OK, I have tried over and over to save the file in ALLFILES but it automatically saves as a text file. Don't know what to do, but here is the malware log and a Deckard's System Scanner (w/ HijackThis included) log.
Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-24 07:43:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; unknown error code 0x00000001
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:48 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://portal.coursecompass.com
O15 - Trusted Zone: http://www.coursecompass.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GA ... b55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6737 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080115-052802-339 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
backup-20080115-052802-432 O3 - Toolbar: The emlkdvo - {A972081B-E5FE-45E4-BE29-856D23403C4F} - (no file)
backup-20080115-052802-517 O15 - Trusted Zone: http://us.mcafee.com
backup-20080115-052802-652 O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
backup-20080115-052802-827 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080115-052802-987 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080115-052803-577 O23 - Service: McAfee Application Installer Cleanup (0229661198942547) (0229661198942547mcinstcleanup) - - (no file)
backup-20080115-052803-900 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
backup-20080116-065140-481 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080116-065140-535 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
backup-20080116-065140-576 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080116-065142-540 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
backup-20080116-065142-919 O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
backup-20080116-065143-405 O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
backup-20080116-065143-723 O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.rapidfax.com/mso_packet/acti ... 653274.cab
backup-20080122-210523-451 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup (User '?')
backup-20080122-210523-638 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [LTMSG] LTMSG.exe 7 (User '?')
backup-20080122-210523-661 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [CISCO] "C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\DelayInst.exe" delay C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\ESYLVAN\Remote_Workforce_profile\Remote_Workforce_Profile\setup.exe (User '?')
backup-20080122-210523-672 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook (User '?')
backup-20080122-210523-817 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (User '?')
backup-20080122-210523-846 O4 - HKUS\S-1-5-21-2992285633-4232029239-668411950-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
backup-20080122-210523-905 O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User '?')
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-01-24 06:00:00 292 --a----c- C:\WINDOWS\Tasks\avast! Antivirus.job
2008-01-24 00:00:14 1504 --a----c- C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2008-01-23 07:51:45 264 --a----c- C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-01-23 07:51:43 338 --a----c- C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2008-01-21 05:25:29 346 --a----c- C:\WINDOWS\Tasks\SmartDefrag.job
2008-01-21 03:30:00 402 --a----c- C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
2008-01-21 02:08:02 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-19 03:00:00 362 --a----c- C:\WINDOWS\Tasks\XoftSpySE.job
2008-01-05 18:35:03 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-06-09 19:22:36 0 --a----c- C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
2006-09-27 19:03:31 342 --a----c- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1151330391.job
2005-02-09 08:06:12 342 --a----c- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098932354.job
-- Files created between 2007-12-24 and 2008-01-24 -----------------------------
2008-01-24 06:31:36 0 d------c- C:\WINDOWS\ERUNT
2008-01-24 06:06:43 0 dr-h---c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Recent
2008-01-23 22:04:34 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Malwarebytes
2008-01-23 22:04:33 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-23 07:04:01 0 d------c- C:\Program Files\CCleaner
2008-01-23 05:42:04 0 d------c- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-01-23 05:42:02 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Uniblue
2008-01-23 05:41:53 0 d------c- C:\Program Files\Uniblue
2008-01-22 19:09:45 0 d------c- C:\Documents and Settings\LocalService\Application Data\PeerNetworking
2008-01-20 17:49:51 0 d------c- C:\Program Files\LimeWire
2008-01-17 08:08:52 0 d------c- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-17 08:08:50 249856 --a----c- C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-17 08:08:50 51716 --a----c- C:\WINDOWS\system32\pdf995mon.dll
2008-01-17 08:08:14 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\TaxCut
2008-01-17 08:06:10 0 d------c- C:\Program Files\TaxCut07
2008-01-17 08:06:10 0 d------c- C:\Program Files\PDF995
2008-01-17 08:00:19 0 d------c- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-17 07:59:07 0 d--hs--c- C:\WINDOWS\ftpcache
2008-01-16 16:35:58 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VSRevoGroup
2008-01-16 16:34:40 0 d------c- C:\Program Files\VS Revo Group
2008-01-15 21:02:26 0 d------c- C:\Program Files\Mozilla Thunderbird
2008-01-15 20:24:50 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Opera
2008-01-15 20:24:29 0 d------c- C:\Program Files\Opera
2008-01-15 06:32:02 36 --ah---c- C:\WINDOWS\system32\f9t.dat
2008-01-15 05:08:41 111 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\FixServices.bat
2008-01-13 10:07:23 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Desktop Mechanic
2008-01-12 20:12:35 497 --ah---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\hpothb07.dat
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\WINDOWS
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Templates
2008-01-12 20:12:33 0 dr-----c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Start Menu
2008-01-12 20:12:33 0 dr-h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\SendTo
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Recent
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\PrintHood
2008-01-12 20:12:33 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\NTUSER.DAT
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\NetHood
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\My Documents
2008-01-12 20:12:33 0 d--h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Local Settings
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Favorites
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Desktop
2008-01-12 20:12:33 0 d--hs--c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Cookies
2008-01-12 20:12:33 0 dr-h---c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Symantec
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Sonic
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\SampleView
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Real
2008-01-12 20:12:33 0 d---s--c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Microsoft
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\interMute
2008-01-12 20:12:33 0 d------c- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41.001\Application Data\Identities
2008-01-12 13:16:07 497 --ah---c- C:\Documents and Settings\Guest\hpothb07.dat
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\WINDOWS
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\Templates
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\Start Menu
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\SendTo
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\Recent
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\PrintHood
2008-01-12 13:16:06 524288 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\NetHood
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\My Documents
2008-01-12 13:16:06 0 d--h---c- C:\Documents and Settings\Guest\Local Settings
2008-01-12 13:16:06 0 dr-----c- C:\Documents and Settings\Guest\Favorites
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Desktop
2008-01-12 13:16:06 0 d--hs--c- C:\Documents and Settings\Guest\Cookies
2008-01-12 13:16:06 0 dr-h---c- C:\Documents and Settings\Guest\Application Data
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Symantec
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Sonic
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Real
2008-01-12 13:16:06 0 d---s--c- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\interMute
2008-01-12 13:16:06 0 d------c- C:\Documents and Settings\Guest\Application Data\Identities
2008-01-12 07:53:11 0 d------c- C:\WINDOWS\Data
2008-01-12 07:35:20 0 d------c- C:\WINDOWS\system32\ar-sa
2008-01-12 07:35:19 0 d------c- C:\WINDOWS\system32\zh-cn
2008-01-12 07:35:19 0 d------c- C:\WINDOWS\system32\pt-br
2008-01-12 07:35:18 0 d------c- C:\WINDOWS\system32\zh-tw
2008-01-12 07:35:18 0 d------c- C:\WINDOWS\system32\cs-cz
2008-01-12 07:35:17 0 d------c- C:\WINDOWS\system32\da-dk
2008-01-12 07:35:16 0 d------c- C:\WINDOWS\system32\es-es
2008-01-12 07:35:16 0 d------c- C:\WINDOWS\system32\el-gr
2008-01-12 07:35:15 0 d------c- C:\WINDOWS\system32\fr-fr
2008-01-12 07:35:15 0 d------c- C:\WINDOWS\system32\fi-fi
2008-01-12 07:35:14 0 d------c- C:\WINDOWS\system32\de-de
2008-01-12 07:35:13 0 d------c- C:\WINDOWS\system32\hu-hu
2008-01-12 07:35:13 0 d------c- C:\WINDOWS\system32\he-il
2008-01-12 07:35:12 0 d------c- C:\WINDOWS\system32\ja-jp
2008-01-12 07:35:12 0 d------c- C:\WINDOWS\system32\it-it
2008-01-12 07:35:11 0 d------c- C:\WINDOWS\system32\ko-kr
2008-01-12 07:35:10 0 d------c- C:\WINDOWS\system32\nl-nl
2008-01-12 07:35:10 0 d------c- C:\WINDOWS\system32\nb-no
2008-01-12 07:35:09 0 d------c- C:\WINDOWS\system32\pt-pt
2008-01-12 07:35:09 0 d------c- C:\WINDOWS\system32\pl-pl
2008-01-12 07:35:08 0 d------c- C:\WINDOWS\system32\sv-se
2008-01-12 07:35:08 0 d------c- C:\WINDOWS\system32\ru-ru
2008-01-12 07:35:07 0 d------c- C:\WINDOWS\system32\tr-tr
2008-01-11 08:26:56 0 d------c- C:\Program Files\Trend Micro
2008-01-11 08:23:11 0 d------c- C:\KAV
2008-01-11 06:32:08 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-11 06:31:26 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\PrevxCSI
2007-12-29 10:44:30 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-29 10:33:03 0 d------c- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 08:38:42 0 d------c- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-29 08:35:30 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2007-12-29 08:29:00 0 d------c- C:\WINDOWS\system32\ZoneLabs
2007-12-29 06:07:33 0 d------c- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-12-29 06:06:20 0 d------c- C:\Program Files\Webroot
2007-12-29 06:06:20 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Webroot
2007-12-29 06:06:20 0 d------c- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-29 06:05:21 164 --a----c- C:\install.dat
2007-12-27 09:32:16 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Mattel
2007-12-27 09:31:15 0 d------c- C:\Program Files\Mattel
2007-12-26 19:53:32 0 d--hs--c- C:\Documents and Settings\All Users\DRM
2007-12-26 19:47:04 4 --a----c- C:\WINDOWS\system32\A888B7
2007-12-26 19:45:04 8413 --a----c- C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-26 19:41:54 0 d------c- C:\Program Files\Rhapsody
2007-12-26 19:26:48 0 d------c- C:\Program Files\Common Files\ArcSoft
2007-12-26 19:26:46 0 d------c- C:\Program Files\SanDisk
-- Find3M Report ---------------------------------------------------------------
2008-01-23 23:57:38 0 d------c- C:\Program Files\Common Files
2008-01-23 08:27:24 2084 --a----c- C:\WINDOWS\system32\tmp.reg
2008-01-23 07:41:52 0 d------c- C:\Program Files\Common Files\Scanner
2008-01-23 05:50:29 0 d------c- C:\Program Files\MalwareBot
2008-01-22 23:55:11 0 d------c- C:\Program Files\Spark
2008-01-22 19:14:52 0 d------c- C:\Program Files\Desktop Maestro
2008-01-21 09:12:47 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\LimeWire
2008-01-21 05:25:05 0 d------c- C:\Program Files\IObit
2008-01-18 07:53:45 0 d------c- C:\Program Files\Paint.NET
2008-01-17 16:15:00 333 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\AdobeDLM.log
2008-01-17 16:14:44 754 --a----c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\dm.ini
2008-01-17 06:26:41 0 d------c- C:\Program Files\QuickTime
2008-01-17 06:10:29 22037 --a----c- C:\WINDOWS\mozver.dat
2008-01-15 09:23:50 0 d------c- C:\Program Files\MSECache
2008-01-14 06:02:05 0 d------c- C:\Program Files\Yahoo!
2008-01-12 05:05:12 0 d------c- C:\Program Files\Common Files\InstallShield
2008-01-11 08:00:43 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Yahoo!
2008-01-09 07:44:23 0 d------c- C:\Program Files\ErrorSmart
2008-01-09 07:44:23 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ErrorSmart
2008-01-05 15:27:59 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\ArcSoft
2007-12-27 09:31:57 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-12-26 19:44:02 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Real
2007-12-21 07:38:45 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2007-12-20 09:02:14 8 --a----c- C:\WINDOWS\system32\success
2007-12-20 09:00:54 0 d------c- C:\Program Files\Common Files\Deterministic Networks
2007-12-18 06:50:22 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\SiteAdvisor
2007-12-17 06:40:57 0 d------c- C:\Program Files\Microsoft Silverlight
2007-12-14 11:59:48 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Desktop Mechanic
2007-12-11 09:49:47 0 d------c- C:\Program Files\Windows Defender
2007-12-11 09:48:53 0 d------c- C:\Program Files\iTunes
2007-12-10 06:51:25 0 d------c- C:\Program Files\Rand McNally
2007-12-10 06:40:56 509 --a----c- C:\WINDOWS\EReg077.dat
2007-12-08 14:14:40 0 d------c- C:\Program Files\Thinkwell
2007-12-06 08:54:18 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Avaya
2007-12-06 07:40:42 0 d------c- C:\Program Files\Cisco Systems
2007-12-05 13:14:26 0 d------c- C:\Program Files\TryMedia
2007-12-03 14:13:04 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\VonageTalk
2007-12-03 10:47:30 0 d------c- C:\Program Files\iPod
2007-11-27 08:51:41 0 d------c- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Image Zone Express
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 11:42 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/31/2002 10:28 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/02/2004 08:03 AM]
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [10/20/2007 01:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 05:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Agent - English.lnk]
backup=C:\WINDOWS\pss\Avaya IP Agent - English.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^Compaq Organize.lnk]
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.YOUR-LK4RLMSU41.000^Start Menu^Programs^Startup^spamsubtract.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
"C:\Program Files\ErrorSmart\ErrorSmart.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareBot]
C:\Program Files\MalwareBot\MalwareBot.exe -boot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PGhist]
"C:\Program Files\Desktop Maestro\PgHist.exe" WinguidesPG
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrivacyGuardianIndex]
"C:\Program Files\Desktop Maestro\PgIndex.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwreset]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
C:\Program Files\Spark\Spark.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"omniserv"=3 (0x3)
"usnjsvc"=3 (0x3)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"WinDefend"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
-- End of Deckard's System Scanner: finished at 2008-01-24 07:48:51 ------------
malware log
Malwarebytes' Anti-Malware version 1.00
Database version: 270
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 183583
Time elapsed: 1 hour(s), 41 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\MalwareBot\Quarantine\19-05-2007-22-11-36\13578.qit (Backdoor) -> Quarantined and deleted successfully.