:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-06-19 20:17 --------- d-----w C:\Program Files\Microsoft SDKs
2008-06-18 16:44 --------- d-----w C:\Program Files\DivX
2008-06-16 05:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-09 23:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-09 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-04 02:39 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Ventrilo
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ------w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ------w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ------w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ------w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ------w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ------w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ------w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ------w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ------w C:\Windows\System32\dpu10.dll
2008-05-29 04:49 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-26 18:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 17:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-22 22:22 524,288 ------w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ------w C:\Windows\System32\qt-dx331.dll
2008-05-03 00:47 --------- d-----w C:\Users\rick.MATRIX6\AppData\Roaming\Bioshock
2008-05-02 17:13 --------- d-----w C:\ProgramData\Logitech
2008-05-02 17:13 --------- d-----w C:\Program Files\Logitech
2008-05-01 00:27 442,368 ------w C:\Windows\System32\NVUNINST.EXE
2008-04-26 07:12 107,888 ------w C:\Windows\System32\CmdLineExt.dll
2008-04-12 00:23 38,400 ------w C:\Windows\System32\SoundSchemes.exe
2008-04-09 05:54 174 --sh--w C:\Program Files\desktop.ini
2008-04-09 05:30 413,696 ------w C:\Windows\System32\wrap_oal.dll
2008-04-09 05:30 110,592 ------w C:\Windows\System32\OpenAL32.dll
2008-04-09 05:21 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-04-09 05:21 101,888 ------w C:\Windows\System32\ifxcardm.dll
2008-04-09 05:01 47,560 ------w C:\Windows\System32\SPReview.exe
2008-04-09 05:01 152,576 ------w C:\Windows\System32\SPWizUI.dll
2008-03-25 02:52 35,840 ------w C:\Windows\System32\nvcod100.dll
2008-03-12 20:21 678,408 ------w C:\Windows\System32\gpprefcl.dll
2008-03-08 04:19 540,672 ------w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ------w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ------w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ------w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ------w C:\Windows\AppPatch\AcRes.dll
2008-03-08 00:00 795,104 ------w C:\Windows\System32\dpinst.exe
2008-03-08 00:00 5,769,760 ------w C:\Windows\System32\nvdispsr.dll
2008-03-08 00:00 465,440 ------w C:\Windows\System32\nvmccssr.dll
2008-03-08 00:00 4,143,648 ------w C:\Windows\System32\nvvitvsr.dll
2008-03-08 00:00 3,385,888 ------w C:\Windows\System32\nvgamesr.dll
2008-03-08 00:00 2,861,600 ------w C:\Windows\System32\nvmoblsr.dll
2008-03-08 00:00 2,681,376 ------w C:\Windows\System32\nvwssr.dll
2008-03-08 00:00 1,079,840 ------w C:\Windows\System32\nvcpluir.dll
2008-03-06 01:32 32 ------w C:\Users\All Users\ezsid.dat
2008-03-06 01:32 32 ------w C:\ProgramData\ezsid.dat
2008-02-03 07:49 22,328 ------w C:\Users\rick.MATRIX6\AppData\Roaming\PnkBstrK.sys
2008-03-07 05:21 32,768 --sh--w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030620080307\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-29_10.59.56.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 16:16:43 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-30 15:47:29 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 15:47:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-29 16:16:44 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-30 15:47:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 15:52:45 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 15:52:45 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-29 16:22:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 15:52:50 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 15:52:50 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-29 16:26:56 127,740 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-30 15:51:56 127,740 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-29 16:26:56 671,868 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-30 15:51:56 671,868 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-29 16:24:22 17,310 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
+ 2008-06-30 15:53:44 17,310 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3969327731-1230743064-1942364166-1109_UserData.bin
- 2008-06-29 16:24:21 75,332 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 15:53:43 75,768 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-29 16:24:16 61,608 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 15:53:41 61,672 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 16:35 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-07 19:25 160592]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"GBMPro8Agent"="C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-01-27 09:55 230016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [ ]
"CtxfiReg"="CTXFIREG.exe" [2007-10-25 22:52 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\Users\rick.MATRIX6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-01-07 23:11:22 798]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{569D53C3-706A-4456-B5DA-E1BD72FE7E91}"= UDP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{F18DE565-6EA1-4630-87DE-A0C8D4036CD5}"= TCP:C:\Windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{7F76A358-63CF-46E4-8AF8-346CC0DEFC64}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"UDP Query User{2A8DC694-EDBA-430B-8E54-568DCAE98DD2}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.exe:gameservertestapp.exe
"TCP Query User{56C1193A-DCF7-414A-B91D-2DF9BCD084B2}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{13ED714D-8851-4AA2-8A11-8B507492FB51}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{1441EED2-19F8-48E7-9D37-9319F7EDABEF}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= UDP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"UDP Query User{39CED5C9-1D29-47D5-B950-BCD64CED3D4C}C:\\users\\rick.matrix6\\documents\\visual studio 2008\\projects\\gameserverservice\\gameservertestapp\\bin\\debug\\gameservertestapp.vshost.exe"= TCP:C:\users\rick.matrix6\documents\visual studio 2008\projects\gameserverservice\gameservertestapp\bin\debug\gameservertestapp.vshost.exe:gameservertestapp.vshost.exe
"{F234B377-A305-4B89-9789-FAC613F0AB53}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{913AC9CB-A469-4241-9A64-DA088A219799}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{FE80938A-9132-478F-BC2D-595521ABCEBE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{79C88D88-66DE-4DC2-BC4E-B0F950884EC3}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{C19915FB-BB9A-4992-83C2-FE68DAAE7DC0}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B7033A8E-B7CC-4223-8976-F27E76851EAB}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{ACBE0E22-6DD4-4596-863A-276D448401F0}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{02A2F050-DC6A-43D1-A480-42A49F818D19}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{71C22B22-FDA2-4723-96BB-9A8C1311C549}C:\\windows\\system32\\ftp.exe"= UDP:C:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{A1E7A201-8BB2-4DC1-A633-734292F36F67}C:\\windows\\system32\\ftp.exe"= TCP:C:\windows\system32\ftp.exe:File Transfer Program
"{5407455A-286A-4784-B98B-28038757A191}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{114A0A80-0F24-487C-A74D-6C68D858005C}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{561578AD-5632-47B4-A624-67FDF2A1C661}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1469D84-059A-4B0E-86A3-CB5F06EFD5C9}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{402134E8-C9F7-4FC1-8E33-8D551B47C1CD}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{F896FCBE-BCB9-4455-B1FE-648C34EBBD9A}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{E432EE64-FCBC-4DAB-A175-E349295D84F9}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= UDP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"UDP Query User{69F7DF09-CCC2-4758-B432-86A87E93F7AD}C:\\program files\\reallusion\\crazytalk for skype\\ct4skype.exe"= TCP:C:\program files\reallusion\crazytalk for skype\ct4skype.exe:CrazyTalk
"{19B0CE24-11DA-4655-9114-1569C8AB0B5E}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{72D730A3-CB26-4D00-9A9B-230A0A4F474D}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C6C75529-2063-49CD-8B07-D9F4BE99823C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{9D348DE3-9F0C-4335-8890-0EF1760CE955}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{14CB1A57-2EDB-4322-B910-E70DC8D76B5A}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{958372C2-2FB8-4F10-B9E5-04E0EE92211D}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"{AD5B00EF-200F-4B5F-BC06-1E67F14CB324}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"{41A3127D-9712-4887-B3D3-C7A187F020A0}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire Demo\Sins of a Solar Empire.exe:Sins of a Solar Empire Demo
"TCP Query User{E7C85640-0E49-4A56-9F94-ACA31F16AB6B}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
"UDP Query User{8DBC632B-7AFF-4113-A265-00393317097D}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [2007-10-26 00:33]
S3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-25 22:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 18:39:59 C:\Windows\Tasks\User_Feed_Synchronization-{31B90036-0669-4958-AA20-50CC211610BD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 11:44:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 11:45:04
ComboFix-quarantined-files.txt 2008-06-30 18:44:56
ComboFix2.txt 2008-06-30 17:57:19
ComboFix3.txt 2008-06-29 18:13:10
ComboFix4.txt 2008-06-28 06:44:53

Pre-Run: 141,778,423,808 bytes free
Post-Run: 141,757,149,184 bytes free

330 --- E O F --- 2008-06-24 15:54:19

Re: Virtumonde help

Post by Shaba » June 30th, 2008, 2:53 pm

Hi

Delete this:

C:\Windows\System32\qomjiIBQ.dll

Empty Recycle Bin.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
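An added triage script for logs like the one above (this is not part of the thread, and not ComboFix, Kaspersky or MalwareRemoval.com code). It walks ComboFix-style registry sections and Kaspersky report lines and flags the three things a helper checks first in a Vundo case: System32 DLLs whose eight-letter names look machine-generated (every file Kaspersky reported in this thread, and the qomjiIBQ.dll Shaba names, fits that pattern), a Security Center monitoring override, and an AutoRun command bound to a drive letter under MountPoints2. The finding categories, the name heuristic and the sample excerpt (lines copied from this thread) are the editor's own assumptions; hits are candidates for a signature or hash check, not verdicts.

```python
"""Triage helper for ComboFix-style log sections (added example; not ComboFix, Kaspersky
or MalwareRemoval.com code).  The finding categories, the name heuristic and the sample
excerpt copied from the thread are assumptions made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTION = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\key] header lines
DLL_PATH = re.compile(r"[A-Za-z]:\\Windows\\System32\\([A-Za-z]{8})\.dll", re.IGNORECASE)
AUTORUN = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line_no: int


def looks_random(name: str) -> bool:
    """Heuristic for the Vundo naming style seen in this thread (mlJbXNGX, wvUnNfeE,
    vgbbhcpi, qomjiIBQ): mixed case that ends in an upper-case letter, or a long run
    of consonants.  Triage hint only; some legitimate DLLs will also trip it."""
    has_lower = any(c.islower() for c in name)
    has_upper = any(c.isupper() for c in name)
    odd_case = has_lower and has_upper and name[-1].isupper()
    run = longest = 0
    for c in name.lower():
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return odd_case or longest >= 5


def triage_log(text: str) -> list[Finding]:
    """Walk the log once, tracking the current [section], and collect findings."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    section = ""

    def add(kind: str, detail: str, line_no: int) -> None:
        key = (kind, detail.lower())
        if key not in seen:           # Kaspersky prints each path twice per line
            seen.add(key)
            findings.append(Finding(kind, detail, line_no))

    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:                  # a blank line ends a ComboFix section
            section = ""
            continue
        if m := SECTION.match(line):
            section = m.group(1).lower()
            continue
        for m in DLL_PATH.finditer(line):
            if looks_random(m.group(1)):
                add("random-name-dll", m.group(0), line_no)
        if "mountpoints2" in section and (m := AUTORUN.match(line)):
            drive = section.rsplit("\\", 1)[-1].upper()
            add("mountpoints2-autorun", f"{drive}: {m.group(1)}", line_no)
        if "security center\\monitoring" in section and DISABLE_MON.match(line):
            add("security-center-monitoring-off", section.rsplit("\\", 1)[-1], line_no)
    return findings


# Constructed sample: lines copied from the ComboFix log and Kaspersky report in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Servers\splash.hta *DVD*

C:\Windows\system32\mlJbXNGX.dll/C:\Windows\system32\mlJbXNGX.dll Infected: Trojan.Win32.Monder.acx 1
C:\Windows\system32\vgbbhcpi.dll/C:\Windows\system32\vgbbhcpi.dll Infected: Trojan.Win32.Monder.acy 26
C:\Windows\System32\qomjiIBQ.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<32} {f.detail}")
```

Two caveats when reading the output. The DisableMonitoring value is written by many antivirus suites themselves (Symantec here) so that Security Center does not double-report; treat that finding as something to confirm with the vendor, not as a sign of infection. The MountPoints2 entry only records what Explorer will run for that drive; here it points at H:\Servers\splash.hta, and a helper would confirm that is what the disc is meant to launch before touching it. For the DLL hits, the next step is checking the file's Authenticode signature and hash, not deleting on the strength of the name alone.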

Re: Virtumonde help

Post by rboarman » June 30th, 2008, 3:04 pm

Thank you. I will run the scan now. Last time it took many hours.

Rick

Re: Virtumonde help

Post by Shaba » June 30th, 2008, 3:14 pm

Hi

No hurry, take your time :)