1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Antivirus XP 2008: wraping up the cleaning up

Discussion in 'Windows - Virus and spyware problems' started by dracomoe, Sep 5, 2008.

  1. dracomoe

    dracomoe Guest

    After hearing about this website, I read up on other threads that had this Antivirus XP 2008 virus/trojan issue. I followed the steps that 2oldGeek had given to a few others that had this issue. I Downloaded the progams he mentioned: ATF Cleaner, SUPERAntiSpyware, Avira AntiVir, and MalwareBytes.
    I installed and ran Anira AntiVir and SUPERAntiSpyware. I then restared my PC in safe mode and ran the ATF cleaner and MalwareBytes. After doing these actions, it seems to have cleared the apparent issues: screen saver of blue-screen-of-death, inhibiting of changing backround and screen saver settings, trojans attempting to get on the internet, etc.
    My brother, s/n: Waltfarie, faced this same issue and is strogly recommending me to post my HIjackthis log for further review.

    Please tell me if there is anything that may pose any future problems, thank you greatly for your time.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:09:44 PM, on 09/05/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\CBOClean\BOCORE.exe
    D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe
    D:\WINDOWS\system32\ZuneBusEnum.exe
    D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Intel(R) Active Monitor\imontray.exe
    D:\WINDOWS\vsnpstd2.exe
    D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    D:\Program Files\Zune\ZuneLauncher.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\PROGRA~1\CBOClean\BOC427.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    D:\Program Files\BitComet\BitComet.exe
    D:\Program Files\GBMPro8\GBMAgent.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    D:\Program Files\TotalMedia 3\TMMonitor.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    D:\Program Files\Nostromo\nost_LM.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    D:\WINDOWS\system32\taskmgr.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\WINDOWS\System32\NOTEPAD.EXE
    D:\Program Files\Opera\opera.exe
    D:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
    O1 - Hosts: 64.207.166.100 www.gmail.com
    O1 - Hosts: 64.207.166.100 gmail.com
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [SNPSTD2] D:\WINDOWS\vsnpstd2.exe
    O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Shortcut to nost_LM.lnk = D:\Program Files\Nostromo\nost_LM.exe
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 7833 bytes
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dracomoe

    Your brother was right. You do need to post the log to remove some of the traces left by the malware.

    Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.
    • Please wait for the scan to be completed.
    • After the scan has completed, check the following entries.

    *****R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
    O1 - Hosts: 64.207.166.100 www.gmail.com
    O1 - Hosts: 64.207.166.100 gmail.com
    O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)


    Click on the button Fix checked

    NOTE:: Close all browsers before fixing anything.

    After that, reboot.

    *****Note: If you wanted google.atcomet.com to be your homepage, then ignore this entry.

    Also, I'm sorry to say that you aren't completely clean yet. I see traces of a trojan on your system still active.

    First, please upload these two files: D:\Documents and Settings\Brother Moe\xrt_wpmh.exe and D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe to www.virustotal.com and /www.uploadmalware.com. Post the results from VirusTotal here.

    Now, please download Combofix.
    With Combofix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the Comobofix window, as it may cause it to stall.

    Best Regards :D
     
  3. dracomoe

    dracomoe Guest

    Your help is greatly appriciated! Thank you cdavfrew.

    *O1 - Hosts: 64.207.166.100 www.gmail.com
    *O1 - Hosts: 64.207.166.100 gmail.com
    removed: O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    *O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    *O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    removed: O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)

    When I ran Hijackthis the same results didnt show up as I had posted prviously. I am assuming that this had to do with me running WinsockxpFix this morning in attempt to fix another issue that is affecting my computer system, Neverwinter Nights Diamond edition was running fine last night and is now running all choppy and slow. I am hoping that this trojan/virus issue resolves my game play issue. I put an * next to the name of the registry finds that didnt show up the second time. Those with out the astrisk I found and removed. Therefore, I did not have the two files to upload on the websites www.virustotal.com and /www.uploadmalware.com.


    I downloaded ComboFix and renamed it, and clicked it thinking it was a zip. The scan began w/ my programs running, screen changed, pc restarted, and all that and I have the results if you would like to see them. In order to follow your instructions properly, I ran ComboFix with my interned disconnected and all my applications shut down; however, while running I had an error, windows report window came up beacuase of grep.ctexe and the Find3M failed in the ComboFix scan. When completed I got the log and have those results if you would like to see them.
    So, I ran it a third time and it seemed to go smoothlie, here are the results from the log:

    ComboFix 08-09-05.03 - Brother Moe 2008-09-07 15:43:41.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639 [GMT -4:00]
    Running from: I:\Downloaded\Files\ComboFx.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
    .

    2008-09-06 14:20 . 2008-09-06 14:20 <DIR> d-------- D:\Program Files\DAEMON Tools Lite
    2008-09-05 21:45 . 2008-09-05 21:45 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\DAEMON Tools
    2008-09-05 21:45 . 2008-09-05 21:45 717,296 --a------ D:\WINDOWS\system32\drivers\sptd.sys
    2008-09-05 21:35 . 2008-09-05 21:35 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-09-05 21:29 . 2008-09-05 21:29 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Leadertech
    2008-09-05 21:28 . 2008-09-05 21:29 <DIR> d-------- D:\Program Files\GameSpy Arcade
    2008-09-05 20:41 . 2008-09-05 20:41 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Malwarebytes
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Program Files\CloneDVD
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Vso
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\DVDXStudio
    2008-09-05 19:55 . 2008-09-05 19:55 81,920 --a------ D:\Documents and Settings\Brother Moe\Application Data\ezpinst.exe
    2008-09-05 19:55 . 2008-09-05 19:55 47,360 --a------ D:\WINDOWS\system32\drivers\pcouffin.sys
    2008-09-05 19:55 . 2008-09-05 19:55 47,360 --a------ D:\Documents and Settings\Brother Moe\Application Data\pcouffin.sys
    2008-09-05 18:56 . 2008-09-05 18:56 <DIR> d-------- D:\WINDOWS\system32\SuperAdBlocker.com
    2008-09-05 18:56 . 2008-09-05 18:56 1,049 --a------ D:\WINDOWS\mozver.dat
    2008-09-05 11:16 . 2008-09-05 11:16 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-09-05 10:57 . 2008-06-10 02:32 73,728 --a------ D:\WINDOWS\system32\javacpl.cpl
    2008-09-05 10:56 . 2008-09-05 10:56 <DIR> d-------- D:\Program Files\Common Files\Java
    2008-09-04 22:46 . 2008-09-04 22:46 0 --a------ D:\WINDOWS\nsreg.dat
    2008-09-04 21:59 . 2008-09-04 23:10 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
    2008-09-04 21:59 . 2008-09-04 21:59 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-04 21:59 . 2008-09-04 21:59 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-09-04 21:59 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-04 21:59 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
    2008-09-04 21:56 . 2008-09-04 21:56 <DIR> d-------- D:\Documents and Settings\Administrator
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\SUPERAntiSpyware.com
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-01 22:36 . 2008-04-13 20:12 22,528 --a------ D:\WINDOWS\system32\wsock32.dlb
    2008-09-01 22:35 . 2008-09-01 22:35 <DIR> d-------- D:\Program Files\CBOClean
    2008-09-01 22:35 . 2008-09-01 22:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BOC427
    2008-09-01 22:35 . 2008-07-14 05:09 212,728 --a------ D:\WINDOWS\CMDLIC.DLL
    2008-09-01 22:35 . 2008-07-14 05:09 205,560 --a------ D:\WINDOWS\UNBOC.EXE
    2008-09-01 22:35 . 2008-09-07 15:21 8,990 --a------ D:\WINDOWS\BOC427.INI
    2008-09-01 21:06 . 2008-09-01 21:06 <DIR> d-------- D:\Program Files\Avira
    2008-09-01 21:06 . 2008-09-01 21:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
    2008-09-01 20:09 . 2008-09-01 20:09 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Genie-Soft
    2008-09-01 20:08 . 2008-09-01 20:08 <DIR> d-------- D:\Program Files\GBMPro8
    2008-09-01 20:08 . 2006-11-02 00:50 128,104 --a------ D:\WINDOWS\system32\drivers\WimFltr.sys
    2008-09-01 18:26 . 2008-09-05 10:38 <DIR> d-------- D:\Program Files\Logs
    2008-09-01 17:33 . 2008-09-01 17:33 0 --a------ D:\WINDOWS\PowerReg.dat
    2008-09-01 17:31 . 2008-09-01 17:31 <DIR> d-------- D:\Program Files\SystemRequirementsLab
    2008-09-01 17:15 . 2008-09-01 17:15 <DIR> d-------- D:\Program Files\NeverwinterNights
    2008-08-27 22:26 . 2008-08-27 22:26 <DIR> d-------- D:\Program Files\CCleaner
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\system32\scripting
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\system32\en
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\l2schemas
    2008-08-19 18:15 . 2008-08-19 18:15 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Apple Computer
    2008-08-19 09:09 . 2008-08-19 09:10 <DIR> d-------- D:\Program Files\Total Video Converter
    2008-08-17 18:17 . 2008-09-07 09:10 664 --a------ D:\WINDOWS\system32\d3d9caps.dat
    2008-08-15 23:32 . 2008-08-16 00:21 <DIR> d-------- D:\Program Files\MediaCoder
    2008-08-15 22:02 . 2008-08-15 22:02 <DIR> d-------- D:\Program Files\Apple Software Update
    2008-08-15 22:02 . 2008-08-15 22:02 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
    2008-08-15 21:32 . 2008-03-21 13:57 14,640 --a------ D:\WINDOWS\system32\spmsgXP_2k3.dll
    2008-08-15 21:32 . 2008-08-15 21:32 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-08-15 21:32 . 2008-08-15 21:32 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
    2008-08-15 21:30 . 2008-08-15 21:34 <DIR> d-------- D:\Program Files\Zune
    2008-08-14 16:24 . 2008-04-11 15:04 691,712 -----c--- D:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-14 16:06 . 2008-05-01 10:33 331,776 -----c--- D:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-12 21:57 . 2008-09-07 10:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 05:39 --------- d-----w D:\Program Files\BitComet
    2008-09-05 22:33 --------- d-----w D:\Program Files\Opera
    2008-09-05 14:57 --------- d-----w D:\Program Files\Java
    2008-09-02 18:06 --------- d-----w D:\Program Files\Intel(R) Active Monitor
    2008-09-02 00:28 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-02 00:18 507,904 ----a-w D:\WINDOWS\system32\winlogon.exe
    2008-09-02 00:18 295,424 ----a-w D:\WINDOWS\system32\termsrv.dll
    2008-09-01 21:18 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-08-28 01:28 361,600 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
    2008-08-24 02:27 --------- d-----w D:\Documents and Settings\Brother Moe\Application Data\LimeWire
    2008-08-23 00:24 --------- d-----w D:\Program Files\World of Warcraft
    2008-08-16 02:03 --------- d-----w D:\Program Files\QuickTime
    2008-08-16 02:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-08-13 02:24 --------- d-----w D:\Program Files\Common Files\Adobe
    2008-08-13 01:57 --------- d-----w D:\Program Files\Google
    2008-08-02 20:55 --------- d-----w D:\Program Files\Clone DVD
    2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w D:\WINDOWS\system32\es.dll
    2008-06-24 16:43 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w D:\WINDOWS\system32\wininet.dll
    2008-06-20 17:46 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
    .
    Code:
    <pre>
    ----a-w           401,720 2007-09-07 02:46:02  D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe
    </pre>

    ------- Sigcheck -------

    2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 D:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 D:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2002-08-29 08:00 332928 244a2f9816bc9b593957281ef577d976 D:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
    2007-07-29 00:44 359808 de891ad282e856acfd40990094a63b6f D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
    2008-02-02 21:52 360064 8283a4d489b207991efdc8328733d0bc D:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\ServicePackFiles\i386\tcpip.sys
    2008-08-27 21:28 361600 3cf3a7b11e4a1df6cd13b41a76e8b53e D:\WINDOWS\system32\dllcache\tcpip.sys
    2008-08-27 21:28 361600 3cf3a7b11e4a1df6cd13b41a76e8b53e D:\WINDOWS\system32\drivers\tcpip.sys

    2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe D:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e D:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    2008-09-01 20:18 507904 3969440ba384d35317dbbdeeaae641ce D:\WINDOWS\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
    "BitComet"="D:\Program Files\BitComet\BitComet.exe" [2008-07-17 2599224]
    "GBMPro8Agent"="D:\Program Files\GBMPro8\GBMAgent.exe" [2008-04-16 189056]
    "SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMONTRAY"="D:\Program Files\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
    "WinFast Schedule"="D:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2007-09-06 413696]
    "ArcSoft Connection Service"="D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
    "Zune Launcher"="D:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
    "GBMPro8Agent"="D:\Program Files\GBMPro8\GBMAgent.exe" [2008-04-16 189056]
    "avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "BOC-427"="D:\PROGRA~1\CBOClean\BOC427.exe" [2008-07-14 351480]
    "PtiuPbmd"="ulutil2.dll" [2003-11-05 D:\WINDOWS\system32\ulutil2.dll]
    "AsioReg"="CTASIO.DLL" [2003-04-11 D:\WINDOWS\system32\CTASIO.DLL]

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup\
    Shortcut to nost_LM.lnk - D:\Program Files\Nostromo\nost_LM.exe [2004-04-06 454656]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    TMMonitor.lnk - D:\Program Files\TotalMedia 3\TMMonitor.exe [2008-06-19 258048]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk.disabled]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk.disabled
    backup=D:\WINDOWS\pss\Adobe Reader Synchronizer.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
    backup=D:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyeball Chat]
    --a------ 2002-10-11 14:52 2863176 D:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 D:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    --a------ 2002-12-03 18:06 45056 D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-08-27 16:19 4670704 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    "Skype"="D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    "Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    "DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    "Jnskdfmf9eldfd"=D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    "xrt_Shell"=D:\Documents and Settings\Brother Moe\xrt_wpmh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    "HP Component Manager"="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    "SBDrvDet"=D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    "CTHelper"=CTHELPER.EXE
    "RemoteControl"=D:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    "SNPSTD2"=D:\WINDOWS\vsnpstd2.exe
    "UpdReg"=D:\WINDOWS\UpdReg.EXE
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    "NBKeyScan"="D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    "NeroFilterCheck"=D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "D:\\Program Files\\BitComet\\BitComet.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\Repair.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "D:\\Program Files\\Opera\\Opera.exe"=
    "D:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "D:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "25049:TCP"= 25049:TCP:BitComet 25049 TCP
    "25049:UDP"= 25049:UDP:BitComet 25049 UDP

    R0 dontgo;Promise Removable Disk Control Driver;D:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 7680]
    R0 ulsata2;ulsata2;D:\WINDOWS\system32\DRIVERS\ulsata2.sys [2005-06-29 125952]
    R2 ACDaemon;ArcSoft Connect Daemon;D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-04-17 102712]
    R2 UtMsgSvc;UtMsgAgt;D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe [2004-09-22 229376]
    R2 zumbus;Zune Bus Enumerator Driver;D:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
    R2 ZuneBusEnum;Zune Bus Enumerator;D:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
    R3 3xHybrid;WinFast HDTV Cinema;D:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-08-09 1120128]
    R3 UTDpcService;ULEVTBDG;D:\Program Files\Promise Disk Controller Manager\ULEVTBDG.sys [2004-09-20 6656]
    S3 bcgame;Nostromo HID Device Minidriver;D:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 22821]
    S3 ctgame;Game Port;D:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
    S3 restore;restore;D:\WINDOWS\system32\drivers\restore.sys [ ]
    S3 snpstd2;USB PC Camera (SN9C103);D:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-03-22 302720]
    S3 usbprint;Microsoft USB PRINTER Class;D:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;D:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - D:\Documents and Settings\Brother Moe\Application Data\Mozilla\Firefox\Profiles\cxvs9ehs.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://bl110w.blu110.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&n=1937004759|http://www.youtube.com/watch?v=YF0SCxIQ6PU&NR=1|http://www.scroogle.org/cgi-bin/scraper.htm
    FF -: plugin - D:\Documents and Settings\Brother Moe\Application Data\Mozilla\Firefox\Profiles\cxvs9ehs.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF -: plugin - D:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npsabffx.dll
    FF -: plugin - D:\Program Files\Opera\program\plugins\npdivx32.dll
    FF -: plugin - D:\Program Files\Opera\program\plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
    FF -: plugin - D:\WINDOWS\system32\SuperAdBlocker.com\npsabffx.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 15:45:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-09-07 15:47:34
    ComboFix-quarantined-files.txt 2008-09-07 19:46:31
    ComboFix2.txt 2008-09-07 19:41:32
    ComboFix3.txt 2008-09-07 19:26:08

    Pre-Run: 15,951,634,432 bytes free
    Post-Run: 15,934,558,208 bytes free

    261 --- E O F --- 2008-08-23 07:03:14
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    oops, posted in wrong place... :(
     
    Last edited: Sep 7, 2008
  5. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dracomoe

    Please post the virustotal results here, before I can proceed.

    Best Regards :D
     
  6. dracomoe

    dracomoe Guest

    The files were no longer found on my PC. I attempted to run Hijackthis to give you a current report, but it is freezing up while running, when it gets to scanning the 04 - Registry and Start Menue Autoruns.
     
  7. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dracomoe

    Can you really check to see if those files do not exist anymore?

    I didn't ask you to remove the HijackThis entries and add an asterisk in front of them.

    Also, can you try to do a HijackThis log in safe mode (repeatedly press F8 after you press the power button). That might not cause it to freeze.

    Best Regards :D
     
  8. dracomoe

    dracomoe Guest

    Here is the requested log. Again, I thank you for your help and patients.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:01:16 AM, on 9/9/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Safe mode

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "D:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 4596 bytes
     
    Last edited by a moderator: Sep 10, 2008
  9. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hmmm.... odd. Your HijackThis log is clean.

    Please tell me all problems you are currently facing. I will look over what we have done to see if we skipped any step.

    Best Regards :D
     
  10. dracomoe

    dracomoe Guest

    Your help in eliminating this virus has been a great blessing.

    The following are the problems I am having:
    -When starting up or restarting the screen that says windows XP this the loading bar appears and runs in a slower motion then it use to.
    -My wife's PC on my network had the Antivirus XP 2008 on it and I ran through all the steps you gave me and it appears to be cleaned up.
    -My Zune player is no longer working
    -Neverwinter Nights crashes too often
    -PC crashes, causing it to restart and gives me a Microsoft error message when I log back on.

    This is a post of my HiJackThis when running in normal mode (the last one was run in safty mode):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:33:43 PM, on 09/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\CBOClean\BOCORE.exe
    D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe
    D:\WINDOWS\system32\ZuneBusEnum.exe
    D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Intel(R) Active Monitor\imontray.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    D:\Program Files\Zune\ZuneLauncher.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\PROGRA~1\CBOClean\BOC427.exe
    D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\TotalMedia 3\TMMonitor.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    D:\Program Files\Nostromo\nost_LM.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Opera\opera.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Ventrilo\Ventrilo.exe
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Shortcut to nost_LM.lnk = D:\Program Files\Nostromo\nost_LM.exe
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 6630 bytes
     
  11. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    ok... that's weird

    Let's do more analysis.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.

    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    Best Regards :D
     
  12. dracomoe

    dracomoe Guest

    I followed the instructions you have given me and here are the results:

    "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
    "BitComet" = ""D:\Program Files\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]
    "SUPERAntiSpyware" = "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IMONTRAY" = "D:\Program Files\Intel(R) Active Monitor\imontray.exe" [empty string]
    "PtiuPbmd" = "Rundll32.exe ulutil2.dll,SetWriteBack" [MS]
    "WinFast Schedule" = "D:\Program Files\WinFast\WFDTV\WFWIZ.exe" ["Leadtek Research Inc."]
    "ArcSoft Connection Service" = "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" ["ArcSoft Inc."]
    "Zune Launcher" = ""D:\Program Files\Zune\ZuneLauncher.exe"" [MS]
    "avgnt" = ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
    "BOC-427" = "D:\PROGRA~1\CBOClean\BOC427.exe" ["COMODO"]
    "AsioReg" = "REGSVR32.EXE /S CTASIO.DLL" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
    -> {HKLM...CLSID} = "BitComet Helper"
    \InProcServer32\(Default) = "D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll" ["BitComet"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
    -> {HKLM...CLSID} = "TargetFinderShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
    -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> dimsntfy\DLLName = "D:\WINDOWS\System32\dimsntfy.dll" [MS]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
    -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\pic-8939.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "D:\Documents and Settings\Brother Moe\Application Data\Opera\Opera\profile\skin\pic-7396.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmypics.scr" [MS]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    ArcSoftTMAudioCDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenAudioCD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenAudioCD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMDVDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenDVD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenDVD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -d %L" ["ArcSoft, Inc."]

    ArcSoftTMMusicArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenMusic"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenMusic\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMPictureArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpen"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpen\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -r %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenVideo"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenVideo\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -v %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoCameraArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\PROGRA~1\TOTALM~1\TOTALM~1.EXE -c"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    MSWPDShellNamespaceHandler\
    "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
    "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
    "InitCmdLine" = " "
    -> {HKLM...CLSID} = "WPDShextAutoplay"
    \LocalServer32\(Default) = "D:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

    NeroAutoPlay8AudioToNeroDigital\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8CDAudio\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

    NeroAutoPlay8CopyCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_CD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_DVD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

    NeroAutoPlay8LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

    NeroAutoPlay8PlayAudioCD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8PlayDVD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8RipCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8TranscodeVideo\
    "Provider" = "Nero Recode"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

    NeroAutoPlay8VideoCapture\
    "Provider" = "Nero Vision"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = ""D:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    NeroAutoPlay8ViewPhotos\
    "Provider" = "Nero PhotoSnap Viewer"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithPowerDVD"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""D:\Program Files\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

    RoxioCapturePhotos\
    "Provider" = "Roxio Capture"
    "InvokeProgID" = "RoxioCaptureUtility"
    "InvokeVerb" = "Photo"
    HKLM\SOFTWARE\Classes\RoxioCaptureUtility\shell\Photo\command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe -photo %L" ["Sonic Solutions"]

    RoxioCAPVideoCamera\
    "Provider" = "Roxio Capture"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    RoxioCreatorPlayCDAudioOnArrival\
    "Provider" = "Roxio Creator Classic"
    "InvokeProgID" = "Creator7"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\Creator7\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\creator7.exe" ["Roxio"]

    RoxioDiscCopierPlayCDAudioOnArrival\
    "Provider" = "Roxio Disc Copier"
    "InvokeProgID" = "disccopier"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\disccopier\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Disc Copier\DiscCopier7.exe" ["Roxio"]

    RoxioEMCBDAudioCD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDBurning\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDDVD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMixedContent\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMusic\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDVideos\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioPlayRoxioDVDOnArrival\
    "Provider" = "Roxio DVDMax Player"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithRoxioDVDMAXPlayer"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithRoxioDVDMAXPlayer\Command\(Default) = ""D:\Program Files\Roxio\Roxio DVDMax Player\Roxio DVDMax Player.exe" "%l"" ["CyberLink Corp."]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.CDBurn.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer"
    "ProgID" = "RealPlayer.HWEventHandler"
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
    -> {HKLM...CLSID} = "RealNetworks Scheduler"
    \LocalServer32\(Default) = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AudioCD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.DVD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AutoPlay.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

    ZunePlayCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.AudioCD"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

    ZunePlayMediaOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

    ZuneRipCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.RipCD"
    "InvokeVerb" = "Rip"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


    Startup items in "Brother Moe" & "All Users" startup folders:
    -------------------------------------------------------------

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup
    "Shortcut to nost_LM" -> shortcut to: "D:\Program Files\Nostromo\nost_LM.exe" [empty string]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "TMMonitor" -> shortcut to: "D:\Program Files\TotalMedia 3\TMMonitor.exe" ["ArcSoft, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "User_Feed_Synchronization-{F8B02283-8566-4937-861C-19274E72CBE0}" -> launches: "D:\WINDOWS\system32\msfeedssync.exe sync" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
    "ButtonText" = "BitComet"
    "Script" = "res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206" ["BitComet"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ArcSoft Connect Daemon, ACDaemon, "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]
    Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
    Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
    BOCore, BOCore, "D:\Program Files\CBOClean\BOCORE.exe" ["COMODO"]
    Google Updater Service, gusvc, ""D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
    Intel(R) Active Monitor, imonNT, "D:\Program Files\Intel(R) Active Monitor\imonnt.exe" ["Intel Corp."]
    Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
    NMIndexingService, NMIndexingService, ""D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
    UtMsgAgt, UtMsgSvc, ""D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe"" ["Promise Technology Inc."]
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"D:\WINDOWS\System32\WUDFSvc.dll" [MS]}
    Zune Bus Enumerator, ZuneBusEnum, "D:\WINDOWS\system32\ZuneBusEnum.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor MP830\Driver = "CNMLM7Q.DLL" ["CANON INC."]
    Canon MP FAX Language Monitor MP830\Driver = "CNCF2Lb.DLL" ["Canon Inc."]
    hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ---------- (launch time: 2008-09-16 22:21:12)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 46 seconds)
     
  13. dracomoe

    dracomoe Guest

    I followed the instructions that you gave me and hear are the results:


    "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
    "BitComet" = ""D:\Program Files\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]
    "SUPERAntiSpyware" = "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IMONTRAY" = "D:\Program Files\Intel(R) Active Monitor\imontray.exe" [empty string]
    "PtiuPbmd" = "Rundll32.exe ulutil2.dll,SetWriteBack" [MS]
    "WinFast Schedule" = "D:\Program Files\WinFast\WFDTV\WFWIZ.exe" ["Leadtek Research Inc."]
    "ArcSoft Connection Service" = "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" ["ArcSoft Inc."]
    "Zune Launcher" = ""D:\Program Files\Zune\ZuneLauncher.exe"" [MS]
    "avgnt" = ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
    "BOC-427" = "D:\PROGRA~1\CBOClean\BOC427.exe" ["COMODO"]
    "AsioReg" = "REGSVR32.EXE /S CTASIO.DLL" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
    -> {HKLM...CLSID} = "BitComet Helper"
    \InProcServer32\(Default) = "D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll" ["BitComet"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
    -> {HKLM...CLSID} = "TargetFinderShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
    -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> dimsntfy\DLLName = "D:\WINDOWS\System32\dimsntfy.dll" [MS]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
    -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\pic-8939.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "D:\Documents and Settings\Brother Moe\Application Data\Opera\Opera\profile\skin\pic-7396.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmypics.scr" [MS]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    ArcSoftTMAudioCDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenAudioCD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenAudioCD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMDVDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenDVD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenDVD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -d %L" ["ArcSoft, Inc."]

    ArcSoftTMMusicArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenMusic"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenMusic\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMPictureArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpen"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpen\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -r %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenVideo"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenVideo\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -v %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoCameraArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\PROGRA~1\TOTALM~1\TOTALM~1.EXE -c"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    MSWPDShellNamespaceHandler\
    "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
    "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
    "InitCmdLine" = " "
    -> {HKLM...CLSID} = "WPDShextAutoplay"
    \LocalServer32\(Default) = "D:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

    NeroAutoPlay8AudioToNeroDigital\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8CDAudio\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

    NeroAutoPlay8CopyCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_CD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_DVD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

    NeroAutoPlay8LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

    NeroAutoPlay8PlayAudioCD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8PlayDVD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8RipCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8TranscodeVideo\
    "Provider" = "Nero Recode"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

    NeroAutoPlay8VideoCapture\
    "Provider" = "Nero Vision"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = ""D:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    NeroAutoPlay8ViewPhotos\
    "Provider" = "Nero PhotoSnap Viewer"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithPowerDVD"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""D:\Program Files\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

    RoxioCapturePhotos\
    "Provider" = "Roxio Capture"
    "InvokeProgID" = "RoxioCaptureUtility"
    "InvokeVerb" = "Photo"
    HKLM\SOFTWARE\Classes\RoxioCaptureUtility\shell\Photo\command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe -photo %L" ["Sonic Solutions"]

    RoxioCAPVideoCamera\
    "Provider" = "Roxio Capture"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    RoxioCreatorPlayCDAudioOnArrival\
    "Provider" = "Roxio Creator Classic"
    "InvokeProgID" = "Creator7"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\Creator7\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\creator7.exe" ["Roxio"]

    RoxioDiscCopierPlayCDAudioOnArrival\
    "Provider" = "Roxio Disc Copier"
    "InvokeProgID" = "disccopier"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\disccopier\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Disc Copier\DiscCopier7.exe" ["Roxio"]

    RoxioEMCBDAudioCD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDBurning\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDDVD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMixedContent\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMusic\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDVideos\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioPlayRoxioDVDOnArrival\
    "Provider" = "Roxio DVDMax Player"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithRoxioDVDMAXPlayer"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithRoxioDVDMAXPlayer\Command\(Default) = ""D:\Program Files\Roxio\Roxio DVDMax Player\Roxio DVDMax Player.exe" "%l"" ["CyberLink Corp."]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.CDBurn.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer"
    "ProgID" = "RealPlayer.HWEventHandler"
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
    -> {HKLM...CLSID} = "RealNetworks Scheduler"
    \LocalServer32\(Default) = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AudioCD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.DVD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AutoPlay.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

    ZunePlayCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.AudioCD"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

    ZunePlayMediaOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

    ZuneRipCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.RipCD"
    "InvokeVerb" = "Rip"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


    Startup items in "Brother Moe" & "All Users" startup folders:
    -------------------------------------------------------------

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup
    "Shortcut to nost_LM" -> shortcut to: "D:\Program Files\Nostromo\nost_LM.exe" [empty string]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "TMMonitor" -> shortcut to: "D:\Program Files\TotalMedia 3\TMMonitor.exe" ["ArcSoft, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "User_Feed_Synchronization-{F8B02283-8566-4937-861C-19274E72CBE0}" -> launches: "D:\WINDOWS\system32\msfeedssync.exe sync" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
    "ButtonText" = "BitComet"
    "Script" = "res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206" ["BitComet"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ArcSoft Connect Daemon, ACDaemon, "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]
    Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
    Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
    BOCore, BOCore, "D:\Program Files\CBOClean\BOCORE.exe" ["COMODO"]
    Google Updater Service, gusvc, ""D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
    Intel(R) Active Monitor, imonNT, "D:\Program Files\Intel(R) Active Monitor\imonnt.exe" ["Intel Corp."]
    Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
    NMIndexingService, NMIndexingService, ""D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
    UtMsgAgt, UtMsgSvc, ""D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe"" ["Promise Technology Inc."]
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"D:\WINDOWS\System32\WUDFSvc.dll" [MS]}
    Zune Bus Enumerator, ZuneBusEnum, "D:\WINDOWS\system32\ZuneBusEnum.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor MP830\Driver = "CNMLM7Q.DLL" ["CANON INC."]
    Canon MP FAX Language Monitor MP830\Driver = "CNCF2Lb.DLL" ["Canon Inc."]
    hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ---------- (launch time: 2008-09-16 22:21:12)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 46 seconds)
     
  14. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dracomoe.

    That's funny... you look squeaky clean. There's no indication in your logs that you would be having problems. The only reason I can think of is WinsockXPFix changed something that we do not know about. Can you tell me when your problems started?

    Also, we can try a generic cleanup and speedup.

    Download CCleaner and run it.
    Defragment your computer.

    Also, you might want to reinstall Zune player.

    Best Regards :D
     
  15. dracomoe

    dracomoe Guest

    I did as you suggested and it had no effect upon the issues that have been occurring on my PC. I was hoping that you could take a look at the results from a scan I did w/ combofix on ~my wife's PC~ (it was also effected by this virus/trojan). Here is the resulting log:

    ComboFix 08-09-20.05 - Nathalie 2008-09-20 16:34:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT -7:00]
    Running from: C:\Documents and Settings\Nathalie\My Documents\DOWNLOAD\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Nathalie\Cookies\nathalie@isohunt[1].txt
    C:\Documents and Settings\Nathalie\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\WINDOWS\system32\casino1.ico
    C:\WINDOWS\system32\casino2.ico
    C:\WINDOWS\system32\casino3.ico
    C:\WINDOWS\system32\tdsspopup.dll
    C:\WINDOWS\system32\tdsspopup1.url
    C:\WINDOWS\system32\tdsspopup2.url
    C:\WINDOWS\system32\tdsspopup3.url

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
    .

    2008-09-13 11:32 . 2008-09-13 11:33 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Ventrilo
    2008-09-13 11:31 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Ventrilo
    2008-09-13 10:33 . 2008-09-13 10:35 <DIR> d-------- C:\WINDOWS\nview
    2008-09-13 10:33 . 2008-09-13 10:33 <DIR> d-------- C:\NVIDIA
    2008-09-13 10:33 . 2005-02-24 07:32 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-09-13 10:33 . 2005-02-24 07:32 14,435 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-09-11 03:20 . 2008-09-11 03:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-10 16:36 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-10 15:53 . 2008-09-10 15:55 <DIR> d-------- C:\327882R2FWJFW
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Program Files\Avira
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2008-09-10 15:44 . 2008-09-10 15:44 <DIR> d-------- C:\Clean Up
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-07 14:21 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\SUPERAntiSpyware.com
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Leadertech
    2008-09-06 19:14 . 2008-09-06 19:14 <DIR> d-------- C:\NeverwinterNights
    2008-09-04 04:07 . 2008-09-04 04:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Real
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-08-22 18:04 . 2008-08-22 18:04 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 21:03 --------- d-----w C:\Program Files\World of Warcraft
    2008-09-09 01:54 --------- d-----w C:\Documents and Settings\Nathalie\Application Data\AdobeUM
    2008-09-07 02:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-24 02:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-08-24 02:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-16 01:40 --------- d-----w C:\Program Files\XviD
    2008-08-16 01:39 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-08-13 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Common Files\AOL
    2008-08-13 01:58 --------- d-----w C:\Program Files\MySpace
    2008-08-13 01:55 --------- d--h--r C:\Documents and Settings\Nathalie\Application Data\yahoo!
    2008-08-13 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-08-08 18:52 --------- d-----w C:\Program Files\ZNES
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-01-14 00:24 80 --sh--r C:\WINDOWS\system32\A381395259.dll
    .
    Code:
    <pre>
    ----a-w           401,720 2007-09-07 02:46:02  C:\Clean Up\scanner.exe .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 5537792]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 86016]
    "CTHelper"="CTHELPER.EXE" [2003-04-10 C:\WINDOWS\system32\CTHELPER.EXE]
    "AsioReg"="CTASIO.DLL" [2003-04-10 C:\WINDOWS\system32\CTASIO.DLL]
    "nwiz"="nwiz.exe" [2005-02-24 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Nathalie\Start Menu\Programs\Startup\
    HotSync Manager.lnk.disabled [2007-04-21 1490]
    Neverwinter Nights Registration.lnk - C:\NeverwinterNights\NWN\ereg\ATR1.EXE [2008-09-06 4947968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Loadout Manager.lnk.disabled [2007-02-10 1732]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14493:TCP"= 14493:TCP:BitComet 14493 TCP
    "14493:UDP"= 14493:UDP:BitComet 14493 UDP
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-29 12160]
    S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\DRIVERS\BCGAME.SYS [2003-07-24 22821]
    S3 bcgbus;Nostromo USB Device Driver;C:\WINDOWS\system32\DRIVERS\BCGBUS.SYS [ ]
    S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2006-10-17 35072]

    *Newly Created Service* - PROCEXP90
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Nathalie\Application Data\Mozilla\Firefox\Profiles\aacr47n0.default\
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-20 16:36:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
    "imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
    .
    Completion time: 2008-09-20 16:39:39
    ComboFix-quarantined-files.txt 2008-09-20 23:39:03

    Pre-Run: 7,469,780,992 bytes free
    Post-Run: 7,495,630,848 bytes free

    197 --- E O F --- 2008-09-10 10:00:36
     
  16. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dracomoe

    Any problems after running Combofix on your wife's pc? Please follow the instructions below on your wife's pc.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\system32\A381395259.dll
    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComoboFix window, as it may cause it to stall.

    On your own computer, the malware most probably damaged system files, therefore it would be good if you could reinstall windows and all programs that are not functioning properly. That is the only way left.

    Best Wishes :D

     
  17. dracomoe

    dracomoe Guest

    I had dificulty trying to figure out how to turn Avira Antivirus off, so I just uninstalled it. I followed your directions as you had instructed and here are the results of the combofix scan done w/ the notepad file dropped on it:


    ComboFix 08-09-20.05 - Nathalie 2008-09-21 17:39:36.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT -7:00]
    Running from: C:\Clean Up\ComboFix.exe
    Command switches used :: C:\Combo-Fx\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\A381395259.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\A381395259.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
    .

    2008-09-21 16:56 . 2008-09-21 17:39 <DIR> d-------- C:\Combo-Fx
    2008-09-13 11:32 . 2008-09-13 11:33 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Ventrilo
    2008-09-13 11:31 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Ventrilo
    2008-09-13 10:33 . 2008-09-13 10:35 <DIR> d-------- C:\WINDOWS\nview
    2008-09-13 10:33 . 2008-09-13 10:33 <DIR> d-------- C:\NVIDIA
    2008-09-13 10:33 . 2005-02-24 07:32 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-09-13 10:33 . 2005-02-24 07:32 14,435 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-09-11 03:20 . 2008-09-11 03:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-10 16:36 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Program Files\Avira
    2008-09-10 15:44 . 2008-09-21 17:15 <DIR> d-------- C:\Clean Up
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-07 14:21 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\SUPERAntiSpyware.com
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Leadertech
    2008-09-06 19:14 . 2008-09-06 19:14 <DIR> d-------- C:\NeverwinterNights
    2008-09-04 04:07 . 2008-09-04 04:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Real
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-08-22 18:04 . 2008-08-22 18:04 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 21:03 --------- d-----w C:\Program Files\World of Warcraft
    2008-09-09 01:54 --------- d-----w C:\Documents and Settings\Nathalie\Application Data\AdobeUM
    2008-09-07 02:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-24 02:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-08-24 02:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-16 01:40 --------- d-----w C:\Program Files\XviD
    2008-08-16 01:39 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-08-13 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Common Files\AOL
    2008-08-13 01:58 --------- d-----w C:\Program Files\MySpace
    2008-08-13 01:55 --------- d--h--r C:\Documents and Settings\Nathalie\Application Data\yahoo!
    2008-08-13 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-08-08 18:52 --------- d-----w C:\Program Files\ZNES
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    .
    Code:
    <pre>
    ----a-w           401,720 2007-09-07 02:46:02  C:\Clean Up\scanner.exe .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 5537792]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 86016]
    "CTHelper"="CTHELPER.EXE" [2003-04-10 C:\WINDOWS\system32\CTHELPER.EXE]
    "AsioReg"="CTASIO.DLL" [2003-04-10 C:\WINDOWS\system32\CTASIO.DLL]
    "nwiz"="nwiz.exe" [2005-02-24 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Nathalie\Start Menu\Programs\Startup\
    HotSync Manager.lnk.disabled [2007-04-21 1490]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Loadout Manager.lnk.disabled [2007-02-10 1732]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14493:TCP"= 14493:TCP:BitComet 14493 TCP
    "14493:UDP"= 14493:UDP:BitComet 14493 UDP
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-29 12160]
    S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\DRIVERS\BCGAME.SYS [2003-07-24 22821]
    S3 bcgbus;Nostromo USB Device Driver;C:\WINDOWS\system32\DRIVERS\BCGBUS.SYS [ ]
    S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2006-10-17 35072]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-21 17:40:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-21 17:41:49
    ComboFix-quarantined-files.txt 2008-09-22 00:41:24
    ComboFix2.txt 2008-09-22 00:29:07
    ComboFix3.txt 2008-09-22 00:04:58
    ComboFix4.txt 2008-09-20 23:39:40

    Pre-Run: 7,437,135,872 bytes free
    Post-Run: 7,421,984,768 bytes free

    172 --- E O F --- 2008-09-10 10:00:36
     
  18. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    So... any more problems on your wife's computer?

    And how about your current computer? I still recommend a reinstall of Windows.

    Best Wishes :D
     
  19. moggser

    moggser Regular member

    Joined:
    Jun 13, 2007
    Messages:
    977
    Likes Received:
    0
    Trophy Points:
    26
    hey
    cdavfrew


    dont want to inturpt there but just wondering if you know what gets the antivirus xp programe of the lap top ?
     
  20. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    @moggser

    There are many ways Antivirus XP and other rogue antimalware programs can get into a computer. The most common are among browser exploits and being bundled with other software.

    By using "holes" in a browser, malware can download itself onto your computer, which is why updates are always important, especially for Java, and don't forget to uninstall all previous versions after you update to the latest Java.

    Often, antimalware software will detect malware if it is bundled with software, but sometimes, it may be a new malware that the world has never seen, as antivirus xp 2008 most probably did when it just came out. This is why safe surfing is always important: Only download from trusted sites, such as manufacturer's site. Only download trusted software, and be sure to research it first. Torrents are discouraged, because they are most commonly bundled with malware.

    For more information, look here as well:
    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

    Best Regards :D
     

Share This Page