Solve: A Bad Rootkit Problem?

Answer: Hello
Open the SDFix folder and double-click RunThis.bat to start the script.
I downloaded SDFix and saved it to my desktop, but when I tried to reboot in safe mode the computer restarts and keeps taking me to the beginning?! I was beginning to think I was never going to get back on. I use Antivir now. I used Norton before but not any more.

Download Malwarebytes' Anti-Malware (MBAM): http://rapidshare.com/files/150037339/mbam-setup.exe.html
Database version: 1225
Windows 5.1.2600 Service Pack 3
10/1/2008 5:45:34 PM
mbam-log-2008-10-01 (17-45-34).txt
Scan type: Quick Scan
Objects scanned: 54682
Time elapsed: 7 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 40
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 68

Download HostsXpert
Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot, run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop. Link #1 Link #2

**Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix. Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe & follow the prompts. When finished, ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Hello, When I try to download HostsXpert I get this error message:

"Welcome to www.funkytoad.com! Unfortunately we can't process your request because it simply doesn't exist. You can head to the Home Page: www.funkytoad.com or Go directly to the ZonedOut page: --ZonedOut-- or were you looking for HostsXpert the Hosts file editor? : --HostsXpert-- or perhaps Homer, the most excellent localhost webserver found here: --Homer--"

This page.
http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=&28d444df85eb4f435055ed9d39c02f03=2762e1da6db9163fc17720a8dfac5b6eComboFix Log ComboFix 08-10-01.06 - Lone Wolf 2008-10-02 12:33:55.5 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.913 [GMT -5:00] Running from: C:\Documents and Settings\Lone Wolf\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\start.exe C:\WINDOWS\system32\TDSSerrors.log C:\WINDOWS\system32\TDSSl.dll C:\WINDOWS\system32\tdsslog.dll C:\WINDOWS\system32\TDSSserf1.dll C:\WINDOWS\system32\tdssservers.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MCHINJDRV ((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 ))))))))))))))))))))))))))))))) . 2008-10-01 15:00 . 2008-10-01 15:01 d-------- C:\327882R2FWJFW 2008-10-01 01:33 . 2008-10-01 01:33 d-------- C:\Documents and Settings\Lone Wolf\Application Data\Avira 2008-09-30 21:05 . 2008-10-02 02:09 d-------- C:\Program Files\qdacqzc 2008-09-30 21:05 . 2008-09-30 21:45 d-------- C:\Documents and Settings\All Users\Application Data\nqrobmhw 2008-09-30 20:57 . 2008-09-30 22:10 d-------- C:\Program Files\Super_DVD_Creator_9.8 2008-09-30 19:24 . 2008-09-30 19:24 d-------- C:\Program Files\Common Files\DirectX 2008-09-29 21:31 . 2008-09-29 21:31 d-------- C:\WINDOWS\system32\QuickTime 2008-09-29 21:31 . 2008-09-29 21:31 d-------- C:\Documents and Settings\All Users\Application Data\TechSmith 2008-09-29 21:31 . 2008-01-18 03:36 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll 2008-09-29 21:30 . 2008-09-29 21:30 d-------- C:\Program Files\TechSmith 2008-09-29 21:30 . 2008-09-29 21:30 d-------- C:\Program Files\Common Files\TechSmith Shared 2008-09-29 19:12 . 
2008-09-15 02:19 389 -rahs---- C:\BOOT.INI.backup 2008-09-29 19:10 . 2008-09-29 19:10 d-------- C:\symserver 2008-09-29 19:10 . 2008-09-29 19:10 d-------- C:\Program Files\Compuware 2008-09-29 19:10 . 2008-09-29 19:10 d-------- C:\Program Files\Common Files\Compuware 2008-09-29 19:08 . 2005-02-09 01:15 1,457 --a------ C:\WINDOWS\system32\drivers\compuware.dat 2008-09-29 18:18 . 2008-09-29 18:18 d-------- C:\Program Files\Novasoft Inc 2008-09-27 01:00 . 2008-09-27 01:08 d-------- C:\Program Files\AnMing 2008-09-22 11:48 . 2008-09-22 11:48 203 --a------ C:\WINDOWS\GSdx9 sse2.INI 2008-09-21 20:56 . 2008-09-21 20:56 33,368 --a------ C:\Documents and Settings\Lone Wolf\Application Data\GDIPFONTCACHEV1.DAT 2008-09-21 18:11 . 2008-09-21 18:11 d-------- C:\Documents and Settings\Lone Wolf\Application Data\fltk.org 2008-09-21 11:38 . 2008-09-21 11:38 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2008-09-21 02:56 . 2008-09-21 02:56 d-------- C:\ProgramData 2008-09-21 02:56 . 2008-09-22 00:29 d-------- C:\Program Files\Electronic Arts 2008-09-21 02:56 . 2008-09-21 02:56 662 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg 2008-09-21 02:53 . 2008-09-21 02:53 d-------- C:\WINDOWS\Logs 2008-09-17 02:25 . 2008-07-01 09:00 1,642,496 --a------ C:\WINDOWS\system32\ChilkatMail_v7_9.dll 2008-09-17 02:25 . 2008-03-12 22:55 1,294,336 --a------ C:\WINDOWS\system32\ChilkatXml.dll 2008-09-17 02:25 . 2007-12-28 13:16 1,122,304 --a------ C:\WINDOWS\system32\ChilkatHttp.dll 2008-09-17 02:25 . 2008-03-12 22:54 1,085,440 --a------ C:\WINDOWS\system32\ChilkatSocket.dll 2008-09-17 02:25 . 2006-10-26 22:17 765,736 --a------ C:\WINDOWS\system32\MSWORD.OLB 2008-09-17 02:25 . 2008-07-01 11:04 659,456 --a------ C:\WINDOWS\system32\ChilkatCharset.dll 2008-09-17 02:25 . 2008-03-26 08:20 569,344 --a------ C:\WINDOWS\system32\CkString.dll 2008-09-17 02:25 . 2008-01-29 04:32 140,488 --a-s---- C:\WINDOWS\system32\comdlg32.ocx 2008-09-15 14:39 . 
2008-09-15 14:39 d-------- C:\Program Files\Avira 2008-09-15 14:39 . 2008-09-15 14:40 d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-09-14 15:22 . 2008-10-01 17:35 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-14 15:22 . 2008-09-14 15:22 d-------- C:\Documents and Settings\Lone Wolf\Application Data\Malwarebytes 2008-09-14 15:22 . 2008-09-14 15:22 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-14 15:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-14 15:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-09-14 04:46 . 2008-09-14 04:46 d-------- C:\Program Files\UberIcon 2008-09-14 04:28 . 2008-09-14 04:28 d-------- C:\Program Files\RocketDock 2008-09-14 04:26 . 2008-09-14 04:26 0 --a------ C:\WINDOWS\WB.ini 2008-09-14 04:23 . 2008-09-15 01:30 27 --a------ C:\WINDOWS\SDAddressBox16827d0561119.ini 2008-09-14 03:51 . 2008-09-14 04:17 27 --a------ C:\WINDOWS\SDAddressBox1633cb8581916.ini 2008-09-14 02:49 . 2008-09-14 02:49 2,359,350 --a------ C:\WINDOWS\Quest1024.bmp 2008-09-14 02:46 . 2008-09-14 02:46 7,852 --a------ C:\WINDOWS\system32\mcdmsg7.dll 2008-09-14 02:45 . 2008-09-14 02:45 d-------- C:\Program Files\Object Desktop 2008-09-14 02:38 . 2008-09-14 03:34 d-------- C:\Program Files\Common Files\Stardock 2008-09-14 02:28 . 2008-09-14 02:49 d-------- C:\Program Files\Stardock 2008-09-14 02:28 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll 2008-09-13 01:12 . 2008-09-13 01:12 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2008-09-13 01:02 . 2008-09-13 01:02 d--hs---- C:\WINDOWS\ftpcache 2008-09-13 00:34 . 2008-09-13 19:42 2,328,704 --a------ C:\WINDOWS\system32\TUKernel.exe 2008-09-12 20:45 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll 2008-09-12 13:33 . 2008-09-12 13:33 50 --a------ C:\WINDOWS\MegaManager.INI 2008-09-10 17:51 . 
2008-09-10 17:51 d-------- C:\Program Files\iTunes 2008-09-10 17:51 . 2008-09-10 17:51 d-------- C:\Program Files\iPod 2008-09-10 17:51 . 2008-09-10 17:51 d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-10 17:51 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll 2008-09-10 17:51 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys 2008-09-10 17:49 . 2008-09-10 17:50 d-------- C:\Program Files\QuickTime 2008-09-08 21:05 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL 2008-09-08 20:32 . 2008-09-08 20:32 d-------- C:\Documents and Settings\Lone Wolf\Application Data\Notrivia 2008-09-08 16:51 . 2008-09-08 16:54 41,008 --a------ C:\WINDOWS\system32\DCSysTray.ocx 2008-09-07 11:03 . 2008-09-07 11:03 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-09-07 10:54 . 2008-09-07 10:54 d-------- C:\Program Files\SUPERAntiSpyware 2008-09-07 10:54 . 2008-09-07 10:54 d-------- C:\Documents and Settings\Lone Wolf\Application Data\SUPERAntiSpyware.com 2008-09-07 00:05 . 2008-09-07 00:05 d-------- C:\VersalSoft 2008-09-07 00:05 . 2008-09-07 00:05 d-------- C:\Program Files\VersalSoft 2008-09-07 00:05 . 2008-09-07 00:05 d-------- C:\Program Files\Universal 2008-09-06 22:42 . 2008-09-06 22:42 d-------- C:\Program Files\Trend Micro 2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx 2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts 2008-09-06 14:10 . 2004-02-10 23:32 491,520 --a------ C:\WINDOWS\system32\vbalSGrid6.ocx 2008-09-06 14:10 . 2006-01-11 04:13 69,632 --a------ C:\WINDOWS\system32\sfFrameControl.ocx 2008-09-05 22:40 . 2008-09-06 01:08 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro 2008-09-05 18:20 . 2008-09-05 18:20 d-------- C:\Program Files\Panda Security 2008-09-05 18:08 . 
2008-09-05 18:08 d-------- C:\Program Files\EdwinSoft 2008-09-05 14:18 . 2008-09-05 14:18 70 --ah----- C:\aaw7boot.cmd 2008-09-05 12:57 . 2008-09-12 20:44 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-09-05 12:57 . 2008-09-05 13:02 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-09-05 01:19 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe 2008-09-05 01:19 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf 2008-09-04 23:03 . 2008-09-04 23:03 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo! 2008-09-04 23:03 . 2008-10-02 02:04 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR 2008-09-04 23:03 . 2008-09-04 23:03 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\EmailNotifier . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-01 22:59 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\Apple Computer 2008-10-01 22:07 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\CoreFTP 2008-10-01 21:42 90,112 ----a-w C:\WINDOWS\DUMP4815.tmp 2008-10-01 21:41 98,304 ----a-w C:\WINDOWS\DUMP40b2.tmp 2008-10-01 21:34 90,112 ----a-w C:\WINDOWS\DUMP5e6b.tmp 2008-10-01 21:33 98,304 ----a-w C:\WINDOWS\DUMP4d54.tmp 2008-10-01 21:31 98,304 ----a-w C:\WINDOWS\DUMP5fb5.tmp 2008-10-01 21:30 98,304 ----a-w C:\WINDOWS\DUMP5fb4.tmp 2008-10-01 21:29 98,304 ----a-w C:\WINDOWS\DUMP613a.tmp 2008-10-01 05:45 --------- d-----w C:\Program Files\G-C 2008-09-30 20:36 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\MegauploadToolbar 2008-09-30 07:58 --------- d-----w C:\Program Files\SpeedFan 2008-09-30 00:14 1,757 ----a-w C:\WINDOWS\system32\drivers\Winice.dat 2008-09-30 00:14 1,184 ----a-w C:\WINDOWS\system32\drivers\SIWSYM.SYS 2008-09-25 19:23 --------- d-----w C:\Documents and Settings\All 
Users\Application Data\Yahoo! Companion 2008-09-25 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! 2008-09-21 07:56 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-09-20 09:36 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\Microsoft Corporation 2008-09-12 18:35 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\Viewpoint 2008-09-12 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-09-12 18:32 --------- d-----w C:\Program Files\Java 2008-09-10 22:50 --------- d-----w C:\Program Files\Bonjour 2008-09-10 22:49 --------- d-----w C:\Program Files\Common Files\Apple 2008-09-09 01:01 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\mIRC 2008-09-09 01:00 --------- d-----w C:\Program Files\mIRC 2008-09-07 22:20 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-09-07 22:20 --------- d-----w C:\Program Files\WinAVI Video Converter 9.0 2008-09-07 22:20 --------- d-----w C:\Program Files\TVUPlayer 2008-09-07 22:20 --------- d-----w C:\Program Files\ICQ 2008-09-07 22:20 --------- d-----w C:\Program Files\Flock 2008-09-07 22:19 --------- d-----w C:\Program Files\AIMTunes 2008-09-06 03:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-09-06 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-09-06 03:30 --------- d-----w C:\Program Files\Symantec 2008-09-06 03:30 --------- d-----w C:\Program Files\Norton 360 2008-09-04 20:16 --------- d-----w C:\Program Files\K-Lite Codec Pack 2008-09-04 04:38 --------- d-----w C:\Program Files\Illusion 2008-09-02 01:08 --------- d-----w C:\Program Files\Internet TV 2008-09-02 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks 2008-09-01 20:59 --------- d-----w C:\Program Files\VirtualDub 2008-09-01 20:43 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe 
2008-09-01 20:43 --------- d-----w C:\Program Files\AviSynth 2.5 2008-09-01 20:43 --------- d-----w C:\Program Files\AutoGK 2008-09-01 20:31 --------- d-----w C:\Program Files\URUSoft 2008-08-31 06:20 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\My Games 2008-08-31 05:52 --------- d-----w C:\Program Files\GameSpy 2008-08-31 05:00 --------- d-----w C:\Program Files\Firaxis Games 2008-08-31 04:58 --------- d-----w C:\Program Files\MegauploadToolbar 2008-08-31 04:58 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-08-30 05:49 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\EmailNotifier 2008-08-30 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Megaupload 2008-08-30 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\EmailNotifier 2008-08-29 15:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-29 14:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 01:25 434,688 ----a-w C:\WINDOWS\system32\ss2uinst.exe 2008-08-25 18:43 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\MSN6 2008-08-25 18:28 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL 2008-08-25 18:28 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS 2008-08-25 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6 2008-08-24 05:59 4 ----a-w C:\results.bin 2008-08-23 20:59 --------- d-----w C:\Program Files\HyperYM 2008-08-21 02:57 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\Uniblue 2008-08-21 02:49 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\AVS4YOU 2008-08-21 02:48 --------- d-----w C:\Program Files\AVS4YOU 2008-08-21 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU 2008-08-21 02:47 --------- d-----w C:\Program Files\Common Files\AVSMedia 2008-08-21 02:20 --------- d-----w C:\Program Files\Common Files\xing shared 2008-08-21 
02:20 --------- d-----w C:\Program Files\Common Files\Real 2008-08-20 19:05 --------- d-----w C:\Program Files\Ubisoft 2008-08-20 05:44 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\TVU Networks 2008-08-20 05:42 --------- d-----w C:\Program Files\SopCast 2008-08-20 05:42 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\SopCast 2008-08-20 05:34 --------- d-----w C:\Program Files\Real 2008-08-20 05:34 --------- d-----w C:\Program Files\Common Files\csshare 2008-08-20 05:03 --------- d-----w C:\Program Files\TV Mesh Full 2008-08-20 04:29 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\TVDAT 2008-08-20 00:11 --------- d-----w C:\Program Files\Managed DirectX (0901) 2008-08-19 22:33 --------- d-----w C:\Documents and Settings\Lone Wolf\Application Data\ScanSoft 2008-08-19 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}] 2008-08-04 15:44 1947080 --a------ C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL" [2008-08-04 1947080] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL" [2008-08-04 1947080] [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}] [HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360] "UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744] "Messenger (Yahoo!)"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-09-19 4347120] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648] "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472] "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304] "Nuance PDF Professional 5-reminder"="C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-20 185896] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696] "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576] "SunJavaUpdateSched"="C:\Program 
Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-15 266497] "SoundMan"="SOUNDMAN.EXE" [2002-10-02 C:\WINDOWS\SOUNDMAN.EXE]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient] 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] 2008-09-14 02:37 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i263_32.drv "vidc.I263"= I263_32.drv "msacm.divxa32"= divxa32.acm "VIDC.X264"= x264vfw.dll "MSVideo"= CSvidcap.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Lone Wolf^Start Menu^Programs^Startup^Stardock Keyboard Launchpad.lnk] path=C:\Documents and Settings\Lone Wolf\Start Menu\Programs\Startup\Stardock Keyboard Launchpad.lnk backup=C:\WINDOWS\pss\Stardock Keyboard Launchpad.lnkStartup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobeupdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
--a------ 2007-05-27 03:19 36864 C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
--a------ 2008-06-10 16:18 785520 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a------ 2007-12-25 16:25 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyperym]
--a------ 2005-11-03 16:59 172032 C:\Program Files\HyperYM\HyperYM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2007-04-18 23:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra------ 2007-04-18 23:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdf5 registry controller]
--a------ 2008-02-02 02:19 58656 C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfhook]
--a------ 2008-03-15 10:55 1626112 C:\Program Files\Nuance\PDF Professional 5\PdfPro5Hook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe]
--a------ 2008-08-20 21:19 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-09-19 17:34 4347120 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2002-07-23 14:09 477184 C:\WINDOWS\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2007-04-18 23:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 bootcfg;DriverStudio BootTime Configuration;C:\WINDOWS\system32\drivers\bootcfg.sys [2004-12-20 10624]
R0 CptHook;DriverStudio Hook Driver;C:\WINDOWS\system32\drivers\cpthook.sys [2004-12-20 17024]
R0 nmfilter;DriverStudio Device Filter;C:\WINDOWS\system32\DRIVERS\nmfilter.sys [2004-12-20 7808]
R0 OsiData;OsiData;C:\WINDOWS\system32\drivers\OsiData.sys [2004-12-20 728768]
R0 Siwvid;Siwvid;C:\WINDOWS\system32\drivers\siwvid.sys [2004-12-20 159360]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-15 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-15 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-15 41217]
R2 DbgMsg;Debug Message;C:\WINDOWS\system32\drivers\DbgMsg.sys [2004-12-20 16000]
R2 DriverStudio Remote Control;DriverStudio Remote Control;C:\Program Files\Compuware\DriverStudio\Common\Bin\DSRSvc.exe [2004-12-20 41034]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 DbgNet;DbgNet;C:\WINDOWS\system32\drivers\DbgNet.sys [2004-12-20 16000]
S3 EraserUtilDrv10821;EraserUtilDrv10821;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [ ]
S3 NTice;NTice;C:\WINDOWS\system32\drivers\NTice.sys [2004-12-20 1874432]
S3 SiwvidStart;SiwvidStart;C:\Program Files\Compuware\DriverStudio\SoftICE\Setup\siwvid.sys [2004-12-20 159360]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-09-12 354560]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S4 BCHKD;BCHKD;C:\WINDOWS\system32\drivers\BCHKD.sys [2004-12-20 589568]
S4 SiCore;SICORE;C:\WINDOWS\system32\drivers\SiCore.sys [2004-12-20 224512]
S4 SIFILE;SIFILE;C:\WINDOWS\system32\drivers\SIFILE.sys [2004-12-20 13824]
S4 SIKSYM;SIKSYM;C:\WINDOWS\system32\drivers\SIKSYM.sys [2004-12-20 728896]
S4 Siwsym;Siwsym;C:\WINDOWS\system32\drivers\Siwsym.sys [2008-09-29 1184]
S4 X9TC;X9TC;C:\WINDOWS\system32\drivers\X9TC.sys [2004-12-20 32768]
S4 X9TT;X9TT;C:\WINDOWS\system32\drivers\X9TT.sys [2004-12-20 78848]
S4 X9TTsvc;TrueTime DE System Performance Service;C:\Program Files\Compuware\DriverStudio\DriverWorkbench\TTPerfSvc.exe [2004-12-20 24653]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lone Wolf\Application Data\Mozilla\Firefox\Profiles\lad80y0t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com
FF -: plugin - C:\Documents and Settings\Lone Wolf\Application Data\Mozilla\Firefox\Profiles\lad80y0t.default\extensions\[email protected]\plugins\npTVUAx.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMXENG.DLL
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 12:44:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
-> C:\Program Files\UberIcon\UberIcon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla server.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-10-02 13:00:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 18:00:24
Pre-Run: 14,667,276,288 bytes free
Post-Run: 14,631,129,088 bytes free
461 --- E O F --- 2008-10-02 07:15:04

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:40 PM, on 10/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Compuware\DriverStudio\Common\Bin\DSRSvc.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\LONE WOLF\Application Data\Mozilla\Profiles\default\3ox7mnc8.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LONE WOLF\Application Data\Mozilla\Profiles\default\3ox7mnc8.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Nuance PDF Professional 5-reminder] "C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Nuance PDF Converter 5.0 - res://C:\Program Files\Nuance\PDF Professional 5\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lone Wolf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DriverStudio Remote Control - Unknown owner - C:\Program Files\Compuware\DriverStudio\Common\Bin\DSRSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDFProFiltSrv - Nuance Communications, Inc. - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

-- End of file - 17625 bytes

Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries (if there):

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
- O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
Driver::
MCHINJDRV
Folder::
C:\Program Files\qdacqzc
C:\Documents and Settings\All Users\Application Data\nqrobmhw

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

Download the Norton Removal Tool (SymNRT) to your Desktop. Once downloaded please close ALL open browsers, also save any work because this may require a restart.
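The helper's picks above follow two patterns that can be checked mechanically: HijackThis entries whose target is reported as "(no file)" or "(file missing)", and ComboFix registry lines that switch off Security Center monitoring or the Windows Firewall. The script below is an added example, not code from this thread or from either tool; it parses those two line formats and flags such entries for review. The sample lines are copied from the logs posted in the thread; the function names and the Finding record are assumptions of this example.

```python
"""Triage helper for the HijackThis and ComboFix log formats seen in this thread.

Added example (not part of the thread, not from HijackThis or ComboFix).
It flags the two things a helper checks first:
  * HijackThis entries whose target is "(no file)" or "(file missing)":
    orphaned buttons, hooks or services, often left behind by malware or
    by a half-removed product;
  * ComboFix registry lines that silence Security Center monitoring or turn
    off the Windows Firewall standard profile. A third-party suite may set
    these, but so does malware that wants to stay quiet, so review them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HijackThis line: "<section> - <body>", e.g. "O9 - Extra button: ..."
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# ComboFix registry dump: a "[key]" header followed by "name"=value lines
CF_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str   # HijackThis section (O9, O23, ...) or a registry tag
    line: str      # the flagged log line, verbatim
    reason: str    # why a helper should look at it


def parse_hjt(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis line into (section, body); None if it is not one."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def flag_hjt(lines: List[str]) -> List[Finding]:
    """Flag entries that point at a file HijackThis could not find."""
    findings = []
    for line in lines:
        parsed = parse_hjt(line)
        if parsed is None:
            continue
        section, body = parsed
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, line.strip(),
                                    "target file missing: orphaned entry"))
    return findings


def reg_int(value: str) -> Optional[int]:
    """Interpret a ComboFix-rendered DWORD: 'dword:00000001' or '0 (0x0)'."""
    try:
        if value.lower().startswith("dword:"):
            return int(value[6:], 16)
        return int(value.split()[0])
    except ValueError:
        return None   # a quoted path or other non-numeric value


def flag_combofix_registry(lines: List[str]) -> List[Finding]:
    """Flag security-relevant settings in ComboFix's registry section."""
    findings = []
    key = ""
    for raw in lines:
        line = raw.strip()
        k = CF_KEY.match(line)
        if k:
            key = k.group("key")       # remember the current [key] header
            continue
        v = CF_VALUE.match(line)
        if not v:
            continue
        name, number = v.group("name"), reg_int(v.group("value"))
        low = key.lower()
        if "security center\\monitoring" in low and name == "DisableMonitoring" and number == 1:
            findings.append(Finding("SecurityCenter", line,
                                    f"Security Center monitoring disabled under {key}"))
        elif "firewallpolicy\\standardprofile" in low and name == "EnableFirewall" and number == 0:
            findings.append(Finding("Firewall", line,
                                    "Windows Firewall standard profile disabled"))
    return findings


def triage(hjt_lines: List[str], combofix_lines: List[str]) -> List[Finding]:
    return flag_hjt(hjt_lines) + flag_combofix_registry(combofix_lines)


# Sample input: lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm",
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]
SAMPLE_COMBOFIX = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]",
    r'"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=',
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only flags; it deliberately does not delete anything. On the thread's own logs it picks out the two O9 entries the helper fixes in HijackThis, the Symantec services whose executables are gone, and the Security Center and firewall settings, which are the kind of lines a reviewer confirms by hand before deciding whether a legitimate suite or something else set them.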