Malware Removal: discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
Trojan/malware (hjt log inside)
Seems my brother has downloaded a trojan, as I keep getting Internet Explorer pop-ups while browsing in Firefox. My "Startup Inspector" notes some 10 or so new fishy .exe files trying to start at startup, and Spybot fixed some 192 problems. The startup inspector lists one file name as Deewoo, and all of the path names originate in c:\windows\system32 and try to run .dll files. A Windows warning labeled Data Execution Prevention twice closed a program named "Run a DLL as an App."
Here are two HijackThis logs, before and after I ran Spybot. All I have done to combat this infection so far has been to run HijackThis twice, Spybot once, and stop any dodgy files from running at startup using Startup Inspector.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05, on 2008-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\program files\premieropinion\pmropn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\windows\system32\rmwnw64j.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Documents and Settings\Haraldur\winlogon.exe
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\VnrPack\VnrPack20.exe
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\Program Files\GetPack\GetPack20.exe
C:\WINDOWS\system32\lcntstdl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Startup Inspector for Windows\wsInspector.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wTR02\wTR022328.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB55.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKLM\..\Run: [BMeb2e989b] Rundll32.exe "C:\WINDOWS\system32\rxwnmtde.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7fac99367c6a40b6ae765cc10735b1c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7fac99367c6a40b6ae765cc10735b1c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6825 bytes

And the second log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20, on 2008-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\program files\premieropinion\pmropn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\windows\system32\rmwnw64j.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Documents and Settings\Haraldur\winlogon.exe
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\VnrPack\VnrPack20.exe
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\Program Files\GetPack\GetPack20.exe
C:\WINDOWS\system32\lcntstdl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Startup Inspector for Windows\wsInspector.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wTR02\wTR022328.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Haraldur\Start Menu\Programs\Accessories\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKLM\..\Run: [BMeb2e989b] Rundll32.exe "C:\WINDOWS\system32\rxwnmtde.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2064] command /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC771] cmd /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5005] command /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD668] cmd /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7fac99367c6a40b6ae765cc10735b1c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7fac99367c6a40b6ae765cc10735b1c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7370 bytes
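The autostart entries in the two logs above show the usual persistence set: a second winlogon.exe living in the user's profile rather than system32, Rundll32 launching a DLL with a machine-generated name from system32, a Startup-folder shortcut pointing at a similarly named system32 executable, and AppInit_DLLs populated so a DLL is injected into every GUI process. These are mechanical enough to check with a script. What follows is an example added here by the editor; it is not part of the thread and not a feature of HijackThis or Spybot. The heuristics (a consonant-run test for generated names, a short list of impersonated system binaries, "toolbar DLL in system32") are the editor's own and will produce false positives on real systems; the sample lines are excerpted from the two logs above, except the `O4 - Startup: Deewoo.lnk` line, which is rewritten from the OTViewIt Startup Folders output later in the thread into the form HijackThis uses.

```python
"""Triage HijackThis v2 log lines for the persistence tricks seen in this thread.
Editor's example, not part of the post or of HijackThis; the heuristics are
crude on purpose and a hit means "look here", not "malicious"."""
import re

# Binaries malware impersonates; real copies live only under these two dirs
# (hard-coded for a default XP install on C:).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "smss.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"
O4_RE = re.compile(r"^O4 - .+?\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def looks_random(stem: str, min_run: int = 5) -> bool:
    """Generated-name test: a run of >= min_run consonants. Real names such as
    'ctfmon' or 'svchost' top out at four; 'rxwnmtde' and 'lcntstdl' run longer."""
    run = best = 0
    for ch in stem.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return best >= min_run


def check_command(cmd: str, key: str = "", name: str = "") -> list[str]:
    """Reasons an autostart command line deserves a closer look."""
    reasons = []
    if m := EXE_RE.search(cmd):
        exe = m.group(1)
        base, folder = basename(exe), dirname(exe)
        if base in SYSTEM_NAMES and folder not in (r"c:\windows", SYSTEM32):
            reasons.append(f"{base} outside a system directory (masquerading): {exe}")
        elif folder == SYSTEM32 and looks_random(base.rsplit(".", 1)[0]):
            reasons.append(f"random-looking executable in system32: {exe}")
    if (m := RUNDLL_RE.search(cmd)) and looks_random(basename(m.group(1)).rsplit(".", 1)[0]):
        reasons.append(f"rundll32 loading a random-looking DLL: {m.group(1)}")
    # Generated value names ('BMeb2e989b', 'e81dab07'); Run only, because
    # cleaners such as Spybot drop their own numbered entries into RunOnce.
    if key == "Run" and re.fullmatch(r"[A-Za-z0-9]{8,}", name) and sum(c.isdigit() for c in name) >= 3:
        reasons.append(f"machine-generated value name: {name}")
    return reasons


def triage(log_text: str) -> list[tuple[str, str]]:
    """(log line, reason) pairs for every suspicious O3/O4/O20 entry."""
    findings = []
    for raw in log_text.splitlines():
        line, hits = raw.strip(), []
        if m := O4_RE.match(line):
            hits = check_command(m["cmd"], m["key"], m["name"])
        elif line.startswith(("O4 - Startup:", "O4 - Global Startup:")) and " = " in line:
            hits = check_command(line.split(" = ", 1)[1])
        elif line.startswith("O3 - Toolbar:") and dirname(line.rsplit(" - ", 1)[-1]) == SYSTEM32:
            hits = ["browser toolbar DLL living in system32 (real toolbars install under Program Files)"]
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            hits = ["AppInit_DLLs set: these DLLs load into every process that uses user32.dll"]
        findings.extend((line, reason) for reason in hits)
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries removed and added between two scans of the same machine."""
    def entries(text: str) -> set[str]:
        return {l.strip() for l in text.splitlines() if re.match(r"[ORF]\d+ - ", l.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


# Excerpts of the two logs posted above (before and after Spybot). The
# "O4 - Startup: Deewoo.lnk" line is constructed from the OTViewIt "Startup
# Folders" output later in the thread, written the way HijackThis prints it.
BEFORE = r"""
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB55.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKLM\..\Run: [BMeb2e989b] Rundll32.exe "C:\WINDOWS\system32\rxwnmtde.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntstdl.exe
O20 - AppInit_DLLs: c:\program,files\premieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if "Mirar" not in l) + r"""
O4 - HKLM\..\RunOnce: [SpybotDeletingA2064] command /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC771] cmd /c del "C:\WINDOWS\system32\rxwnmtde.dll_old"
"""

if __name__ == "__main__":
    for line, reason in triage(BEFORE):
        print(f"{reason}\n    {line}")
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed by Spybot:", *removed, sep="\n  ")
    print("added by Spybot:", *added, sep="\n  ")
```

Run against the excerpt, `triage(BEFORE)` flags the Mirar toolbar, the profile-resident winlogon.exe, the `BMeb2e989b` entry twice (generated value name and generated DLL name), the Deewoo shortcut target and the AppInit_DLLs value, while leaving SoundMan, ctfmon and SetPoint alone; `diff_logs` shows that the Spybot run removed only the Mirar toolbar and added its own RunOnce clean-up entries, which is consistent with the second log still listing `rxwnmtde.dll` under Run. The consonant-run threshold is the weakest part: tune it, or replace it with a known-good allowlist, before trusting it on a machine with unusual OEM software.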
#2
Still looking for help with this. The computer is a bit slower than usual, especially while browsing on the internet. Spybot keeps catching files trying to add values to the registry to run on startup, which I of course deny. A new HijackThis log; the only thing I have done since the last one is run Spybot twice on startup, which didn't catch anything.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01, on 2008-09-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\program files\premieropinion\pmropn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Documents and Settings\Haraldur\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7fac99367c6a40b6ae765cc10735b1c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7fac99367c6a40b6ae765cc10735b1c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6397 bytes

Any help is much appreciated.
#3
Hi UgaUga. Your HijackThis log indicates that your operating system is infected, but I want to see some more logs before we start cleaning up the infection. Also, please do not run any programs other than those that I suggest, or install any new software, while I am helping you.

Download OldTimer's OTViewIt from here to your desktop, and double-click on OTViewIt.exe to start the scan. When the display opens, place a check next to: Scan All Users. Then click the Run Scan button to start the scan. Once that completes, a text box will open. Copy and paste the contents here for review please. The log can also be found on your desktop as OTViewIt.Txt. It will be a reasonably large log, so you may have to divide the log into sections and make several posts to post it. Extras.txt will also be generated. Please post that log as well.
#4
Here you go:
OTViewIt logfile created on: 2008-09-12 14:19:21 - Run 1
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Haraldur\Desktop\Anti-Malware
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
3.95 Gb Paging File | 3.48 Gb Available in Paging File | 88.19% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 24.97 Gb Free Space | 10.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 3.86 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTH-NEMESIS
Current User Name: Haraldur
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

========== Processes - Non-Microsoft Only ==========

[05-14-2008 12:04 PM | 01,660,416 | ---- | M] (VoiceFive Networks, Inc.) -- C:\Program Files\PremierOpinion\pmropn.exe
[06-27-2008 06:38 PM | 00,053,248 | -HS- | M] () -- C:\Documents and Settings\Haraldur\winlogon.exe
[08-18-2008 06:41 PM | 01,832,272 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[01-28-2005 02:35 PM | 00,434,176 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
[12-10-2004 12:45 PM | 00,049,152 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
[01-07-2008 11:37 PM | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe
[07-09-2007 04:22 PM | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgupsvc.exe
[01-10-2008 11:37 PM | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[07-29-2008 07:03 PM | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[09-12-2008 02:18 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Haraldur\Desktop\Anti-Malware\OTViewIt.exe

========== Win32 Services - Non-Microsoft Only ==========

[12-05-2007 02:17 PM | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[01-07-2008 11:37 PM | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe -- (Avg7Alrt [Auto | Running])
[07-09-2007 04:22 PM | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgupsvc.exe -- (Avg7UpdSvc [Auto | Running])
File not found -- C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe -- (digiSPTIService [On_Demand | Stopped])
[10-13-2005 07:56 PM | 00,126,976 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe [Disabled | Stopped])
[08-24-2005 04:01 PM | 00,122,368 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe [Disabled | Stopped])
[07-01-2005 07:22 PM | 00,245,760 | ---- | M] (McAfee, Inc) -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe [Disabled | Stopped])
[01-10-2008 11:37 PM | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])

========== Driver Services - Non-Microsoft Only ==========

[06-27-2006 02:24 PM | 00,031,744 | ---- | M] (AMD, Inc.) -- C:\WINDOWS\system32\drivers\AmdTools.sys -- (AmdTools [On_Demand | Running])
[10-14-2004 09:52 AM | 00,004,962 | R--- | M] () -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO [System | Running])
[01-23-2007 05:13 PM | 00,271,360 | ---- | M] () -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt [Auto | Running])
[01-07-2008 11:37 PM | 00,821,856 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7core.sys -- (Avg7Core [System | Running])
[07-09-2007 04:22 PM | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsw.sys -- (Avg7RsW [System | Running])
[07-09-2007 04:22 PM | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsxp.sys -- (Avg7RsXP [System | Running])
[01-07-2008 11:37 PM | 00,010,760 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avgclean.sys -- (AvgClean [System | Running])
File not found -- C:\DOCUME~1\Haraldur\LOCALS~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
File not found -- C:\WINDOWS\system32\drivers\EagleNT.sys -- (EagleNT [On_Demand | Stopped])
[09-27-2005 02:57 AM | 00,027,328 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\system32\drivers\iLokDrvr.sys -- (iLokDrvr [On_Demand | Stopped])
[12-10-2004 12:47 PM | 00,013,056 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
[12-10-2004 12:48 PM | 00,052,992 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou [On_Demand | Stopped])
[12-10-2004 12:48 PM | 00,024,704 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe [On_Demand | Running])
[12-10-2004 12:48 PM | 00,036,480 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK [On_Demand | Running])
[01-23-2007 05:13 PM | 00,018,048 | ---- | M] () -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt [Auto | Running])
[12-10-2004 12:48 PM | 00,068,992 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE [On_Demand | Running])
[08-13-2004 02:56 AM | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor [On_Demand | Running])
File not found -- C:\WINDOWS\system32\PCAMPR5.SYS -- (PCAMPR5 [On_Demand | Stopped])
[10-10-2006 01:53 PM | 00,005,632 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[02-16-2006 05:51 PM | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[02-27-2007 12:39 PM | 00,032,256 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[11-10-2006 05:23 PM | 00,061,600 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Ebus.sys -- (SE2Ebus [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,009,360 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emdfl.sys -- (SE2Emdfl [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,097,184 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emdm.sys -- (SE2Emdm [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,088,688 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emgmt.sys -- (SE2Emgmt [On_Demand | Stopped])
[05-01-2006 01:18 PM | 00,086,560 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Eobex.sys -- (SE2Eobex [On_Demand | Stopped])
[08-10-2005 12:44 PM | 00,050,688 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
[05-16-2005 01:20 PM | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
[09-29-2005 05:01 PM | 00,066,048 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfvfs02.sys -- (sfvfs02 [Boot | Running])
[09-27-2005 08:00 AM | 00,069,920 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd [Boot | Running])
[08-16-2005 02:50 PM | 00,278,016 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (WLAN(WLAN) [On_Demand | Stopped])
[08-19-2004 02:21 PM | 00,189,568 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp [On_Demand | Running])
[08-16-2005 02:50 PM | 00,278,016 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (ZD1211U(PLANET Technology Corp.) [On_Demand | Stopped])
[06-30-2004 01:54 PM | 00,019,200 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDBRGSYS.sys -- (ZDBRGSYS [On_Demand | Stopped])
[01-14-2004 11:30 AM | 00,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDPNDIS5.sys -- (ZDPNDIS5 [On_Demand | Stopped])

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMeb2e989b" = Rundll32.exe "C:\WINDOWS\system32\btdgjvdb.dll",s ()
"bucysukdnvkp" = C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rnmbxrusvd.dll" EntryPoint ( )
"e81dab07" = rundll32.exe "C:\WINDOWS\system32\vsurcdgl.dll",b ()
"Logitech Hardware Abstraction Layer" = KHALMNPR.EXE (Logitech Inc.)
"SoundMan" = SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"Windows Logon Applicationedc" = C:\Documents and Settings\Haraldur\winlogon.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6" = File not found
"SpybotSD TeaTimer" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"MySpaceIM" = C:\Program Files\MySpace\IM\MySpaceIM.exe ()
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"MySpaceIM" = C:\Program Files\MySpace\IM\MySpaceIM.exe ()
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"Aim6" = File not found
"SpybotSD TeaTimer" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

========== Startup Folders ==========

[01-28-2005 02:35 PM | 00,434,176 | ---- | M] (Logitech Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
[09-08-2008 11:17 PM | 00,548,924 | ---- | M] () -- C:\Documents and Settings\Ragnar\Start Menu\Programs\Startup\Deewoo.lnk = C:\WINDOWS\system32\lcntstdl.exe
[09-09-2008 05:15 PM | 00,200,728 | ---- | M] () -- C:\Documents and Settings\Ragnar\Start Menu\Programs\Startup\DW_Start.lnk = C:\WINDOWS\system32\rmwnw64j.exe

========== Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
"Default_Search_URL" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = about:blank

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch "Start Page" = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet Settings] "ProxyEnable" = 0 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main] "Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch "Start Page" = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings] "ProxyEnable" = 0 [HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main] "Local Page" = C:\WINDOWS\system32\blank.htm "Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch "Start Page" = about:blank [HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings] "ProxyEnable" = 0 "ProxyOverride" = *.local ========== BHO's ========== [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) {53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) {69A87B7D-DE56-4136-9655-716BA50C19C7} (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll () {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.) {7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. 
File not found {8a8a534d-c4d5-775b-786d-9bc7623a03ef} (HKLM) -- C:\WINDOWS\system32\rnmbxrusvd.dll ( ) {8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A} (HKLM) -- C:\Program Files\QdrDrive\QdrDrive20.dll () {bacd361f-add3-9042-d986-5d1ce1acf8f4} (HKLM) -- C:\WINDOWS\system32\nss89F.dll () {cf0f7f89-0918-e6b0-85a8-2159d940bfa2} (HKLM) -- C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll ( ) {dc9ed708-0f21-bc62-ef55-3ca73de65dbb} (HKLM) -- C:\WINDOWS\system32\kswiwkeokeymnlvd.dll () ========== Toolbars ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll () [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll () [HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. 
File not found "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll () ========== AppInit_DLLs ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_Dlls" = C:\program,files\premieropinion\pmai.dll,C:\progra m,files\premieropinion\pmai.dll,C:\program,files\p remieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll >File not found -- >File not found -- >File not found -- >File not found -- >File not found -- >File not found -- >[09-09-2008 05:17 PM | 00,118,784 | ---- | M] (PremierOpinion) -- C:\Program Files\PremierOpinion\pmai.dll ========== Shell Execute Hooks ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) ========== Winlogon Notify Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\] !SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com) AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.) PremierOpinion: "DllName" = C:\program files\premieropinion\pmls.dll -- C:\Program Files\PremierOpinion\pmls.dll (VoiceFive Networks, Inc.) ========== Safeboot Options ========== "AlternateShell" = cmd.exe ========== CDRom AutoRun Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Cdrom] "AutoRun" = 1 ========== Autorun Files on Drives ========== AUTOEXEC.BAT [] [04-07-2006 11:02 PM | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ] Autorun.exe [MZ | ] [08-05-2008 05:02 PM | 00,398,600 | R--- | M] (Electronic Arts Inc.) 
-- E:\Autorun.exe -- [ UDF ] Autorun.inf [[autorun] | open=autorun.exe | icon=spore.ico | ] [08-05-2008 04:23 PM | 00,000,043 | R--- | M] () -- E:\Autorun.inf -- [ UDF ] autorun [] [08-05-2008 05:02 PM | 00,398,600 | R--- | M] (Electronic Arts Inc.) -- E:\autorun.exe -- [ UDF ] |
#5
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\Auto\command]
"" = RavMon.exe e

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\AutoRun]
"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\AutoRun\command]
"" = C:\WINDOWS\system32\shell32.dll -- [10-26-2007 03:36 AM | 08,454,656 | ---- | M] (Microsoft Corporation)

========== DNS Name Servers ==========

{5EB2AE2A-FFBF-4002-8969-C97A02941BF4} (Servers: | Description: 1394 Net Adapter)
{62FCE9C8-61F2-4724-8637-099F0D81A811} (Servers: | Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller)
{67A87936-B1E8-4BD2-A502-10540CCEA617} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{802952CC-24C3-4CAB-ADE6-983AC157E9AA} (Servers: | Description: )
{B02D3413-6E9B-435B-8ED3-70AAD349AA68} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{BCC4FB8F-E76F-40BF-B7B7-5DD4EE670C41} (Servers: | Description: 1394 Net Adapter)
{E8CA36F2-4D61-4457-998C-F25547C0468F} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{EF1176F0-55D3-4EC4-9F3A-BBC83664F179} (Servers: | Description: )

========== Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== Files/Folders - Created Within 30 days ==========

[09-05-2008 04:17 PM | ---D | C] -- C:\ProgramData
[09-09-2008 05:16 PM | 00,000,232 | -H-- | C] () -- C:\sqmdata03.sqm
[09-09-2008 05:16 PM | 00,000,232 | -H-- | C] () -- C:\sqmdata04.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt03.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt04.sqm
[09-09-2008 05:24 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt05.sqm
[09-09-2008 05:24 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata05.sqm
[09-10-2008 06:42 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt06.sqm
[09-10-2008 06:42 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata06.sqm
[09-11-2008 07:17 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt07.sqm
[09-11-2008 07:17 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata07.sqm
[3 C:\WINDOWS\System32\*.tmp files]
[09-04-2008 12:02 PM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[09-08-2008 11:16 PM | 00,063,904 | ---- | C] () -- C:\WINDOWS\System32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll-uninst.exe
[09-08-2008 11:16 PM | 00,090,921 | ---- | C] () -- C:\WINDOWS\System32\kswiwkeokeymnlvd.dll-uninst.exe
[09-08-2008 11:16 PM | 00,200,711 | ---- | C] () -- C:\WINDOWS\System32\dwwnw64r.exe
[09-08-2008 11:16 PM | 00,272,772 | ---- | C] () -- C:\WINDOWS\System32\gside.exe
[09-08-2008 11:16 PM | 00,385,024 | ---- | C] () -- C:\WINDOWS\System32\WinNB55.dll
[09-08-2008 11:16 PM | 00,548,924 | ---- | C] () -- C:\WINDOWS\System32\lcntstdl.exe
[09-08-2008 11:17 PM | 00,000,860 | ---- | C] () -- C:\WINDOWS\System32\winpfz33.sys
[09-08-2008 11:17 PM | 00,071,828 | ---- | C] () -- C:\WINDOWS\System32\kaqpwccjprozluu.exe
[09-08-2008 11:19 PM | 00,102,154 | ---- | C] () -- C:\WINDOWS\System32\milehighads-remove.exe
[09-08-2008 11:30 PM | ---D | C] -- C:\WINDOWS\System32\sl5
[09-08-2008 11:30 PM | ---D | C] -- C:\WINDOWS\System32\t
[09-08-2008 11:30 PM | ---D | C] -- C:\WINDOWS\System32\wTR02
[09-08-2008 11:35 PM | 00,383,445 | -HS- | C] () -- C:\WINDOWS\System32\XGhNVyxx.ini
[09-08-2008 11:35 PM | 00,383,445 | -HS- | C] () -- C:\WINDOWS\System32\XGhNVyxx.ini2
[09-08-2008 11:38 PM | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\nacxuoqf.dll
[09-08-2008 11:38 PM | 01,298,830 | -HS- | C] () -- C:\WINDOWS\System32\fqouxcan.ini
[09-09-2008 05:15 PM | 00,200,728 | ---- | C] () -- C:\WINDOWS\System32\rmwnw64j.exe
[09-09-2008 11:42 PM | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\qcfkwlyo.dll
[09-09-2008 11:42 PM | 01,298,829 | -HS- | C] () -- C:\WINDOWS\System32\oylwkfcq.ini
[09-09-2008 12:17 AM | 00,153,352 | ---- | C] () -- C:\WINDOWS\System32\g97.exe
[09-10-2008 06:42 PM | 00,000,021 | ---- | C] () -- C:\WINDOWS\System32\zxdnt3d.cfg
[09-10-2008 06:42 PM | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\msnav32.ax
[09-10-2008 11:44 PM | 01,192,370 | -HS- | C] () -- C:\WINDOWS\System32\hglivcgo.ini
[09-11-2008 02:40 PM | 00,167,936 | ---- | C] ( ) -- C:\WINDOWS\System32\rnmbxrusvd.dll
[09-11-2008 07:28 PM | 01,180,065 | -HS- | C] () -- C:\WINDOWS\System32\xtuyislu.ini
[09-11-2008 07:38 PM | 01,180,185 | -HS- | C] () -- C:\WINDOWS\System32\wddslntb.ini
[09-11-2008 08:33 AM | ---D | C] -- C:\WINDOWS\System32\mC02
[09-12-2008 12:05 AM | 00,096,256 | ---- | C] () -- C:\WINDOWS\System32\btdgjvdb.dll
[09-12-2008 12:07 AM | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\vsurcdgl.dll
[09-12-2008 12:07 AM | 01,180,121 | -HS- | C] () -- C:\WINDOWS\System32\lgdcrusv.ini
[09-08-2008 11:16 PM | 00,102,400 | ---- | C] (M i r a r) -- C:\WINDOWS\mbd232.exe
[09-08-2008 11:16 PM | 00,200,704 | ---- | C] () -- C:\WINDOWS\84.exe
[09-08-2008 11:16 PM | 00,399,944 | ---- | C] () -- C:\WINDOWS\ISM3434.exe
[09-08-2008 11:16 PM | 00,428,976 | ---- | C] () -- C:\WINDOWS\DWrvg.exe
[09-08-2008 11:31 PM | 00,099,328 | ---- | C] () -- C:\WINDOWS\faceback.exe
[09-08-2008 11:36 PM | 00,110,504 | ---- | C] () -- C:\WINDOWS\BMeb2e989b.xml
[09-09-2008 06:20 PM | 00,000,093 | ---- | C] () -- C:\WINDOWS\wininit.ini
[09-09-2008 11:39 PM | 00,000,022 | ---- | C] () -- C:\WINDOWS\pskt.ini
[09-09-2008 06:02 PM | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[09-05-2008 04:20 PM | ---D | C] -- C:\Documents and Settings\Haraldur\Application Data\SPORE
[09-05-2008 04:20 PM | ---D | C] -- C:\Documents and Settings\Haraldur\My Documents\My Spore Creations
[09-08-2008 11:08 PM | ---D | C] -- C:\Documents and Settings\Haraldur\My Documents\Sony
[09-08-2008 11:09 PM | 00,001,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ACID Pro 6.0.lnk
[09-03-2008 01:16 PM | 00,083,968 | ---- | C] () -- C:\Documents and Settings\Haraldur\Desktop\Syllabus.doc
[09-08-2008 11:00 PM | ---D | C] -- C:\Program Files\Sonic Foundry Setup
[09-08-2008 11:16 PM | ---D | C] -- C:\Program Files\iCheck
[09-08-2008 11:16 PM | ---D | C] -- C:\Program Files\QdrDrive
[09-08-2008 11:16 PM | ---D | C] -- C:\Program Files\VnrPack
[09-08-2008 11:17 PM | ---D | C] -- C:\Program Files\GetPack
[09-08-2008 11:17 PM | ---D | C] -- C:\Program Files\VnrBlock
[09-08-2008 11:19 PM | ---D | C] -- C:\Program Files\SolAds Games Collection
[09-08-2008 11:20 PM | ---D | C] -- C:\Program Files\PremierOpinion
[09-09-2008 06:02 PM | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

========== Files - Modified Within 30 days ==========

[09-09-2008 05:16 PM | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[09-09-2008 05:16 PM | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[09-09-2008 05:24 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[09-09-2008 05:24 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[09-10-2008 06:42 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[09-10-2008 06:42 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[09-11-2008 07:17 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[09-11-2008 07:17 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[09-12-2008 08:22 AM | 21,470,12608 | -HS- | M] () -- C:\hiberfil.sys
[3 C:\WINDOWS\System32\*.tmp files]
[08-19-2008 04:13 PM | 00,097,718 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08-19-2008 04:13 PM | 00,509,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08-19-2008 04:13 PM | 00,615,478 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09-05-2008 04:20 PM | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[09-08-2008 11:16 PM | 00,200,711 | ---- | M] () -- C:\WINDOWS\System32\dwwnw64r.exe
[09-08-2008 11:16 PM | 00,272,772 | ---- | M] () -- C:\WINDOWS\System32\gside.exe
[09-08-2008 11:17 PM | 00,063,904 | ---- | M] () -- C:\WINDOWS\System32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll-uninst.exe
[09-08-2008 11:17 PM | 00,548,924 | ---- | M] () -- C:\WINDOWS\System32\lcntstdl.exe
[09-08-2008 11:19 PM | 00,102,154 | ---- | M] () -- C:\WINDOWS\System32\milehighads-remove.exe
[09-08-2008 11:38 PM | 00,071,680 | ---- | M] () -- C:\WINDOWS\System32\nacxuoqf.dll
[09-09-2008 05:15 PM | 00,200,728 | ---- | M] () -- C:\WINDOWS\System32\rmwnw64j.exe
[09-09-2008 06:30 PM | 01,298,830 | -HS- | M] () -- C:\WINDOWS\System32\fqouxcan.ini
[09-09-2008 11:42 PM | 00,071,680 | ---- | M] () -- C:\WINDOWS\System32\qcfkwlyo.dll
[09-09-2008 12:17 AM | 00,153,352 | ---- | M] () -- C:\WINDOWS\System32\g97.exe
[09-10-2008 06:42 PM | 00,000,021 | ---- | M] () -- C:\WINDOWS\System32\zxdnt3d.cfg
[09-10-2008 12:25 AM | 01,298,829 | -HS- | M] () -- C:\WINDOWS\System32\oylwkfcq.ini
[09-11-2008 02:40 PM | 00,167,936 | ---- | M] ( ) -- C:\WINDOWS\System32\rnmbxrusvd.dll
[09-11-2008 04:11 PM | 00,071,828 | ---- | M] () -- C:\WINDOWS\System32\kaqpwccjprozluu.exe
[09-11-2008 06:14 AM | 00,090,921 | ---- | M] () -- C:\WINDOWS\System32\kswiwkeokeymnlvd.dll-uninst.exe
[09-11-2008 07:17 PM | 00,000,180 | ---- | M] () -- C:\WINDOWS\System32\msnav32.ax
[09-11-2008 07:28 PM | 01,180,065 | -HS- | M] () -- C:\WINDOWS\System32\xtuyislu.ini
[09-11-2008 08:09 PM | 01,180,185 | -HS- | M] () -- C:\WINDOWS\System32\wddslntb.ini
[09-11-2008 08:32 AM | 01,192,370 | -HS- | M] () -- C:\WINDOWS\System32\hglivcgo.ini
[09-11-2008 09:17 PM | 00,000,860 | ---- | M] () -- C:\WINDOWS\System32\winpfz33.sys
[09-12-2008 02:18 PM | 00,383,445 | -HS- | M] () -- C:\WINDOWS\System32\XGhNVyxx.ini2
[09-12-2008 02:19 PM | 00,383,445 | -HS- | M] () -- C:\WINDOWS\System32\XGhNVyxx.ini
[09-12-2008 08:22 AM | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[09-12-2008 08:22 AM | 01,180,121 | -HS- | M] () -- C:\WINDOWS\System32\lgdcrusv.ini
[09-12-2008 12:05 AM | 00,096,256 | ---- | M] () -- C:\WINDOWS\System32\btdgjvdb.dll
[09-12-2008 12:07 AM | 00,085,504 | ---- | M] () -- C:\WINDOWS\System32\vsurcdgl.dll
[4 C:\WINDOWS\*.tmp files]
[08-15-2008 03:01 AM | 00,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[08-15-2008 03:02 AM | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[09-08-2008 11:16 PM | 00,102,400 | ---- | M] (M i r a r) -- C:\WINDOWS\mbd232.exe
[09-08-2008 11:16 PM | 00,200,704 | ---- | M] () -- C:\WINDOWS\84.exe
[09-08-2008 11:16 PM | 00,399,944 | ---- | M] () -- C:\WINDOWS\ISM3434.exe
[09-08-2008 11:16 PM | 00,428,976 | ---- | M] () -- C:\WINDOWS\DWrvg.exe
[09-08-2008 11:31 PM | 00,099,328 | ---- | M] () -- C:\WINDOWS\faceback.exe
[09-09-2008 06:20 PM | 00,000,093 | ---- | M] () -- C:\WINDOWS\wininit.ini
[09-12-2008 02:18 PM | 00,110,504 | ---- | M] () -- C:\WINDOWS\BMeb2e989b.xml
[09-12-2008 08:22 AM | 00,000,022 | ---- | M] () -- C:\WINDOWS\pskt.ini
[09-12-2008 08:22 AM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09-06-2008 09:53 PM | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09-12-2008 01:25 PM | 00,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[09-12-2008 08:22 AM | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[08-21-2008 11:16 PM | 01,574,798 | -H-- | M] () -- C:\Documents and Settings\Haraldur\Local Settings\Application Data\IconCache.db
[09-12-2008 12:04 AM | 00,000,580 | ---- | M] () -- C:\Documents and Settings\Haraldur\My Documents\My Sharing Folders.lnk
[09-08-2008 11:09 PM | 00,001,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ACID Pro 6.0.lnk
[09-11-2008 04:15 PM | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[09-03-2008 01:16 PM | 00,083,968 | ---- | M] () -- C:\Documents and Settings\Haraldur\Desktop\Syllabus.doc
[09-12-2008 12:04 AM | 00,002,323 | ---- | M] () -- C:\Documents and Settings\Haraldur\Desktop\Windows Live Messenger.lnk
[09-11-2008 09:17 PM | 00,001,687 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

< End of report >
#6
OTViewIt Extras logfile created on: 2008-09-12 14:19:21 - Run 1
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Haraldur\Desktop\Anti-Malware
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.75% Memory free
3.95 Gb Paging File | 3.48 Gb Available in Paging File | 88.19% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 24.97 Gb Free Space | 10.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 3.86 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[07-22-2008 07:15 PM | 01,093,632 | ---- | M] (Nexon) -- C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
[07-21-2008 03:58 PM | 01,052,672 | ---- | M] (Nexon) -- C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
[01-19-2007 12:54 PM | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[01-04-2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[06-18-2008 06:46 PM | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[04-23-2008 03:46 PM | 26,150,480 | ---- | M] (Ubisoft) -- C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9
[04-16-2008 05:35 PM | 25,667,160 | ---- | M] (Ubisoft) -- C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10
[02-22-2008 11:08 AM | 00,619,144 | ---- | M] (Ubisoft) -- C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update
[05-07-2008 10:19 AM | 25,490,664 | ---- | M] (BioWare) -- C:\Program Files\Mass Effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect Game
[05-07-2008 11:19 AM | 00,730,344 | ---- | M] (BioWare) -- C:\Program Files\Mass Effect\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher
[07-24-2007 03:17 PM | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[07-24-2008 05:42 AM | 00,159,744 | ---- | M] (Nexon) -- C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager
[07-22-2008 07:15 PM | 01,093,632 | ---- | M] (Nexon) -- C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
[07-21-2008 03:58 PM | 01,052,672 | ---- | M] (Nexon) -- C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
[01-19-2007 12:54 PM | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[01-04-2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[07-30-2008 10:47 AM | 20,252,968 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[05-14-2008 12:04 PM | 01,660,416 | ---- | M] (VoiceFive Networks, Inc.) -- c:\program files\premieropinion\pmropn.exe:*:Enabled

========== Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]
[11-16-2007 12:36 PM | 01,934,672 | R--- | M] (Skype Technologies) C:\Program Files\Common Files\Skype\Skype4COM.dll (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis(R)
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{02B244A2-7F6A-42E8-A36F-8C385D7A1625}" = Gothic III
"{0305052F-141B-FCEC-62B2-FB5668E7933E}" = Catalyst Control Center Graphics Full New
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2: Deluxe Edition
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}" = MSXML 6.0 Parser (KB933579)
"{0C5D0DC4-F5D3-46F9-AE2E-E45C99B4A6B6}" = Enemy Territory - QUAKE Wars(TM) 1.1 Patch
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{19754346-BF3D-F1FC-9AF3-B84C216E93D7}" = Catalyst Control Center Graphics Full Existing
"{1A24F9E8-009D-40FC-ABED-2AAFFAB0F4F0}" = InterLok Driver Kit
"{1B0FBB9A-995D-47cd-87CD-13E68B676E4F}" = Mass Effect
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}" = Windows Live Sign-in Assistant
"{23D683DD-93C6-48E6-B84E-78B57778F126}" = Oblivion - Construction Set
"{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}" = Supreme Commander
"{2938E4D6-DB86-4AE5-AA33-AB27FB6A8CCD}" = Auto Friend Adding Machine
"{296554E6-A322-EEC8-2185-DF6E624CA990}" = Skins
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SONY_MEDIAMGR2)
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{39F55A85-B356-64D7-F2BC-1E6C70A73FB8}" = CCC Help English
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{47FBF7F9-FBD3-43EF-823B-7684D56C1962}" = Tabbed Browsing (Windows Live Toolbar)
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4C4D25EB-6513-4702-8355-F4194DE2E1D9}" = Waves 4.0
"{4C9477E1-05BB-B5FD-3559-323AEFAFF7BA}" = MySidesearch Search Assistant Adzgalore
"{53B2CFE9-A508-4457-B2CA-5D253536BFB7}" = OneCare Advisor (Windows Live Toolbar)
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}" = Form Fill (Windows Live Toolbar)
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{581CE7EA-A30D-F000-1211-088635773309}" = PLANET WL-U356A
"{5C352D8A-6105-44C8-9371-43599AA01375}" = AmpliTube
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767572FD-4D01-4FA3-B0A6-4B09FB2CFC37}" = Sony Sound Forge 8.0
"{76902AF9-DA86-419D-B533-077643124722}" = Sony ACID Pro 5.0
"{771221C5-FD0B-1197-355C-B2AFAA860483}" = ccc-core-preinstall
"{7C9AD221-994C-45B2-B46D-26F5735158CF}" = Sony Vegas Pro 8.0
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{87DABCF7-2C38-4996-8FBE-053CA6536168}" = Sony ACID Pro 6.0
"{882EE1CB-C2FB-657F-AA98-7DC91FC72447}" = Catalyst Control Center Core Implementation
"{886C92E6-4AF1-4290-BB86-4B5064A1BB7D}" = AMD Dual-Core Optimizer
"{89D2879E-F327-3B5F-F7C6-6E107C816671}" = ccc-utility
"{8CFA9151-6404-409A-AF22-4632D04582FD}" = Assassin's Creed
"{8FA5B6B7-D8BD-49F7-98D7-701C26B01E97}" = Sony Media Manager 2.3
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{92B43A6F-E328-495A-ACFA-FC47C1B7215D}" = Digidesign Shared Plug-Ins 7.0
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A2B4455D-1046-4732-BFBC-0821BEFC07BC}" = Hellgate: London
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}" = Hitman Blood Money
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B0C30E93-D3D9-4F04-A2AC-54749B573275}" = Command & Conquer 3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}" = Enemy Territory - QUAKE Wars(TM)
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C194D333-B84A-4BB7-B35E-060732D98DC4}" = GPGNet
"{C4B7FD4E-6AFD-AE07-FB7E-B9AB9B39232E}" = ccc-core-static
"{C86A8B40-0702-45FA-BFEC-82B0C5932038}" = Sony Media Manager 2.1
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC2422C9-F7B5-4175-B295-5EC2283AA674}" = Command & Conquer™ 3: Kane's Wrath
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D13D0C87-46BA-E646-BC40-C7B0D305A75F}" = Catalyst Control Center Graphics Previews Common
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{D6782F44-58DB-4DE5-A65C-890320CF3F99}" = Prince of Persia The Two Thrones
"{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}" = Black & White® 2
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{DFFE2B1F-07E0-45A9-8801-CD8514CAA876}" = Prince of Persia T2T
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
"{E17AF7A0-B0A8-4B55-A4B4-1D8D4E171BA2}" = Free Bomb Factory Plug-Ins 7.0
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}" = Battlefield 2142
"{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" = PremierOpinion
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F28F72E1-D867-41A2-B37C-DA8A6BEF2688}" = Scarface: The World is Yours
"{F40F05BE-47BB-72E2-4064-078B69F39BDA}" = Catalyst Control Center Graphics Light
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{F84DCD57-20AB-4E22-8892-2F88FAF76702}" = Google Web Accelerator
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"7-Zip" = 7-Zip 4.42
"Adobe Flash Player ActiveX" = Adobe Flash Player Act
ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"Antares Auto-Tune 3.00 RTAS PC" = Antares Auto-Tune 3.00 RTAS PC
"Antares Kantos v1.02 VST & RTAS" = Antares Kantos v1.02 VST & RTAS
"Antares Tube v1.02 RTAS" = Antares Tube v1.02 RTAS
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"AudibleDownloadManager" = Audible Download Manager
"AVG7Uninstall" = AVG 7.5
"banneradsgalore" = Enhancement Browser Tools Banneradsgalore
"BitTorrent" = BitTorrent 5.0.7
"CCleaner" = CCleaner (remove only)
"Combat Arms" = Combat Arms
"Deewoo Network Manager" = Deewoo Network Manager removal
"Diablo II" = Diablo II
"Digidesign D-Fi" = Digidesign D-Fi
"DigiDesign DINR AudioSuite v3.41.330" = DigiDesign DINR AudioSuite v3.41.330
"DigiDesign Focusrite D2 1.71.345" = DigiDesign Focusrite D2 1.71.345
"DigiDesign Focusrite D3 AudioSuite 1.51.345" = DigiDesign Focusrite D3 AudioSuite 1.51.345
"Digidesign Maxim" = Digidesign Maxim
"Digidesign Soundreplacer" = Digidesign Soundreplacer
"eMule" = eMule
"EsetOnlineScanner" =
ESET Online Scanner "GRM Tools RTAS v1.04" = GRM Tools RTAS v1.04 "HijackThis" = HijackThis 2.0.2 "iCheck" = Internet Speed Monitor "InstallShield_{0C5D0DC4-F5D3-46F9-AE2E-E45C99B4A6B6}" = Enemy Territory - QUAKE Wars(TM) 1.1 Patch "InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10 "InstallShield_{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}" = Enemy Territory - QUAKE Wars(TM) "InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager "InstallShield_{F28F72E1-D867-41A2-B37C-DA8A6BEF2688}" = Scarface: The World is Yours "IrfanView" = IrfanView (remove only) "kaqpwccjprozluu" = Browser Extension Tool Bannerstyles15 "KB893803" = Windows Installer 3.1 (KB893803) "KB893803v2" = Windows Installer 3.1 (KB893803) "KB911564" = Security Update for Windows Media Player (KB911564) "KB911565" = Security Update for Windows Media Player 10 (KB911565) "KB917734_WMP10" = Security Update for Windows Media Player 10 (KB917734) "KB925398_WMP64" = Security Update for Windows Media Player 6.4 (KB925398) "KB931906" = Security Update for CAPICOM (KB931906) "KB936782_WMP10" = Security Update for Windows Media Player 10 (KB936782) "KB948109_SQL9" = GDR 3068 for SQL Server Database Services 2005 ENU (KB948109) "LastFM_is1" = Last.fm 1.5.1.29527 "LimeWire" = LimeWire 4.18.3 "M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366) "Mcafee SecurityCenter" = McAfee SecurityCenter "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0 "Microsoft SQL Server 2005" = Microsoft SQL Server 2005 "milehighads" = Browser Optimizer Milehighads "Move Player_is1" = Move Networks Player for Firefox "Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1) "MP3 Wave Converter_is1" = MP3 Wave Converter 3.0 "MySpaceIM" = MySpaceIM "Nero - Burning Rom!UninstallKey" = Nero OEM "NVIDIA Drivers" = NVIDIA Drivers "Pitch'n'Time RTAS v2.1" = Pitch'n'Time RTAS v2.1 "PunkBusterSvc" = PunkBuster Services 
"RealPlayer 6.0" = RealPlayer "S.T.A.L.K.E.R. - Shadow of Chernobyl_is1" = S.T.A.L.K.E.R. - Shadow of Chernobyl "ScummVM_is1" = ScummVM 0.11.1 "Serato Scratch Studio Edition RTAS v1.0" = Serato Scratch Studio Edition RTAS v1.0 "ShockwaveFlash" = Macromedia Flash Player 8 "SolAdsGames" = SolAds Games Collection "Sony Inflator RTAS v1.0" = Sony Inflator RTAS v1.0 "SPEED 1.04" = SPEED 1.04 "Synchro Arts VocAlign Project AudioSuite PlugIn v2.8" = Synchro Arts VocAlign Project AudioSuite PlugIn v2.8 "VLC media player" = VideoLAN VLC media player 0.8.6a "Waves Diamond Bundle v5.2" = Waves Diamond Bundle v5.2 "WgaNotify" = Windows Genuine Advantage Notifications (KB905474) "WIC" = Windows Imaging Component "Windows Live Toolbar" = Windows Live Toolbar "Windows Media Format Runtime" = Windows Media Format Runtime "Windows Media Player" = Windows Media Player 10 "WinRAR archiver" = WinRAR archiver "wxPython2.8-ansi-py25_is1" = wxPython 2.8.7.1 (ansi) for Python 2.5 "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
#7
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Uninstall] "InstallShield_{2938E4D6-DB86-4AE5-AA33-AB27FB6A8CCD}" = Auto Friend Adding Machine "Warcraft III" = Warcraft III: All Products ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall] "InstallShield_{2938E4D6-DB86-4AE5-AA33-AB27FB6A8CCD}" = Auto Friend Adding Machine "Warcraft III" = Warcraft III: All Products ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 2008-04-27 18:28:21 | Computer Name = HTH-NEMESIS | Source = MSSQL$SONY_MEDIAMGR2 | ID = 17207 Description = FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'C:\Documents and Settings\Haraldur\My Documents\Sony Media Libraries\Default_log.LDF'. Diagnose and correct the operating system error, and retry the operation. Error - 2008-05-08 10:42:35 | Computer Name = HTH-NEMESIS | Source = Application Error | ID = 1000 Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9f.ocx, version 9.0.124.0, fault address 0x00059e66. Error - 2008-05-16 09:49:31 | Computer Name = HTH-NEMESIS | Source = Application Hang | ID = 1002 Description = Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 2008-05-18 05:27:28 | Computer Name = HTH-NEMESIS | Source = MSSQL$SONY_MEDIAMGR2 | ID = 17207 Description = FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'C:\Documents and Settings\Haraldur\My Documents\Sony Media Libraries\Default_log.LDF'. Diagnose and correct the operating system error, and retry the operation. 
Error - 2008-05-18 08:35:00 | Computer Name = HTH-NEMESIS | Source = MSSQL$SONY_MEDIAMGR2 | ID = 17207 Description = FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'C:\Documents and Settings\Haraldur\My Documents\Sony Media Libraries\Default_log.LDF'. Diagnose and correct the operating system error, and retry the operation. Error - 2008-05-19 20:15:14 | Computer Name = HTH-NEMESIS | Source = Application Error | ID = 1000 Description = Faulting application firefox.exe, version 1.8.20080.40413, faulting module quicktimewebhelper.qtx, version 7.4.5.67, fault address 0x00006fd0. [ System Events ] Error - 2008-09-11 17:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-11 18:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-11 20:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-11 21:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 04:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 05:25:00 | Computer Name = HTH-NEMESIS | 
Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 06:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 07:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 08:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} Error - 2008-09-12 09:25:00 | Computer Name = HTH-NEMESIS | Source = DCOM | ID = 10005 Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} < End of report >
#8
FYI, I'm fairly certain that PremierOpinion, SolAds Games Collection, and Deewoo were not on my computer until I was aware of the infection.
Thank you for helping!
#9
You are welcome. Download the latest version of ComboFix.exe from here and save it to your C folder (C:\ComboFix.exe).
Double-click on ComboFix.exe and the scan will start. When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. NB: please disable your antivirus program, as it may interfere with ComboFix's routines. Copy this log in your next reply together with a new HijackThis log.
#10
Here ya go:
ComboFix 08-09-12.06 - Haraldur 2008-09-13 9:17:32.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1675 [GMT 0:00] Running from: C:\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Haraldur\Cookies\haraldur@ad.yieldmanager[1].txt C:\Documents and Settings\Ragnar\Start Menu\Programs\Startup\Deewoo.lnk C:\Documents and Settings\Ragnar\Start Menu\Programs\Startup\DW_Start.lnk C:\Program Files\GetPack C:\Program Files\GetPack\GetPack20.exe C:\Program Files\GetPack\trgtame.gz C:\Program Files\iCheck C:\Program Files\iCheck\iCheck.exe C:\Program Files\iCheck\Uninstall.exe C:\Program Files\QdrDrive C:\Program Files\QdrDrive\QdrDrive20.dll C:\Program Files\QdrDrive\qdrloader.exe C:\Program Files\VnrPack C:\Program Files\VnrPack\trgts.gz C:\Program Files\VnrPack\VnrPack20.exe C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\WINDOWS\84.exe C:\WINDOWS\BMeb2e989b.txt C:\WINDOWS\BMeb2e989b.xml C:\WINDOWS\faceback.exe C:\WINDOWS\pskt.ini C:\WINDOWS\system32\akwfmpso.dll C:\WINDOWS\system32\awttSjJD.dll C:\WINDOWS\system32\btdgjvdb.dll C:\WINDOWS\system32\btnlsddw.dll C:\WINDOWS\system32\caumsmso.dll C:\WINDOWS\system32\cbXPIyya.dll C:\WINDOWS\system32\cbXRHyWQ.dll C:\WINDOWS\system32\cnwboilj.dll C:\WINDOWS\system32\cruwdhwi.dll C:\WINDOWS\system32\dwwnw64r.exe C:\WINDOWS\system32\fqouxcan.ini C:\WINDOWS\system32\gside.exe C:\WINDOWS\system32\hglivcgo.ini C:\WINDOWS\system32\jrrjytxc.dll C:\WINDOWS\system32\kswiwkeokeymnlvd.dll C:\WINDOWS\system32\lgdcrusv.ini C:\WINDOWS\system32\mlJBSIYQ.dll C:\WINDOWS\system32\mlJcyYRi.dll C:\WINDOWS\system32\mlJyvVLF.dll C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\msnav32.ax C:\WINDOWS\system32\nacxuoqf.dll C:\WINDOWS\system32\nss89F.dll C:\WINDOWS\system32\ogcvilgh.dll C:\WINDOWS\system32\opnoLecB.dll 
C:\WINDOWS\system32\ospmfwka.ini C:\WINDOWS\system32\oylwkfcq.ini C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\pjwuhcls.ini C:\WINDOWS\system32\puwwlrgj.dll C:\WINDOWS\system32\qcfkwlyo.dll C:\WINDOWS\system32\qoMfGYRl.dll C:\WINDOWS\system32\QWyHRXbc.ini C:\WINDOWS\system32\QWyHRXbc.ini2 C:\WINDOWS\system32\rmwnw64j.exe C:\WINDOWS\system32\ssqNGArO.dll C:\WINDOWS\system32\urqNfCVo.dll C:\WINDOWS\system32\vsurcdgl.dll C:\WINDOWS\system32\wddslntb.ini C:\WINDOWS\system32\WinNB55.dll C:\WINDOWS\system32\winpfz33.sys C:\WINDOWS\system32\wvUkJdCv.dll C:\WINDOWS\system32\wvUkKbbY.dll C:\WINDOWS\system32\xbpeooqt.dll C:\WINDOWS\system32\XGhNVyxx.ini C:\WINDOWS\system32\XGhNVyxx.ini2 C:\WINDOWS\system32\xtuyislu.ini C:\WINDOWS\system32\xxyVNhGX.dll C:\WINDOWS\system32\yayAsqND.dll C:\WINDOWS\system32\zxdnt3d.cfg . ((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 ))))))))))))))))))))))))))))))) . 2008-09-13 09:12 . 2008-09-13 09:13 2,849,182 -ra------ C:\ComboFix.exe 2008-09-12 15:15 . 2008-09-12 15:15 268 --ah----- C:\sqmdata08.sqm 2008-09-12 15:15 . 2008-09-12 15:15 244 --ah----- C:\sqmnoopt09.sqm 2008-09-12 15:15 . 2008-09-12 15:15 244 --ah----- C:\sqmnoopt08.sqm 2008-09-12 15:15 . 2008-09-12 15:15 232 --ah----- C:\sqmdata09.sqm 2008-09-11 19:17 . 2008-09-11 19:17 268 --ah----- C:\sqmdata07.sqm 2008-09-11 19:17 . 2008-09-11 19:17 244 --ah----- C:\sqmnoopt07.sqm 2008-09-11 14:40 . 2008-09-11 14:40 167,936 --a------ C:\WINDOWS\system32\rnmbxrusvd.dll 2008-09-11 08:33 . 2008-09-11 08:33 <DIR> d-------- C:\WINDOWS\system32\mC02 2008-09-11 08:33 . 2008-09-11 08:33 <DIR> d-------- C:\temp\mtc2 2008-09-10 18:42 . 2008-09-10 18:42 268 --ah----- C:\sqmdata06.sqm 2008-09-10 18:42 . 2008-09-10 18:42 244 --ah----- C:\sqmnoopt06.sqm 2008-09-09 18:20 . 2008-09-09 18:20 93 --a------ C:\WINDOWS\wininit.ini 2008-09-09 18:02 . 2008-09-09 18:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-09-09 18:02 . 
2008-09-09 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-09-09 17:26 . 2008-09-10 19:01 <DIR> d-------- C:\Documents and Settings\Ragnar\Incomplete 2008-09-09 17:24 . 2008-09-09 17:24 268 --ah----- C:\sqmdata05.sqm 2008-09-09 17:24 . 2008-09-09 17:24 244 --ah----- C:\sqmnoopt05.sqm 2008-09-09 17:16 . 2008-09-09 17:16 244 --ah----- C:\sqmnoopt04.sqm 2008-09-09 17:16 . 2008-09-09 17:16 244 --ah----- C:\sqmnoopt03.sqm 2008-09-09 17:16 . 2008-09-09 17:16 232 --ah----- C:\sqmdata04.sqm 2008-09-09 17:16 . 2008-09-09 17:16 232 --ah----- C:\sqmdata03.sqm 2008-09-09 17:15 . 2008-09-09 17:15 <DIR> d-------- C:\Documents and Settings\Ragnar\Application Data\ATI 2008-09-09 00:17 . 2008-09-09 00:17 153,352 --a------ C:\WINDOWS\system32\g97.exe 2008-09-08 23:30 . 2008-09-08 23:30 <DIR> d-------- C:\WINDOWS\system32\wTR02 2008-09-08 23:30 . 2008-09-08 23:30 <DIR> d-------- C:\WINDOWS\system32\t 2008-09-08 23:30 . 2008-09-08 23:30 <DIR> d-------- C:\WINDOWS\system32\sl5 2008-09-08 23:30 . 2008-09-08 23:30 <DIR> d-------- C:\temp\dax41 2008-09-08 23:30 . 2008-09-08 23:30 71 --a------ C:\Documents and Settings\Haraldur\6936.bat 2008-09-08 23:20 . 2008-09-09 17:17 <DIR> d-------- C:\Program Files\PremierOpinion 2008-09-08 23:19 . 2008-09-08 23:19 <DIR> d-------- C:\Program Files\SolAds Games Collection 2008-09-08 23:19 . 2008-09-08 23:19 102,154 --a------ C:\WINDOWS\system32\milehighads-remove.exe 2008-09-08 23:17 . 2008-09-08 23:17 <DIR> d-------- C:\Program Files\VnrBlock 2008-09-08 23:17 . 2008-09-11 16:11 71,828 --a------ C:\WINDOWS\system32\kaqpwccjprozluu.exe 2008-09-08 23:16 . 2008-09-08 23:17 548,924 --a------ C:\WINDOWS\system32\lcntstdl.exe 2008-09-08 23:16 . 2008-09-08 23:16 428,976 --a------ C:\WINDOWS\DWrvg.exe 2008-09-08 23:16 . 2008-09-08 23:16 399,944 --a------ C:\WINDOWS\ISM3434.exe 2008-09-08 23:16 . 2008-09-08 23:16 102,400 --a------ C:\WINDOWS\mbd232.exe 2008-09-08 23:16 . 
2008-09-11 06:14 90,921 --a------ C:\WINDOWS\system32\kswiwkeokeymnlvd.dll-uninst.exe 2008-09-08 23:16 . 2008-09-08 23:17 63,904 --a------ C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll-uninst.exe 2008-09-08 23:14 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Haraldur\winlogon.exe 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\Video Hardware Drivers 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\Startup Project 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\MIDI Drivers 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\HTML_ASSETS 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\Grooves 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\FileIO Plug-Ins 2008-09-08 23:12 . 2008-09-08 23:12 <DIR> d-------- C:\Documents and Settings\Ragnar\Audio Hardware Drivers 2008-09-08 23:00 . 2008-09-08 23:00 <DIR> d-------- C:\Program Files\Sonic Foundry Setup 2008-09-05 16:20 . 2008-09-08 00:02 <DIR> d-------- C:\Documents and Settings\Haraldur\Application Data\SPORE 2008-09-05 16:17 . 2008-09-05 16:17 <DIR> d-------- C:\ProgramData 2008-09-04 12:02 . 2008-09-04 12:18 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-08-13 13:13 . 2008-08-13 13:13 94,208 --a------ C:\WINDOWS\DIIUnin.exe 2008-08-13 13:13 . 2008-08-13 13:26 31,350 --a------ C:\WINDOWS\DIIUnin.dat 2008-08-13 13:13 . 2008-08-13 13:13 2,829 --a------ C:\WINDOWS\DIIUnin.pif 2008-08-13 13:02 . 2008-08-25 18:07 <DIR> d-------- C:\Program Files\D2 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 
2008-09-13 01:57 --------- d-----w C:\Documents and Settings\Haraldur\Application Data\wsInspector 2008-09-10 19:01 --------- d-----w C:\Documents and Settings\Ragnar\Application Data\LimeWire 2008-09-09 17:58 --------- d-----w C:\Documents and Settings\Haraldur\Application Data\AVG7 2008-09-08 23:08 --------- d-----w C:\Program Files\Sony 2008-09-06 09:17 --------- d-----w C:\Program Files\Apple Software Update 2008-09-05 16:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-09-05 16:18 --------- d-----w C:\Program Files\Electronic Arts 2008-08-13 12:54 --------- d-----w C:\Program Files\Diablo II 2008-08-02 10:02 --------- d-----w C:\Program Files\iTunes 2008-08-02 10:02 --------- d-----w C:\Program Files\iPod 2008-07-26 22:37 --------- d-----w C:\Program Files\LimeWire 2008-07-26 22:36 --------- d-----w C:\Documents and Settings\Ragnar\Application Data\AVG7 2008-07-24 12:59 --------- d-----w C:\Program Files\MSN Messenger 2008-07-24 05:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-24 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS 2008-07-19 10:01 --------- d-----w C:\Program Files\Bonjour 2008-07-19 10:00 --------- d-----w C:\Program Files\QuickTime 2008-01-10 23:37 22,328 ----a-w C:\Documents and Settings\Haraldur\Application Data\PnkBstrK.sys 2007-12-10 20:56 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2006-07-23 12:59 0 ----a-w C:\Documents and Settings\Haraldur\TRACE_BOOT_1_1.BIN 2004-10-22 15:05 4,128,256 ----a-w C:\Documents and Settings\Ragnar\acid50.exe 2004-10-22 15:00 946,176 ----a-w C:\Documents and Settings\Ragnar\sfvstwrap.dll 2004-10-22 15:00 2,756,608 ----a-w C:\Documents and Settings\Ragnar\acid50k.dll 2004-10-22 14:52 516,096 ----a-w C:\Documents and Settings\Ragnar\sfnetmedia.dll 2004-10-22 14:52 1,581,056 ----a-w C:\Documents and Settings\Ragnar\sfs4rw.dll 2004-10-22 14:51 937,984 ----a-w C:\Documents and 
Settings\Ragnar\sfmarket2.dll 2004-10-22 14:51 487,424 ----a-w C:\Documents and Settings\Ragnar\sfpublish.dll 2004-10-22 14:51 212,992 ----a-w C:\Documents and Settings\Ragnar\sfconfigmgr.dll 2004-10-22 14:48 655,360 ----a-w C:\Documents and Settings\Ragnar\sfcdx.dll 2004-10-22 14:47 73,728 ----a-w C:\Documents and Settings\Ragnar\sfspti.dll 2004-10-22 14:47 589,824 ----a-w C:\Documents and Settings\Ragnar\sfcdi.dll 2004-10-22 14:47 19,456 ----a-w C:\Documents and Settings\Ragnar\sfscsi.dll 2004-10-22 14:47 13,824 ----a-w C:\Documents and Settings\Ragnar\sfspti2.dll 2004-10-15 13:18 3,427 ----a-w C:\Documents and Settings\Ragnar\acid50.zip 2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2004-05-10 15:43 49,152 ----a-w C:\Documents and Settings\Ragnar\OpcPcmImporter.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8a8a534d-c4d5-775b-786d-9bc7623a03ef}] 2008-09-11 14:40 167936 --a------ C:\WINDOWS\system32\rnmbxrusvd.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf0f7f89-0918-e6b0-85a8-2159d940bfa2}] 2008-05-26 12:13 365568 --a------ C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-08 15360] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "Windows Logon Applicationedc"="C:\Documents and Settings\Haraldur\winlogon.exe" [2008-06-27 53248] "SoundMan"="SOUNDMAN.EXE" [2005-04-15 C:\WINDOWS\SOUNDMAN.EXE] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 C:\WINDOWS\KHALMNPR.Exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" 
[2007-03-07 5181440] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-07 219136] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 C:\WINDOWS\system32\narrator.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-05-04 434176] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion] 2008-04-24 17:51 331776 C:\Program Files\PremierOpinion\pmls.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] ---h----- 2006-07-08 05:18 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"= "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"= "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"= "C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"= "C:\\Program Files\\Mass 
Effect\\MassEffectLauncher.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe "C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "c:\\program files\\premieropinion\\pmropn.exe"= R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 31744] S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr .sys [2005-09-27 27328] S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504] S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 61600] S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 9360] S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 97184] S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 88688] S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-05-01 86560] S3 WLAN(WLAN);XPC 802.11b/g Wireless Kit Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.s ys [2005-08-16 278016] S3 ZD1211U(PLANET Technology Corp.);PLANET WL-U356A Driver(PLANET Technology Corp.);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-08-16 278016] S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS [2004-06-30 19200] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}] \Shell\Auto\command - RavMon.exe e \Shell\AutoRun\command - 
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e . Contents of the 'Scheduled Tasks' folder . - - - - ORPHANS REMOVED - - - - BHO-{0F920657-F252-4F1C-9C44-456D557FE261} - C:\WINDOWS\system32\mlJBSIYQ.dll BHO-{bacd361f-add3-9042-d986-5d1ce1acf8f4} - C:\WINDOWS\system32\nss89F.dll BHO-{dc9ed708-0f21-bc62-ef55-3ca73de65dbb} - C:\WINDOWS\system32\kswiwkeokeymnlvd.dll BHO-{F4759981-9002-4771-B851-530E296D5989} - C:\WINDOWS\system32\xxyVNhGX.dll HKCU-Run-Aim6 - (no file) ShellExecuteHooks-{0F920657-F252-4F1C-9C44-456D557FE261} - C:\WINDOWS\system32\mlJBSIYQ.dll . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Haraldur\Application Data\Mozilla\Firefox\Profiles\037fqimh.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.knowmore.org FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npActiveGS.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmnqmp07030901.dll FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll . ************************************************** ************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-13 09:26:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . 
--------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\Documents and Settings\Haraldur\winlogon.exe -> C:\Program Files\Logitech\SetPoint\GameHook.dll . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\PremierOpinion\pmropn.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\wdfmgr.exe . ************************************************************************** . Completion time: 2008-09-13 9:42:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-09-13 09:42:19 Pre-Run: 26,703,601,664 bytes free Post-Run: 26,874,650,624 bytes free 311 --- E O F --- 2008-08-15 03:02:30
#11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:44, on 2008-09-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\program files\premieropinion\pmropn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Documents and Settings\Haraldur\winlogon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: bannerstyles15 browser enhancer - {8a8a534d-c4d5-775b-786d-9bc7623a03ef} - C:\WINDOWS\system32\rnmbxrusvd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: banneradsgalore browser optimizer - {cf0f7f89-0918-e6b0-85a8-2159d940bfa2} - C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7fac99367c6a40b6ae765cc10735b1c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7fac99367c6a40b6ae765cc10735b1c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: PremierOpinion - C:\program files\premieropinion\pmls.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7466 bytes

Thanks once again for this.
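The HijackThis log above is read by eye in this thread. The script below is an added example, not code from HijackThis or from any poster: it encodes the first questions a helper asks of the O2, O4, O20 and O23 lines (a BHO with no file behind it, a random-looking DLL in system32, a system binary name such as winlogon.exe running from a user profile, a Winlogon Notify DLL, a service whose file is gone). The sample lines are copied from the log; the vowel-ratio test and the directory rules are heuristics chosen for the example, not HijackThis logic.

```python
"""Triage of a HijackThis-format log.

Added example for this thread; not HijackThis code and not from any poster.
The rules are heuristics a malware-removal helper applies by eye, not
signatures."""
import re

# Constructed sample in the same format as the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: bannerstyles15 browser enhancer - {8a8a534d-c4d5-775b-786d-9bc7623a03ef} - C:\WINDOWS\system32\rnmbxrusvd.dll
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Haraldur\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: PremierOpinion - C:\program files\premieropinion\pmls.dll
O23 - Service: digiSPTIService - Unknown owner - C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
"""

# Names that legitimately exist only under the Windows system directory.
SYSTEM_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}
SYSTEM_DIR = re.compile(r"^c:\\windows\\system32\\", re.I)
USER_PROFILE = re.compile(r"^c:\\documents and settings\\", re.I)
ENTRY = re.compile(r"^(O\d+) - (.*)$")


def entry_path(body):
    """Extract the file path from an entry body."""
    m = re.search(r"\]\s+(.*)$", body)        # O4: [Name] path
    if m:
        return m.group(1).strip()
    return body.rsplit(" - ", 1)[-1].strip()   # O2/O20/O23: ... - path


def random_looking(filename):
    """True for vowel-starved names like rnmbxrusvd.dll (Vundo-era BHOs).
    Heuristic only: short names or names with digits are left alone."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    return vowels / len(stem) < 0.25


def triage(log_text):
    """Return (section, reason, path) for each entry a helper would look at first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path = entry_path(body)
        missing = path == "(no file)" or path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        name = path.split("\\")[-1].lower()
        if section == "O2" and missing:
            findings.append((section, "BHO CLSID with no file behind it", path))
        elif section == "O2" and SYSTEM_DIR.match(path) and random_looking(name):
            findings.append((section, "BHO DLL in system32 with random-looking name", path))
        elif section == "O4" and name in SYSTEM_ONLY and not SYSTEM_DIR.match(path):
            findings.append((section, "system binary name running outside system32", path))
        elif section == "O4" and USER_PROFILE.match(path):
            findings.append((section, "autostart from a user profile directory", path))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL loads before the desktop; confirm vendor", path))
        elif section == "O23" and missing:
            findings.append((section, "service registered for a file that no longer exists", path))
    return findings


if __name__ == "__main__":
    for section, reason, path in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason:<60} {path}")
```

Run against the full log, the same rules would also surface the SUPERAntiSpyware O20 entry, which is the point: an O20 line is not a verdict, it is a DLL that gets loaded at every logon and therefore has to be accounted for by vendor before the log is called clean.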
#12
Please follow the instructions here and disable Spybot's TeaTimer, or else changes may not be saved. Please make sure that it stays disabled until I give you the "all clear". If TeaTimer reinstates itself, please uninstall Spybot before it causes further problems.

Download Malwarebytes' Anti-Malware from here or here.
Double-click on mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Please do so.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please copy and paste the entire report in your next reply.

Also post a new OTViewIt log please.
#13
Here are the logs:
Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 2

2008-09-14 10:11:41
mbam-log-2008-09-14 (10-11-41).txt

Scan type: Quick Scan
Objects scanned: 54892
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 23

Memory Processes Infected:
C:\program files\premieropinion\pmropn.exe (Adware.RK) -> Unloaded process successfully.
C:\Documents and Settings\Haraldur\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\efcDTLCt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qtbkrthy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\program files\premieropinion\pmls.dll (Adware.RK) -> Delete on reboot.
C:\WINDOWS\system32\nnnkJApO.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4cafaf0c-c38f-43c1-8080-390e776254de} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkjapo (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4cafaf0c-c38f-43c1-8080-390e776254de} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6913369e-43da-4916-96ee-308cc90776c2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6913369e-43da-4916-96ee-308cc90776c2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\premieropinion (Adware.RK) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\banneradsgalore (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf0f7f89-0918-e6b0-85a8-2159d940bfa2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf0f7f89-0918-e6b0-85a8-2159d940bfa2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a8a534d-c4d5-775b-786d-9bc7623a03ef} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8a8a534d-c4d5-775b-786d-9bc7623a03ef} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e81dab07 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4cafaf0c-c38f-43c1-8080-390e776254de} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon Applicationedc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmeb2e989b (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcdtlct -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcdtlct -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\wTR02 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nnnkJApO.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efcDTLCt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tCLTDcfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tCLTDcfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtbkrthy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yhtrkbtq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\program files\premieropinion\pmls.dll (Adware.RK) -> Delete on reboot.
C:\program files\premieropinion\pmropn.exe (Adware.RK) -> Delete on reboot.
C:\WINDOWS\ISM3434.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPgdeF.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Haraldur\Local Settings\Temporary Internet Files\Content.IE5\6SEM9MQT\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wTR02\wTR022328.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock\VnrBlock20.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Haraldur\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{9c930136-e0fd-f363-dd85-9c42a28e6081}.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\xqvbskcd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMeb2e989b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMeb2e989b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rnmbxrusvd.dll (Adware.BHO) -> Delete on reboot.
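The MBAM report above mixes items that were removed on the spot with items MBAM could only schedule for the next restart ("Delete on reboot"); those are the entries to re-check in the next log. The parser below is an added example, not Malwarebytes code and not from any poster: it reads that line format, returns the pending items as a post-reboot checklist, and groups targets by detection family so the Vundo droppings can be reviewed together. The sample lines are taken from the log above and embedded inline.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x result log.

Added example for this thread; not Malwarebytes code and not from any
poster.  The line format (target (Detection) -> action.) is as printed in
the log above."""
import re
from collections import defaultdict

HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed excerpt of the log above: summary counts plus a few items from
# each kind of section, including a registry data item with a "Data:" segment.
SAMPLE = r"""
Memory Processes Infected: 2
Files Infected: 23

Memory Processes Infected:
C:\program files\premieropinion\pmropn.exe (Adware.RK) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\efcDTLCt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcdtlct -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\nnnkJApO.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tCLTDcfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Haraldur\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam(text):
    """Return one dict per result line: section, target, detection, data, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            section = h.group("section")
            continue
        m = ITEM.match(line)
        if not m or section is None:
            continue                      # summary counts, blank lines, banner
        parts = m.group("action").split(" -> ")
        data = None
        if len(parts) > 1 and parts[0].startswith("Data: "):
            data = parts[0][len("Data: "):]   # registry data items carry the value
        items.append({"section": section, "target": m.group("target"),
                      "detection": m.group("detection"), "data": data,
                      "action": parts[-1]})
    return items


def pending_reboot(items):
    """Targets MBAM could not remove while in use: verify these after the restart."""
    return [i["target"] for i in items if i["action"].lower() == "delete on reboot"]


def by_family(items):
    """Group targets by detection name so related droppings are reviewed together."""
    groups = defaultdict(list)
    for i in items:
        groups[i["detection"]].append(i["target"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_mbam(SAMPLE)
    print("re-check after reboot:")
    for target in pending_reboot(parsed):
        print("  ", target)
    for family, targets in by_family(parsed).items():
        print(family, len(targets))
```

The LSA Authentication Packages entry is the one to watch: its data (c:\windows\system32\efcdtlct) is the same Vundo DLL listed under Memory Modules, and both are only scheduled, so the next OTViewIt or HijackThis log should show neither the file nor the package reference.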
#14
OTViewIt logfile created on: 2008-09-14 10:15:44 - Run 2
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Haraldur\Desktop\Anti-Malware
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 80.78% Memory free
3.95 Gb Paging File | 3.66 Gb Available in Paging File | 92.72% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 25.13 Gb Free Space | 10.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 3.86 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTH-NEMESIS
Current User Name: Haraldur
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

========== Processes - Non-Microsoft Only ==========

[01-28-2005 02:35 PM | 00,434,176 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
[12-10-2004 12:45 PM | 00,049,152 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
[01-07-2008 11:37 PM | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe
[07-09-2007 04:22 PM | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgupsvc.exe
[01-10-2008 11:37 PM | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[07-29-2008 07:03 PM | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[09-10-2008 12:08 AM | 01,253,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
[09-12-2008 02:18 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Haraldur\Desktop\Anti-Malware\OTViewIt.exe

========== Win32 Services - Non-Microsoft Only ==========

[12-05-2007 02:17 PM | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[01-07-2008 11:37 PM | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe -- (Avg7Alrt [Auto | Running])
[07-09-2007 04:22 PM | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgupsvc.exe -- (Avg7UpdSvc [Auto | Running])
File not found -- C:\Documents and Settings\Haraldur\Desktop\Ragnar\Digidesign\Pro Tools\digiSPTIService.exe -- (digiSPTIService [On_Demand | Stopped])
[10-13-2005 07:56 PM | 00,126,976 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe [Disabled | Stopped])
[08-24-2005 04:01 PM | 00,122,368 | ---- | M] (McAfee, Inc) -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe [Disabled | Stopped])
[07-01-2005 07:22 PM | 00,245,760 | ---- | M] (McAfee, Inc) -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe [Disabled | Stopped])
[01-10-2008 11:37 PM | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])

========== Driver Services - Non-Microsoft Only ==========

[06-27-2006 02:24 PM | 00,031,744 | ---- | M] (AMD, Inc.) -- C:\WINDOWS\system32\drivers\AmdTools.sys -- (AmdTools [On_Demand | Running])
[10-14-2004 09:52 AM | 00,004,962 | R--- | M] () -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO [System | Running])
[01-23-2007 05:13 PM | 00,271,360 | ---- | M] () -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt [Auto | Running])
[01-07-2008 11:37 PM | 00,821,856 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7core.sys -- (Avg7Core [System | Running])
[07-09-2007 04:22 PM | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsw.sys -- (Avg7RsW [System | Running])
[07-09-2007 04:22 PM | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsxp.sys -- (Avg7RsXP [System | Running])
[01-07-2008 11:37 PM | 00,010,760 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avgclean.sys -- (AvgClean [System | Running])
File not found -- C:\ComboFix\catchme.sys -- (catchme [On_Demand | Stopped])
File not found -- C:\WINDOWS\system32\drivers\EagleNT.sys -- (EagleNT [On_Demand | Stopped])
[09-27-2005 02:57 AM | 00,027,328 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\system32\drivers\iLokDrvr.sys -- (iLokDrvr [On_Demand | Stopped])
[12-10-2004 12:47 PM | 00,013,056 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
[12-10-2004 12:48 PM | 00,052,992 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou [On_Demand | Stopped])
[12-10-2004 12:48 PM | 00,024,704 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe [On_Demand | Running])
[12-10-2004 12:48 PM | 00,036,480 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK [On_Demand | Running])
[01-23-2007 05:13 PM | 00,018,048 | ---- | M] () -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt [Auto | Running])
[12-10-2004 12:48 PM | 00,068,992 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE [On_Demand | Running])
[08-13-2004 02:56 AM | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor [On_Demand | Running])
File not found -- C:\WINDOWS\system32\PCAMPR5.SYS -- (PCAMPR5 [On_Demand | Stopped])
[10-10-2006 01:53 PM | 00,005,632 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[02-16-2006 05:51 PM | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[02-27-2007 12:39 PM | 00,032,256 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[11-10-2006 05:23 PM | 00,061,600 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Ebus.sys -- (SE2Ebus [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,009,360 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emdfl.sys -- (SE2Emdfl [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,097,184 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emdm.sys -- (SE2Emdm [On_Demand | Stopped])
[11-10-2006 05:23 PM | 00,088,688 | R--- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Emgmt.sys -- (SE2Emgmt [On_Demand | Stopped])
[05-01-2006 01:18 PM | 00,086,560 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\SE2Eobex.sys -- (SE2Eobex [On_Demand | Stopped])
[08-10-2005 12:44 PM | 00,050,688 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
[05-16-2005 01:20 PM | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
[09-29-2005 05:01 PM | 00,066,048 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfvfs02.sys -- (sfvfs02 [Boot | Running])
[09-27-2005 08:00 AM | 00,069,920 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd [Boot | Running])
[08-16-2005 02:50 PM | 00,278,016 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (WLAN(WLAN) [On_Demand | Stopped])
[08-19-2004 02:21 PM | 00,189,568 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp [On_Demand | Running])
[08-16-2005 02:50 PM | 00,278,016 | ---- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (ZD1211U(PLANET Technology Corp.) [On_Demand | Stopped])
[06-30-2004 01:54 PM | 00,019,200 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDBRGSYS.sys -- (ZDBRGSYS [On_Demand | Stopped])
[01-14-2004 11:30 AM | 00,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDPNDIS5.sys -- (ZDPNDIS5 [On_Demand | Stopped])

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bucysukdnvkp" = C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\rnmbxrusvd.dll" EntryPoint File not found
"Logitech Hardware Abstraction Layer" = KHALMNPR.EXE (Logitech Inc.)
"PremierOpinion" = C:\program files\premieropinion\pmropn.exe -boot File not found
"SoundMan" = SOUNDMAN.EXE (Realtek Semiconductor Corp.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"MySpaceIM" = C:\Program Files\MySpace\IM\MySpaceIM.exe ()
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"MySpaceIM" = C:\Program Files\MySpace\IM\MySpaceIM.exe ()
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

========== Startup Folders ==========

[01-28-2005 02:35 PM | 00,434,176 | ---- | M] (Logitech Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

========== Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = about:blank

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
"Start Page" = about:blank

[HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{69A87B7D-DE56-4136-9655-716BA50C19C7} (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()

[HKEY_USERS\S-1-5-21-790525478-1336601894-839522115-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" (HKLM) -- C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()

========== AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls" = C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program,files\premieropinion\pmai.dll,C:\program files\premieropinion\pmai.dll
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>File not found --
>[09-09-2008 05:17 PM | 00,118,784 | ---- | M] (PremierOpinion) -- C:\Program Files\PremierOpinion\pmai.dll

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [] [04-07-2006 11:02 PM | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
Autorun.exe [MZ | ] [08-05-2008 05:02 PM | 00,398,600 | R--- | M] (Electronic Arts Inc.) -- E:\Autorun.exe -- [ UDF ]
Autorun.inf [[autorun] | open=autorun.exe | icon=spore.ico | ] [08-05-2008 04:23 PM | 00,000,043 | R--- | M] () -- E:\Autorun.inf -- [ UDF ]
autorun [] [08-05-2008 05:02 PM | 00,398,600 | R--- | M] (Electronic Arts Inc.) -- E:\autorun.exe -- [ UDF ]
#15
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\Auto\command]
"" = RavMon.exe e
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\AutoRun]
"" = Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e83ff8f7-097b-11dc-88e0-00304f4b041f}\Shell\AutoRun\command]
"" = C:\WINDOWS\system32\shell32.dll -- [10-26-2007 03:36 AM | 08,454,656 | ---- | M] (Microsoft Corporation)

========== DNS Name Servers ==========

{5EB2AE2A-FFBF-4002-8969-C97A02941BF4} (Servers: | Description: 1394 Net Adapter)
{62FCE9C8-61F2-4724-8637-099F0D81A811} (Servers: | Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller)
{67A87936-B1E8-4BD2-A502-10540CCEA617} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{802952CC-24C3-4CAB-ADE6-983AC157E9AA} (Servers: | Description: )
{B02D3413-6E9B-435B-8ED3-70AAD349AA68} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{BCC4FB8F-E76F-40BF-B7B7-5DD4EE670C41} (Servers: | Description: 1394 Net Adapter)
{E8CA36F2-4D61-4457-998C-F25547C0468F} (Servers: | Description: XPC 802.11b/g Wireless Kit)
{EF1176F0-55D3-4EC4-9F3A-BBC83664F179} (Servers: | Description: )

========== Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== Files/Folders - Created Within 30 days ==========

[09-05-2008 04:17 PM | ---D | C] -- C:\ProgramData
[09-09-2008 05:16 PM | 00,000,232 | -H-- | C] () -- C:\sqmdata03.sqm
[09-09-2008 05:16 PM | 00,000,232 | -H-- | C] () -- C:\sqmdata04.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt03.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt04.sqm
[09-09-2008 05:24 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt05.sqm
[09-09-2008 05:24 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata05.sqm
[09-10-2008 06:42 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt06.sqm
[09-10-2008 06:42 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata06.sqm
[09-11-2008 07:17 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt07.sqm
[09-11-2008 07:17 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata07.sqm
[09-12-2008 03:15 PM | 00,000,232 | -H-- | C] () -- C:\sqmdata09.sqm
[09-12-2008 03:15 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt08.sqm
[09-12-2008 03:15 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt09.sqm
[09-12-2008 03:15 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata08.sqm
[09-13-2008 06:13 PM | 00,000,244 | -H-- | C] () -- C:\sqmnoopt10.sqm
[09-13-2008 06:13 PM | 00,000,268 | -H-- | C] () -- C:\sqmdata10.sqm
[09-13-2008 09:12 AM | 02,849,182 | R--- | C] () -- C:\ComboFix.exe
[09-13-2008 09:16 AM | ---D | C] -- C:\QooBox
[09-14-2008 10:05 AM | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09-14-2008 10:05 AM | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[3 C:\WINDOWS\System32\*.tmp files]
[09-04-2008 12:02 PM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[09-08-2008 11:16 PM | 00,090,921 | ---- | C] () -- C:\WINDOWS\System32\kswiwkeokeymnlvd.dll-uninst.exe
[09-08-2008 11:16 PM | 00,548,924 | ---- | C] () -- C:\WINDOWS\System32\lcntstdl.exe
[09-08-2008 11:17 PM | 00,071,828 | ---- | C] () -- C:\WINDOWS\System32\kaqpwccjprozluu.exe
[09-08-2008 11:19 PM | 00,102,154 | ---- | C] () -- C:\WINDOWS\System32\milehighads-remove.exe
[09-08-2008 11:30 PM | ---D | C] -- C:\WINDOWS\System32\sl5
[09-08-2008 11:30 PM | ---D | C] -- C:\WINDOWS\System32\t
[09-09-2008 12:17 AM | 00,153,352 | ---- | C] () -- C:\WINDOWS\System32\g97.exe
[09-11-2008 08:33 AM | ---D | C] -- C:\WINDOWS\System32\mC02
[4 C:\WINDOWS\*.tmp files]
[09-08-2008 11:16 PM | 00,102,400 | ---- | C] (M i r a r) -- C:\WINDOWS\mbd232.exe
[09-08-2008 11:16 PM | 00,428,976 | ---- | C] () -- C:\WINDOWS\DWrvg.exe
[09-09-2008 06:20 PM | 00,000,093 | ---- | C] () -- C:\WINDOWS\wininit.ini
[09-13-2008 09:16 AM | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\Nircmd.exe
[09-13-2008 09:16 AM | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFind.exe
[09-13-2008 09:16 AM | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[09-13-2008 09:16 AM | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[09-13-2008 09:16 AM | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[09-13-2008 09:16 AM | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[09-13-2008 09:16 AM | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\swsc.exe
[09-13-2008 09:16 AM | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[09-13-2008 09:16 AM | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\swxcacls.exe
[09-13-2008 09:42 AM | ---D | C] -- C:\WINDOWS\temp
[09-09-2008 06:02 PM | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[09-14-2008 10:05 AM | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[09-05-2008 04:20 PM | ---D | C] -- C:\Documents and Settings\Haraldur\Application Data\SPORE
[09-14-2008 10:05 AM | ---D | C] -- C:\Documents and Settings\Haraldur\Application Data\Malwarebytes
[09-05-2008 04:20 PM | ---D | C] -- C:\Documents and Settings\Haraldur\My Documents\My Spore Creations
[09-08-2008 11:08 PM | ---D | C] -- C:\Documents and Settings\Haraldur\My Documents\Sony
[09-08-2008 11:09 PM | 00,001,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ACID Pro 6.0.lnk
[09-03-2008 01:16 PM | 00,083,968 | ---- | C] () -- C:\Documents and Settings\Haraldur\Desktop\Syllabus.doc
[09-08-2008 11:00 PM | ---D | C] -- C:\Program Files\Sonic Foundry Setup
[09-08-2008 11:19 PM | ---D | C] -- C:\Program Files\SolAds Games Collection
[09-08-2008 11:20 PM | ---D | C] -- C:\Program Files\PremierOpinion
[09-09-2008 06:02 PM | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[09-14-2008 10:05 AM | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 days ==========

[09-09-2008 05:16 PM | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[09-09-2008 05:16 PM | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[09-09-2008 05:16 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[09-09-2008 05:24 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[09-09-2008 05:24 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[09-10-2008 06:42 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[09-10-2008 06:42 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[09-11-2008 07:17 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[09-11-2008 07:17 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[09-12-2008 03:15 PM | 00,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[09-12-2008 03:15 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[09-12-2008 03:15 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[09-12-2008 03:15 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[09-13-2008 06:13 PM | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[09-13-2008 06:13 PM | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[09-13-2008 09:13 AM | 02,849,182 | R--- | M] () -- C:\ComboFix.exe
[09-14-2008 10:13 AM | 21,470,12608 | -HS- | M] () -- C:\hiberfil.sys
[09-13-2008 09:25 AM | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[09-10-2008 12:08 AM | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09-10-2008 12:08 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[3 C:\WINDOWS\System32\*.tmp files]
[08-19-2008 04:13 PM | 00,097,718 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08-19-2008 04:13 PM | 00,509,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08-19-2008 04:13 PM | 00,615,478 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09-05-2008 04:20 PM | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[09-08-2008 11:17 PM | 00,548,924 | ---- | M] () -- C:\WINDOWS\System32\lcntstdl.exe
[09-08-2008 11:19 PM | 00,102,154 | ---- | M] () -- C:\WINDOWS\System32\milehighads-remove.exe
[09-09-2008 12:17 AM | 00,153,352 | ---- | M] () -- C:\WINDOWS\System32\g97.exe
[09-11-2008 04:11 PM | 00,071,828 | ---- | M] () -- C:\WINDOWS\System32\kaqpwccjprozluu.exe
[09-11-2008 06:14 AM | 00,090,921 | ---- | M] () -- C:\WINDOWS\System32\kswiwkeokeymnlvd.dll-uninst.exe
[09-14-2008 10:14 AM | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[4 C:\WINDOWS\*.tmp files]
[09-08-2008 11:16 PM | 00,102,400 | ---- | M] (M i r a r) -- C:\WINDOWS\mbd232.exe
[09-08-2008 11:16 PM | 00,428,976 | ---- | M] () -- C:\WINDOWS\DWrvg.exe
[09-09-2008 06:20 PM | 00,000,093 | ---- | M] () -- C:\WINDOWS\wininit.ini
[09-13-2008 09:25 AM | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[09-14-2008 10:13 AM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09-13-2008 09:53 PM | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09-13-2008 10:25 PM | 00,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[09-14-2008 10:13 AM | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[08-21-2008 11:16 PM | 01,574,798 | -H-- | M] () -- C:\Documents and Settings\Haraldur\Local Settings\Application Data\IconCache.db
[09-12-2008 06:41 PM | 00,000,580 | ---- | M]
() -- C:\Documents and Settings\Haraldur\My Documents\My Sharing Folders.lnk [09-08-2008 11:09 PM | 00,001,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ACID Pro 6.0.lnk [09-13-2008 10:06 PM | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk [09-03-2008 01:16 PM | 00,083,968 | ---- | M] () -- C:\Documents and Settings\Haraldur\Desktop\Syllabus.doc [09-12-2008 06:41 PM | 00,002,323 | ---- | M] () -- C:\Documents and Settings\Haraldur\Desktop\Windows Live Messenger.lnk [09-13-2008 01:57 AM | 00,001,687 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk < End of report > |