MalwareRemoval.com - Malware Removal Instructions

HJT Log from Canada::
Post by railker » March 6th, 2008, 6:41 pm

Symptoms: Popups with IE open or closed, for sites such as 'Bite Fight', 'divine.ca' and 'Takkle'.

=====

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:34:47 PM, on 06/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Colin\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07CCF8E6-B40A-4F9A-AE37-0BE24BFC34CF} - C:\Windows\system32\efcdd.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: (no name) - {0b608aad-c38d-4927-9240-f103ec448287} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {B22D570C-D83A-4485-8DAD-4679E1E21676} - (no file)
O2 - BHO: (no name) - {DCE9719B-3C8F-4B43-8178-E223CE9B7D68} - C:\Windows\system32\efcdd.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [Host Process] C:\Users\Colin\svchost.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resourc ... den-ca.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10104 bytes
railker
Regular Member
Posts: 17
Joined: March 6th, 2008, 6:38 pm

Re: HJT Log from Canada::

Post by chryssi2001 » March 8th, 2008, 11:47 am

Hello railker :),

I will be assisting you with your malware issues.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
----------------------------------------------
IMPORTANT NOTE:
If you are using Windows Vista, you must right-click the desktop icon of every tool and choose Run as Administrator.
----------------------------------------------
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
----------------------------------------------
You posted the Beta version of HijackThis.
Please remove it from your pc.

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

Before running HijackThis, i need you to rename it, as per my instructions below:
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Users\Colin\Desktop\HiJackThis.exe

Right-click on HijackThis.exe, select Rename, rename it to scanner.exe, and post back a new HijackThis log.

  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Vundofix report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: HJT Log from Canada::

Post by railker » March 8th, 2008, 4:57 pm

Running VundoFix.exe only brings up the window, "Run-time error '339': Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid"

Also, Spybot S&D often asks about changed registry entries by "Browser Helper Objects", values being added. Should I allow or deny these? I've been denying them, JIC.

Another problem that's been occurring is Windows Explorer is often un-openable until I spend 2 hours cleaning everything out with McAfee and Spybot S&D. Also, my desktop and the bottom bar disappear often. As I write this, I have no desktop (well, the picture's there) and no toolbar.

Re: HJT Log from Canada::

Post by chryssi2001 » March 9th, 2008, 3:10 am

Hello railker,

Have a read here how to fix that error.
*If VundoFix gives a runtime error on startup you are most likely missing the file: comdlg32.ocx A new copy and instructions on where to put it can be found HERE

Did you right click to run Vundofix as administrator?

I need you to right-click and run all tools as administrator.
----------------------------------------------
Also, Spybot S&D often asks about changed registry entries by "Browser Helper Objects", values being added. Should I allow or deny these? I've been denying them.

Please continue denying them.
----------------------------------------------
R/BOT ADVICE

You have been infected by an Rbot, which allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data.

I recommend that you disconnect this machine from the internet NOW!

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

After you've done above, let's start some cleaning.
----------------------------------------------
Remove/Disable one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:

McAfee
Symantec


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove/disable one of them.

As I believe Symantec is a remnant, use the link below to remove it.

REMOVE NORTON

ONLY if you don't have an active subscription, use below link to uninstall, and install a free AV from my links below.

Please click HERE and follow the instructions to download and run the norton removal tool for your own version.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
----------------------------------------------
Ad-Aware Ad-Watch
  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: This will turn Ad-Watch On\Off without closing it
    • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both of those boxes. You can enable these after resolving your problem.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Important
Please uninstall your HijackThis as per my previous post and install the newer version before following this step.

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {07CCF8E6-B40A-4F9A-AE37-0BE24BFC34CF} - C:\Windows\system32\efcdd.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: (no name) - {0b608aad-c38d-4927-9240-f103ec448287} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {B22D570C-D83A-4485-8DAD-4679E1E21676} - (no file)
O2 - BHO: (no name) - {DCE9719B-3C8F-4B43-8178-E223CE9B7D68} - C:\Windows\system32\efcdd.dll
O4 - HKCU\..\Run: [Host Process] C:\Users\Colin\svchost.exe


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Please download the OTMoveIt2 by OldTimer and Save it to your Desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\system32\efcdd.dll
    C:\Users\Colin\svchost.exe

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
----------------------------------------------
Post back a new HijackThis log.
Tell me how the pc behaves now.
Do you still have problems with your desktop:
Also, my desktop and the bottom bar disappear often. As I write this, I have no desktop (well, the picture's there) and no toolbar.

Can you be more specific about no toolbar?

Re: HJT Log from Canada::

Post by railker » March 9th, 2008, 7:08 am

VundoFix corrected and run ...


VundoFix V6.5.10

Checking Java version...

Scan started at 2:22:11 PM 06/03/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.1

Scan started at 3:34:48 AM 09/03/2008

Listing files found while scanning....


VundoFix V7.0.1

Scan started at 3:36:23 AM 09/03/2008

Listing files found while scanning....

C:\windows\System32\bwpjkfhs.dllbox
C:\Windows\System32\ddcfe.ini
C:\Windows\System32\ddcfe.ini2
C:\Windows\System32\efcdd.dll
C:\Windows\System32\hroyjqol.dll
C:\Windows\System32\ixjrjkdy.dll
C:\windows\System32\kpwznbpb.dllbox
C:\Windows\System32\speglxly.dll
C:\Windows\System32\ufqwchfc.dll
C:\Windows\System32\xciokwqj.dll

Beginning removal...


[[And it restarted by itself, so I guess no end to the logfile ...]]

HijackThis run successfully. More entries must have been added later, so I checked and fixed all the O2 with (no file).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:55 AM, on 09/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Users\Colin\Desktop\scanner.exe.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E47FC2EE-2BE4-4FD9-A31C-2E0ADF7330C3} - C:\Windows\system32\efcdd.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [BM075bc38f] Rundll32.exe "C:\Windows\system32\ixjrjkdy.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resourc ... den-ca.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9692 bytes


Still, at this point, getting endless registry 'added value' questions from S&D. Still rejecting, I can figure out what they are now, those files on O2 on HJT.

OTMoveIt2 run with abovementioned code, and received the following results ...

DllUnregisterServer procedure not found in C:\Windows\system32\efcdd.dll
C:\Windows\system32\efcdd.dll NOT unregistered.
File move failed. C:\Windows\system32\efcdd.dll scheduled to be moved on reboot.
File/Folder C:\Users\Colin\svchost.exe not found.

OTMoveIt2 v1.0.20 log created on 03092008_040657


No change to the above log after restart. All programs run as Admin.
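What the helper is doing by eye when she picks entries out of these logs can be written down as a handful of rules: a BHO registered with no name, either pointing at a DLL in system32 or at a file that no longer exists; a Run value that launches something called svchost.exe from a user profile instead of a Windows directory; a Run value that has rundll32 load a system32 DLL with no named export (the BM075bc38f entry in the second log); and R0/R1 search settings left blank. The script below is an added example, not code from MalwareRemoval.com, from the helper or from HijackThis. Its rules are my assumptions about what is being checked, and the two sample logs are constructed from lines in the two logs posted in this thread; it also diffs the two logs, which is how you see that the fixed efcdd.dll BHO came back under a new CLSID.

```python
"""Heuristic triage of HijackThis (HJT) log entries (added example, not code
from MalwareRemoval.com, the helper or HijackThis; the rules are my assumptions
about what a helper checks by eye, the samples are constructed from the logs)."""
import re

# Constructed sample: entries from the first log, before the HJT fix.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07CCF8E6-B40A-4F9A-AE37-0BE24BFC34CF} - C:\Windows\system32\efcdd.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O4 - HKCU\..\Run: [Host Process] C:\Users\Colin\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# Constructed sample: the same section of the second log, after the fix.
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E47FC2EE-2BE4-4FD9-A31C-2E0ADF7330C3} - C:\Windows\system32\efcdd.dll
O4 - HKLM\..\Run: [BM075bc38f] Rundll32.exe "C:\Windows\system32\ixjrjkdy.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^.*?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.+?\.exe)(?:\s+(.*))?$", re.I)   # unquoted path, then args
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def split_path(path):
    """(lower-cased directory, lower-cased file name) of a Windows path."""
    directory, _, name = path.strip().lower().rpartition("\\")
    return directory, name


def first_token(cmd):
    """Split a Run value into (executable, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path may contain spaces
        close = cmd.find('"', 1)
        return cmd[1:close], cmd[close + 1:].strip()
    m = EXE_RE.match(cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def rundll_target(args):
    """Split rundll32 arguments '<dll>,<export> ...' into (dll, export)."""
    args = args.strip()
    if args.startswith('"'):
        close = args.find('"', 1)
        dll, tail = args[1:close], args[close + 1:]
    else:
        token = args.split(None, 1)[0] if args else ""
        dll, comma, rest = token.partition(",")
        tail = comma + rest
    parts = tail[1:].split(None, 1) if tail.startswith(",") else []
    return dll, (parts[0] if parts else "")


def triage(log_text):
    """Return [(line, reason)] for the entries a helper would single out."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body, reason = m.group("sec"), m.group("body"), None
        if sec in ("R0", "R1") and body.rstrip().endswith("="):
            reason = "blank search/start value, typical residue of a hijack"
        elif sec == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)":
                reason = ("orphaned BHO registration, DLL missing" if b.group("path") == "(no file)"
                          else "unnamed BHO loading " + b.group("path"))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                exe, rest = first_token(r.group("cmd"))
                directory, name = split_path(exe)
                if name in SYSTEM_BINARIES and directory not in WINDOWS_DIRS:
                    reason = name + " outside a Windows directory (masquerading as a system process)"
                elif name in ("rundll32.exe", "rundll32"):
                    dll, export = rundll_target(rest)
                    if split_path(dll)[0] in WINDOWS_DIRS and len(export) <= 1:
                        reason = "rundll32 loading " + dll + " with no named export"
        if reason:
            findings.append((line, reason))
    return findings


def diff_logs(before, after):
    """(appeared, vanished) entries between two logs, in log order."""
    def entries(text):
        return [l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())]
    old, new = entries(before), entries(after)
    return [l for l in new if l not in old], [l for l in old if l not in new]
```

Calling `triage(LOG_BEFORE)` returns exactly the kinds of lines the helper listed for Fix Checked (the blank R0 value, the two unnamed BHOs, the svchost.exe in C:\Users\Colin), and leaves the named Adobe BHO and the LOCAL SERVICE rundll32 entry alone because that one loads a DLL by bare name with a real export. `triage(LOG_AFTER)` then flags the new E47FC2EE BHO and the BM075bc38f rundll32 entry, and `diff_logs(LOG_BEFORE, LOG_AFTER)` shows efcdd.dll re-registered under a fresh CLSID, which is the reading behind "You still have vundo infection on your pc." Rules like these are a starting point for a human review, not a verdict: a legitimate but sloppily registered BHO also has no name.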

Re: HJT Log from Canada::

Post by chryssi2001 » March 9th, 2008, 11:35 am

Hello railker,

After vundofix finds the files at the point it says:
Beginning removal

it shows the files found and says if they were removed or not.
So either you missed a part of the Vundofix report or you stopped the tool before it finished.

You still have vundo infection on your pc.
-----------------------------------------------------
Still, at this point, getting endless registry 'added value' questions from S&D. Still rejecting; I can figure out what they are now, those files on O2 in HJT.

I posted instructions in my previous post to disable Spybot Search & Destroy Tea Timer, and Ad-Aware 2007, as they can interfere with the fix, or tools we need to run.
Please follow the instructions in my previous post and disable both programs if we are going to do a proper job here.
-----------------------------------------------------
You've missed also removing Symantec.
Please do so.

Remove/Disable one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:

McAfee
Symantec


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove/disable one of them.

As I believe Symantec is a remnant, use the link below to remove it.

REMOVE NORTON

ONLY if you don't have an active subscription, use the link below to uninstall, and install a free AV from my links below.

Please click HERE and follow the instructions to download and run the norton removal tool for your own version.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
-----------------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent DNA

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Please remove it and you can re-install it after we finish cleaning your pc.
-----------------------------------------------------
Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 5.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 5 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u4-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
-----------------------------------------------------
Now I suggest you run Vundofix again, and let it restart to finish its work.
-----------------------------------------------------
We are going to continue after seeing your new Vundofix report, and after you have done all I asked.

A summary of things you have to do:
Disable Ad-Aware Ad-Watch.
Disable Spybot's S&D Tea Timer.
Remove Symantec.
Remove BitTorrent DNA.
Update Java.

Post back:
Vundofix report.
A new HijackThis log.
Last edited by chryssi2001 on March 11th, 2008, 3:09 am, edited 1 time in total.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: HJT Log from Canada::

Unread postby railker » March 10th, 2008, 6:50 pm

Completed everything above, except for the last two steps of removing Vundo and posting a HJT log.

VundoFix found 13 viruses and completed the scan. I click 'Fix Vundo' and 'Yes'.

It says "Removing vundo..." and sits there for an incredibly long time. I left it while I was at work for 10 hours last night, came home, still sitting there with the Vista timer going in circles. I can still click on the File and Info menus, but no blanking out of the desktop or restarting. Or removal of the virus.

Re: HJT Log from Canada::

Unread postby chryssi2001 » March 11th, 2008, 7:54 am

Hello railker,
VundoFix found 13 viruses and completed the scan

Did it create any report showing the names like last time you ran it?
-----------------------------------------------
Did you reboot your computer after those 10 hours?
Let's give this another try in safe mode this time.
Please describe if any problems again.
-----------------------------------------------
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below.
    • C:\Windows\system32\efcdd.dll
    • C:\Windows\system32\ixjrjkdy.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
-----------------------------------------------
Safe Mode

Print out all these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
-----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {E47FC2EE-2BE4-4FD9-A31C-2E0ADF7330C3} - C:\Windows\system32\efcdd.dll
O4 - HKLM\..\Run: [BM075bc38f] Rundll32.exe "C:\Windows\system32\ixjrjkdy.dll",s


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
-----------------------------------------------
Reboot in Normal mode.
-----------------------------------------------
Run HijackThis again.
-----------------------------------------------
Please post a new HijackThis log, even if you don't have a vundo fix report.
Last edited by chryssi2001 on March 11th, 2008, 4:52 pm, edited 1 time in total.

Re: HJT Log from Canada::

Unread postby railker » March 11th, 2008, 4:05 pm

Here's the contents of the last scan from VundoFix.txt ...

VundoFix V7.0.1

Scan started at 12:44:05 PM 11/03/2008

Listing files found while scanning....

C:\windows\System32\bwpjkfhs.dllbox
C:\Windows\System32\ddcfe.ini
C:\Windows\System32\ddcfe.ini2
C:\Windows\System32\efcdd.dll
C:\Windows\System32\fayanlmu.dll
C:\Windows\System32\hroyjqol.dll
C:\Windows\System32\ixjrjkdy.dll
C:\Windows\System32\jdxohihg.dll
C:\Windows\System32\jlnqbhpk.dll
C:\windows\System32\kpwznbpb.dllbox
C:\Windows\System32\speglxly.dll
C:\Windows\System32\syseysba.dll
C:\Windows\System32\tnvestob.dll
C:\Windows\System32\ufqwchfc.dll
C:\Windows\System32\vecranfv.dll
C:\Windows\System32\xciokwqj.dll

Beginning removal...


Same problem occurred as last time. ((Couldn't "Run as task", no such option that I could find)). Ran program as admin. Same thing. "Remove Vundo". I click "Yes". It sits there. Menus and everything still clickable, window still movable -- so the program's not frozen ...

Re: HJT Log from Canada::

Unread postby chryssi2001 » March 11th, 2008, 4:57 pm

Hello railker,

Try to follow the steps in my previous post.
I've just edited it. Run Vundofix, adding those 2 files as explained, and run it. If it doesn't reboot and creates a report, post it back here.
You have to fix HijackThis lines in Safe mode.
Even if Vundofix fails again post back a new HijackThis log, so I will see what's left and give you a new fix if this fails again.

Re: HJT Log from Canada::

Unread postby railker » March 11th, 2008, 5:32 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:09 PM, on 11/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Colin\Desktop\scanner.exe.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {04791870-29A5-424B-86B0-710332C0B530} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CE265B61-CA69-4568-A88E-BCEED37A23F4} - C:\Windows\system32\efcdd.dll
O2 - BHO: (no name) - {E47FC2EE-2BE4-4FD9-A31C-2E0ADF7330C3} - (no file)
O2 - BHO: {0e441a15-457d-c30b-3964-b6fd3a21f59e} - {e95f12a3-df6b-4693-b03c-d75451a144e0} - C:\Windows\system32\jdxohihg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0468f013] rundll32.exe "C:\Windows\system32\fayanlmu.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM075bc38f] Rundll32.exe "C:\Windows\system32\tnvestob.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resourc ... den-ca.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7217 bytes


\\\ Symptoms still occurring that I've noticed: problems with Windows Explorer:: can't open any folders (My Documents, Pictures, anything). Window will open, timer will appear for a second, then desktop resets itself (taskbar disappears and comes back, along with all icons on desktop. Any internet browser windows re-open to where they were). No more pop-up ads that I've noticed, but I bet they'd appear if I stayed long enough. \\\
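The VundoFix "add more files" step and the HijackThis "Fix checked" list in the post above are picked out by hand from the logs. The script below is an added example for this thread, not code from the original posts and not part of HijackThis, VundoFix or ComboFix; it applies the same selection to raw log lines so the choice is repeatable. The sample lines are copied from the Safe mode HijackThis log and the VundoFix listing posted above. The rules it uses are assumptions drawn from how this infection shows up in those logs: a BHO with "(no name)" (or a GUID as its name) that loads a DLL from system32, a Run entry that starts a system32 DLL through rundll32.exe with a one-letter export (",b" / ",s"), and a system32 .ini whose name is the DLL name spelled backwards (efcdd.dll with ddcfe.ini and ddcfe.ini2). A short lowercase name alone is not enough: gameux.dll in the same log passes the name test, so the script only flags the name together with the BHO or rundll32 context.

```python
"""Triage HijackThis and VundoFix lines for the Vundo pattern in this thread.

Added example for this thread, not code from the original posts or from the
HijackThis/VundoFix tools. Sample lines are copied from the logs posted
above; the selection rules are assumptions drawn from those logs.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: the dropped DLLs have random 5-8 lowercase-letter names in system32.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = "c:\\windows\\system32"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "vundo-bho", "vundo-run" or "orphan-bho"
    target: str  # DLL path to hand to VundoFix, or the CLSID of an orphaned BHO
    line: str    # the HijackThis line to tick under "Fix checked"


def is_random_system32_dll(path: str) -> bool:
    """Name-shape test only; on its own it also matches legitimate short names."""
    p = PureWindowsPath(path)
    return (str(p.parent).lower() == SYSTEM32
            and p.suffix.lower() == ".dll"
            and RANDOM_STEM.match(p.stem.lower()) is not None)


def triage_hjt(lines):
    """Return the O2/O4 entries that match the Vundo pattern, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if path == "(no file)":
                findings.append(Finding("orphan-bho", m["clsid"], line))
            elif (name == "(no name)" or name.startswith("{")) and is_random_system32_dll(path):
                findings.append(Finding("vundo-bho", path, line))
            continue
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            # Vundo's Run entries call rundll32 with a single-letter export.
            if r and len(r["export"]) == 1 and is_random_system32_dll(r["dll"]):
                findings.append(Finding("vundo-run", r["dll"], line))
    return findings


def dlls_to_remove(findings):
    """Unique DLL paths for VundoFix's 'add more files' box."""
    return sorted({f.target for f in findings if f.kind.startswith("vundo-")}, key=str.lower)


def reversed_ini_pairs(listing):
    """Pair each .dll with any .ini/.ini2 whose base name is the DLL name reversed."""
    dlls, inis = {}, {}
    for raw in listing:
        p = PureWindowsPath(raw.strip())
        stem, suffix = p.stem.lower(), p.suffix.lower()
        if suffix == ".dll":
            dlls[stem] = raw.strip()
        elif suffix.startswith(".ini"):
            inis.setdefault(stem, []).append(raw.strip())
    return [(dll, ini) for stem, dll in sorted(dlls.items()) for ini in inis.get(stem[::-1], [])]


# Constructed sample: lines copied from the Safe mode HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CE265B61-CA69-4568-A88E-BCEED37A23F4} - C:\Windows\system32\efcdd.dll
O2 - BHO: (no name) - {E47FC2EE-2BE4-4FD9-A31C-2E0ADF7330C3} - (no file)
O2 - BHO: {0e441a15-457d-c30b-3964-b6fd3a21f59e} - {e95f12a3-df6b-4693-b03c-d75451a144e0} - C:\Windows\system32\jdxohihg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [0468f013] rundll32.exe "C:\Windows\system32\fayanlmu.dll",b
O4 - HKLM\..\Run: [BM075bc38f] Rundll32.exe "C:\Windows\system32\tnvestob.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
""".strip().splitlines()

# Constructed sample: a subset of the VundoFix listing posted in this thread.
SAMPLE_VUNDOFIX = r"""
C:\windows\System32\bwpjkfhs.dllbox
C:\Windows\System32\ddcfe.ini
C:\Windows\System32\ddcfe.ini2
C:\Windows\System32\efcdd.dll
C:\Windows\System32\fayanlmu.dll
C:\Windows\System32\ixjrjkdy.dll
C:\Windows\System32\tnvestob.dll
""".strip().splitlines()

if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT)
    for f in found:
        print(f"{f.kind:10} {f.target}")
    print("VundoFix 'add more files':", *dlls_to_remove(found), sep="\n  ")
    for dll, ini in reversed_ini_pairs(SAMPLE_VUNDOFIX):
        print("reversed-name companion:", dll, "<->", ini)
```

Run it as-is to see the four DLLs for the VundoFix box, the orphaned CLSID that only needs an HJT fix, and the efcdd/ddcfe pairing. Replace the two sample lists with the contents of a fresh log and a VundoFix listing to reuse it; the ini-pairing test is the cheapest way to confirm the Vundo pattern before removing anything, because a legitimate DLL never ships with a reversed-name .ini beside it.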

Re: HJT Log from Canada::

Unread postby chryssi2001 » March 12th, 2008, 2:10 am

Hello railker,

-----------------------------------------------
Reboot in Normal mode.
-----------------------------------------------
Run HijackThis again.
-----------------------------------------------

Please try to focus a little more on this and pay attention to what I ask.
You posted a HijackThis log which you run in Safe mode.
-----------------------------------------------
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
-----------------------------------------------
Run HijackThis again.
-----------------------------------------------
Post back:
Combofix report.
A new HijackThis log. (Normal Mode)

Re: HJT Log from Canada::

Unread postby railker » March 12th, 2008, 4:55 am

(¯`·._.·[ ComboFix Log ]·._.·´¯)

ComboFix 08-03-10.1 - Colin 2008-03-12 1:40:53.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1095 [GMT -7:00]
Running from: C:\Users\Colin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\BM075bc38f.xml
C:\Windows\pskt.ini
C:\Windows\System32\ddcfe.ini
C:\Windows\System32\ddcfe.ini2
C:\Windows\system32\efcdd.dll
C:\Windows\system32\fayanlmu.dll
C:\Windows\system32\hroyjqol.dll
C:\Windows\system32\ixjrjkdy.dll
C:\Windows\system32\jdxohihg.dll
C:\Windows\system32\jlnqbhpk.dll
C:\Windows\system32\khhii.dll
C:\Windows\System32\ljjfkyst.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\oiuhksgv.dll
C:\Windows\system32\speglxly.dll
C:\Windows\system32\syseysba.dll
C:\Windows\system32\tnvestob.dll
C:\Windows\system32\ufqwchfc.dll
C:\Windows\System32\umlnayaf.ini
C:\Windows\system32\vecranfv.dll
C:\Windows\System32\vfnarcev.ini
C:\Windows\system32\vtuuuus.dll
C:\Windows\system32\wvursrr.dll
C:\Windows\system32\xciokwqj.dll
C:\Windows\System32\ylxlgeps.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-12 01:46 . 2003-07-30 11:18 3,839 --a------ C:\Windows\System32\drivers\GETPADD.sys
2008-03-11 13:47 . 2008-03-11 19:56 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-11 13:47 . 2008-03-11 13:48 1,409 --a------ C:\Windows\QTFont.for
2008-03-11 13:46 . 2008-03-11 13:47 <DIR> d-------- C:\Program Files\QuickTime
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\PROGRA~2\Apple Computer
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\PROGRA~2\Apple
2008-03-10 02:40 . 2008-03-11 15:09 <DIR> d-------- C:\Program Files\WolfQuest
2008-03-09 15:54 . 2008-03-09 15:54 <DIR> d-------- C:\Program Files\Sun
2008-03-09 15:48 . 2008-03-09 15:53 <DIR> d-------- C:\Program Files\Java
2008-03-09 15:48 . 2008-03-09 15:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-09 04:06 . 2008-03-09 04:06 <DIR> d-------- C:\_OTMoveIt
2008-03-09 03:57 . 2008-03-09 03:57 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-03-09 03:34 . 2008-03-09 03:34 198,656 --a------ C:\Windows\System32\comdlg32.ocx
2008-03-07 13:27 . 2008-03-08 02:58 2,306 ---hs---- C:\Windows\System32\qivgspxi.ini
2008-03-06 15:22 . 2008-03-11 14:21 <DIR> d-------- C:\VundoFix Backups
2008-03-06 13:58 . 2008-03-09 15:16 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2008-03-06 12:22 . 2008-03-06 12:21 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-03-06 12:21 . 2008-03-06 13:29 <DIR> d-------- C:\Users\Colin\.housecall6.6
2008-03-06 00:48 . 2008-03-06 10:46 1,309,618 ---hs---- C:\Windows\System32\cwgrghdu.ini
2008-03-05 00:40 . 2008-03-05 16:45 1,304,738 ---hs---- C:\Windows\System32\khgawgxa.ini
2008-03-04 01:02 . 2008-03-04 01:02 1,158 --a------ C:\Windows\mozver.dat
2008-03-03 22:42 . 2008-03-09 15:24 <DIR> d-------- C:\PROGRA~2\SiteAdvisor
2008-03-03 22:41 . 2008-03-04 00:27 1,305,090 ---hs---- C:\Windows\System32\jaumlgvc.ini
2008-03-03 22:21 . 2008-03-09 15:27 <DIR> d-------- C:\PROGRA~2\McAfee
2008-03-03 21:32 . 2008-03-03 21:32 0 --a------ C:\Windows\nsreg.dat
2008-03-03 19:39 . 2008-03-03 22:35 1,304,514 ---hs---- C:\Windows\System32\jfxgowdx.ini
2008-03-03 19:34 . 2008-03-03 19:41 20,664 ---hs---- C:\Windows\System32\bwpjkfhs.dllbox
2008-03-03 03:50 . 2008-03-03 03:51 <DIR> d-------- C:\Users\Colin\AppData\Roaming\SecondLife
2008-02-29 16:06 . 2008-02-29 16:06 77 --a------ C:\Windows\System32\3282.bat
2008-02-29 16:01 . 2008-02-29 16:01 77 --a------ C:\Windows\System32\5571.bat
2008-02-29 15:56 . 2008-03-01 00:06 39,096 ---hs---- C:\Windows\System32\kpwznbpb.dllbox
2008-02-29 15:55 . 2008-02-29 15:55 77 --a------ C:\Windows\System32\7892.bat
2008-02-29 14:57 . 2008-02-29 15:07 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Ahead
2008-02-29 03:17 . 2008-03-03 20:59 <DIR> d--hs---- C:\Users\Colin\'
2008-02-29 03:12 . 2008-02-29 22:55 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-02-29 02:56 . 2008-03-03 22:37 <DIR> d-------- C:\PROGRA~2\Lavasoft
2008-02-28 12:36 . 2008-02-28 12:44 <DIR> d-------- C:\Program Files\MpcStar
2008-02-28 00:25 . 2008-02-28 00:25 <DIR> d-------- C:\PROGRA~2\Office Genuine Advantage
2008-02-28 00:18 . 2006-10-26 20:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-02-28 00:12 . 2008-02-28 00:12 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-27 19:39 . 2008-02-29 15:51 <DIR> d-------- C:\Program Files\BitComet
2008-02-27 16:33 . 2008-02-27 17:03 1,942 --a------ C:\Windows\asrc.ini
2008-02-27 14:29 . 2008-02-27 14:29 100,464 --a------ C:\Windows\System32\ICKHTTPS2.OCX
2008-02-26 23:52 . 2008-02-26 23:52 327,662,570 --a------ C:\Windows\MEMORY.DMP
2008-02-26 23:00 . 2008-02-29 03:09 <DIR> d-------- C:\Program Files\BitLord
2008-02-19 12:56 . 2008-02-19 12:56 <DIR> d-------- C:\Graphics
2008-02-19 12:56 . 2005-11-13 02:28 238,080 --------- C:\Windows\System32\mwgfx24.dll
2008-02-19 12:56 . 2008-01-06 15:05 190,464 --------- C:\Windows\System32\mwgfx.dll
2008-02-19 12:56 . 2008-01-09 13:43 104,960 --------- C:\Windows\System32\mwdds.dll
2008-02-19 12:56 . 2004-05-14 12:13 56,832 --------- C:\Windows\System32\mwace.dll
2008-02-19 12:56 . 2007-08-19 10:37 28,672 --------- C:\Windows\System32\mwgfxcopy.exe
2008-02-16 15:36 . 2008-02-16 15:36 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Intel
2008-02-15 16:43 . 2008-01-09 22:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 14:53 . 2008-03-03 18:15 1,328 --a------ C:\FSUIPC_reg.bin
2008-02-13 01:03 . 2008-02-13 01:03 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 01:03 . 2008-02-13 01:03 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 01:01 . 2008-02-13 01:01 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 01:01 . 2008-02-13 01:01 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 01:01 . 2008-02-13 01:01 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 01:01 . 2008-02-13 01:01 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 01:01 . 2008-02-13 01:01 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 01:01 . 2008-02-13 01:01 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 01:01 . 2008-02-13 01:01 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-02-13 01:00 . 2008-02-13 01:00 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 01:00 . 2008-02-13 01:00 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 01:00 . 2008-02-13 01:00 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 01:00 . 2008-02-13 01:00 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 01:00 . 2008-02-13 01:00 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 01:00 . 2008-02-13 01:00 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 01:00 . 2008-02-13 01:00 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-12 23:22 . 2008-02-12 23:22 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-02-12 23:17 . 2008-02-13 00:55 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Winamp
2008-02-12 23:17 . 2008-02-12 23:18 <DIR> d-------- C:\Program Files\Winamp
2008-02-12 23:17 . 2007-03-07 16:51 129,784 --------- C:\Windows\System32\pxafs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 08:46 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-03-09 22:28 --------- d-----w C:\Program Files\DNA
2008-03-04 06:55 --------- d-----w C:\Users\Colin\AppData\Roaming\BitTorrent
2008-03-04 06:07 13,025 ----a-w C:\Users\Colin\AppData\Roaming\nvModes.dat
2008-03-04 05:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 05:44 --------- d-----w C:\Users\Colin\AppData\Roaming\FrostWire
2008-02-29 22:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-28 22:31 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-02-28 07:17 --------- d-----w C:\Program Files\MSBuild
2008-02-14 00:32 --------- d-----w C:\PROGRA~2\Messenger Plus!
2008-02-13 08:00 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 08:00 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 08:00 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 08:00 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 07:57 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 07:57 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 07:57 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 07:57 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-07 02:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 01:26 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-07 01:26 --------- d-----w C:\PROGRA~2\Macrovision
2008-02-07 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 08:42 --------- d-----w C:\PROGRA~2\FLEXnet
2008-02-06 00:01 --------- d-----w C:\Program Files\Real Environment Pro
2008-02-05 02:37 --------- d-----w C:\Program Files\Google
2008-02-05 02:23 693,792 ----a-w C:\Windows\System32\OGACheckControl.DLL
2008-02-04 23:11 --------- d-----w C:\Program Files\DivX
2008-01-26 20:44 12,400 ----a-w C:\Windows\system32\drivers\secdrv.sys
2008-01-15 23:54 --------- d-----w C:\Users\Colin\AppData\Roaming\PeerNetworking
2008-01-09 21:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-08 19:57 74,752 ----a-w C:\Windows\ST6UNST.EXE
2008-01-08 19:57 253,952 ------w C:\Windows\Setup1.exe
2007-12-21 21:54 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-21 21:53 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-21 21:53 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-04 20:40 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon]
@={A825576B-0042-4F0F-8FB0-93CE0F054E69}

[HKEY_CLASSES_ROOT\CLSID\{A825576B-0042-4F0F-8FB0-93CE0F054E69}]
2006-12-11 17:27 147456 --a------ C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2007-01-05 16:01 806912]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.exe" [2006-10-26 14:53 32560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-14 10:07 4390912 C:\Windows\RtHDVCpl.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 10:31 630784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 06:24 857648]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-02 02:22 56080 C:\Windows\KHALMNPR.Exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 14:37 174872]
"DirectMessenger"="C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE" [2007-02-01 20:58 987648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-07-30 23:28:30 991600]
SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2007-07-30 23:34:30 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
backup=C:\Windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Colin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0468f013]
C:\Windows\system32\tsykfjjl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-03-03 23:52 287040 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM075bc38f]
C:\Windows\system32\rrhikdum.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkMail]
--a------ 2007-03-20 18:12 741376 C:\Program Files\ChkMail\ChkMail\ChkMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-26 11:42 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Windows\system32\khhii.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-26 12:12 161328 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2007-01-15 15:17 778240 C:\Program Files\PowerForPhone\PowerForPhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EBC9C276-8866-4936-B37E-B5A03F010851}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2C3021C5-5994-44FA-A85A-F6F17DDCA18C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|
"{39CDA52E-6E08-4830-90DA-641A7C03A9AA}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{14CB9DC3-1A03-4657-BF91-AF5C5D37D44D}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{00BEF18D-DF13-4696-B63E-BCA765807ACC}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{27831563-5EA6-4477-A48E-31CC2EE6969E}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{935B1EDB-6A12-4295-9F1C-99112A08371C}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{6276A1E3-FEFD-4373-9FF9-B113B8BD36E1}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"TCP Query User{4A110543-D3E6-479C-AD92-FCA87A495355}C:\windows\system32\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server|Desc=Microsoft DirectPlay8 Server
"UDP Query User{116C37C7-7E2A-48A6-A963-C63E69927D5B}C:\windows\system32\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server|Desc=Microsoft DirectPlay8 Server
"TCP Query User{ACA228CC-0F8C-4A0E-854E-E34180FD7F06}C:\program files\squawkbox3\squawkbox.exe"= UDP:C:\program files\squawkbox3\squawkbox.exe:squawkbox.exe|Desc=squawkbox.exe
"UDP Query User{FF194837-F8BC-40D6-AA93-2A07EEC191F9}C:\program files\squawkbox3\squawkbox.exe"= TCP:C:\program files\squawkbox3\squawkbox.exe:squawkbox.exe|Desc=squawkbox.exe
"TCP Query User{F1C151AB-830C-4AD3-88BC-E0EF1762B08D}C:\program files\microsoft games\flight simulator 9\fs9.exe"= UDP:C:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator|Desc=Microsoft Flight Simulator
"UDP Query User{BBA073CD-194F-4BCE-B8EE-84632EBBEE9C}C:\program files\microsoft games\flight simulator 9\fs9.exe"= TCP:C:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator|Desc=Microsoft Flight Simulator
"TCP Query User{717A03CC-CFA0-4D54-A0A9-F656182327B8}C:\users\colin\documents\mudmasterbuild27\mudmaster.exe"= UDP:C:\users\colin\documents\mudmasterbuild27\mudmaster.exe:mudmaster.exe|Desc=mudmaster.exe
"UDP Query User{48FB2C95-7553-49B1-A642-AE5B6C0C67BF}C:\users\colin\documents\mudmasterbuild27\mudmaster.exe"= TCP:C:\users\colin\documents\mudmasterbuild27\mudmaster.exe:mudmaster.exe|Desc=mudmaster.exe
"TCP Query User{83A01532-821C-48E5-B15C-8125873AD264}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{68F06ED9-46C2-4099-B6ED-57EC5CA370E3}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{B24F5BA9-400C-4C06-BAD4-DF182D4E0DB0}C:\program files\bitlord\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
"UDP Query User{0D9D90DA-08DC-4CB2-AD37-DA33287B681C}C:\program files\bitlord\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
"TCP Query User{7EFF02C1-4B0A-428F-B91F-14EBB354A8AC}C:\program files\asrc\asrc.exe"= UDP:C:\program files\asrc\asrc.exe:ASRC executable|Desc=ASRC executable
"UDP Query User{6D0326CD-069F-4AE2-B5B7-2738672560CE}C:\program files\asrc\asrc.exe"= TCP:C:\program files\asrc\asrc.exe:ASRC executable|Desc=ASRC executable
"TCP Query User{ACEE2FA6-5E2B-4FD7-9532-4B7E642E114A}C:\program files\advanced voice client\avc.exe"= UDP:C:\program files\advanced voice client\avc.exe:VATSIM Advanced Voice Client|Desc=VATSIM Advanced Voice Client
"UDP Query User{329F1794-8150-44FF-A6AD-FAB2BAC84EAE}C:\program files\advanced voice client\avc.exe"= TCP:C:\program files\advanced voice client\avc.exe:VATSIM Advanced Voice Client|Desc=VATSIM Advanced Voice Client
"{1B74D0C9-EFF7-4A59-A632-955BFC4F49DD}"= UDP:24469:BitComet 24469 TCP
"{E641CF57-7603-43C2-9A07-1E966EA325B0}"= TCP:24469:BitComet 24469 UDP
"TCP Query User{F7C9E664-30DA-4C1F-AD7A-0E53C4A09894}C:\program files\bitcomet\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client|Desc=BitComet - a BitTorrent Client
"UDP Query User{550871E9-F60E-48F6-AB69-91236EA7F4CE}C:\program files\bitcomet\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client|Desc=BitComet - a BitTorrent Client
"{B5BFBCB6-ED36-493E-8767-46A23669E20E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9E148F33-A4BC-4F0B-A4F6-4C48FF6F5EC1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{984A9587-FFB5-4B29-B869-ECB17FE05DDC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{87EDB76E-8C35-4629-BF06-8C21C39D2132}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{CB1E2BEA-57BA-4585-84F0-3CDC019D05DB}C:\program files\secondlife\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice|Desc=SLVoice
"UDP Query User{39B1761A-704A-4F15-8DD7-54581176BFA0}C:\program files\secondlife\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice|Desc=SLVoice
"TCP Query User{DF8A89E6-F153-4CE2-9C62-BD65B09594B0}C:\program files\wolfquest\wolfquest.exe"= UDP:C:\program files\wolfquest\wolfquest.exe:WolfQuest|Desc=WolfQuest
"UDP Query User{AC070987-270A-4E08-9EAF-387A83DB764F}C:\program files\wolfquest\wolfquest.exe"= TCP:C:\program files\wolfquest\wolfquest.exe:WolfQuest|Desc=WolfQuest

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 AsDsm;AsDsm;C:\Windows\system32\drivers\AsDsm.sys [2007-04-24 17:28]
R2 ADSMService;ADSM Service;C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe [2007-02-16 19:48]
R2 ASLDRService;ASLDR Service;C:\Program Files\ATK Hotkey\ASLDRSrv.exe [2007-02-05 18:13]
R2 ASMMAP;ASMMAP;C:\Program Files\ATKGFNEX\ASMMAP.sys [2007-02-05 04:53]
R2 ATKGFNEXSrv;ATKGFNEX Service;C:\Program Files\ATKGFNEX\GFNEXSrv.exe [2007-03-09 19:57]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 06:14]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-03-29 20:30]
S2 ghaio;ghaio;C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [2006-11-15 03:02]
S3 lvupdtio;lvupdtio;C:\Program Files\ASUS\ASUS Live Update\SYS64\lvupdtio.sys [2006-11-08 15:44]
S3 NETw3v32;Intel(R) PRO/Wireless 3945BG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 00:30]
S3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-01-15 07:28]
S3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 02:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 03:59:59 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Colin.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 01:46:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
-> C:\Program Files\ASUS\ASUS Direct Console\MSNHOOK.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\WLANExt.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-03-12 1:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 08:49:23
.
2008-02-28 09:21:19 --- E O F ---

==========================================================================
==========================================================================


(¯`·._.·[ Hijack This Log ]·._.·´¯)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:42 AM, on 12/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Colin\Desktop\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resourc ... den-ca.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7398 bytes
railker
Regular Member
 
Posts: 17
Joined: March 6th, 2008, 6:38 pm

Re: HJT Log from Canada::

Unread postby chryssi2001 » March 12th, 2008, 4:51 pm

Hello railker,

Please follow my instructions. I keep repeating the same instructions and it's like you don't want to read and follow them.
Do you still want to clean your pc? If you do, just follow my instructions and do everything in the order I post them.

Otherwise let me know.

If I see you still continue to ignore my posts and do half of the things I post to you, I am not going to continue helping you.

If there is a problem and you can do what I tell you, please tell me so!
----------------------------------------------------
No wonder you are so heavily infected. You use a lot of P2P programs.
As much as we try to clean your pc, as soon as we clean it, it will get re-infected again.
You have open ports in your firewall for them, and they are bringing infections to your pc.
I will close the open ports for the P2P programs to keep the infections out, so please remove them as per my instructions below.
If you decide to install them after we clean your pc and you are infected again it's your own decision.
----------------------------------------------------
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent DNA
BitComet
BitLord
BitTorrent
PeerNetworking


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Please uninstall them all via Add/Remove programs.
Also uninstall Vundofix.
----------------------------------------------------
You still didn't use the link I gave you to uninstall Symantec.
Please use it and remove the remnants of Symantec.

REMOVE NORTON

Please click HERE and follow the instructions to download and run the Norton removal tool for your own version.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
----------------------------------------------------
Disable Ad-Aware Ad-Watch

  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: This will turn Ad-Watch On\Off without closing it
    • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both of those boxes. You can enable these after resolving your problem.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


Then close all windows except Hijackthis and click Fix Checked

Please reopen Hijackthis, or click the back button if it's still open.

Now click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.

Symantec Core LC
VundoFixSvc


Close HijackThis.
----------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\Windows\System32\qivgspxi.ini
    C:\Windows\System32\cwgrghdu.ini
    C:\Windows\System32\khgawgxa.ini
    C:\Windows\System32\jaumlgvc.ini
    C:\Windows\System32\jfxgowdx.ini
    C:\Windows\System32\bwpjkfhs.dllbox
    C:\Windows\System32\3282.bat
    C:\Windows\System32\5571.bat
    C:\Windows\System32\kpwznbpb.dllbox
    C:\Windows\System32\7892.bat
    C:\Windows\system32\tsykfjjl.dll
    C:\Windows\system32\rrhikdum.dll
    C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Colin.job
    C:\Windows\SYSTEM32\VundoFixSVC.exe
    
    Folder::
    C:\Program Files\DNA
    C:\Program Files\BitComet
    C:\Program Files\BitLord
    C:\Users\Colin\AppData\Roaming\BitTorrent
    C:\Users\Colin\AppData\Roaming\PeerNetworking
    C:\Program Files\BitTorrent
    C:\Program Files\FrostWire
    C:\Program Files\Common Files\Symantec Shared
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0468f013]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM075bc38f]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{39CDA52E-6E08-4830-90DA-641A7C03A9AA}"=-
    "{14CB9DC3-1A03-4657-BF91-AF5C5D37D44D}"=-
    "{00BEF18D-DF13-4696-B63E-BCA765807ACC}"=-
    "{27831563-5EA6-4477-A48E-31CC2EE6969E}"=-
    "{935B1EDB-6A12-4295-9F1C-99112A08371C}"=-
    "{6276A1E3-FEFD-4373-9FF9-B113B8BD36E1}"=-
    "TCP Query User{B24F5BA9-400C-4C06-BAD4-DF182D4E0DB0}C:\program files\bitlord\bitlord.exe"=-
    "UDP Query User{0D9D90DA-08DC-4CB2-AD37-DA33287B681C}C:\program files\bitlord\bitlord.exe"=-
    "{1B74D0C9-EFF7-4A59-A632-955BFC4F49DD}"=-
    "{E641CF57-7603-43C2-9A07-1E966EA325B0}"=-
    "TCP Query User{F7C9E664-30DA-4C1F-AD7A-0E53C4A09894}C:\program files\bitcomet\bitcomet.exe"=-
    "UDP Query User{550871E9-F60E-48F6-AB69-91236EA7F4CE}C:\program files\bitcomet\bitcomet.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\BitTorrent\bittorrent.exe"=-
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------------
Run HijackThis again.
----------------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Tell me how the pc behaves.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
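The CFScript above was built by hand from the ComboFix dump: the startupreg keys that load a bare DLL out of system32 become [-key] lines, and the FirewallRules values for the P2P clients become "name"=- lines. As an added example (not part of this thread, and not ComboFix's or MalwareRemoval.com's own code), the Python below parses a dump in that format, flags the settings that had been weakened on this machine (EnableLUA=0, the Security Center DisableNotify / DisableMonitoring / AntiVirusOverride values set to 1, and startup entries pointing at a DLL in system32 with no file metadata printed beside it) and renders the matching Registry:: deletion lines. The sample dump is constructed to mirror the shape of the log posted above; the flagging heuristics and the list of program paths are this example's own assumptions.

```python
"""Triage a ComboFix-style registry dump and build a CFScript 'Registry::' section.

Added example, not part of the forum post or of ComboFix itself. The sample dump
is constructed to mirror the posted log; the heuristics are assumptions.
"""
import re

# Constructed sample in the shape of the dump posted in the thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0468f013]
C:\Windows\system32\tsykfjjl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-26 11:42 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{39CDA52E-6E08-4830-90DA-641A7C03A9AA}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"TCP Query User{B24F5BA9-400C-4C06-BAD4-DF182D4E0DB0}C:\program files\bitlord\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
"{EBC9C276-8866-4936-B37E-B5A03F010851}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Attribute/date/size prefix the dump prints in front of a path it could stat,
# e.g. "--a------ 2008-03-03 23:52 287040 C:\Program Files\DNA\btdna.exe".
STAT_PREFIX_RE = re.compile(r"^[-a-z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+")


def parse_dump(text):
    """Return {section_key: [(name_or_None, value), ...]} for a [key] / "name"=value dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("value").strip()))
        else:  # bare line under a key (startupreg prints the target path this way)
            sections[current].append((None, line))
    return sections


def triage(sections):
    """Flag weakened defences and suspicious autostarts as (category, key, detail) tuples."""
    findings = []
    for key, entries in sections.items():
        low = key.lower()
        for name, value in entries:
            v = value.lower()
            if low.endswith(r"policies\system") and name == "EnableLUA" and v.startswith("0"):
                findings.append(("uac-disabled", key, "EnableLUA=0"))
            elif "security center" in low and name and v.endswith("00000001") and (
                    name.endswith("DisableNotify")
                    or name in ("DisableMonitoring", "AntiVirusOverride")):
                findings.append(("security-center-suppressed", key, f"{name}=1"))
            elif r"msconfig\startupreg" in low and name is None and (
                    not STAT_PREFIX_RE.match(value)
                    and v.endswith(".dll") and "\\system32\\" in v):
                # Heuristic (assumption): a startup entry that is just a DLL path in
                # system32, with no file metadata printed, deserves a closer look.
                findings.append(("startupreg-bare-dll", key, value))
    return findings


def firewall_rules_for(sections, program_fragments):
    """Return (key, rule_name) for FirewallRules values that reference a listed program path."""
    hits = []
    for key, entries in sections.items():
        if not key.lower().endswith(r"firewallpolicy\firewallrules"):
            continue
        for name, value in entries:
            if name and any(frag.lower() in value.lower() for frag in program_fragments):
                hits.append((key, name))
    return hits


def cfscript_registry_block(delete_keys, delete_values):
    """Render a CFScript 'Registry::' section: [-key] removes a whole key,
    "name"=- removes one value under the preceding [key] line."""
    lines = ["Registry::"]
    lines.extend(f"[-{k}]" for k in delete_keys)
    by_key = {}
    for key, name in delete_values:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    sections = parse_dump(SAMPLE_DUMP)
    findings = triage(sections)
    for cat, key, detail in findings:
        print(f"[{cat}] {detail}  ({key})")
    bad_keys = [k for c, k, _ in findings if c == "startupreg-bare-dll"]
    # Assumed list of P2P client paths to strip from the firewall policy.
    hits = firewall_rules_for(sections, [r"\DNA\btdna.exe", r"\bitlord\bitlord.exe"])
    print(cfscript_registry_block(bad_keys, hits))
```

The rendered block uses the same [-key] and "name"=- forms as the script posted above. Review the output by hand before dragging it onto ComboFix: a firewall rule that mentions a path, or a bare DLL under startupreg, is a lead to check, not proof that the file is malicious.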

Re: HJT Log from Canada::

Unread postby railker » March 12th, 2008, 5:26 pm

Alright, before I even read the second half of your post, I'm going to settle a couple of things.

I have removed and uninstalled all P2P programs. Whatever you're seeing is remnants I can't find or that were left in place by the program after the uninstall. All those programs were at one time on my computer, but I haven't used since the infection and will not use P2P. That's it, that's all. If there's something left, tell me where it is and how to get rid of it, because if I knew, I would've done it myself already. And of course there's holes in my firewall, I've also removed and disabled and wiped out all signs of Anti-Virus as far as I can with Add-Remove programs and the host uninstall program. Which also covers your third point. I do not have Norton, either. I don't know how that got there. Nor can I use the Norton uninstall tool you gave me because I HAVE NO IDEA WHICH VERSION OF NORTON WAS INSTALLED BECAUSE I NEVER INSTALLED IT. Which makes your link rather useless.

I didn't go to University and get a degree on computer technology, so stop pretending everyone else should know as much as you or else they're stupid. I'm not computer incompetent, but I'm not highly skilled either.

I followed your last post exactly. As far as my computer's performance goes, it's been running well since I ran ComboFix the first time. I can access My Documents and Windows Explorer, no problems, no popups. Don't go and whine because I didn't follow your last post because "VundoFixSvc" is still in the HJT log. I 'Fix Checked' and went to remove NT Service, and it would say it's running. Chicken and egg situation. I have to disable it to remove it, but whenever I disable it, it comes back up.

===========

ComboFix 08-03-10.1 - Colin 2008-03-12 14:37:46.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1139 [GMT -7:00]
Running from: C:\Users\Colin\Desktop\ComboFix.exe
Command switches used :: C:\Users\Colin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\3282.bat
C:\Windows\System32\5571.bat
C:\Windows\System32\7892.bat
C:\Windows\System32\bwpjkfhs.dllbox
C:\Windows\System32\cwgrghdu.ini
C:\Windows\System32\jaumlgvc.ini
C:\Windows\System32\jfxgowdx.ini
C:\Windows\System32\khgawgxa.ini
C:\Windows\System32\kpwznbpb.dllbox
C:\Windows\System32\qivgspxi.ini
C:\Windows\system32\rrhikdum.dll
C:\Windows\system32\tsykfjjl.dll
C:\Windows\SYSTEM32\VundoFixSVC.exe
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Colin.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BitComet
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BitComet\BitComet.xml
C:\Program Files\BitComet\cache\post_info.xml
C:\Program Files\BitComet\cache\rss_index.xml
C:\Program Files\BitComet\Downloads.xml
C:\Program Files\BitComet\Favourite.xml
C:\Program Files\BitComet\rules\dhtnodes.dat
C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
C:\Program Files\BitComet\tools\UPNP.exe
C:\Program Files\BitComet\torrents\FS2004 - PMDG - 737NG - 800-900.torrent
C:\Program Files\BitComet\torrents\FS2004 - PMDG - 737NG - 800-900.xml
C:\Program Files\BitComet\torrents\swat 4.rar.torrent
C:\Program Files\BitComet\torrents\swat 4.rar.xml
C:\Program Files\BitLord
C:\Program Files\BitLord\BitLord.xml
C:\Program Files\BitLord\Downloads.xml
C:\Program Files\BitLord\Downloads\Ad-Aware 2007 + working crack.rar.bc!
C:\Program Files\BitLord\Downloads\Microsoft Office 2007 Complete Version + CD Key\Microsoft Office 2007 Complete Version + CD Key.uif
C:\Program Files\BitLord\Downloads\Microsoft Office 2007 Complete Version + CD Key\Readme.txt
C:\Program Files\BitLord\Downloads\Microsoft Office 2007 Complete Version + CD Key\tracked_by_h33t_com.txt
C:\Program Files\BitLord\Downloads\PMDG - 737-800-900 V1-1.Retail.rar
C:\Program Files\BitLord\lang\lang_ar_ae.xml
C:\Program Files\BitLord\lang\lang_bg_bg.xml
C:\Program Files\BitLord\lang\lang_ca_es.xml
C:\Program Files\BitLord\lang\lang_cz_cz.xml
C:\Program Files\BitLord\lang\lang_da_dk.xml
C:\Program Files\BitLord\lang\lang_de_de.xml
C:\Program Files\BitLord\lang\lang_el_gr.xml
C:\Program Files\BitLord\lang\lang_en_us.xml
C:\Program Files\BitLord\lang\lang_es_ar.xml
C:\Program Files\BitLord\lang\lang_es_es.xml
C:\Program Files\BitLord\lang\lang_et_ee.xml
C:\Program Files\BitLord\lang\lang_fi_fi.xml
C:\Program Files\BitLord\lang\lang_fr_fr.xml
C:\Program Files\BitLord\lang\lang_gl_es.xml
C:\Program Files\BitLord\lang\lang_he_il.xml
C:\Program Files\BitLord\lang\lang_hu_hu.xml
C:\Program Files\BitLord\lang\lang_it_it.xml
C:\Program Files\BitLord\lang\lang_jp_jp.xml
C:\Program Files\BitLord\lang\lang_ko_kr.xml
C:\Program Files\BitLord\lang\lang_nb_no.xml
C:\Program Files\BitLord\lang\lang_nl_nl.xml
C:\Program Files\BitLord\lang\lang_pl_pl.xml
C:\Program Files\BitLord\lang\lang_pt_br.xml
C:\Program Files\BitLord\lang\lang_pt_pt.xml
C:\Program Files\BitLord\lang\lang_ro_ro.xml
C:\Program Files\BitLord\lang\lang_ru_ru.xml
C:\Program Files\BitLord\lang\lang_sk_sk.xml
C:\Program Files\BitLord\lang\lang_sl_si.xml
C:\Program Files\BitLord\lang\lang_sr_sr.xml
C:\Program Files\BitLord\lang\lang_sv_se.xml
C:\Program Files\BitLord\lang\lang_th_th.xml
C:\Program Files\BitLord\lang\lang_tr_tr.xml
C:\Program Files\BitLord\lang\lang_va_es.xml
C:\Program Files\BitLord\lang\lang_zh_tw.xml
C:\Program Files\BitLord\rules\ipfilter.dat
C:\Program Files\BitLord\Torrents\Ad-Aware 2007 + working crack.rar.torrent
C:\Program Files\BitLord\Torrents\Ad-Aware 2007 + working crack.rar.xml
C:\Program Files\BitLord\Torrents\PMDG - 737-800-900 V1-1.Retail.rar.torrent
C:\Program Files\BitLord\Torrents\PMDG - 737-800-900 V1-1.Retail.rar.xml
C:\Program Files\DNA
C:\Program Files\DNA\btdna.exe
C:\Users\Colin\AppData\Roaming\BitTorrent
C:\Users\Colin\AppData\Roaming\BitTorrent\dht.dat
C:\Users\Colin\AppData\Roaming\BitTorrent\Emergency3.exe.torrent
C:\Users\Colin\AppData\Roaming\BitTorrent\resume.dat
C:\Users\Colin\AppData\Roaming\BitTorrent\resume.dat.old
C:\Users\Colin\AppData\Roaming\BitTorrent\settings.dat
C:\Users\Colin\AppData\Roaming\PeerNetworking
C:\Windows\System32\3282.bat
C:\Windows\System32\5571.bat
C:\Windows\System32\7892.bat
C:\Windows\System32\bwpjkfhs.dllbox
C:\Windows\System32\cwgrghdu.ini
C:\Windows\System32\jaumlgvc.ini
C:\Windows\System32\jfxgowdx.ini
C:\Windows\System32\khgawgxa.ini
C:\Windows\System32\kpwznbpb.dllbox
C:\Windows\System32\qivgspxi.ini
C:\Windows\SYSTEM32\VundoFixSVC.exe
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Colin.job

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-12 01:12 . 2007-12-16 15:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-03-12 01:12 . 2007-12-16 02:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-03-11 13:47 . 2008-03-12 02:49 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-11 13:47 . 2008-03-11 13:48 1,409 --a------ C:\Windows\QTFont.for
2008-03-11 13:46 . 2008-03-11 13:47 <DIR> d-------- C:\Program Files\QuickTime
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\PROGRA~2\Apple Computer
2008-03-11 13:46 . 2008-03-11 13:46 <DIR> d-------- C:\PROGRA~2\Apple
2008-03-10 02:40 . 2008-03-11 15:09 <DIR> d-------- C:\Program Files\WolfQuest
2008-03-09 15:54 . 2008-03-09 15:54 <DIR> d-------- C:\Program Files\Sun
2008-03-09 15:48 . 2008-03-09 15:53 <DIR> d-------- C:\Program Files\Java
2008-03-09 15:48 . 2008-03-09 15:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-09 04:06 . 2008-03-09 04:06 <DIR> d-------- C:\_OTMoveIt
2008-03-09 03:34 . 2008-03-09 03:34 198,656 --a------ C:\Windows\System32\comdlg32.ocx
2008-03-06 15:22 . 2008-03-11 14:21 <DIR> d-------- C:\VundoFix Backups
2008-03-06 13:58 . 2008-03-09 15:16 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2008-03-06 12:22 . 2008-03-06 12:21 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-03-06 12:21 . 2008-03-06 13:29 <DIR> d-------- C:\Users\Colin\.housecall6.6
2008-03-04 01:02 . 2008-03-04 01:02 1,158 --a------ C:\Windows\mozver.dat
2008-03-03 22:42 . 2008-03-09 15:24 <DIR> d-------- C:\PROGRA~2\SiteAdvisor
2008-03-03 22:21 . 2008-03-09 15:27 <DIR> d-------- C:\PROGRA~2\McAfee
2008-03-03 21:32 . 2008-03-03 21:32 0 --a------ C:\Windows\nsreg.dat
2008-03-03 03:50 . 2008-03-03 03:51 <DIR> d-------- C:\Users\Colin\AppData\Roaming\SecondLife
2008-02-29 14:57 . 2008-02-29 15:07 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Ahead
2008-02-29 03:17 . 2008-03-03 20:59 <DIR> d--hs---- C:\Users\Colin\'
2008-02-29 03:12 . 2008-02-29 22:55 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-02-29 02:56 . 2008-03-03 22:37 <DIR> d-------- C:\PROGRA~2\Lavasoft
2008-02-28 12:36 . 2008-02-28 12:44 <DIR> d-------- C:\Program Files\MpcStar
2008-02-28 00:25 . 2008-02-28 00:25 <DIR> d-------- C:\PROGRA~2\Office Genuine Advantage
2008-02-28 00:18 . 2006-10-26 20:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-02-28 00:12 . 2008-02-28 00:12 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-27 16:33 . 2008-02-27 17:03 1,942 --a------ C:\Windows\asrc.ini
2008-02-27 14:29 . 2008-02-27 14:29 100,464 --a------ C:\Windows\System32\ICKHTTPS2.OCX
2008-02-26 23:52 . 2008-02-26 23:52 327,662,570 --a------ C:\Windows\MEMORY.DMP
2008-02-19 12:56 . 2008-02-19 12:56 <DIR> d-------- C:\Graphics
2008-02-19 12:56 . 2005-11-13 02:28 238,080 --------- C:\Windows\System32\mwgfx24.dll
2008-02-19 12:56 . 2008-01-06 15:05 190,464 --------- C:\Windows\System32\mwgfx.dll
2008-02-19 12:56 . 2008-01-09 13:43 104,960 --------- C:\Windows\System32\mwdds.dll
2008-02-19 12:56 . 2004-05-14 12:13 56,832 --------- C:\Windows\System32\mwace.dll
2008-02-19 12:56 . 2007-08-19 10:37 28,672 --------- C:\Windows\System32\mwgfxcopy.exe
2008-02-16 15:36 . 2008-02-16 15:36 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Intel
2008-02-15 16:43 . 2008-01-09 22:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 14:53 . 2008-03-03 18:15 1,328 --a------ C:\FSUIPC_reg.bin
2008-02-13 01:03 . 2008-02-13 01:03 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 01:03 . 2008-02-13 01:03 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 01:01 . 2008-02-13 01:01 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 01:01 . 2008-02-13 01:01 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 01:01 . 2008-02-13 01:01 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 01:01 . 2008-02-13 01:01 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 01:01 . 2008-02-13 01:01 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 01:01 . 2008-02-13 01:01 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 01:01 . 2008-02-13 01:01 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-02-13 01:00 . 2008-02-13 01:00 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 01:00 . 2008-02-13 01:00 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 01:00 . 2008-02-13 01:00 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 01:00 . 2008-02-13 01:00 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 01:00 . 2008-02-13 01:00 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 01:00 . 2008-02-13 01:00 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 01:00 . 2008-02-13 01:00 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-12 23:22 . 2008-02-12 23:22 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-02-12 23:17 . 2008-02-13 00:55 <DIR> d-------- C:\Users\Colin\AppData\Roaming\Winamp
2008-02-12 23:17 . 2008-02-12 23:18 <DIR> d-------- C:\Program Files\Winamp
2008-02-12 23:17 . 2007-03-07 16:51 129,784 --------- C:\Windows\System32\pxafs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 10:16 --------- d-----w C:\Program Files\Windows Mail
2008-03-12 10:04 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-03-12 08:46 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-03-04 06:07 13,025 ----a-w C:\Users\Colin\AppData\Roaming\nvModes.dat
2008-03-04 05:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 05:44 --------- d-----w C:\Users\Colin\AppData\Roaming\FrostWire
2008-02-29 22:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-28 07:17 --------- d-----w C:\Program Files\MSBuild
2008-02-14 00:32 --------- d-----w C:\PROGRA~2\Messenger Plus!
2008-02-13 08:00 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 08:00 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 08:00 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 08:00 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 07:57 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 07:57 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 07:57 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 07:57 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-07 02:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 01:26 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-07 01:26 --------- d-----w C:\PROGRA~2\Macrovision
2008-02-07 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 08:42 --------- d-----w C:\PROGRA~2\FLEXnet
2008-02-06 00:01 --------- d-----w C:\Program Files\Real Environment Pro
2008-02-05 02:37 --------- d-----w C:\Program Files\Google
2008-02-05 02:23 693,792 ----a-w C:\Windows\System32\OGACheckControl.DLL
2008-02-04 23:11 --------- d-----w C:\Program Files\DivX
2008-01-26 20:44 12,400 ----a-w C:\Windows\system32\drivers\secdrv.sys
2008-01-09 21:33 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-08 19:57 74,752 ----a-w C:\Windows\ST6UNST.EXE
2008-01-08 19:57 253,952 ------w C:\Windows\Setup1.exe
2007-12-21 21:54 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-21 21:53 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-21 21:53 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-04 20:40 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_ 1.49.02.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-12 08:45:53 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-12 21:34:19 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-02-13 08:31:01 665,600 ----a-w C:\Windows\inf\drvindex.dat
+ 2008-03-12 10:16:51 665,600 ----a-w C:\Windows\inf\drvindex.dat
- 2008-02-13 08:31:36 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-03-12 10:16:51 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-02-13 08:31:36 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-03-12 10:16:50 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-02-13 08:31:36 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-03-12 10:16:50 86,016 ----a-w C:\Windows\inf\infstrng.dat
- 2008-02-28 09:21:09 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-03-12 10:03:59 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-02-28 09:21:09 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-03-12 10:03:59 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-02-28 09:21:09 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-03-12 10:03:59 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-02-28 09:21:09 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-03-12 10:03:59 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-02-28 09:21:09 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-03-12 10:03:59 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-02-28 09:21:09 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-03-12 10:03:59 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-02-28 09:21:09 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-03-12 10:03:59 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-02-28 09:21:09 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-03-12 10:03:59 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-02-28 09:21:09 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-03-12 10:03:59 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-02-28 09:21:09 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-03-12 10:03:59 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-02-28 09:21:09 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-03-12 10:03:59 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-02-28 09:21:09 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-03-12 10:03:59 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-02-13 08:01:13 1,165,584 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-03-12 10:04:12 1,165,584 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
- 2008-02-13 08:01:13 20,240 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-03-12 10:04:12 20,240 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-02-13 08:01:13 217,864 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
+ 2008-03-12 10:04:12 217,864 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
- 2008-02-13 08:01:13 18,704 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-03-12 10:04:12 18,704 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-02-13 08:01:13 35,088 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-03-12 10:04:13 35,088 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-02-13 08:01:13 845,584 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-03-12 10:04:12 845,584 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
- 2008-02-13 08:01:13 922,384 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-03-12 10:04:12 922,384 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
- 2008-02-13 08:01:13 272,648 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-03-12 10:04:12 272,648 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
- 2008-02-13 08:01:13 888,080 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-03-12 10:04:13 888,080 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-02-13 08:01:13 1,172,240 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-03-12 10:04:12 1,172,240 ----a-r C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-03-12 08:12:32 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-03-12 21:35:32 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-03-12 08:46:11 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-12 21:36:28 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-12 21:36:28 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-03-12 08:40:27 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-03-12 21:37:20 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-03-12 08:46:11 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-12 21:36:22 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-12 21:36:22 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-03-12 08:40:23 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-12 21:09:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-12 08:40:23 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-12 21:09:40 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-12 08:40:23 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-12 21:09:40 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-12-16 09:56:45 41,984 ----a-w C:\Windows\System32\DriverStore\FileRepository\monitor.inf_1a316eff\monitor.sys
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\Windows\System32\mrt.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\Windows\System32\mrt.exe
- 2008-03-12 08:11:28 113,060 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-03-12 21:42:26 113,060 ----a-w C:\Windows\System32\perfc009.dat
- 2008-03-12 08:11:28 634,574 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-03-12 21:42:26 634,574 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-12 08:44:02 6,156,288 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-03-12 10:20:11 6,156,288 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2008-03-12 08:09:15 12,826 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3037727994-2318491079-2961448558-1000_UserData.bin
+ 2008-03-12 21:36:51 13,346 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3037727994-2318491079-2961448558-1000_UserData.bin
- 2008-03-12 08:09:15 77,656 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-12 21:36:51 77,868 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-12 08:09:12 53,138 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-12 21:36:49 53,310 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-12-16 22:50:41 1,060,920 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ntfs_31bf3856ad364e35_6.0.6000.16615_none_a4851c9d1fc8a346\ntfs.sys
+ 2007-12-16 22:52:59 1,061,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ntfs_31bf3856ad364e35_6.0.6000.20740_none_a4e9483239031830\ntfs.sys
+ 2008-01-15 00:00:51 2,414,136 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16643_none_f0799cac6e717dff\OESpamFilter.dat
+ 2008-01-15 00:00:38 2,414,136 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20778_none_f0e7cb2587a2f04f\OESpamFilter.dat
+ 2007-12-16 09:56:45 41,984 ----a-w C:\Windows\winsxs\x86_monitor.inf_31bf3856ad364e35_6.0.6000.16615_none_4117345983213804\monitor.sys
+ 2007-12-16 09:50:45 41,984 ----a-w C:\Windows\winsxs\x86_monitor.inf_31bf3856ad364e35_6.0.6000.20740_none_417b5fee9c5bacee\monitor.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon]
@={A825576B-0042-4F0F-8FB0-93CE0F054E69}

[HKEY_CLASSES_ROOT\CLSID\{A825576B-0042-4F0F-8FB0-93CE0F054E69}]
2006-12-11 17:27 147456 --a------ C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2007-01-05 16:01 806912]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.exe" [2006-10-26 14:53 32560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-14 10:07 4390912 C:\Windows\RtHDVCpl.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 10:31 630784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 06:24 857648]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-02 02:22 56080 C:\Windows\KHALMNPR.Exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 14:37 174872]
"DirectMessenger"="C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE" [2007-02-01 20:58 987648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-07-30 23:28:30 991600]
SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2007-07-30 23:34:30 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
backup=C:\Windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Colin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkMail]
--a------ 2007-03-20 18:12 741376 C:\Program Files\ChkMail\ChkMail\ChkMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-26 11:42 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-26 12:12 161328 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2007-01-15 15:17 778240 C:\Program Files\PowerForPhone\PowerForPhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EBC9C276-8866-4936-B37E-B5A03F010851}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2C3021C5-5994-44FA-A85A-F6F17DDCA18C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|
"TCP Query User{4A110543-D3E6-479C-AD92-FCA87A495355}C:\windows\system32\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server|Desc=Microsoft DirectPlay8 Server
"UDP Query User{116C37C7-7E2A-48A6-A963-C63E69927D5B}C:\windows\system32\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server|Desc=Microsoft DirectPlay8 Server
"TCP Query User{ACA228CC-0F8C-4A0E-854E-E34180FD7F06}C:\program files\squawkbox3\squawkbox.exe"= UDP:C:\program files\squawkbox3\squawkbox.exe:squawkbox.exe|Desc=squawkbox.exe
"UDP Query User{FF194837-F8BC-40D6-AA93-2A07EEC191F9}C:\program files\squawkbox3\squawkbox.exe"= TCP:C:\program files\squawkbox3\squawkbox.exe:squawkbox.exe|Desc=squawkbox.exe
"TCP Query User{F1C151AB-830C-4AD3-88BC-E0EF1762B08D}C:\program files\microsoft games\flight simulator 9\fs9.exe"= UDP:C:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator|Desc=Microsoft Flight Simulator
"UDP Query User{BBA073CD-194F-4BCE-B8EE-84632EBBEE9C}C:\program files\microsoft games\flight simulator 9\fs9.exe"= TCP:C:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator|Desc=Microsoft Flight Simulator
"TCP Query User{717A03CC-CFA0-4D54-A0A9-F656182327B8}C:\users\colin\documents\mudmasterbuild27\mudmaster.exe"= UDP:C:\users\colin\documents\mudmasterbuild27\mudmaster.exe:mudmaster.exe|Desc=mudmaster.exe
"UDP Query User{48FB2C95-7553-49B1-A642-AE5B6C0C67BF}C:\users\colin\documents\mudmasterbuild27\mudmaster.exe"= TCP:C:\users\colin\documents\mudmasterbuild27\mudmaster.exe:mudmaster.exe|Desc=mudmaster.exe
"TCP Query User{83A01532-821C-48E5-B15C-8125873AD264}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{68F06ED9-46C2-4099-B6ED-57EC5CA370E3}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{B24F5BA9-400C-4C06-BAD4-DF182D4E0DB0}C:\program files\bitlord\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
"UDP Query User{0D9D90DA-08DC-4CB2-AD37-DA33287B681C}C:\program files\bitlord\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
"TCP Query User{7EFF02C1-4B0A-428F-B91F-14EBB354A8AC}C:\program files\asrc\asrc.exe"= UDP:C:\program files\asrc\asrc.exe:ASRC executable|Desc=ASRC executable
"UDP Query User{6D0326CD-069F-4AE2-B5B7-2738672560CE}C:\program files\asrc\asrc.exe"= TCP:C:\program files\asrc\asrc.exe:ASRC executable|Desc=ASRC executable
"TCP Query User{ACEE2FA6-5E2B-4FD7-9532-4B7E642E114A}C:\program files\advanced voice client\avc.exe"= UDP:C:\program files\advanced voice client\avc.exe:VATSIM Advanced Voice Client|Desc=VATSIM Advanced Voice Client
"UDP Query User{329F1794-8150-44FF-A6AD-FAB2BAC84EAE}C:\program files\advanced voice client\avc.exe"= TCP:C:\program files\advanced voice client\avc.exe:VATSIM Advanced Voice Client|Desc=VATSIM Advanced Voice Client
"TCP Query User{F7C9E664-30DA-4C1F-AD7A-0E53C4A09894}C:\program files\bitcomet\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client|Desc=BitComet - a BitTorrent Client
"UDP Query User{550871E9-F60E-48F6-AB69-91236EA7F4CE}C:\program files\bitcomet\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client|Desc=BitComet - a BitTorrent Client
"{B5BFBCB6-ED36-493E-8767-46A23669E20E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9E148F33-A4BC-4F0B-A4F6-4C48FF6F5EC1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{984A9587-FFB5-4B29-B869-ECB17FE05DDC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{87EDB76E-8C35-4629-BF06-8C21C39D2132}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{CB1E2BEA-57BA-4585-84F0-3CDC019D05DB}C:\program files\secondlife\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice|Desc=SLVoice
"UDP Query User{39B1761A-704A-4F15-8DD7-54581176BFA0}C:\program files\secondlife\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice|Desc=SLVoice
"TCP Query User{DF8A89E6-F153-4CE2-9C62-BD65B09594B0}C:\program files\wolfquest\wolfquest.exe"= UDP:C:\program files\wolfquest\wolfquest.exe:WolfQuest|Desc=WolfQuest
"UDP Query User{AC070987-270A-4E08-9EAF-387A83DB764F}C:\program files\wolfquest\wolfquest.exe"= TCP:C:\program files\wolfquest\wolfquest.exe:WolfQuest|Desc=WolfQuest

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 AsDsm;AsDsm;C:\Windows\system32\drivers\AsDsm.sys [2007-04-24 17:28]
R2 ADSMService;ADSM Service;C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe [2007-02-16 19:48]
R2 ASLDRService;ASLDR Service;C:\Program Files\ATK Hotkey\ASLDRSrv.exe [2007-02-05 18:13]
R2 ASMMAP;ASMMAP;C:\Program Files\ATKGFNEX\ASMMAP.sys [2007-02-05 04:53]
R2 ATKGFNEXSrv;ATKGFNEX Service;C:\Program Files\ATKGFNEX\GFNEXSrv.exe [2007-03-09 19:57]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 06:14]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-03-29 20:30]
S2 ghaio;ghaio;C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [2006-11-15 03:02]
S3 lvupdtio;lvupdtio;C:\Program Files\ASUS\ASUS Live Update\SYS64\lvupdtio.sys [2006-11-08 15:44]
S3 NETw3v32;Intel(R) PRO/Wireless 3945BG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 00:30]
S3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-01-15 07:28]
S3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 02:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 14:42:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 14:43:19
ComboFix-quarantined-files.txt 2008-03-12 21:43:18
ComboFix2.txt 2008-03-12 08:49:27
.
2008-03-12 10:04:14 --- E O F ---

=================
=================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:34 PM, on 12/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Colin\Desktop\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resourc ... den-ca.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)

--
End of file - 7255 bytes
Last edited by railker on March 12th, 2008, 5:58 pm, edited 1 time in total.
railker
Regular Member
 
Posts: 17
Joined: March 6th, 2008, 6:38 pm
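Added example, not part of railker's post and not a tool used by the forum's volunteers: a small Python triage script that parses the O4 (autostart) and O23 (service) lines of a HijackThis log like the one above into structured entries and flags the things a reviewer checks by hand first: autostart commands given as a bare filename with no directory, unquoted paths containing spaces, shortcuts whose target HijackThis could not resolve (the `= ?` entries), services whose binary is reported `(file missing)`, and services with no company name in their version info (`Unknown owner`). The sample input is a dozen lines copied from the log posted above; the flags are generic hygiene checks on the log format, not a verdict on this machine, and the reason strings are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Unknown owner - VundoFixSVC.exe (file missing)
"""

# Line shapes as HijackThis 2.x prints them (hive\..\Run: [value name] command, optional "(User '...')").
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    kind: str            # "run", "startup" or "service"
    name: str
    target: str          # command line, shortcut target or service image path
    owner: str = ""      # company name HijackThis read from version info (services only)
    missing: bool = False


@dataclass
class Finding:
    entry: Entry
    reason: str


# Reason strings are this example's own wording, not HijackThis output.
BARE = "no directory in the path: the loader's search order decides which file actually runs"
UNQUOTED = "unquoted path containing spaces: ambiguous if launched without a quoted application path"
UNRESOLVED = "shortcut target not resolved by HijackThis: inspect the .lnk by hand"
MISSING = "service registered but its binary is absent: orphaned registration"
UNKNOWN_OWNER = "no company name in version info: origin not verifiable from the log alone"


def parse_hjt(text: str) -> List[Entry]:
    """Turn O4/O23 log lines into Entry records; other line types are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["cmd"]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m["name"], m["target"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"], m["owner"], m["missing"] is not None))
    return entries


def _executable(cmd: str) -> str:
    """Part of an unquoted command line up to and including the first '.exe' (arguments dropped)."""
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the hygiene checks a reviewer would make before looking anything up."""
    out: List[Finding] = []
    for e in entries:
        if e.kind == "run" and not e.target.startswith('"'):
            exe = _executable(e.target)
            if "\\" not in exe:
                out.append(Finding(e, BARE))
            elif " " in exe:
                out.append(Finding(e, UNQUOTED))
        elif e.kind == "startup" and e.target == "?":
            out.append(Finding(e, UNRESOLVED))
        elif e.kind == "service":
            if e.owner == "Unknown owner":
                out.append(Finding(e, UNKNOWN_OWNER))
            if e.missing:
                out.append(Finding(e, MISSING))
            if "\\" not in e.target:
                out.append(Finding(e, BARE))
    return out


def report(text: str) -> List[str]:
    """One human-readable line per finding."""
    return [f"{f.entry.kind:8} {f.entry.name!r:40} {f.reason}" for f in triage(parse_hjt(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved hijackthis.log by passing the file contents to `report()`. On the sample above it flags the two bare-filename Run entries, the two unquoted paths, the `MultiFrame.lnk = ?` shortcut, and the two `(file missing)` services (the `VundoFixSvc` one also has no directory in its image path). A quoted path such as the IAAnotif entry and a service with a recognised owner such as EvtEng produce nothing, which is the point: the checks narrow the list to what needs a closer look, they do not decide what is malicious.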