
Antivirus XP 2008: wrapping up the clean-up

Discussion in 'Windows - Virus and spyware problems' started by dracomoe, Sep 5, 2008.

  1. dracomoe

    dracomoe Guest

    After hearing about this website, I read up on other threads that had this Antivirus XP 2008 virus/trojan issue. I followed the steps that 2oldGeek had given to a few others that had this issue. I downloaded the programs he mentioned: ATF Cleaner, SUPERAntiSpyware, Avira AntiVir, and MalwareBytes.
    I installed and ran Avira AntiVir and SUPERAntiSpyware. I then restarted my PC in safe mode and ran the ATF Cleaner and MalwareBytes. After doing these actions, it seems to have cleared the apparent issues: screen saver of blue-screen-of-death, inhibiting of changing background and screen saver settings, trojans attempting to get on the internet, etc.
    My brother, s/n: Waltfarie, faced this same issue and is strongly recommending me to post my HijackThis log for further review.

    Please tell me if there is anything that may pose any future problems. Thank you greatly for your time.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:09:44 PM, on 09/05/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\CBOClean\BOCORE.exe
    D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe
    D:\WINDOWS\system32\ZuneBusEnum.exe
    D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Intel(R) Active Monitor\imontray.exe
    D:\WINDOWS\vsnpstd2.exe
    D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    D:\Program Files\Zune\ZuneLauncher.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\PROGRA~1\CBOClean\BOC427.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    D:\Program Files\BitComet\BitComet.exe
    D:\Program Files\GBMPro8\GBMAgent.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    D:\Program Files\TotalMedia 3\TMMonitor.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    D:\Program Files\Nostromo\nost_LM.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    D:\WINDOWS\system32\taskmgr.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\WINDOWS\System32\NOTEPAD.EXE
    D:\Program Files\Opera\opera.exe
    D:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
    O1 - Hosts: 64.207.166.100 www.gmail.com
    O1 - Hosts: 64.207.166.100 gmail.com
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [SNPSTD2] D:\WINDOWS\vsnpstd2.exe
    O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Shortcut to nost_LM.lnk = D:\Program Files\Nostromo\nost_LM.exe
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 7833 bytes
     
  2. cdavfrew

    cdavfrew Regular member

    Hey dracomoe

    Your brother was right. You do need to post the log to remove some of the traces left by the malware.

    Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.
    • Please wait for the scan to be completed.
    • After the scan has completed, check the following entries.

    *****R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
    O1 - Hosts: 64.207.166.100 www.gmail.com
    O1 - Hosts: 64.207.166.100 gmail.com
    O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)


    Click on the button Fix checked

    NOTE: Close all browsers before fixing anything.

    After that, reboot.

    *****Note: If you wanted google.atcomet.com to be your homepage, then ignore this entry.

    Also, I'm sorry to say that you aren't completely clean yet. I see traces of a trojan on your system still active.

    First, please upload these two files: D:\Documents and Settings\Brother Moe\xrt_wpmh.exe and D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe to www.virustotal.com and www.uploadmalware.com. Post the results from VirusTotal here.

    Now, please download Combofix.
    With Combofix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

    Please disable all security programs, such as antivirus, antispyware and firewall software.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the Combofix window, as it may cause it to stall.

    Best Regards :D
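Added example (not part of this thread and not HijackThis's own code): a Python triage script that applies the same checks cdavfrew makes by eye to the log above. It flags hosts-file entries that point a well-known name at a non-loopback address (the O1 lines), hooks whose file is missing (O2/O20), autoruns that launch from a Temp folder or from the root of a user profile (the two O4 lines), and the O7 policy that disables regedit; R0 start-page entries are listed for review rather than flagged, matching the note about google.atcomet.com. The sample lines are copied from the posted log; the severity labels and the path heuristics are the example's own assumptions.

```python
"""Triage HijackThis log lines the way a forum helper reads them.
Added example: sample lines are copied from the log in this thread;
the heuristics and severity labels are this example's own, not HijackThis's."""
import re

# Addresses a hosts-file entry may legitimately map a name to.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: a subset of the R0/O1/O2/O4/O7/O20 entries posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
O1 - Hosts: 64.207.166.100 www.gmail.com
O1 - Hosts: 64.207.166.100 gmail.com
O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Autorun targets that live in a Temp folder ...
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# ... or directly in a profile root (long or 8.3 form), where no installer puts an exe.
PROFILE_ROOT_RE = re.compile(
    r"^[A-Z]:\\(Documents and Settings|DOCUME~1)\\[^\\]+\\[^\\]+\.exe\s*$", re.IGNORECASE
)


def triage_hjt(log_text):
    """Return a list of (severity, reason, line) for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in LOOPBACK:
            findings.append(("high", "hosts file maps %s to %s" % (m.group(2), m.group(1)), line))
            continue
        if line.endswith("(file missing)") and line[:3] in ("O2 ", "O20"):
            findings.append(("medium", "orphaned hook, target file missing", line))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group(3).strip().strip('"')
            if TEMP_RE.search(target):
                findings.append(("high", "autorun launches from a Temp folder", line))
            elif PROFILE_ROOT_RE.match(target):
                findings.append(("high", "autorun launches from a profile root", line))
            continue
        if line.startswith("O7 ") and "DisableRegedit=1" in line:
            findings.append(("high", "registry editor disabled by policy", line))
            continue
        if line.startswith(("R0 ", "R1 ")):
            findings.append(("review", "browser start/search page set; confirm it is intended", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 2, 'review': 1}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, line in triage_hjt(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sev.upper(), reason, line))
```

Run it as a script to print the findings, or call triage_hjt() on the text of any HijackThis log. The heuristics are deliberately narrow: a Run entry under Program Files is not flagged even if its name is unfamiliar, so the output is a starting point for the kind of review done in this thread, not a verdict.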
     
  3. dracomoe

    dracomoe Guest

    Your help is greatly appreciated! Thank you cdavfrew.

    *O1 - Hosts: 64.207.166.100 www.gmail.com
    *O1 - Hosts: 64.207.166.100 gmail.com
    removed: O2 - BHO: (no name) - {6271797D-8480-4443-B96E-732B68B1780B} - D:\WINDOWS\system32\hgGxULdA.dll (file missing)
    *O4 - HKCU\..\Run: [xrt_Shell] D:\Documents and Settings\Brother Moe\xrt_wpmh.exe
    *O4 - HKCU\..\Run: [Jnskdfmf9eldfd] D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    removed: O20 - Winlogon Notify: ddcDuTLD - ddcDuTLD.dll (file missing)

    When I ran HijackThis, the same results didn't show up as I had posted previously. I am assuming that this had to do with me running WinsockxpFix this morning in an attempt to fix another issue that is affecting my computer system: Neverwinter Nights Diamond edition was running fine last night and is now running all choppy and slow. I am hoping that this trojan/virus issue resolves my game play issue. I put an * next to the name of the registry finds that didn't show up the second time. Those without the asterisk I found and removed. Therefore, I did not have the two files to upload on the websites www.virustotal.com and www.uploadmalware.com.


    I downloaded ComboFix and renamed it, and clicked it thinking it was a zip. The scan began w/ my programs running, screen changed, PC restarted, and all that, and I have the results if you would like to see them. In order to follow your instructions properly, I ran ComboFix with my internet disconnected and all my applications shut down; however, while running I had an error: a Windows report window came up because of grep.ctexe and the Find3M failed in the ComboFix scan. When completed I got the log and have those results if you would like to see them.
    So, I ran it a third time and it seemed to go smoothly; here are the results from the log:

    ComboFix 08-09-05.03 - Brother Moe 2008-09-07 15:43:41.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639 [GMT -4:00]
    Running from: I:\Downloaded\Files\ComboFx.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
    .

    2008-09-06 14:20 . 2008-09-06 14:20 <DIR> d-------- D:\Program Files\DAEMON Tools Lite
    2008-09-05 21:45 . 2008-09-05 21:45 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\DAEMON Tools
    2008-09-05 21:45 . 2008-09-05 21:45 717,296 --a------ D:\WINDOWS\system32\drivers\sptd.sys
    2008-09-05 21:35 . 2008-09-05 21:35 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-09-05 21:29 . 2008-09-05 21:29 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Leadertech
    2008-09-05 21:28 . 2008-09-05 21:29 <DIR> d-------- D:\Program Files\GameSpy Arcade
    2008-09-05 20:41 . 2008-09-05 20:41 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Malwarebytes
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Program Files\CloneDVD
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Vso
    2008-09-05 19:55 . 2008-09-05 19:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\DVDXStudio
    2008-09-05 19:55 . 2008-09-05 19:55 81,920 --a------ D:\Documents and Settings\Brother Moe\Application Data\ezpinst.exe
    2008-09-05 19:55 . 2008-09-05 19:55 47,360 --a------ D:\WINDOWS\system32\drivers\pcouffin.sys
    2008-09-05 19:55 . 2008-09-05 19:55 47,360 --a------ D:\Documents and Settings\Brother Moe\Application Data\pcouffin.sys
    2008-09-05 18:56 . 2008-09-05 18:56 <DIR> d-------- D:\WINDOWS\system32\SuperAdBlocker.com
    2008-09-05 18:56 . 2008-09-05 18:56 1,049 --a------ D:\WINDOWS\mozver.dat
    2008-09-05 11:16 . 2008-09-05 11:16 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-09-05 10:57 . 2008-06-10 02:32 73,728 --a------ D:\WINDOWS\system32\javacpl.cpl
    2008-09-05 10:56 . 2008-09-05 10:56 <DIR> d-------- D:\Program Files\Common Files\Java
    2008-09-04 22:46 . 2008-09-04 22:46 0 --a------ D:\WINDOWS\nsreg.dat
    2008-09-04 21:59 . 2008-09-04 23:10 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
    2008-09-04 21:59 . 2008-09-04 21:59 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-04 21:59 . 2008-09-04 21:59 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-09-04 21:59 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-04 21:59 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
    2008-09-04 21:56 . 2008-09-04 21:56 <DIR> d-------- D:\Documents and Settings\Administrator
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\SUPERAntiSpyware.com
    2008-09-01 23:28 . 2008-09-01 23:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-01 22:36 . 2008-04-13 20:12 22,528 --a------ D:\WINDOWS\system32\wsock32.dlb
    2008-09-01 22:35 . 2008-09-01 22:35 <DIR> d-------- D:\Program Files\CBOClean
    2008-09-01 22:35 . 2008-09-01 22:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BOC427
    2008-09-01 22:35 . 2008-07-14 05:09 212,728 --a------ D:\WINDOWS\CMDLIC.DLL
    2008-09-01 22:35 . 2008-07-14 05:09 205,560 --a------ D:\WINDOWS\UNBOC.EXE
    2008-09-01 22:35 . 2008-09-07 15:21 8,990 --a------ D:\WINDOWS\BOC427.INI
    2008-09-01 21:06 . 2008-09-01 21:06 <DIR> d-------- D:\Program Files\Avira
    2008-09-01 21:06 . 2008-09-01 21:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
    2008-09-01 20:09 . 2008-09-01 20:09 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Genie-Soft
    2008-09-01 20:08 . 2008-09-01 20:08 <DIR> d-------- D:\Program Files\GBMPro8
    2008-09-01 20:08 . 2006-11-02 00:50 128,104 --a------ D:\WINDOWS\system32\drivers\WimFltr.sys
    2008-09-01 18:26 . 2008-09-05 10:38 <DIR> d-------- D:\Program Files\Logs
    2008-09-01 17:33 . 2008-09-01 17:33 0 --a------ D:\WINDOWS\PowerReg.dat
    2008-09-01 17:31 . 2008-09-01 17:31 <DIR> d-------- D:\Program Files\SystemRequirementsLab
    2008-09-01 17:15 . 2008-09-01 17:15 <DIR> d-------- D:\Program Files\NeverwinterNights
    2008-08-27 22:26 . 2008-08-27 22:26 <DIR> d-------- D:\Program Files\CCleaner
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\system32\scripting
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\system32\en
    2008-08-21 20:39 . 2008-08-21 20:39 <DIR> d-------- D:\WINDOWS\l2schemas
    2008-08-19 18:15 . 2008-08-19 18:15 <DIR> d-------- D:\Documents and Settings\Brother Moe\Application Data\Apple Computer
    2008-08-19 09:09 . 2008-08-19 09:10 <DIR> d-------- D:\Program Files\Total Video Converter
    2008-08-17 18:17 . 2008-09-07 09:10 664 --a------ D:\WINDOWS\system32\d3d9caps.dat
    2008-08-15 23:32 . 2008-08-16 00:21 <DIR> d-------- D:\Program Files\MediaCoder
    2008-08-15 22:02 . 2008-08-15 22:02 <DIR> d-------- D:\Program Files\Apple Software Update
    2008-08-15 22:02 . 2008-08-15 22:02 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
    2008-08-15 21:32 . 2008-03-21 13:57 14,640 --a------ D:\WINDOWS\system32\spmsgXP_2k3.dll
    2008-08-15 21:32 . 2008-08-15 21:32 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-08-15 21:32 . 2008-08-15 21:32 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
    2008-08-15 21:30 . 2008-08-15 21:34 <DIR> d-------- D:\Program Files\Zune
    2008-08-14 16:24 . 2008-04-11 15:04 691,712 -----c--- D:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-14 16:06 . 2008-05-01 10:33 331,776 -----c--- D:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-12 21:57 . 2008-09-07 10:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 05:39 --------- d-----w D:\Program Files\BitComet
    2008-09-05 22:33 --------- d-----w D:\Program Files\Opera
    2008-09-05 14:57 --------- d-----w D:\Program Files\Java
    2008-09-02 18:06 --------- d-----w D:\Program Files\Intel(R) Active Monitor
    2008-09-02 00:28 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-02 00:18 507,904 ----a-w D:\WINDOWS\system32\winlogon.exe
    2008-09-02 00:18 295,424 ----a-w D:\WINDOWS\system32\termsrv.dll
    2008-09-01 21:18 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-08-28 01:28 361,600 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
    2008-08-24 02:27 --------- d-----w D:\Documents and Settings\Brother Moe\Application Data\LimeWire
    2008-08-23 00:24 --------- d-----w D:\Program Files\World of Warcraft
    2008-08-16 02:03 --------- d-----w D:\Program Files\QuickTime
    2008-08-16 02:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-08-13 02:24 --------- d-----w D:\Program Files\Common Files\Adobe
    2008-08-13 01:57 --------- d-----w D:\Program Files\Google
    2008-08-02 20:55 --------- d-----w D:\Program Files\Clone DVD
    2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w D:\WINDOWS\system32\es.dll
    2008-06-24 16:43 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w D:\WINDOWS\system32\wininet.dll
    2008-06-20 17:46 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
    .
    ----a-w           401,720 2007-09-07 02:46:02  D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe

    ------- Sigcheck -------

    2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 D:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 D:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c D:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2002-08-29 08:00 332928 244a2f9816bc9b593957281ef577d976 D:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
    2007-07-29 00:44 359808 de891ad282e856acfd40990094a63b6f D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
    2008-02-02 21:52 360064 8283a4d489b207991efdc8328733d0bc D:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\ServicePackFiles\i386\tcpip.sys
    2008-08-27 21:28 361600 3cf3a7b11e4a1df6cd13b41a76e8b53e D:\WINDOWS\system32\dllcache\tcpip.sys
    2008-08-27 21:28 361600 3cf3a7b11e4a1df6cd13b41a76e8b53e D:\WINDOWS\system32\drivers\tcpip.sys

    2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe D:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e D:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    2008-09-01 20:18 507904 3969440ba384d35317dbbdeeaae641ce D:\WINDOWS\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
    "BitComet"="D:\Program Files\BitComet\BitComet.exe" [2008-07-17 2599224]
    "GBMPro8Agent"="D:\Program Files\GBMPro8\GBMAgent.exe" [2008-04-16 189056]
    "SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMONTRAY"="D:\Program Files\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
    "WinFast Schedule"="D:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2007-09-06 413696]
    "ArcSoft Connection Service"="D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
    "Zune Launcher"="D:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
    "GBMPro8Agent"="D:\Program Files\GBMPro8\GBMAgent.exe" [2008-04-16 189056]
    "avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "BOC-427"="D:\PROGRA~1\CBOClean\BOC427.exe" [2008-07-14 351480]
    "PtiuPbmd"="ulutil2.dll" [2003-11-05 D:\WINDOWS\system32\ulutil2.dll]
    "AsioReg"="CTASIO.DLL" [2003-04-11 D:\WINDOWS\system32\CTASIO.DLL]

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup\
    Shortcut to nost_LM.lnk - D:\Program Files\Nostromo\nost_LM.exe [2004-04-06 454656]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    TMMonitor.lnk - D:\Program Files\TotalMedia 3\TMMonitor.exe [2008-06-19 258048]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk.disabled]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk.disabled
    backup=D:\WINDOWS\pss\Adobe Reader Synchronizer.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
    path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
    backup=D:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyeball Chat]
    --a------ 2002-10-11 14:52 2863176 D:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 D:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    --a------ 2002-12-03 18:06 45056 D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-08-27 16:19 4670704 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    "Skype"="D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    "Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    "DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    "Jnskdfmf9eldfd"=D:\DOCUME~1\BROTHE~1\LOCALS~1\Temp\csrssc.exe
    "xrt_Shell"=D:\Documents and Settings\Brother Moe\xrt_wpmh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    "HP Component Manager"="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    "SBDrvDet"=D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    "CTHelper"=CTHELPER.EXE
    "RemoteControl"=D:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    "SNPSTD2"=D:\WINDOWS\vsnpstd2.exe
    "UpdReg"=D:\WINDOWS\UpdReg.EXE
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    "NBKeyScan"="D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    "NeroFilterCheck"=D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "D:\\Program Files\\BitComet\\BitComet.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\Repair.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "D:\\Program Files\\Opera\\Opera.exe"=
    "D:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "D:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "25049:TCP"= 25049:TCP:BitComet 25049 TCP
    "25049:UDP"= 25049:UDP:BitComet 25049 UDP

    R0 dontgo;Promise Removable Disk Control Driver;D:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 7680]
    R0 ulsata2;ulsata2;D:\WINDOWS\system32\DRIVERS\ulsata2.sys [2005-06-29 125952]
    R2 ACDaemon;ArcSoft Connect Daemon;D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-04-17 102712]
    R2 UtMsgSvc;UtMsgAgt;D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe [2004-09-22 229376]
    R2 zumbus;Zune Bus Enumerator Driver;D:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
    R2 ZuneBusEnum;Zune Bus Enumerator;D:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
    R3 3xHybrid;WinFast HDTV Cinema;D:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-08-09 1120128]
    R3 UTDpcService;ULEVTBDG;D:\Program Files\Promise Disk Controller Manager\ULEVTBDG.sys [2004-09-20 6656]
    S3 bcgame;Nostromo HID Device Minidriver;D:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 22821]
    S3 ctgame;Game Port;D:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
    S3 restore;restore;D:\WINDOWS\system32\drivers\restore.sys [ ]
    S3 snpstd2;USB PC Camera (SN9C103);D:\WINDOWS\system32\DRIVERS\snpstd2.sys [2004-03-22 302720]
    S3 usbprint;Microsoft USB PRINTER Class;D:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;D:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - D:\Documents and Settings\Brother Moe\Application Data\Mozilla\Firefox\Profiles\cxvs9ehs.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://bl110w.blu110.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&n=1937004759|http://www.youtube.com/watch?v=YF0SCxIQ6PU&NR=1|http://www.scroogle.org/cgi-bin/scraper.htm
    FF -: plugin - D:\Documents and Settings\Brother Moe\Application Data\Mozilla\Firefox\Profiles\cxvs9ehs.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
    FF -: plugin - D:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npsabffx.dll
    FF -: plugin - D:\Program Files\Opera\program\plugins\npdivx32.dll
    FF -: plugin - D:\Program Files\Opera\program\plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin8.dll
    FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
    FF -: plugin - D:\WINDOWS\system32\SuperAdBlocker.com\npsabffx.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 15:45:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-09-07 15:47:34
    ComboFix-quarantined-files.txt 2008-09-07 19:46:31
    ComboFix2.txt 2008-09-07 19:41:32
    ComboFix3.txt 2008-09-07 19:26:08

    Pre-Run: 15,951,634,432 bytes free
    Post-Run: 15,934,558,208 bytes free

    261 --- E O F --- 2008-08-23 07:03:14
     
  4. 2oldGeek

    2oldGeek Active member

    oops, posted in wrong place... :(
     
    Last edited: Sep 7, 2008
  5. cdavfrew

    cdavfrew Regular member

    Hey dracomoe

    Please post the virustotal results here, before I can proceed.

    Best Regards :D
     
  6. dracomoe

    dracomoe Guest

    The files were no longer found on my PC. I attempted to run HijackThis to give you a current report, but it is freezing up while running, when it gets to scanning the O4 - Registry and Start Menu Autoruns section.
     
  7. cdavfrew

    cdavfrew Regular member

    Hey dracomoe

    Can you really check to see if those files do not exist anymore?

    I didn't ask you to remove the HijackThis entries and add an asterisk in front of them.

    Also, can you try to do a HijackThis log in safe mode (repeatedly press F8 after you press the power button). That might not cause it to freeze.

    Best Regards :D
     
  8. dracomoe

    dracomoe Guest

    Here is the requested log. Again, I thank you for your help and patience.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:01:16 AM, on 9/9/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Safe mode

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [GBMPro8Agent] D:\Program Files\GBMPro8\GBMAgent.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "D:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 4596 bytes
     
    Last edited by a moderator: Sep 10, 2008
  9. cdavfrew

    cdavfrew Regular member

    Hmmm.... odd. Your HijackThis log is clean.

    Please tell me all problems you are currently facing. I will look over what we have done to see if we skipped any step.

    Best Regards :D
     
  10. dracomoe

    dracomoe Guest

    Your help in eliminating this virus has been a great blessing.

    The following are the problems I am having:
    -When starting up or restarting, the Windows XP screen with the loading bar appears and runs in slower motion than it used to.
    -My wife's PC on my network had the Antivirus XP 2008 on it and I ran through all the steps you gave me and it appears to be cleaned up.
    -My Zune player is no longer working
    -Neverwinter Nights crashes too often
    -PC crashes, causing it to restart and gives me a Microsoft error message when I log back on.

    This is a post of my HijackThis log when running in normal mode (the last one was run in safe mode):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:33:43 PM, on 09/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\CBOClean\BOCORE.exe
    D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe
    D:\WINDOWS\system32\ZuneBusEnum.exe
    D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Intel(R) Active Monitor\imontray.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    D:\Program Files\Zune\ZuneLauncher.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\PROGRA~1\CBOClean\BOC427.exe
    D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\TotalMedia 3\TMMonitor.exe
    D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    D:\Program Files\Nostromo\nost_LM.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Opera\opera.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Ventrilo\Ventrilo.exe
    D:\Documents and Settings\Brother Moe\Desktop\Maintanence\scanner.exe .exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [BOC-427] D:\PROGRA~1\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Shortcut to nost_LM.lnk = D:\Program Files\Nostromo\nost_LM.exe
    O4 - Global Startup: TMMonitor.lnk = D:\Program Files\TotalMedia 3\TMMonitor.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: BOCore - COMODO - D:\Program Files\CBOClean\BOCORE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - D:\Program Files\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe

    --
    End of file - 6630 bytes
     
  11. cdavfrew

    cdavfrew Regular member

    ok... that's weird

    Let's do more analysis.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.

    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    Best Regards :D
     
  12. dracomoe

    dracomoe Guest

    I followed the instructions you have given me and here are the results:

    "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
    "BitComet" = ""D:\Program Files\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]
    "SUPERAntiSpyware" = "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IMONTRAY" = "D:\Program Files\Intel(R) Active Monitor\imontray.exe" [empty string]
    "PtiuPbmd" = "Rundll32.exe ulutil2.dll,SetWriteBack" [MS]
    "WinFast Schedule" = "D:\Program Files\WinFast\WFDTV\WFWIZ.exe" ["Leadtek Research Inc."]
    "ArcSoft Connection Service" = "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" ["ArcSoft Inc."]
    "Zune Launcher" = ""D:\Program Files\Zune\ZuneLauncher.exe"" [MS]
    "avgnt" = ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
    "BOC-427" = "D:\PROGRA~1\CBOClean\BOC427.exe" ["COMODO"]
    "AsioReg" = "REGSVR32.EXE /S CTASIO.DLL" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
    -> {HKLM...CLSID} = "BitComet Helper"
    \InProcServer32\(Default) = "D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll" ["BitComet"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
    -> {HKLM...CLSID} = "TargetFinderShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
    -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> dimsntfy\DLLName = "D:\WINDOWS\System32\dimsntfy.dll" [MS]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
    -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\pic-8939.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "D:\Documents and Settings\Brother Moe\Application Data\Opera\Opera\profile\skin\pic-7396.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmypics.scr" [MS]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    ArcSoftTMAudioCDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenAudioCD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenAudioCD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMDVDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenDVD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenDVD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -d %L" ["ArcSoft, Inc."]

    ArcSoftTMMusicArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenMusic"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenMusic\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMPictureArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpen"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpen\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -r %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenVideo"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenVideo\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -v %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoCameraArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\PROGRA~1\TOTALM~1\TOTALM~1.EXE -c"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    MSWPDShellNamespaceHandler\
    "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
    "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
    "InitCmdLine" = " "
    -> {HKLM...CLSID} = "WPDShextAutoplay"
    \LocalServer32\(Default) = "D:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

    NeroAutoPlay8AudioToNeroDigital\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8CDAudio\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

    NeroAutoPlay8CopyCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_CD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_DVD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

    NeroAutoPlay8LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

    NeroAutoPlay8PlayAudioCD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8PlayDVD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8RipCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8TranscodeVideo\
    "Provider" = "Nero Recode"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

    NeroAutoPlay8VideoCapture\
    "Provider" = "Nero Vision"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = ""D:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    NeroAutoPlay8ViewPhotos\
    "Provider" = "Nero PhotoSnap Viewer"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithPowerDVD"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""D:\Program Files\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

    RoxioCapturePhotos\
    "Provider" = "Roxio Capture"
    "InvokeProgID" = "RoxioCaptureUtility"
    "InvokeVerb" = "Photo"
    HKLM\SOFTWARE\Classes\RoxioCaptureUtility\shell\Photo\command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe -photo %L" ["Sonic Solutions"]

    RoxioCAPVideoCamera\
    "Provider" = "Roxio Capture"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    RoxioCreatorPlayCDAudioOnArrival\
    "Provider" = "Roxio Creator Classic"
    "InvokeProgID" = "Creator7"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\Creator7\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\creator7.exe" ["Roxio"]

    RoxioDiscCopierPlayCDAudioOnArrival\
    "Provider" = "Roxio Disc Copier"
    "InvokeProgID" = "disccopier"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\disccopier\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Disc Copier\DiscCopier7.exe" ["Roxio"]

    RoxioEMCBDAudioCD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDBurning\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDDVD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMixedContent\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMusic\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDVideos\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioPlayRoxioDVDOnArrival\
    "Provider" = "Roxio DVDMax Player"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithRoxioDVDMAXPlayer"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithRoxioDVDMAXPlayer\Command\(Default) = ""D:\Program Files\Roxio\Roxio DVDMax Player\Roxio DVDMax Player.exe" "%l"" ["CyberLink Corp."]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.CDBurn.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer"
    "ProgID" = "RealPlayer.HWEventHandler"
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
    -> {HKLM...CLSID} = "RealNetworks Scheduler"
    \LocalServer32\(Default) = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AudioCD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.DVD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AutoPlay.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

    ZunePlayCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.AudioCD"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

    ZunePlayMediaOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

    ZuneRipCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.RipCD"
    "InvokeVerb" = "Rip"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


    Startup items in "Brother Moe" & "All Users" startup folders:
    -------------------------------------------------------------

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup
    "Shortcut to nost_LM" -> shortcut to: "D:\Program Files\Nostromo\nost_LM.exe" [empty string]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "TMMonitor" -> shortcut to: "D:\Program Files\TotalMedia 3\TMMonitor.exe" ["ArcSoft, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "User_Feed_Synchronization-{F8B02283-8566-4937-861C-19274E72CBE0}" -> launches: "D:\WINDOWS\system32\msfeedssync.exe sync" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
    "ButtonText" = "BitComet"
    "Script" = "res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206" ["BitComet"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ArcSoft Connect Daemon, ACDaemon, "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]
    Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
    Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
    BOCore, BOCore, "D:\Program Files\CBOClean\BOCORE.exe" ["COMODO"]
    Google Updater Service, gusvc, ""D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
    Intel(R) Active Monitor, imonNT, "D:\Program Files\Intel(R) Active Monitor\imonnt.exe" ["Intel Corp."]
    Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
    NMIndexingService, NMIndexingService, ""D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
    UtMsgAgt, UtMsgSvc, ""D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe"" ["Promise Technology Inc."]
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"D:\WINDOWS\System32\WUDFSvc.dll" [MS]}
    Zune Bus Enumerator, ZuneBusEnum, "D:\WINDOWS\system32\ZuneBusEnum.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor MP830\Driver = "CNMLM7Q.DLL" ["CANON INC."]
    Canon MP FAX Language Monitor MP830\Driver = "CNCF2Lb.DLL" ["Canon Inc."]
    hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ---------- (launch time: 2008-09-16 22:21:12)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 46 seconds)
     
  13. dracomoe

    dracomoe Guest

    I followed the instructions that you gave me and here are the results:


    "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
    "BitComet" = ""D:\Program Files\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]
    "SUPERAntiSpyware" = "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IMONTRAY" = "D:\Program Files\Intel(R) Active Monitor\imontray.exe" [empty string]
    "PtiuPbmd" = "Rundll32.exe ulutil2.dll,SetWriteBack" [MS]
    "WinFast Schedule" = "D:\Program Files\WinFast\WFDTV\WFWIZ.exe" ["Leadtek Research Inc."]
    "ArcSoft Connection Service" = "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" ["ArcSoft Inc."]
    "Zune Launcher" = ""D:\Program Files\Zune\ZuneLauncher.exe"" [MS]
    "avgnt" = ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
    "BOC-427" = "D:\PROGRA~1\CBOClean\BOC427.exe" ["COMODO"]
    "AsioReg" = "REGSVR32.EXE /S CTASIO.DLL" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
    -> {HKLM...CLSID} = "BitComet Helper"
    \InProcServer32\(Default) = "D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll" ["BitComet"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
    -> {HKLM...CLSID} = "TargetFinderShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
    -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    <<!>> dimsntfy\DLLName = "D:\WINDOWS\System32\dimsntfy.dll" [MS]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
    -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
    \InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
    Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
    -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
    -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "%APPDATA%\Opera\Opera\profile\skin\pic-8939.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "D:\Documents and Settings\Brother Moe\Application Data\Opera\Opera\profile\skin\pic-7396.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmypics.scr" [MS]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    ArcSoftTMAudioCDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenAudioCD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenAudioCD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMDVDArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenDVD"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenDVD\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -d %L" ["ArcSoft, Inc."]

    ArcSoftTMMusicArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenMusic"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenMusic\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -a %L" ["ArcSoft, Inc."]

    ArcSoftTMPictureArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpen"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpen\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -r %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "InvokeProgID" = "TotalMediaOpenVideo"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\TotalMediaOpenVideo\shell\open\command\(Default) = "D:\Program Files\TotalMedia 3\TotalMedia.exe -v %L" ["ArcSoft, Inc."]

    ArcSoftTMVideoCameraArrival\
    "Provider" = "ArcSoft TotalMedia 3"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\PROGRA~1\TOTALM~1\TOTALM~1.EXE -c"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    MSWPDShellNamespaceHandler\
    "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
    "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
    "InitCmdLine" = " "
    -> {HKLM...CLSID} = "WPDShextAutoplay"
    \LocalServer32\(Default) = "D:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

    NeroAutoPlay8AudioToNeroDigital\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8CDAudio\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

    NeroAutoPlay8CopyCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_CD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

    NeroAutoPlay8DataDisc_DVD\
    "Provider" = "Nero Express"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

    NeroAutoPlay8LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

    NeroAutoPlay8PlayAudioCD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8PlayDVD\
    "Provider" = "Nero ShowTime"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

    NeroAutoPlay8RipCD\
    "Provider" = "Nero Burning ROM"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

    NeroAutoPlay8TranscodeVideo\
    "Provider" = "Nero Recode"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

    NeroAutoPlay8VideoCapture\
    "Provider" = "Nero Vision"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = ""D:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    NeroAutoPlay8ViewPhotos\
    "Provider" = "Nero PhotoSnap Viewer"
    "InvokeProgID" = "Nero.AutoPlay8"
    "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithPowerDVD"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""D:\Program Files\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

    RoxioCapturePhotos\
    "Provider" = "Roxio Capture"
    "InvokeProgID" = "RoxioCaptureUtility"
    "InvokeVerb" = "Photo"
    HKLM\SOFTWARE\Classes\RoxioCaptureUtility\shell\Photo\command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe -photo %L" ["Sonic Solutions"]

    RoxioCAPVideoCamera\
    "Provider" = "Roxio Capture"
    "ProgID" = "Shell.HWEventHandlerShellExecute"
    "InitCmdLine" = "D:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe"
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    RoxioCreatorPlayCDAudioOnArrival\
    "Provider" = "Roxio Creator Classic"
    "InvokeProgID" = "Creator7"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\Creator7\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\creator7.exe" ["Roxio"]

    RoxioDiscCopierPlayCDAudioOnArrival\
    "Provider" = "Roxio Disc Copier"
    "InvokeProgID" = "disccopier"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\disccopier\shell\open\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\Disc Copier\DiscCopier7.exe" ["Roxio"]

    RoxioEMCBDAudioCD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDBurning\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDDVD\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMixedContent\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDMusic\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioEMCBDVideos\
    "Provider" = "Easy Media Creator 7 Basic DVD Edition"
    "InvokeProgID" = "RoxioEMCBDHome"
    "InvokeVerb" = "Get"
    HKLM\SOFTWARE\Classes\RoxioEMCBDHome\shell\Get\Command\(Default) = "D:\Program Files\Roxio\Easy Media Creator 7\BasicDVD Home Page\BasicDVDHomePageApp.exe" ["Roxio, Inc."]

    RoxioPlayRoxioDVDOnArrival\
    "Provider" = "Roxio DVDMax Player"
    "InvokeProgID" = "DVD"
    "InvokeVerb" = "PlayWithRoxioDVDMAXPlayer"
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithRoxioDVDMAXPlayer\Command\(Default) = ""D:\Program Files\Roxio\Roxio DVDMax Player\Roxio DVDMax Player.exe" "%l"" ["CyberLink Corp."]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.CDBurn.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer"
    "ProgID" = "RealPlayer.HWEventHandler"
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
    -> {HKLM...CLSID} = "RealNetworks Scheduler"
    \LocalServer32\(Default) = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AudioCD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.DVD.6"
    "InvokeVerb" = "play"
    HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer"
    "InvokeProgID" = "RealPlayer.AutoPlay.6"
    "InvokeVerb" = "open"
    HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""D:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

    ZunePlayCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.AudioCD"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

    ZunePlayMediaOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
    "InvokeVerb" = "Play"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

    ZuneRipCDAudioOnArrival\
    "Provider" = "@D:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
    "InvokeProgID" = "Microsoft.Zune.2.RipCD"
    "InvokeVerb" = "Rip"
    HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""D:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


    Startup items in "Brother Moe" & "All Users" startup folders:
    -------------------------------------------------------------

    D:\Documents and Settings\Brother Moe\Start Menu\Programs\Startup
    "Shortcut to nost_LM" -> shortcut to: "D:\Program Files\Nostromo\nost_LM.exe" [empty string]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "TMMonitor" -> shortcut to: "D:\Program Files\TotalMedia 3\TMMonitor.exe" ["ArcSoft, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "User_Feed_Synchronization-{F8B02283-8566-4937-861C-19274E72CBE0}" -> launches: "D:\WINDOWS\system32\msfeedssync.exe sync" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "D:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
    "ButtonText" = "BitComet"
    "Script" = "res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206" ["BitComet"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ArcSoft Connect Daemon, ACDaemon, "D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."]
    Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
    Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
    BOCore, BOCore, "D:\Program Files\CBOClean\BOCORE.exe" ["COMODO"]
    Google Updater Service, gusvc, ""D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
    Intel(R) Active Monitor, imonNT, "D:\Program Files\Intel(R) Active Monitor\imonnt.exe" ["Intel Corp."]
    Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
    NMIndexingService, NMIndexingService, ""D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
    UtMsgAgt, UtMsgSvc, ""D:\Program Files\Promise Disk Controller Manager\UtMsgAgt.exe"" ["Promise Technology Inc."]
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"D:\WINDOWS\System32\WUDFSvc.dll" [MS]}
    Zune Bus Enumerator, ZuneBusEnum, "D:\WINDOWS\system32\ZuneBusEnum.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor MP830\Driver = "CNMLM7Q.DLL" ["CANON INC."]
    Canon MP FAX Language Monitor MP830\Driver = "CNCF2Lb.DLL" ["Canon Inc."]
    hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ---------- (launch time: 2008-09-16 22:21:12)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 46 seconds)
     
  14. cdavfrew

    cdavfrew Regular member

    Hey dracomoe.

    That's funny... you look squeaky clean. There's no indication in your logs that you would be having problems. The only reason I can think of is WinsockXPFix changed something that we do not know about. Can you tell me when your problems started?

    Also, we can try a generic cleanup and speedup.

    Download CCleaner and run it.
    Defragment your computer.

    Also, you might want to reinstall Zune player.

    Best Regards :D
     
  15. dracomoe

    dracomoe Guest

    I did as you suggested and it had no effect upon the issues that have been occurring on my PC. I was hoping that you could take a look at the results from a scan I did w/ combofix on ~my wife's PC~ (it was also affected by this virus/trojan). Here is the resulting log:

    ComboFix 08-09-20.05 - Nathalie 2008-09-20 16:34:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT -7:00]
    Running from: C:\Documents and Settings\Nathalie\My Documents\DOWNLOAD\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Nathalie\Cookies\nathalie@isohunt[1].txt
    C:\Documents and Settings\Nathalie\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\WINDOWS\system32\casino1.ico
    C:\WINDOWS\system32\casino2.ico
    C:\WINDOWS\system32\casino3.ico
    C:\WINDOWS\system32\tdsspopup.dll
    C:\WINDOWS\system32\tdsspopup1.url
    C:\WINDOWS\system32\tdsspopup2.url
    C:\WINDOWS\system32\tdsspopup3.url

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
    .

    2008-09-13 11:32 . 2008-09-13 11:33 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Ventrilo
    2008-09-13 11:31 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Ventrilo
    2008-09-13 10:33 . 2008-09-13 10:35 <DIR> d-------- C:\WINDOWS\nview
    2008-09-13 10:33 . 2008-09-13 10:33 <DIR> d-------- C:\NVIDIA
    2008-09-13 10:33 . 2005-02-24 07:32 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-09-13 10:33 . 2005-02-24 07:32 14,435 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-09-11 03:20 . 2008-09-11 03:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-10 16:36 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-10 15:53 . 2008-09-10 15:55 <DIR> d-------- C:\327882R2FWJFW
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Program Files\Avira
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2008-09-10 15:44 . 2008-09-10 15:44 <DIR> d-------- C:\Clean Up
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-07 14:21 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\SUPERAntiSpyware.com
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Leadertech
    2008-09-06 19:14 . 2008-09-06 19:14 <DIR> d-------- C:\NeverwinterNights
    2008-09-04 04:07 . 2008-09-04 04:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Real
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-08-22 18:04 . 2008-08-22 18:04 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 21:03 --------- d-----w C:\Program Files\World of Warcraft
    2008-09-09 01:54 --------- d-----w C:\Documents and Settings\Nathalie\Application Data\AdobeUM
    2008-09-07 02:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-24 02:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-08-24 02:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-16 01:40 --------- d-----w C:\Program Files\XviD
    2008-08-16 01:39 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-08-13 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Common Files\AOL
    2008-08-13 01:58 --------- d-----w C:\Program Files\MySpace
    2008-08-13 01:55 --------- d--h--r C:\Documents and Settings\Nathalie\Application Data\yahoo!
    2008-08-13 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-08-08 18:52 --------- d-----w C:\Program Files\ZNES
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-01-14 00:24 80 --sh--r C:\WINDOWS\system32\A381395259.dll
    .
    Code:
    <pre>
    ----a-w           401,720 2007-09-07 02:46:02  C:\Clean Up\scanner.exe .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 5537792]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 86016]
    "CTHelper"="CTHELPER.EXE" [2003-04-10 C:\WINDOWS\system32\CTHELPER.EXE]
    "AsioReg"="CTASIO.DLL" [2003-04-10 C:\WINDOWS\system32\CTASIO.DLL]
    "nwiz"="nwiz.exe" [2005-02-24 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Nathalie\Start Menu\Programs\Startup\
    HotSync Manager.lnk.disabled [2007-04-21 1490]
    Neverwinter Nights Registration.lnk - C:\NeverwinterNights\NWN\ereg\ATR1.EXE [2008-09-06 4947968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Loadout Manager.lnk.disabled [2007-02-10 1732]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14493:TCP"= 14493:TCP:BitComet 14493 TCP
    "14493:UDP"= 14493:UDP:BitComet 14493 UDP
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-29 12160]
    S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\DRIVERS\BCGAME.SYS [2003-07-24 22821]
    S3 bcgbus;Nostromo USB Device Driver;C:\WINDOWS\system32\DRIVERS\BCGBUS.SYS [ ]
    S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2006-10-17 35072]

    *Newly Created Service* - PROCEXP90
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Nathalie\Application Data\Mozilla\Firefox\Profiles\aacr47n0.default\
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_08\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-20 16:36:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
    "imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
    .
    Completion time: 2008-09-20 16:39:39
    ComboFix-quarantined-files.txt 2008-09-20 23:39:03

    Pre-Run: 7,469,780,992 bytes free
    Post-Run: 7,495,630,848 bytes free

    197 --- E O F --- 2008-09-10 10:00:36
     
  16. cdavfrew

    cdavfrew Regular member

    Hey dracomoe

    Any problems after running Combofix on your wife's PC? Please follow the instructions below on your wife's PC.

    Please disable all security programs, such as antivirus, antispyware and firewall software.
    Also disable your internet connection.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\system32\A381395259.dll

    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComboFix window, as it may cause it to stall.

    On your own computer, the malware most probably damaged system files; therefore it would be good if you could reinstall Windows and all programs that are not functioning properly. That is the only way left.

    Best Wishes :D
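    To check a ComboFix rerun of the kind requested above, here is an added Python helper that is not part of this thread and not ComboFix's own code. It parses the log layout shown in the posts: it lists the paths echoed under "FILE ::", confirms which of them appear under "Other Deletions", flags a disabled Windows Firewall ("EnableFirewall"= 0) and pulls out the service keys ComboFix prints at the end together with their imagepath, so a leftover entry like the TDSSserv key in the earlier log stands out. The sample log is constructed to mirror the posted format, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the ComboFix log layout seen in this thread; the
# values are modelled on the posted logs, it is not a complete real log.
SAMPLE_LOG = r"""
ComboFix 08-09-20.05 - Nathalie 2008-09-21 17:39:36.4 - NTFSx86
Command switches used :: C:\Combo-Fx\CFScript.txt

FILE ::
C:\WINDOWS\system32\A381395259.dll
C:\WINDOWS\system32\tdsspopup.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\A381395259.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
Completion time: 2008-09-21 17:42:00
"""

# A section banner is a run of "(" , the section name, and a run of ")".
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
# A service key line followed by its "imagepath" value on the next line.
SERVICE_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\]]+)\]\s*\n"
    r'\s*"imagepath"="([^"]+)"',
    re.IGNORECASE | re.MULTILINE,
)
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b', re.IGNORECASE)


def sections(log: str) -> Dict[str, List[str]]:
    """Split the log into named sections keyed by their banner text.

    Lines before the first banner go under 'header'.  The '.' spacer lines
    and blank lines that ComboFix emits are dropped.
    """
    out: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            out.setdefault(current, [])
            continue
        if line and line != ".":
            out[current].append(line)
    return out


def requested_files(log: str) -> List[str]:
    """Paths echoed under 'FILE ::', i.e. what the CFScript asked to remove."""
    files: List[str] = []
    collecting = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.upper() == "FILE ::":
            collecting = True
            continue
        if collecting:
            if not line or line == ".":
                break
            files.append(line)
    return files


def deleted_files(log: str) -> List[str]:
    """Paths ComboFix reports under 'Other Deletions'."""
    return sections(log).get("Other Deletions", [])


def unconfirmed_deletions(log: str) -> List[str]:
    """Requested files that never show up as deleted (case-insensitive)."""
    gone = {p.lower() for p in deleted_files(log)}
    return [p for p in requested_files(log) if p.lower() not in gone]


def firewall_disabled(log: str) -> bool:
    """True when the standard-profile firewall policy is logged as 0."""
    return FIREWALL_OFF_RE.search(log) is not None


def service_imagepaths(log: str) -> Dict[str, str]:
    """Service name -> imagepath for the service keys printed near the end."""
    return {name: path for name, path in SERVICE_RE.findall(log)}


def triage(log: str) -> Dict[str, object]:
    """One-shot summary of the points a reviewer checks first."""
    return {
        "unconfirmed_deletions": unconfirmed_deletions(log),
        "firewall_disabled": firewall_disabled(log),
        "services": service_imagepaths(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against a real log saved from C:\ComboFix.txt, the interesting output is an empty unconfirmed_deletions list (the script did its job), firewall_disabled being False, and a services map containing only drivers whose imagepath still exists on disk.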

     
  17. dracomoe

    dracomoe Guest

    I had difficulty trying to figure out how to turn Avira Antivirus off, so I just uninstalled it. I followed your directions as you had instructed and here are the results of the combofix scan done w/ the notepad file dropped on it:


    ComboFix 08-09-20.05 - Nathalie 2008-09-21 17:39:36.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT -7:00]
    Running from: C:\Clean Up\ComboFix.exe
    Command switches used :: C:\Combo-Fx\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\A381395259.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\A381395259.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
    .

    2008-09-21 16:56 . 2008-09-21 17:39 <DIR> d-------- C:\Combo-Fx
    2008-09-13 11:32 . 2008-09-13 11:33 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Ventrilo
    2008-09-13 11:31 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Ventrilo
    2008-09-13 10:33 . 2008-09-13 10:35 <DIR> d-------- C:\WINDOWS\nview
    2008-09-13 10:33 . 2008-09-13 10:33 <DIR> d-------- C:\NVIDIA
    2008-09-13 10:33 . 2005-02-24 07:32 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-09-13 10:33 . 2005-02-24 07:32 14,435 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-09-11 03:20 . 2008-09-11 03:20 <DIR> d-------- C:\Program Files\CCleaner
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-10 16:36 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-10 16:36 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-10 15:48 . 2008-09-10 15:48 <DIR> d-------- C:\Program Files\Avira
    2008-09-10 15:44 . 2008-09-21 17:15 <DIR> d-------- C:\Clean Up
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-07 14:21 . 2008-09-13 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\SUPERAntiSpyware.com
    2008-09-07 14:21 . 2008-09-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2008-09-06 20:01 . 2008-09-06 20:01 <DIR> d-------- C:\Documents and Settings\Nathalie\Application Data\Leadertech
    2008-09-06 19:14 . 2008-09-06 19:14 <DIR> d-------- C:\NeverwinterNights
    2008-09-04 04:07 . 2008-09-04 04:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Real
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-08-23 19:10 . 2008-08-23 19:10 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-08-22 18:04 . 2008-08-22 18:04 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 21:03 --------- d-----w C:\Program Files\World of Warcraft
    2008-09-09 01:54 --------- d-----w C:\Documents and Settings\Nathalie\Application Data\AdobeUM
    2008-09-07 02:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-24 02:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-08-24 02:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-16 01:40 --------- d-----w C:\Program Files\XviD
    2008-08-16 01:39 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-08-13 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-13 02:57 --------- d-----w C:\Program Files\Common Files\AOL
    2008-08-13 01:58 --------- d-----w C:\Program Files\MySpace
    2008-08-13 01:55 --------- d--h--r C:\Documents and Settings\Nathalie\Application Data\yahoo!
    2008-08-13 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
    2008-08-08 18:52 --------- d-----w C:\Program Files\ZNES
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-25 01:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    .
    Code:
    ----a-w           401,720 2007-09-07 02:46:02  C:\Clean Up\scanner.exe .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 5537792]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 86016]
    "CTHelper"="CTHELPER.EXE" [2003-04-10 C:\WINDOWS\system32\CTHELPER.EXE]
    "AsioReg"="CTASIO.DLL" [2003-04-10 C:\WINDOWS\system32\CTASIO.DLL]
    "nwiz"="nwiz.exe" [2005-02-24 C:\WINDOWS\system32\nwiz.exe]

    C:\Documents and Settings\Nathalie\Start Menu\Programs\Startup\
    HotSync Manager.lnk.disabled [2007-04-21 1490]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Loadout Manager.lnk.disabled [2007-02-10 1732]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14493:TCP"= 14493:TCP:BitComet 14493 TCP
    "14493:UDP"= 14493:UDP:BitComet 14493 UDP
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-29 12160]
    S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\DRIVERS\BCGAME.SYS [2003-07-24 22821]
    S3 bcgbus;Nostromo USB Device Driver;C:\WINDOWS\system32\DRIVERS\BCGBUS.SYS [ ]
    S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2006-10-17 35072]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-21 17:40:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-21 17:41:49
    ComboFix-quarantined-files.txt 2008-09-22 00:41:24
    ComboFix2.txt 2008-09-22 00:29:07
    ComboFix3.txt 2008-09-22 00:04:58
    ComboFix4.txt 2008-09-20 23:39:40

    Pre-Run: 7,437,135,872 bytes free
    Post-Run: 7,421,984,768 bytes free

    172 --- E O F --- 2008-09-10 10:00:36
     
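The "Reg Loading Points" part of a ComboFix log is where a responder looks first: autostart entries, Winlogon hooks and the Windows Firewall policy. In the log above the standard profile has "EnableFirewall"= 0, BitComet has globally open ports, and LimeWire sits in the firewall exception list, all of which are worth noticing even after the rogue antivirus is gone. The script below is an added example for triaging that section automatically; it is not ComboFix's code and not from anyone in this thread. The sample text is constructed in the shape of the log above, and the `"example"` Run entry under a Temp folder is a hypothetical placeholder (no such entry appears in the log) used only to show how an autostart in a user-writable location is flagged.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code. It parses the registry-dump style
text ComboFix prints and flags the settings a responder checks first:
firewall disabled, globally open ports, non-system firewall exceptions, and
autostart entries that run from user-writable locations.
"""
import re

# Constructed sample modelled on the log above. The "example" Run entry is a
# hypothetical placeholder, not a real file from the log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
"CTHelper"="CTHELPER.EXE" [2003-04-10 C:\WINDOWS\system32\CTHELPER.EXE]
"example"="C:\Documents and Settings\User\Local Settings\Temp\example.exe" [2008-09-01 12345]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14493:TCP"= 14493:TCP:BitComet 14493 TCP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix prints either "C:\full\path.exe" [date size] or
# "bare.exe" [date C:\resolved\path\bare.exe] for Run values.
RUN_IMAGE_RE = re.compile(r'^"(?P<img>[^"]+)"(?:\s*\[(?P<meta>[^\]]*)\])?')
FW_PROFILE = "firewallpolicy\\standardprofile"


def parse_loading_points(text):
    """Return {lower-cased key path: {value name: value data}} per [section]."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def run_image_path(data):
    """Extract the executable path from a ComboFix Run value."""
    m = RUN_IMAGE_RE.match(data)
    if not m:
        return data
    img = m.group("img")
    meta = m.group("meta") or ""
    if "\\" not in img:
        # bare filename: the resolved path follows the date inside the brackets
        parts = meta.split(" ", 1)
        if len(parts) == 2 and "\\" in parts[1]:
            return parts[1]
    return img


def is_user_writable_location(path):
    """Profile and Temp directories are where rogue AV droppers usually land."""
    p = path.lower()
    return p.startswith("c:\\documents and settings") or "\\temp\\" in p


def triage(sections):
    """Return a list of (severity, message) findings."""
    findings = []
    for key, values in sections.items():
        if key.endswith(FW_PROFILE):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(("HIGH", "Windows Firewall is disabled in the standard profile"))
        elif key.endswith(FW_PROFILE + "\\globallyopenports\\list"):
            for name, data in values.items():
                findings.append(("MEDIUM", f"globally open port {name}: {data}"))
        elif key.endswith(FW_PROFILE + "\\authorizedapplications\\list"):
            for name in values:
                path = name.replace("\\\\", "\\")  # the dump doubles backslashes
                if not path.lower().startswith(("%windir%", "c:\\windows")):
                    findings.append(("INFO", f"firewall exception for {path}"))
        elif key.endswith("\\currentversion\\run"):
            for name, data in values.items():
                image = run_image_path(data)
                if is_user_writable_location(image):
                    findings.append(("HIGH", f"autostart '{name}' runs from user-writable path {image}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{severity:6} {message}")
```

Run it against a real log by reading the file into `parse_loading_points` instead of `SAMPLE_LOG`; the `run-` keys (entries disabled through msconfig) are deliberately ignored because they do not execute at logon.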
  18. cdavfrew

    cdavfrew Regular member

    So... any more problems on your wife's computer?

    And how about your current computer? I still recommend a reinstall of Windows.

    Best Wishes :D
     
  19. moggser

    moggser Regular member

    Hey cdavfrew,

    Don't want to interrupt there, but just wondering if you know what gets the Antivirus XP program on the laptop?
     
  20. cdavfrew

    cdavfrew Regular member

    @moggser

    There are many ways Antivirus XP and other rogue antimalware programs can get into a computer. The most common are browser exploits and being bundled with other software.

    By using "holes" in a browser, malware can download itself onto your computer, which is why updates are always important, especially for Java. And don't forget to uninstall all previous versions after you update to the latest Java.

    Often, antimalware software will detect malware if it is bundled with software, but sometimes it may be new malware that the world has never seen, as Antivirus XP 2008 most probably was when it first came out. This is why safe surfing is always important: only download from trusted sites, such as the manufacturer's site. Only download trusted software, and be sure to research it first. Torrents are discouraged, because they are most commonly bundled with malware.

    For more information, look here as well:
    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

    Best Regards :D
     
