Solved: Smitfraud-c, Vundo and who knows what else (New)

JSntgRvr
Moderator with 15,144 posts.
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
26-Mar-2007, 01:41 PM #16
Hi, Andeee

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions.
Andeee
Junior Member with 22 posts.
Join Date: Mar 2007
Experience: Advanced
26-Mar-2007, 03:42 PM #17
Hi again JSntgRvr

Wow this is proving to be quite difficult to shift... Thanks for all the suggestions so far.

OK. Safe Mode wouldn't run at first. The "Are you sure you want to run in safemode?" box kept popping up every few seconds and the desktop disappearing, until at one point the desktop never came back. I re-ran VundoFix and booted from that into Safe Mode; that seemed to work. Removed offending entries with HJT (again) and ran SDFix. Soon after reboot, virus warning and pop-ups.

Tried again, this time disabling the internet connection and deleting the hidden files found by SDFix in System32. All good until I reconnected to the web, when I received viruses and pop-ups. Tried again with Windows Firewall enabled, same result.

Perhaps a decent firewall would help (as I don't have one; silly, I know, but I have never needed one as I'm behind a router).

Here are the logs from after the last run (but before I deleted the System32 files):

SDFix: Version 1.74

Run by Mr. Poo - 26/03/2007 - 21:16:30.82

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Apps\\utorrent.exe"="F:\\Apps\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"F:\\test\\emule\\emule\\emule.exe"="F:\\test\\emule\\emule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Trillian Pro\\trillian.exe"="C:\\Program Files\\Trillian Pro\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:Torrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\Ahead\AudioPlugins\lpaccodec.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\lpac_codec_api.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\PNCRT.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\atrc3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\auth3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\cook3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv13260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv23260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv33260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv43260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnen3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnvi3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnxr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\ramf3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rare3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rims3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmff3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmse3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmwr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rnlt3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rorw3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtae3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtin3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtve3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv103260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv203260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv303260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv403260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rvre3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\sipr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\smpl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\vsrl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\xmlp3261.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\zipf3260.dll
C:\WINDOWS\system32\awtsp.dll.vir
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\jkhhe.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Common Files\Ahead\AudioPlugins\AACMP4.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\OFR.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\RMADEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPDEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPENC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\LocalService\NTUSER.tmp.LOG
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\Documents and Settings\Mr. Poo\NTUSER.tmp.LOG
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\Documents and Settings\NetworkService\NTUSER.tmp.LOG
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

Logfile of HijackThis v1.99.1
Scan saved at 21:31:38, on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F9EED6A-8F0D-4736-BCBA-C9828F2E8130} - C:\WINDOWS\system32\pmnnk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
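As an added illustration (not part of the thread, and not a tool the helper used): a small Python triage pass over HijackThis-format lines that flags the three patterns visible in the log above, the forced R1 proxy, an unnamed O2 BHO loading a random five-letter DLL from system32, and the same DLL re-registered under O20 Winlogon Notify. The sample lines are constructed from entries in the log above; the heuristics and reason strings are my own.

```python
import re

# Constructed sample: a handful of lines in HijackThis v1.99.1 format, modelled on
# the log posted above (the real log is much longer; only representative entries).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {5F9EED6A-8F0D-4736-BCBA-C9828F2E8130} - C:\\WINDOWS\\system32\\pmnnk.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O20 - Winlogon Notify: pmnnk - C:\\WINDOWS\\system32\\pmnnk.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# One regex per HJT section we look at; everything else is parsed but ignored.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)$")
# Every Vundo/Virtumonde component in this thread is five random lowercase
# letters plus .dll, dropped straight into system32 (pmnnk, awvtq, jkhhe, ...).
RANDOM_SYS32_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll$", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(kind, rest)] for every R*/O* line; process lists etc. are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("rest")))
    return entries


def triage(log_text):
    """Return [(kind, detail, reason)] for entries that deserve a closer look."""
    entries = parse_entries(log_text)

    # Pass 1: collect every DLL registered as a BHO so O20 lines can be cross-checked.
    bho_dlls = set()
    for kind, rest in entries:
        m = BHO_RE.match(rest) if kind == "O2" else None
        if m:
            bho_dlls.add(m.group("path").lower())

    # Pass 2: apply the heuristics in log order.
    findings = []
    for kind, rest in entries:
        if kind == "R1":
            m = PROXY_RE.search(rest)
            if m:
                findings.append((kind, m.group("proxy"),
                                 "IE proxy points at a remote host; confirm it is expected"))
        elif kind == "O2":
            m = BHO_RE.match(rest)
            if m and m.group("name") == "(no name)" and RANDOM_SYS32_DLL_RE.search(m.group("path")):
                findings.append((kind, m.group("path"),
                                 "unnamed BHO loading a random five-letter DLL from system32 (Vundo pattern)"))
        elif kind == "O20":
            m = NOTIFY_RE.match(rest)
            if not m:
                continue
            path = m.group("path")
            if path.endswith("(file missing)"):
                findings.append((kind, path, "orphaned Winlogon Notify entry; the DLL no longer exists"))
            elif path.lower() in bho_dlls:
                findings.append((kind, path,
                                 "same DLL as an O2 BHO, also hooked into Winlogon; reloaded at every logon"))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {detail}\n     -> {reason}")
```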
JSntgRvr
Moderator with 15,144 posts.
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
26-Mar-2007, 07:04 PM #18
Hi, Andeee

Still infected with Vundo.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\system32\awtsp.dll.vir
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\vtsqr.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your next reply.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Last edited by JSntgRvr : 26-Mar-2007 07:32 PM.
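Added example, not code from the thread or from The Avenger: a pre-flight check for a "Files to delete:" script in the format the post describes. It rejects lines that carry two paths glued together (the failure that appears later in this thread with status 0xc0000033) and warns when a line would delete the tool's own C:\avenger backup. The sample script is constructed; the section names are the two the post mentions, compared case-insensitively.

```python
import re

# Constructed sample in the format described above. The last two lines reproduce
# the two problems that show up later in this thread: a second path glued onto
# the first (a missing line break), and the tool's own backup being deleted.
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\awtsp.dll.vir
C:\\WINDOWS\\system32\\pmnnk.dll
C:\\VundoFix Backups\\kvkotauw.exe.badC:\\VundoFix Backups\\lrvwrpiv.exe.bad
C:\\avenger\\backup.zip
"""

# Section headers named in the post above (compared case-insensitively).
KNOWN_SECTIONS = ("files to delete:", "drivers to unload:")
# A drive root such as "C:\"; a well-formed line has exactly one, at the start.
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\")
# Where the post says The Avenger keeps its backups of whatever it deleted.
BACKUP_PREFIX = "c:\\avenger\\"


def lint_script(text):
    """Return (paths, problems).

    paths    -- well-formed file paths under 'Files to delete:', in order
    problems -- [(line_no, line, message)] for lines that would fail or that
                deserve a second look before the script is run
    """
    paths, problems, seen = [], [], set()
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        if line.lower() in KNOWN_SECTIONS:
            section = line.lower()
            continue
        if section is None:
            problems.append((line_no, line, "line before any section header"))
            continue
        if section != "files to delete:":
            continue  # only file deletions are checked in this example
        roots = DRIVE_ROOT_RE.findall(line)
        if not roots:
            problems.append((line_no, line, "not an absolute path"))
            continue
        if len(roots) > 1:
            problems.append((line_no, line, "two paths glued onto one line (missing line break)"))
            continue
        if not DRIVE_ROOT_RE.match(line):
            problems.append((line_no, line, "path does not start with a drive root"))
            continue
        key = line.lower()
        if key in seen:
            problems.append((line_no, line, "duplicate entry"))
            continue
        seen.add(key)
        if key.startswith(BACKUP_PREFIX):
            problems.append((line_no, line,
                             "deletes the tool's own backup; nothing left to restore afterwards"))
        paths.append(line)
    return paths, problems


def split_glued_line(line):
    """Recover the individual paths from a line that carries several drive roots."""
    starts = [m.start() for m in DRIVE_ROOT_RE.finditer(line)]
    ends = starts[1:] + [len(line)]
    return [line[a:b] for a, b in zip(starts, ends)]


if __name__ == "__main__":
    ok, issues = lint_script(SAMPLE_SCRIPT)
    print("would delete:", *ok, sep="\n  ")
    for line_no, line, msg in issues:
        print(f"line {line_no}: {msg}\n  {line}")
        if "glued" in msg:
            print("  split into:", split_glued_line(line))
```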
Andeee
Junior Member with 22 posts.
Join Date: Mar 2007
Experience: Advanced
28-Mar-2007, 04:26 AM #19
Hi JSntgRvr.

I executed the Avenger script you gave me (no log, sorry, see below) and after the reboot, before I could run the Kaspersky scan, AntiVir started popping up virus warnings, there were ActiveX pop-up ads in Firefox and IE, and the BHO objects were back in the HJT scan.

After running the Kaspersky scan (log posted below) I executed the following Avenger script:
Files to delete:
C:\!KillBox\ddcya.dll
C:\!KillBox\ddcya.dll( 1)
C:\avenger\backup.zip
C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\83YZCVQF\lo1[1]
C:\VundoFix Backups\crtsmjgc.exe.bad
C:\VundoFix Backups\ddcya.dll.bad
C:\VundoFix Backups\gebya.dll.bad
C:\VundoFix Backups\geebb.dll.bad
C:\VundoFix Backups\hpjdagru.exe.bad
C:\VundoFix Backups\kenfrgun.exe.bad
C:\VundoFix Backups\kvkotauw.exe.badC:\VundoFix Backups\lrvwrpiv.exe.bad
C:\VundoFix Backups\mljgf.dll.bad
C:\VundoFix Backups\mljjg.dll.bad
C:\VundoFix Backups\mljji.dll.bad
C:\VundoFix Backups\nganlsfq.exe.bad
C:\VundoFix Backups\ssqrs.dll.bad
C:\VundoFix Backups\yxmyempu.exe.bad
C:\WINDOWS\system32\cgksihww.exe
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\eyqfmvqc.exe
C:\WINDOWS\system32\tfrafacx.exe
with the same effect (log to follow). Directly after reboot the virus warnings were back, and the pop-up ads. Here are the Kaspersky, Avenger and HJT logs:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 28, 2007 9:31:49 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/03/2007
Kaspersky Anti-Virus database records: 287124
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
F:\
Q:\
Scan Statistics
Total number of scanned objects 101829
Number of viruses found 3
Number of infected objects 25 / 0
Number of suspicious objects 0
Duration of the scan process 02:55:11

Infected Object Name Virus Name Last Action
C:\!KillBox\ddcya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\!KillBox\ddcya.dll( 1) Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\avenger\backup.zip/avenger/pmnnk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cert8.db Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\history.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\key3.db Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Mr. Poo\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\History\History.IE5\MSHist012007032820070329\index.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\83YZCVQF\lo1[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mr. Poo\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mr. Poo\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Mr. Poo\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\FRITZ!DSL\access\access.lock Object is locked skipped
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\crtsmjgc.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\ddcya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\gebya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\geebb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\hpjdagru.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\kenfrgun.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\kvkotauw.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\lrvwrpiv.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\mljgf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\mljjg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\mljji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\nganlsfq.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\VundoFix Backups\ssqrs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\VundoFix Backups\yxmyempu.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A482083E-1C5C-44E5-B7C5-1F18FECCD844}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cgksihww.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcyy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\eyqfmvqc.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tfrafacx.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rrpvwrru

*******************

Script file located at: \??\C:\WINDOWS\foqflvhk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\!KillBox\ddcya.dll deleted successfully.
File C:\!KillBox\ddcya.dll( 1) deleted successfully.
File C:\avenger\backup.zip deleted successfully.


File C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\83YZCVQF\lo1[1] not found!
Deletion of file C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\83YZCVQF\lo1[1] failed!

Could not process line:
C:\Documents and Settings\Mr. Poo\Local Settings\Temporary Internet Files\Content.IE5\83YZCVQF\lo1[1]
Status: 0xc0000034

File C:\VundoFix Backups\crtsmjgc.exe.bad deleted successfully.
File C:\VundoFix Backups\ddcya.dll.bad deleted successfully.
File C:\VundoFix Backups\gebya.dll.bad deleted successfully.
File C:\VundoFix Backups\geebb.dll.bad deleted successfully.
File C:\VundoFix Backups\hpjdagru.exe.bad deleted successfully.
File C:\VundoFix Backups\kenfrgun.exe.bad deleted successfully.


Could not open file C:\VundoFix Backups\kvkotauw.exe.badC:\VundoFix Backups\lrvwrpiv.exe.bad for deletion
Deletion of file C:\VundoFix Backups\kvkotauw.exe.badC:\VundoFix Backups\lrvwrpiv.exe.bad failed!

Could not process line:
C:\VundoFix Backups\kvkotauw.exe.badC:\VundoFix Backups\lrvwrpiv.exe.bad
Status: 0xc0000033

File C:\VundoFix Backups\mljgf.dll.bad deleted successfully.
File C:\VundoFix Backups\mljjg.dll.bad deleted successfully.
File C:\VundoFix Backups\mljji.dll.bad deleted successfully.
File C:\VundoFix Backups\nganlsfq.exe.bad deleted successfully.
File C:\VundoFix Backups\ssqrs.dll.bad deleted successfully.
File C:\VundoFix Backups\yxmyempu.exe.bad deleted successfully.
File C:\WINDOWS\system32\cgksihww.exe deleted successfully.
File C:\WINDOWS\system32\ddcyy.dll deleted successfully.
File C:\WINDOWS\system32\eyqfmvqc.exe deleted successfully.
File C:\WINDOWS\system32\tfrafacx.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:16, on 28/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe
C:\Notepad2.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D80FC82-225A-4535-9D63-EE22F17FAD90} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {646F0435-8B13-4CE8-9642-A21A1F505EB3} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {6F30293C-F3BD-400A-B429-F6E08F2247A8} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Andeee
28-Mar-2007, 05:40 AM #20
Clean?
I was googling for more info on Vundo and noticed that Atribune had a new version of VundoFix out (v6.3.18, only a 0.0.01 update). So I downloaded that, disabled all non-essential processes and ran it (log to follow), then booted into Safe Mode, ran ATF-Cleaner and HJT (logs to follow) and rebooted into normal mode. I also ran Blacklight Rootkit detector, which found nothing.

So far so good.

No popups, no virus warnings, HJT scan still clean, no internet activity without me doing something. I'm going to try running a Panda/Kaspersky scan again to make sure, but it looks like it's fixed. Thanks for all your help.

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:05:57 28/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\iwsvtqgj.exe
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qomkjjk.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iwsvtqgj.exe
C:\WINDOWS\system32\iwsvtqgj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomkjjk.dll
C:\WINDOWS\system32\qomkjjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:15:03 28/03/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of HijackThis v1.99.1
Scan saved at 11:38:02, on 28/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Notepad2.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
JSntgRvr
28-Mar-2007, 07:36 PM #21
Hi, Andeee

Let's take a look at some folders:

Download the enclosed folder. Extract and save its contents to the desktop. It is a folder with a batch file. Once extracted, double click on the batch file. A new document will be produced. Please attach that report to your next reply.
Andeee
29-Mar-2007, 04:28 AM #22
Hi again

I ran a Critical System scan with Kaspersky (Panda still refusing to work), as all of the previous problems showed up in the system folder, and it came back clean. Still no more signs of infection (no popups, no virus warnings).

I ran the folder scan and here are the results:

Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Program Files

02/02/2006 23:38 <DIR> Outlook Express
02/02/2006 23:39 <DIR> Online Services
02/02/2006 23:57 <DIR> AvRack
03/02/2006 00:34 <DIR> VideoLAN
03/02/2006 20:13 <DIR> Nero
03/02/2006 21:11 <DIR> DVD Decrypter
03/02/2006 21:11 <DIR> DVD Shrink
03/02/2006 21:12 <DIR> XP Codec Pack
03/02/2006 21:14 <DIR> Haali
06/02/2006 16:27 <DIR> OpenOffice.org 2.0
08/02/2006 19:07 <DIR> CCleaner
09/02/2006 11:55 <DIR> Atomic Clock Sync
23/02/2006 15:36 <DIR> URUSoft
02/03/2006 21:44 <DIR> Aspyr Media, Inc
09/03/2006 17:42 <DIR> Real
10/03/2006 13:41 <DIR> SmartFTP Client 2.0
18/03/2006 20:24 <DIR> FolderSize
18/03/2006 21:03 <DIR> Alcohol Soft
21/03/2006 16:06 <DIR> XviD
05/04/2006 16:59 <DIR> Canon
24/04/2006 12:04 <DIR> Viewpoint
28/04/2006 11:31 <DIR> PADI
04/07/2006 18:25 <DIR> FRITZ!Box
14/07/2006 09:34 <DIR> Safer Networking
18/07/2006 19:59 <DIR> Netscape
18/07/2006 20:18 <DIR> FRITZ!DSL
21/07/2006 01:14 <DIR> Photoshop
25/07/2006 15:51 <DIR> MSN Messenger
05/08/2006 16:26 <DIR> PowerISO
06/08/2006 17:19 <DIR> Saitek
12/08/2006 14:54 <DIR> Windows Media Player
16/08/2006 13:11 <DIR> ScanSoft
16/08/2006 23:16 <DIR> Voice
21/08/2006 11:39 <DIR> DAMN NFO Viewer
21/08/2006 11:39 <DIR> DOSBox-0.63
27/08/2006 11:43 <DIR> SolSuite
27/08/2006 22:12 <DIR> Kyodai Mahjongg 2006
08/09/2006 03:10 <DIR> Seagate
13/09/2006 19:25 <DIR> WinBoard
28/09/2006 14:12 <DIR> Europa-Führerschein 2006
30/09/2006 10:50 <DIR> Intersil
03/10/2006 18:01 <DIR> WinAce
08/10/2006 12:39 <DIR> Ubi Soft
08/10/2006 16:51 <DIR> Natwarlal
09/10/2006 10:25 <DIR> StartUp Organizer
10/10/2006 16:01 <DIR> QuickTime
14/10/2006 13:29 <DIR> Browser MOUSE
20/10/2006 12:51 <DIR> Activision
21/10/2006 13:55 <DIR> igowin
23/10/2006 12:41 <DIR> PopUp Eraser
24/10/2006 13:42 <DIR> Opera
28/10/2006 11:38 <DIR> ID3-TagIT 3
01/11/2006 11:22 <DIR> Philips
02/11/2006 14:45 <DIR> Accessdiver
03/11/2006 20:10 <DIR> Steganos Tuning 7
06/11/2006 15:14 <DIR> Copernic Agent
07/11/2006 01:07 <DIR> NVTray
07/11/2006 01:10 <DIR> Internet Explorer
08/11/2006 23:59 <DIR> mIRC
12/11/2006 18:24 <DIR> Intel
12/11/2006 18:36 <DIR> Nvidia Omega Drivers
13/11/2006 00:27 <DIR> WinRAR
13/11/2006 12:44 <DIR> Raxco
13/11/2006 21:05 <DIR> Realtek AC97
13/11/2006 21:31 <DIR> DriverGuide Toolkit
13/11/2006 22:05 <DIR> PSCS2
14/11/2006 17:16 <DIR> TimeAdjuster
14/11/2006 18:11 <DIR> SubMagic
16/11/2006 20:07 <DIR> Apple Software Update
20/11/2006 18:51 <DIR> CyberLink
20/11/2006 21:51 <DIR> Pegasys Inc
20/11/2006 22:19 <DIR> MPEG Converter
20/11/2006 22:38 <DIR> Allok AVI MPEG Converter
06/12/2006 20:28 <DIR> Total Training
15/12/2006 15:30 <DIR> Telefonica
15/12/2006 15:39 <DIR> Kit ADSL USB
15/12/2006 18:06 <DIR> Adobe
15/12/2006 20:11 <DIR> epson
21/12/2006 20:47 <DIR> Download Plugin
30/12/2006 02:36 <DIR> Nici
30/12/2006 15:06 <DIR> Suunto
02/01/2007 18:39 <DIR> WDPS
10/01/2007 16:51 <DIR> MissionRisk
11/01/2007 21:49 <DIR> Google
12/01/2007 23:13 <DIR> D-Fend
15/01/2007 13:50 <DIR> PowerQuest
22/01/2007 21:27 <DIR> mhead32
27/01/2007 01:17 <DIR> uTorrent
27/01/2007 02:37 <DIR> HHS
27/01/2007 03:23 <DIR> DecoChek
27/01/2007 13:29 <DIR> decoplan
27/01/2007 18:47 <DIR> SubFind
03/02/2007 01:48 <DIR> Combined Community Codec Pack
03/02/2007 18:21 <DIR> BBBike
09/02/2007 14:04 <DIR> Mozilla Thunderbird
07/03/2007 14:42 <DIR> Skype
07/03/2007 15:14 <DIR> SmartTrak
08/03/2007 13:55 <DIR> IrfanView
12/03/2007 12:25 <DIR> The New English-German Dictionary
22/03/2007 05:31 <DIR> Soulseek
23/03/2007 23:14 <DIR> Traction Software
24/03/2007 23:14 <DIR> AntiVir PersonalEdition Classic
25/03/2007 22:41 <DIR> Kazaa Lite K++
25/03/2007 23:09 <DIR> Java
26/03/2007 02:14 <DIR> Grisoft
26/03/2007 12:42 <DIR> LizardTech
26/03/2007 20:17 <DIR> Winamp
26/03/2007 22:04 <DIR> Mozilla Firefox
27/03/2007 23:58 <DIR> Kaspersky Lab
28/03/2007 13:31 <DIR> Common Files
28/03/2007 13:55 <DIR> Mgtweak
28/03/2007 14:00 <DIR> Avi2Dvd
28/03/2007 14:00 <DIR> AviSynth 2.5
28/03/2007 14:01 <DIR> Flock
28/03/2007 14:01 <DIR> GetRight
28/03/2007 14:25 <DIR> Trillian Pro
28/03/2007 14:26 <DIR> Voyager
28/03/2007 16:52 <DIR> Spybot - Search & Destroy
28/03/2007 22:02 <DIR> eMule
29/03/2007 08:10 <DIR> .
29/03/2007 08:10 <DIR> ..
0 File(s) 0 bytes
121 Dir(s) 12,284,555,264 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Program Files\Common Files

02/02/2006 23:38 <DIR> System
02/02/2006 23:38 <DIR> MSSoap
02/02/2006 23:38 <DIR> Services
03/02/2006 20:15 <DIR> Ahead
21/03/2006 15:05 <DIR> Adobe Systems Shared
24/04/2006 12:03 <DIR> Nullsoft
24/04/2006 12:05 <DIR> aolback
18/07/2006 20:14 <DIR> AVM
16/08/2006 13:14 <DIR> InstallShield
20/08/2006 20:51 <DIR> Real
20/08/2006 20:51 <DIR> xing shared
21/08/2006 11:39 <DIR> aol
21/08/2006 13:55 <DIR> SWF Studio
23/08/2006 11:13 <DIR> NSV
08/10/2006 16:51 <DIR> Microsoft Shared
06/11/2006 15:14 <DIR> Copernic
15/12/2006 18:10 <DIR> Adobe
15/12/2006 18:27 <DIR> Macrovision Shared
30/12/2006 22:45 <DIR> Raxco
22/01/2007 21:27 <DIR> MachineheadSoftware
07/03/2007 14:42 <DIR> Skype
25/03/2007 23:09 <DIR> Java
28/03/2007 13:31 <DIR> .
28/03/2007 13:31 <DIR> ..
11/12/2000 10:57 21,841 tppupd2k.dll
1 File(s) 21,841 bytes
24 Dir(s) 12,284,555,264 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Windows\System32

03/01/1996 05:53 290,816 GSW32.EXE
02/09/1998 10:28 63,488 unam4ie.exe
04/12/2000 12:55 86,456 TPPUN.EXE
09/07/2001 11:50 155,648 NeroCheck.exe
15/11/2001 20:44 61,440 AVSReub.exe
19/11/2001 22:16 15,840 Machnm1.exe
16/09/2002 19:16 1,357,032 XMNT2002.exe
31/12/2002 14:00 40,448 osuninst.exe
31/12/2002 14:00 21,504 pathping.exe
31/12/2002 14:00 15,360 pentnt.exe
31/12/2002 14:00 11,264 attrib.exe
31/12/2002 14:00 126,464 nwscript.exe
31/12/2002 14:00 33,280 ping6.exe
31/12/2002 14:00 20,480 nbtstat.exe
31/12/2002 14:00 6,656 msswchx.exe
31/12/2002 14:00 9,216 print.exe
31/12/2002 14:00 19,456 arp.exe
31/12/2002 14:00 136,704 bootcfg.exe
31/12/2002 14:00 4,608 bootok.exe
31/12/2002 14:00 5,120 bootvrfy.exe
31/12/2002 14:00 18,432 cacls.exe
31/12/2002 14:00 114,688 calc.exe
31/12/2002 14:00 32,256 wupdmgr.exe
31/12/2002 14:00 11,776 chkdsk.exe
31/12/2002 14:00 11,264 chkntfs.exe
31/12/2002 14:00 20,992 msg.exe
31/12/2002 14:00 7,680 ckcnv.exe
31/12/2002 14:00 16,896 qappsrv.exe
31/12/2002 14:00 22,016 qwinsta.exe
31/12/2002 14:00 817 mscdexnt.exe
31/12/2002 14:00 10,368 wowexec.exe
31/12/2002 14:00 2,736 wowdeb.exe
31/12/2002 14:00 2,112 winspool.exe
31/12/2002 14:00 8,192 winhlp32.exe
31/12/2002 14:00 1,129 vwipxspx.exe
31/12/2002 14:00 15,872 comp.exe
31/12/2002 14:00 17,408 compact.exe
31/12/2002 14:00 11,776 rasautou.exe
31/12/2002 14:00 33,792 vssadmin.exe
31/12/2002 14:00 8,192 control.exe
31/12/2002 14:00 13,824 convert.exe
31/12/2002 14:00 98,304 verifier.exe
31/12/2002 14:00 47,872 user.exe
31/12/2002 14:00 4,096 unlodctr.exe
31/12/2002 14:00 5,120 dcomcnfg.exe
31/12/2002 14:00 12,498 append.exe
31/12/2002 14:00 20,634 debug.exe
31/12/2002 14:00 36,352 typeperf.exe
31/12/2002 14:00 12,800 mrinfo.exe
31/12/2002 14:00 16,896 tsshutdn.exe
31/12/2002 14:00 16,384 tskill.exe
31/12/2002 14:00 14,848 tsdiscon.exe
31/12/2002 14:00 17,920 diskperf.exe
31/12/2002 14:00 11,264 rasdial.exe
31/12/2002 14:00 4,608 dllhst3g.exe
31/12/2002 14:00 14,848 tscon.exe
31/12/2002 14:00 31,744 tracert6.exe
31/12/2002 14:00 10,752 doskey.exe
31/12/2002 14:00 7,168 recover.exe
31/12/2002 14:00 3,252 nw16.exe
31/12/2002 14:00 16,896 tftp.exe
31/12/2002 14:00 19,456 tcpsvcs.exe
31/12/2002 14:00 58,368 driverquery.exe
31/12/2002 14:00 12,288 tcmsetup.exe
31/12/2002 14:00 15,360 taskman.exe
31/12/2002 14:00 72,192 tasklist.exe
31/12/2002 14:00 12,642 edlin.exe
31/12/2002 14:00 39,424 esentutl.exe
31/12/2002 14:00 72,192 taskkill.exe
31/12/2002 14:00 77,824 eventtriggers.exe
31/12/2002 14:00 8,704 eventvwr.exe
31/12/2002 14:00 8,424 exe2bin.exe
31/12/2002 14:00 15,872 expand.exe
31/12/2002 14:00 3,072 systray.exe
31/12/2002 14:00 882 fastopen.exe
31/12/2002 14:00 14,848 fc.exe
31/12/2002 14:00 9,216 find.exe
31/12/2002 14:00 68,096 systeminfo.exe
31/12/2002 14:00 9,216 finger.exe
31/12/2002 14:00 3,072 fixmapi.exe
31/12/2002 14:00 36,864 syskey.exe
31/12/2002 14:00 18,896 sysedit.exe
31/12/2002 14:00 7,168 forcedos.exe
31/12/2002 14:00 9,216 subst.exe
31/12/2002 14:00 56,320 fsutil.exe
31/12/2002 14:00 9,728 sprestrt.exe
31/12/2002 14:00 24,576 gdi.exe
31/12/2002 14:00 55,296 getmac.exe
31/12/2002 14:00 22,016 mpnotify.exe
31/12/2002 14:00 57,344 gpupdate.exe
31/12/2002 14:00 23,552 sort.exe
31/12/2002 14:00 7,052 nlsfunc.exe
31/12/2002 14:00 14,848 help.exe
31/12/2002 14:00 7,680 hostname.exe
31/12/2002 14:00 138,752 sndvol32.exe
31/12/2002 14:00 882 share.exe
31/12/2002 14:00 14,848 shadow.exe
31/12/2002 14:00 44,032 ipsec6.exe
31/12/2002 14:00 9,728 sfc.exe
31/12/2002 14:00 11,753 setver.exe
31/12/2002 14:00 31,232 sc.exe
31/12/2002 14:00 15,872 rwinsta.exe
31/12/2002 14:00 132,608 rsvp.exe
31/12/2002 14:00 62,976 rsopprov.exe
31/12/2002 14:00 25,600 routemon.exe
31/12/2002 14:00 8,192 mountvol.exe
31/12/2002 14:00 9,728 label.exe
31/12/2002 14:00 29,696 lights.exe
31/12/2002 14:00 19,968 route.exe
31/12/2002 14:00 5,120 lodctr.exe
31/12/2002 14:00 9,728 reset.exe
31/12/2002 14:00 12,800 replace.exe
31/12/2002 14:00 15,360 logoff.exe
31/12/2002 14:00 3,584 regedt32.exe
31/12/2002 14:00 6,144 lpq.exe
31/12/2002 14:00 8,192 lpr.exe
31/12/2002 14:00 32,768 relog.exe
31/12/2002 14:00 32,256 asr_ldm.exe
31/12/2002 14:00 4,608 regwiz.exe
31/12/2002 14:00 39,274 mem.exe
31/12/2002 14:00 33,792 regini.exe
31/12/2002 14:00 31,744 ntsd.exe
25/06/2003 17:05 266,360 TweakUI.exe
04/08/2003 23:54 215,552 PRISMSTA.exe
05/07/2004 12:52 15,259 compress.exe
26/07/2004 13:01 122,880 Nx.exe
26/07/2004 13:02 40,960 REnum.exe
26/07/2004 13:02 163,840 PrfAct.exe
04/08/2004 07:48 3,338 redir.exe
04/08/2004 07:49 92,224 krnl386.exe
04/08/2004 07:51 53,840 dosx.exe
04/08/2004 07:59 44,544 tscupgrd.exe
04/08/2004 07:59 12,800 spiisupd.exe
04/08/2004 07:59 407,552 mstsc.exe
04/08/2004 09:56 20,480 cliconfg.exe
04/08/2004 09:56 33,280 clipsrv.exe
04/08/2004 09:56 11,264 autolfn.exe
04/08/2004 09:56 64,000 cleanmgr.exe
04/08/2004 09:56 602,624 autoconv.exe
04/08/2004 09:56 588,800 autochk.exe
04/08/2004 09:56 14,336 auditusr.exe
04/08/2004 09:56 11,264 atmadm.exe
04/08/2004 09:56 25,088 at.exe
04/08/2004 09:56 32,768 asr_pfu.exe
04/08/2004 09:56 56,320 cipher.exe
04/08/2004 09:56 30,208 asr_fmt.exe
04/08/2004 09:56 44,544 alg.exe
04/08/2004 09:56 98,304 ahui.exe
04/08/2004 09:56 4,096 actmovie.exe
04/08/2004 09:56 580,608 autofmt.exe
04/08/2004 09:56 104,960 dfrgntfs.exe
04/08/2004 09:56 18,432 dpnsvr.exe
04/08/2004 09:56 83,456 dpvsetup.exe
04/08/2004 09:56 82,432 dfrgfat.exe
04/08/2004 09:56 17,920 dvdupgrd.exe
04/08/2004 09:56 1,298,432 dxdiag.exe
04/08/2004 09:56 50,176 eventcreate.exe
04/08/2004 09:56 45,568 extrac32.exe
04/08/2004 09:56 388,608 cmd.exe
04/08/2004 09:56 47,104 cmdl32.exe
04/08/2004 09:56 27,136 findstr.exe
04/08/2004 09:56 22,528 fltMc.exe
04/08/2004 09:56 20,992 fontview.exe
04/08/2004 09:56 85,504 diantz.exe
04/08/2004 09:56 193,024 fsquirt.exe
04/08/2004 09:56 42,496 ftp.exe
04/08/2004 09:56 39,936 cmmon32.exe
04/08/2004 09:56 25,088 defrag.exe
04/08/2004 09:56 119,808 gpresult.exe
04/08/2004 09:56 39,424 grpconv.exe
04/08/2004 09:56 15,872 dmremote.exe
04/08/2004 09:56 63,488 cmstp.exe
04/08/2004 09:56 30,208 ddeshare.exe
04/08/2004 09:56 15,360 ctfmon.exe
04/08/2004 09:56 6,144 csrss.exe
04/08/2004 09:56 224,768 dmadmin.exe
04/08/2004 09:56 30,208 dplaysvr.exe
04/08/2004 09:56 98,304 cscript.exe
04/08/2004 09:56 27,648 conime.exe
04/08/2004 09:56 5,120 dllhost.exe
04/08/2004 09:56 163,840 diskpart.exe
04/08/2004 09:56 59,392 logman.exe
04/08/2004 09:56 114,688 iexpress.exe
04/08/2004 09:56 55,808 ipconfig.exe
04/08/2004 09:56 53,248 ipv6.exe
04/08/2004 09:56 23,552 ipxroute.exe
04/08/2004 09:56 75,264 locator.exe
04/08/2004 09:56 34,304 ie4uinit.exe
04/08/2004 09:56 514,560 logonui.exe
04/08/2004 09:56 13,312 lsass.exe
04/08/2004 09:56 85,504 makecab.exe
04/08/2004 09:56 815,104 mmc.exe
04/08/2004 09:56 143,360 mobsync.exe
04/08/2004 09:56 29,184 mshta.exe
04/08/2004 09:56 158,208 msconfig.exe
04/08/2004 09:56 12,288 mstinit.exe
04/08/2004 09:56 117,248 mqtgsvc.exe
04/08/2004 09:56 19,968 mqbkup.exe
04/08/2004 09:56 4,608 mqsvc.exe
04/08/2004 09:56 6,144 msdtc.exe
04/08/2004 09:56 13,824 rdsaddin.exe
04/08/2004 09:56 50,176 reg.exe
04/08/2004 09:56 62,464 rdpclip.exe
04/08/2004 09:56 21,504 rcp.exe
04/08/2004 09:56 11,776 regsvr32.exe
04/08/2004 09:56 35,840 rcimlby.exe
04/08/2004 09:56 20,480 qprocess.exe
04/08/2004 09:56 67,072 rdshost.exe
04/08/2004 09:56 49,152 powercfg.exe
04/08/2004 09:56 69,120 notepad.exe
04/08/2004 09:56 13,824 rexec.exe
04/08/2004 09:56 419,840 ntvdm.exe
04/08/2004 09:56 36,864 netstat.exe
04/08/2004 09:56 14,848 rsh.exe
04/08/2004 09:56 86,016 netsh.exe
04/08/2004 09:56 17,920 ping.exe
04/08/2004 09:56 77,312 rtcshare.exe
04/08/2004 09:56 32,768 odbcad32.exe
04/08/2004 09:56 33,280 rundll32.exe
04/08/2004 09:56 14,336 runonce.exe
04/08/2004 09:56 15,872 perfmon.exe
04/08/2004 09:56 13,312 savedump.exe
04/08/2004 09:56 42,496 net.exe
04/08/2004 09:56 95,744 scardsvr.exe
04/08/2004 09:56 121,856 schtasks.exe
04/08/2004 09:56 77,312 sdbinst.exe
04/08/2004 09:56 18,432 secedit.exe
04/08/2004 09:56 108,032 services.exe
04/08/2004 09:56 69,632 odbcconf.exe
04/08/2004 09:56 67,584 openfiles.exe
04/08/2004 09:56 56,832 rasphone.exe
04/08/2004 09:56 109,568 progman.exe
04/08/2004 09:56 76,800 nslookup.exe
04/08/2004 09:56 9,216 proxycfg.exe
04/08/2004 09:56 111,104 netdde.exe
04/08/2004 09:56 124,928 net1.exe
04/08/2004 09:56 4,096 nddeapir.exe
04/08/2004 09:56 50,176 proquota.exe
04/08/2004 09:56 70,144 sigverif.exe
04/08/2004 09:56 26,112 skeys.exe
04/08/2004 09:56 8,192 smbinst.exe
04/08/2004 09:56 89,600 smlogsvc.exe
04/08/2004 09:56 50,688 smss.exe
04/08/2004 09:56 77,824 shrpubw.exe
04/08/2004 09:56 42,496 shmgrate.exe
04/08/2004 09:56 12,288 tracert.exe
04/08/2004 09:56 11,776 spnpinst.exe
04/08/2004 09:56 502,272 winlogon.exe
04/08/2004 09:56 140,800 sessmgr.exe
04/08/2004 09:56 259,584 tracerpt.exe
04/08/2004 09:56 14,848 stimon.exe
04/08/2004 09:56 16,896 upnpcont.exe
04/08/2004 09:56 14,336 svchost.exe
04/08/2004 09:56 24,576 userinit.exe
04/08/2004 09:56 5,632 winver.exe
04/08/2004 09:56 105,984 sysocmgr.exe
04/08/2004 09:56 23,040 setup.exe
04/08/2004 09:56 32,256 wpabaln.exe
04/08/2004 09:56 32,256 wpnpinst.exe
04/08/2004 09:56 114,688 wscript.exe
04/08/2004 09:56 433,664 wiaacmgr.exe
04/08/2004 09:56 135,680 taskmgr.exe
04/08/2004 09:56 289,792 vssvc.exe
04/08/2004 09:56 65,536 wextract.exe
04/08/2004 09:56 30,720 xcopy.exe
04/08/2004 09:56 19,456 shutdown.exe
04/08/2004 10:02 329,728 netsetup.exe
29/11/2004 16:08 40,960 CNDNDlg.exe
29/11/2004 17:43 81,920 sherlock2.exe
28/01/2005 14:44 96,768 logagent.exe
28/01/2005 14:44 38,912 wdfmgr.exe
28/01/2005 14:44 47,104 uwdf.exe
25/02/2005 05:35 22,752 spupdsvc.exe
02/03/2005 02:34 2,015,232 ntkrnlpa.exe
02/03/2005 02:57 2,135,552 ntoskrnl.exe
12/03/2005 00:48 108,544 pxcpyi64.exe
04/05/2005 15:45 78,848 msiexec.exe
26/05/2005 05:16 172,312 wuauclt1.exe
26/05/2005 05:16 124,184 wuauclt.exe
11/06/2005 01:53 57,856 spoolsv.exe
17/06/2005 19:03 86,016 pctspk.exe
17/06/2005 21:03 152,576 irftp.exe
18/06/2005 04:14 55,296 dvdplay.exe
18/06/2005 04:14 61,508 usrprbda.exe
18/06/2005 04:14 69,700 usrshuta.exe
18/06/2005 04:14 77,891 usrmlnka.exe
10/12/2005 04:06 131,139 nvsvc32.exe
10/12/2005 04:06 1,519,616 nwiz.exe
10/12/2005 04:06 147,456 nvcolor.exe
10/12/2005 04:06 1,339,392 nvdspsch.exe
10/12/2005 04:06 425,984 keystone.exe
10/12/2005 04:06 442,368 nvappbar.exe
17/03/2006 02:38 28,672 verclsid.exe
07/07/2006 03:21 6,757,792 MRT.exe
14/07/2006 10:19 2,275,328 TUKernel.exe
01/08/2006 16:02 49,152 ChCfg.exe
02/08/2006 17:02 37,270 OggDSUninst.exe
10/08/2006 08:27 10,528,768 RTLCPL.exe
25/08/2006 05:47 115,880 pxinsi64.exe
25/08/2006 05:47 62,632 pxinsa64.exe
25/08/2006 05:47 63,144 pxcpya64.exe
22/10/2006 13:22 794,624 nvcplui.exe
22/10/2006 13:22 208,896 nvudisp.exe
20/11/2006 21:50 53,248 pxhpinst.exe
02/02/2007 08:50 227,856 PDBoot.exe
25/03/2007 23:09 135,168 java.exe
25/03/2007 23:09 135,168 javaw.exe
25/03/2007 23:09 139,264 javaws.exe
308 File(s) 50,802,576 bytes
0 Dir(s) 12,284,538,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Windows\System32

31/12/2002 14:00 218,003 dssec.dat
31/12/2002 14:00 272,128 perfi009.dat
31/12/2002 14:00 28,626 perfd009.dat
31/12/2002 14:00 673,088 mlang.dat
31/12/2002 14:00 4,463 oembios.dat
02/08/2004 23:20 4,569 secupd.dat
17/06/2005 19:04 456 pthsp.dat
02/02/2006 23:38 21,640 emptyregdb.dat
11/10/2006 14:56 664 d3d9caps.dat
13/11/2006 00:12 8 nvModes.dat
02/01/2007 17:37 113,376 FNTCACHE.DAT
28/03/2007 11:28 61,272 perfc009.dat
28/03/2007 11:28 398,792 perfh009.dat
13 File(s) 1,797,085 bytes
0 Dir(s) 12,284,538,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Windows\System32

02/02/2006 23:39 749 cdplayer.exe.manifest
24/03/2007 22:33 1,709,409 cvbdmshm.ini
24/03/2007 23:01 1,709,349 djdakalu.ini
24/03/2007 22:43 409 ehhkj.ini
07/02/2006 10:50 <DIR> GroupPolicy
26/03/2007 21:29 621,918 knnmp.bak1
27/03/2007 21:02 631,764 knnmp.ini
02/02/2006 23:39 488 logonui.exe.manifest
24/03/2007 12:28 1,687,955 mwfjbmws.ini
02/02/2006 23:39 749 ncpa.cpl.manifest
02/02/2006 23:39 749 nwc.cpl.manifest
24/03/2007 21:24 474,078 pstwa.bak1
24/03/2007 22:28 481,278 pstwa.ini
24/03/2007 22:43 353 qtvwa.ini
02/02/2006 23:39 749 sapi.cpl.manifest
02/02/2006 23:39 488 WindowsLogon.manifest
02/02/2006 23:39 749 wuaucpl.cpl.manifest
10/02/2006 14:08 4,212 zllictbl.dat
17 File(s) 7,325,446 bytes
1 Dir(s) 12,284,538,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Windows

09/06/1996 13:52 34,864 Unwise.exe
26/02/1997 23:00 71,680 ST5UNST.EXE
20/03/1998 13:01 299,008 uninst.exe
29/10/1998 16:45 306,688 IsUninst.exe
17/11/1998 13:44 328,704 IsUn0407.exe
02/08/2000 14:47 26,112 RunUnDrv.exe
11/07/2001 16:09 109,782 CopernicAgentUninstall.exe
05/05/2002 18:06 24,576 slrundll.exe
31/12/2002 14:00 15,360 TASKMAN.EXE
31/12/2002 14:00 256,192 winhelp.exe
31/12/2002 14:00 49,680 twunk_16.exe
31/12/2002 14:00 25,600 twunk_32.exe
20/08/2003 12:03 118,784 TPPALDR.EXE
20/08/2003 12:03 282,624 TPPNTTRY.EXE
04/08/2004 09:56 1,032,192 explorer.exe
04/08/2004 09:56 146,432 regedit.exe
04/08/2004 09:56 69,120 NOTEPAD.EXE
04/08/2004 09:56 283,648 winhlp32.exe
27/05/2005 01:22 10,752 hh.exe
12/09/2005 16:13 233,472 UNNeroVision.exe
12/09/2005 16:13 233,472 UNNeroMediaHome.exe
12/09/2005 16:13 233,472 UNNeroBackItUp.exe
12/09/2005 16:13 233,472 UNRecode.exe
12/09/2005 16:13 233,472 UNNeroShowTime.exe
15/11/2005 01:51 59,152 zllsputility.exe
27/01/2006 21:52 46,345 NSSetDefaultBrowser.EXE
03/02/2006 00:02 99,965 UninstallThunderbird.exe
03/02/2006 00:10 107,132 UninstallFirefox.exe
03/05/2006 00:38 72,444 SetBrowser.exe
31/07/2006 12:19 315,392 alcupd.exe
31/07/2006 12:27 217,088 Alcrmv.exe
03/08/2006 06:12 577,536 soundman.exe
16/08/2006 09:34 796,672 GPInstall.exe
21/08/2006 12:21 45,056 NCUNINST.EXe
21/08/2006 12:21 40,960 NCLAUNCH.EXe
12/11/2006 18:36 737,280 iun6002.exe
28/11/2006 15:23 573,440 gmer.exe
22/01/2007 21:27 73,216 ST6UNST.EXE
22/01/2007 21:27 364,544 Setup1.exe
39 File(s) 8,785,380 bytes
0 Dir(s) 12,284,534,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\Windows

24/04/2006 12:00 335 nsreg.dat
25/09/2006 01:07 0 PowerReg.dat
13/11/2006 13:29 9,533 mozver.dat
3 File(s) 9,868 bytes
0 Dir(s) 12,284,534,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\

04/10/2000 20:47 26,780 Bios.exe
03/03/2004 19:55 81,920 Port Scanner.exe
04/11/2005 01:00 552,960 Notepad2.exe
3 File(s) 661,660 bytes
0 Dir(s) 12,284,534,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 9864-C038

Directory of C:\
JSntgRvr (Moderator), 29-Mar-2007, 12:10 PM #23
Hi, Andeee

Use the following script in Avenger and post the report:

Quote:
Files to delete:
C:\Program Files\Common Files\tppupd2k.dll
C:\Windows\System32\cvbdmshm.ini
C:\Windows\System32\djdakalu.ini
C:\Windows\System32\ehhkj.ini
C:\Windows\System32\knnmp.bak1
C:\Windows\System32\knnmp.ini
C:\Windows\System32\mwfjbmws.ini
C:\Windows\System32\pstwa.bak1
C:\Windows\System32\pstwa.ini
C:\Windows\System32\qtvwa.ini
Post also a fresh HijackThis log and let me know how the computer is doing.
Andeee (Junior Member), 02-Apr-2007, 03:10 PM #24
Hi again.

Sorry for the long delay. OK, here are the logs. The machine is still not showing any virus reports, and no popups, but is running very slow. It takes a long time to boot and the internet has slowed right down... so I guess there is still a problem, somewhere.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xxhhqfwo

*******************

Script file located at: \??\C:\WINDOWS\mmynesnl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\Common Files\tppupd2k.dll deleted successfully.
File C:\Windows\System32\cvbdmshm.ini deleted successfully.
File C:\Windows\System32\djdakalu.ini deleted successfully.
File C:\Windows\System32\ehhkj.ini deleted successfully.
File C:\Windows\System32\knnmp.bak1 deleted successfully.
File C:\Windows\System32\knnmp.ini deleted successfully.
File C:\Windows\System32\mwfjbmws.ini deleted successfully.
File C:\Windows\System32\pstwa.bak1 deleted successfully.
File C:\Windows\System32\pstwa.ini deleted successfully.
File C:\Windows\System32\qtvwa.ini deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 21:08:22, on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
JSntgRvr (Moderator), 02-Apr-2007, 04:42 PM #25
Hi, Andeee

Let's take a deeper look:

Click here to download WinPFind.
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete, restart the computer back in Normal Mode.
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next reply!
Andeee (Junior Member), 03-Apr-2007, 04:07 AM #26
OK, here's the log. I uninstalled AVG and the machine runs a little faster but not much, and the web runs somewhat smoother now.

WinPFind logfile created on: 03/04/2007 00:44:02
WinPFind by OldTimer - v2.0.2 Folder = C:\Documents and Settings\Mr. Poo\Desktop\WinPFind\

Windows OS and Versions

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

Memory/Drive Info

1309676 Kb Total Physical Memory | 1033844 Kb Available Physical Memory | 78.94% Memory free
1945528 Kb Paging File | 1853504 Kb Available in Paging File | 95.27% Paging File free
Paging file location: C:\pagefile.sys 768 1536

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39062012 Kb Total Space | 13076692 Kb Free Space | 33.48% Space Free
Drive D: | 4365952 Kb Total Space | 0 Kb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
Drive F: | 195358400 Kb Total Space | 88557640 Kb Free Space | 45.33% Space Free

Running Processes (Non-Microsoft)

C:\Documents and Settings\Mr. Poo\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)

Win32 Services (Non-Microsoft)

(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)

(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Stopped]
= C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)

(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Stopped]
= C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH)

(AVM IGD CTRL Service) AVM IGD CTRL Service [Win32_Own | Auto | Stopped]
= C:\Program Files\FRITZ!DSL\IGDCTRL.EXE (AVM Berlin)

(de_serv) AVM FRITZ!web Routing Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\AVM\De_serv.exe (AVM Berlin)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

(FolderSize) Folder Size [Win32_Own | Auto | Stopped]
= C:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)

(NVSvc) NVIDIA Display Driver Service [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

(Pctspk) PCTEL Speaker Phone [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\system32\pctspk.exe (PCtel, Inc.)

(PDAgent) PDAgent [Win32_Own | Auto | Stopped]
= C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (Raxco Software, Inc.)

(PDEngine) PDEngine [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (Raxco Software, Inc.)

(RichVideo) Cyberlink RichVideo Service(CRVS) [Win32_Own | Auto | Stopped]
= C:\Program Files\CyberLink\Shared files\RichVideo.exe ()

(StarWindService) StarWind iSCSI Service [Win32_Own | Disabled | Stopped]
= C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (Rocket Division Software)

Registry Items (Non-Microsoft)

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avgnt = C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Controlled StartUp = C:\Program Files\StartUp Organizer\ctrl.exe ()
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\Mr. Poo\Start Menu\Programs\Startup >
C:\Documents and Settings\Mr. Poo\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]*

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found
.html [@ = FirefoxHTML] -> PersistentHandler = Reg Data - Key not found
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> Reg Data - Key not found
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -> C:\PROGRA~1\MOZILL~2\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

https [open] -> C:\PROGRA~1\MOZILL~2\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [Winamp.Enqueue] -> "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -> "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = SsiEfr.e;
ExcludeFromKnownDlls =

>>>>> SafeBoot Option Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{182B90A3-F372-438A-800C-6814B4DE417B} = 


>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)
>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
ConfirmFileDelete = 0
NoDriveTypeAutoRun = ( 181 0 0 0 ) -
NoDesktopCleanupWizard = 1
NoResolveTrack = 1
NoRecentDocsHistory = 1
NoFavoritesMenu = 1
NoUserNameInStartMenu = 1
NoSimpleStartMenu = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
legalnoticecaption =
legalnoticetext =
undockwithoutlogon = 1
NoInternetOpenWith = 1
ShutdownWithoutLogon = 1
DontDisplayLastUserName = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32]
NoFileMru = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoSMHelp = 1
NoDriveTypeAutoRun = ( 149 0 0 0 ) -
NoSMConfigurePrograms = 1
NoInternetIcon = 1
NoRecentDocsMenu = 1
GreyMSIAds = 1
CDRAutoRun = 0
NoInstrumentation = 1
NoRecentDocsHistory = 1
ClearRecentDocsOnExit = 1
NoDriveAutoRun = ( 52 0 0 0 ) - 4
NoCDBurning = 0
NoDrives = 0
NoFavoritesMenu = 1
NoUserNameInStartMenu = 1
NoSimpleStartMenu = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

>>>>> Desktop Components <<<<<

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 686 bytes | Modified Date: 26/03/2007 21:16:54)
127.0.0.1 localhost

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
SearchAssistant = http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
Local Page = C:\windows\system32\blank.htm
Search Page = http://www.google.com
Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
- ( HKLM = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
- Adobe PDF Conversion Toolbar Helper ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) )

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}]
- Adobe PDF ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}]
- Copernic Agent Results ( HKLM = C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}]
- Copernic Agent ( HKLM = C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) )
{F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - Copernic Agent ( HKLM = C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{00000000-5736-4205-0008-F7ED0776FB27} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) )
{F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - Copernic Agent ( HKLM = C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8193 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} = 8195 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} = 8196 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} = 8198 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{688DC797-DC11-46A7-9F1B-445F4F58CE6E} = 8197 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{B13B4423-2647-4cfc-A4B3-C7D56CB83487} = 8192 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8199

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - Java Plug-in 1.6.0 ( HKLM C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - Java Plug-in 1.6.0 ( HKCU C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084}]
MenuText = Launch Copernic Agent
Exec = C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{688DC797-DC11-46A7-9F1B-445F4F58CE6E}]
ButtonText = Copernic Agent
Exec = C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
ButtonText = Real.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Append to existing PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert link target to Adobe PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert link target to existing PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selected links to Adobe PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selected links to existing PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selection to Adobe PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selection to existing PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert to Adobe PDF]
@ = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search Using Copernic Agent]
@ = NTEGRATION_MENU_SEARCHEXT (File not found)

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler ( HKLM = C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{1CDB2949-8F65-4355-8456-263E7C208A5D} = Desktop Explorer ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = Desktop Explorer Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} = nView Desktop Context Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{32020A01-506E-484D-A2A8-BE3CF17601C3} = AlcoholShellEx ( HKLM = C:\Program Files\Alcohol Soft\Alcohol 120\AXShlEx.dll (Alcohol Soft Development Team) )
{3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer ( HKLM = C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = Shell Extension for Malware scanning ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )
{63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler ( HKLM = C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = Webroot Spy Sweeper Context Menu Integration ( CLSID not found! )
{7F1CF152-04F8-453A-B34C-E609530A9DC8} = NeroDigitalPropSheetHandler Class ( HKLM = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} = WinAceContext Menu Extension ( HKLM = C:\Program Files\WinAce\arcext.dll (e-merge GmbH) )
{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} = WinAceProperty Sheet Extension ( HKLM = C:\Program Files\WinAce\arcext.dll (e-merge GmbH) )
{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} = WinAceDrag-Drop Extension ( HKLM = C:\Program Files\WinAce\arcext.dll (e-merge GmbH) )
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = WinAceContext Menu (Add) Extension ( HKLM = C:\Program Files\WinAce\arcext.dll (e-merge GmbH) )
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = PowerISO ( HKLM = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.) )
{A70C977A-BF00-412C-90B7-034C51DA2439} = DesktopContext Class ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )
{B327765E-D724-4347-8B16-78AE18552FC3} = NeroDigitalIconHandler Class ( HKLM = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )
{B8323370-FF27-11D2-97B6-204C4F4F5020} = SmartFTP Shell Extension DLL ( HKLM = C:\Program Files\SmartFTP Client 2.0\smarthook.dll (SmartFTP) )
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler ( HKLM = C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) )
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = Acrobat Elements Context Menu ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.) )
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = Multiscan ( CLSID not found! )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} = NVIDIA CPL Extension ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )
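The dump above renders REG_DWORD policy values such as NoDriveTypeAutoRun as a decimal byte list ("( 181 0 0 0 )"), which is hard to read at a glance, and marks loader entries the tool could not resolve with "(File not found)" or "CLSID not found!". The script below is an added example for this thread, not code from the thread or from WinPFind: it parses a dump in that layout, decodes the two AutoRun bitmasks per hive and lists the unresolved entries. The bit assignments follow Microsoft's documentation of NoDriveTypeAutoRun and NoDriveAutoRun; the sample input is constructed from lines of the log posted above, and the function and constant names are this example's own.

```python
"""Triage helpers for a WinPFind-style registry dump.

Added example for this thread; not WinPFind code. SAMPLE_LOG below is
constructed from lines of the log posted above.
"""
import re

# NoDriveTypeAutoRun (REG_DWORD): a SET bit disables AutoRun for that drive type.
# Windows XP's default is 0x91 (unknown | remote | reserved).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "remote",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

KEY_RE = re.compile(r"^\[(.+)\]\*?$")               # "[HKEY_...\policies]*" -> key path
VALUE_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")      # "Name = value"
BYTES_RE = re.compile(r"\(\s*((?:\d+\s*){1,4})\)")   # WinPFind's "( 181 0 0 0 )" rendering


def dword_from_winpfind(text):
    """Parse WinPFind's '( b0 b1 b2 b3 )' byte list as a little-endian DWORD."""
    m = BYTES_RE.search(text)
    if not m:
        raise ValueError("no byte list in %r" % text)
    raw = bytes(int(b) for b in m.group(1).split())
    return int.from_bytes(raw.ljust(4, b"\0"), "little")


def decode_no_drive_type_autorun(value):
    """Drive types whose AutoRun this NoDriveTypeAutoRun mask disables."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def decode_no_drive_autorun(value):
    """NoDriveAutoRun: bit n disables AutoRun on drive letter A+n."""
    return {chr(ord("A") + n) for n in range(26) if value & (1 << n)}


def parse_sections(log):
    """Yield (key_path, {value_name: value_text}) for each [KEY] block."""
    key, values = None, {}
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            if key is not None:
                yield key, values
            key, values = km.group(1), {}
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            values[vm.group(1)] = vm.group(2)
    if key is not None:
        yield key, values


def audit_autorun(log):
    """Decode the AutoRun policy values under every policies\\Explorer key.

    Returns {(hive, value_name): decoded set}. When both hives set
    NoDriveTypeAutoRun, Windows honours the HKLM value.
    """
    out = {}
    for key, values in parse_sections(log):
        if not key.lower().endswith("\\policies\\explorer"):
            continue
        hive = key.split("\\", 1)[0]
        if "NoDriveTypeAutoRun" in values:
            v = dword_from_winpfind(values["NoDriveTypeAutoRun"])
            out[(hive, "NoDriveTypeAutoRun")] = decode_no_drive_type_autorun(v)
        if "NoDriveAutoRun" in values:
            v = dword_from_winpfind(values["NoDriveAutoRun"])
            out[(hive, "NoDriveAutoRun")] = decode_no_drive_autorun(v)
    return out


ORPHAN_MARKERS = ("(File not found)", "CLSID not found!", "Key not found")


def find_orphans(log):
    """Lines whose CLSID or file WinPFind could not resolve. Usually leftovers of
    uninstalled software, but a loader entry (Winlogon, ShellExecuteHooks, BHO)
    that points at a missing file is worth checking before it is dismissed."""
    return [line.strip() for line in log.splitlines()
            if any(m in line for m in ORPHAN_MARKERS)]


# Constructed from the policy and Winlogon lines in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
ConfirmFileDelete = 0
NoDriveTypeAutoRun = ( 181 0 0 0 ) -
NoRecentDocsHistory = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = ( 149 0 0 0 ) -
NoDriveAutoRun = ( 52 0 0 0 ) - 4
CDRAutoRun = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
"""

if __name__ == "__main__":
    for (hive, name), decoded in sorted(audit_autorun(SAMPLE_LOG).items()):
        print("%-18s %-19s disables AutoRun on: %s"
              % (hive, name, ", ".join(sorted(decoded))))
    for line in find_orphans(SAMPLE_LOG):
        print("unresolved:", line)
```

Run on the sample, the HKLM mask 181 (0xB5) decodes to unknown, removable, remote, cdrom and reserved, i.e. AutoRun is off for everything but fixed drives and RAM disks, while the HKCU mask 149 (0x95) leaves CD-ROM AutoRun on; NoDriveAutoRun 52 (0x34) switches AutoRun off on drives C, E and F. A policy that is stricter than the default is a hardening step, not an infection indicator; the reverse (the value missing or lowered to 0) on a machine that used to have it is what to look for.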
Andeee
Junior Member with 22 posts.
Join Date: Mar 2007
Experience: Advanced
03-Apr-2007, 12:41 PM #27

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}]
- NBShellHook Class ( HKLM = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\PowerISO]
@ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning]
@ = {45AC2688-0253-4ED8-97DE-B5370FA7D48A} ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\PowerISO]
@ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\00nView]
@ = {1E9B04FB-F9E5-4718-997B-B8DA88302A48} ( HKLM = C:\WINDOWS\system32\nvshell.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\NvCplDesktopContext]
@ = {A70C977A-BF00-412C-90B7-034C51DA2439} ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}]
- NBShellHook Class ( HKLM = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
@ = {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} ( HKLM = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\PowerISO]
@ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning]
@ = {45AC2688-0253-4ED8-97DE-B5370FA7D48A} ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{04DAAD08-70EF-450E-834A-DCFAF9B48748}]
- Reg Data - Value does not exist ( HKLM = C:\Program Files\FolderSize\FolderSizeColumn.dll (Brio) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}]
- NeroDigitalColumnHandler Class ( HKLM = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}]
- Reg Data - Value does not exist ( HKLM = C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Alcohol Search =
SV1 =

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AC5BC7-17CC-41AF-A35D-B8464671D970}]
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{219D91A8-509B-4D10-AE80-AEB783FEE085}] ( 1394 Net Adapter )
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{789F4325-0086-43F7-8413-77F688EDEBBA}] ( PRISM 802.11g Wireless Adapter (3890) )
DefaultGateway =
DhcpIPAddress = 192.168.178.21
DhcpServer = 192.168.178.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9A5D13AE-72BF-401D-9DFF-14AC23821F49}] ( Realtek RTL8139 Family PCI Fast Ethernet NIC )
DefaultGateway =
DhcpDefaultGateway = 192.168.178.1;
DhcpIPAddress = 192.168.178.20
DhcpNameServer = 192.168.178.1
DhcpServer = 192.168.178.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\copernicagent]
CLSID = {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - ( HKLM C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\copernicagentcache]
CLSID = {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - ( HKLM C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com]
CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - ( HKLM C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) )

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}\DownloadInformation]
CODEBASE = http://www.kaspersky.com/kos/eng/par...an_unicode.cab
INF = C:\WINDOWS\Downloaded Program Files\kavwebscan.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\DownloadInformation]
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab
INF = C:\WINDOWS\Downloaded Program Files\asinst.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
INF =

Files Created Within 30 Days

C:\Documents and Settings\Mr. Poo\My Documents\backup.reg [Ver = | Size = 940 bytes | Created Date = 23/03/2007 20:33:38 | Attr = ]
C:\Documents and Settings\Mr. Poo\My Documents\MUDiplomav2.pdf [Ver = | Size = 427063 bytes | Created Date = 21/03/2007 23:32:30 | Attr = ]
C:\Documents and Settings\Mr. Poo\My Documents\reportkaspersky.html [Ver = | Size = 51670 bytes | Created Date = 28/03/2007 07:36:14 | Attr = ]
C:\Documents and Settings\All Users\Desktop\AntiVir PE Classic.lnk [Ver = | Size = 1777 bytes | Created Date = 24/03/2007 22:07:24 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\A History Of Greek Philosophy Vol I From The Earliest Period To The Time Of Socrates - Eduard Zeller.djvu [Ver = | Size = 14269534 bytes | Created Date = 20/03/2007 02:27:28 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\ATF-Cleaner.exe Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 26/03/2007 01:12:25 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\avenger.exe [Ver = | Size = 130048 bytes | Created Date = 27/03/2007 20:00:36 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\avenger.zip [Ver = | Size = 127378 bytes | Created Date = 27/03/2007 20:00:22 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\avgas-setup-7.5.0.50.exe [Ver = | Size = 6469352 bytes | Created Date = 26/03/2007 01:14:28 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\blbeta.exe F-Secure Corporation [Ver = 2, 2, 1055, 0 | Size = 899960 bytes | Created Date = 28/03/2007 09:44:48 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\catchme.exe [Ver = | Size = 28672 bytes | Created Date = 25/03/2007 10:14:05 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\DJVUCNTL_61_EN.EXE Lizardtech [Ver = 6.1.0 | Size = 6910136 bytes | Created Date = 26/03/2007 11:39:39 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\ffdshow-20051115.exe [Ver = | Size = 2906319 bytes | Created Date = 28/03/2007 14:16:03 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\kaspersky.report.html [Ver = | Size = 51670 bytes | Created Date = 28/03/2007 08:31:49 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\Mega MP3splitter.exe [Ver = | Size = 556032 bytes | Created Date = 29/03/2007 07:14:45 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\mkvinst_b99.exe [Ver = | Size = 1239813 bytes | Created Date = 28/03/2007 14:15:52 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Created Date = 24/03/2007 23:32:10 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\SDFix.exe [Ver = | Size = 699657 bytes | Created Date = 26/03/2007 19:16:48 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\Search.zip [Ver = | Size = 260 bytes | Created Date = 29/03/2007 07:06:33 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\VundoFix.exe Atribune.org [Ver = 6.03.0018 | Size = 96768 bytes | Created Date = 25/03/2007 19:00:23 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Created Date = 02/04/2007 23:37:44 | Attr = ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12011 | Size = 565311 bytes | Created Date = 25/03/2007 10:14:28 | Attr = ]
C:\WINDOWS\gmer.exe [Ver = 1, 0, 12, 12011 | Size = 573440 bytes | Created Date = 25/03/2007 10:14:28 | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Created Date = 25/03/2007 10:14:30 | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Created Date = 25/03/2007 10:14:28 | Attr = ]
C:\WINDOWS\System32\Help.ico [Ver = | Size = 1406 bytes | Created Date = 26/03/2007 08:21:44 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Created Date = 25/03/2007 22:10:23 | Attr = ]
C:\WINDOWS\System32\javacpl.cpl Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 69632 bytes | Created Date = 25/03/2007 22:10:23 | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Created Date = 25/03/2007 22:10:23 | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 139264 bytes | Created Date = 25/03/2007 22:10:23 | Attr = ]
C:\WINDOWS\System32\pavas.ico [Ver = | Size = 30590 bytes | Created Date = 26/03/2007 08:21:43 | Attr = ]
C:\WINDOWS\System32\tmp.reg [Ver = | Size = 1122 bytes | Created Date = 24/03/2007 23:39:38 | Attr = ]
C:\WINDOWS\System32\Uninstall.ico [Ver = | Size = 2550 bytes | Created Date = 26/03/2007 08:21:44 | Attr = ]
C:\WINDOWS\System32\drivers\avgntdd.sys AVIRA GmbH [Ver = 6.37.00.02 | Size = 34304 bytes | Created Date = 24/03/2007 22:07:14 | Attr = ]
C:\WINDOWS\System32\drivers\avgntmgr.sys AVIRA GmbH [Ver = 6.37.01.01 | Size = 14848 bytes | Created Date = 24/03/2007 22:07:14 | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3721 | Size = 68961 bytes | Created Date = 25/03/2007 10:14:28 | Attr = ]
C:\WINDOWS\System32\drivers\nmejbml^.sys [Ver = | Size = 60416 bytes | Created Date = 28/03/2007 09:00:01 | Attr = ]

Files Modified Within 30 Days

C:\boot.ini [Ver = | Size = 226 bytes | Modified Date = 28/03/2007 13:22:30 | Attr = RHS]
C:\Documents and Settings\Mr. Poo\My Documents\backup.reg [Ver = | Size = 940 bytes | Modified Date = 23/03/2007 21:33:40 | Attr = ]
C:\Documents and Settings\Mr. Poo\My Documents\MUDiplomav2.pdf [Ver = | Size = 427063 bytes | Modified Date = 22/03/2007 00:32:32 | Attr = ]
C:\Documents and Settings\Mr. Poo\My Documents\reportkaspersky.html [Ver = | Size = 51670 bytes | Modified Date = 28/03/2007 08:36:16 | Attr = ]
C:\Documents and Settings\All Users\Desktop\AntiVir PE Classic.lnk [Ver = | Size = 1777 bytes | Modified Date = 24/03/2007 23:07:26 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\A History Of Greek Philosophy Vol I From The Earliest Period To The Time Of Socrates - Eduard Zeller.djvu [Ver = | Size = 14269534 bytes | Modified Date = 20/03/2007 03:27:28 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\ATF-Cleaner.exe Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Modified Date = 26/03/2007 02:12:20 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\avenger.zip [Ver = | Size = 127378 bytes | Modified Date = 27/03/2007 21:00:18 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\avgas-setup-7.5.0.50.exe [Ver = | Size = 6469352 bytes | Modified Date = 26/03/2007 02:14:36 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\blbeta.exe F-Secure Corporation [Ver = 2, 2, 1055, 0 | Size = 899960 bytes | Modified Date = 28/03/2007 10:44:42 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\catchme.exe [Ver = | Size = 28672 bytes | Modified Date = 25/03/2007 11:14:00 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\DJVUCNTL_61_EN.EXE Lizardtech [Ver = 6.1.0 | Size = 6910136 bytes | Modified Date = 26/03/2007 12:41:40 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\ffdshow-20051115.exe [Ver = | Size = 2906319 bytes | Modified Date = 28/03/2007 15:16:30 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\kaspersky.report.html [Ver = | Size = 51670 bytes | Modified Date = 28/03/2007 09:31:50 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\mkvinst_b99.exe [Ver = | Size = 1239813 bytes | Modified Date = 28/03/2007 15:15:50 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\SDFix.exe [Ver = | Size = 699657 bytes | Modified Date = 26/03/2007 20:16:34 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\Search.zip [Ver = | Size = 260 bytes | Modified Date = 29/03/2007 08:06:20 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\VundoFix.exe Atribune.org [Ver = 6.03.0018 | Size = 96768 bytes | Modified Date = 28/03/2007 10:34:08 | Attr = ]
C:\Documents and Settings\Mr. Poo\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Modified Date = 03/04/2007 00:37:30 | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 03/04/2007 00:41:08 | Attr = S]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12011 | Size = 565311 bytes | Modified Date = 25/03/2007 11:14:30 | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Modified Date = 26/03/2007 09:47:30 | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Modified Date = 25/03/2007 11:14:30 | Attr = ]
C:\WINDOWS\NeroDigital.ini [Ver = | Size = 116 bytes | Modified Date = 29/03/2007 20:43:48 | Attr = ]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Modified Date = 28/03/2007 10:54:42 | Attr = H ]
C:\WINDOWS\System32\Help.ico [Ver = | Size = 1406 bytes | Modified Date = 28/03/2007 11:43:34 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Modified Date = 25/03/2007 23:09:48 | Attr = ]
C:\WINDOWS\System32\javacpl.cpl Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 69632 bytes | Modified Date = 25/03/2007 23:09:48 | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 135168 bytes | Modified Date = 25/03/2007 23:09:48 | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 6.0.0.105 | Size = 139264 bytes | Modified Date = 25/03/2007 23:09:48 | Attr = ]
C:\WINDOWS\System32\NvApps.xml [Ver = | Size = 0 bytes | Modified Date = 02/04/2007 20:53:44 | Attr = ]
C:\WINDOWS\System32\pavas.ico [Ver = | Size = 30590 bytes | Modified Date = 28/03/2007 11:43:34 | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 61272 bytes | Modified Date = 02/04/2007 20:59:18 | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 398792 bytes | Modified Date = 02/04/2007 20:59:18 | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 466868 bytes | Modified Date = 02/04/2007 20:59:18 | Attr = ]
C:\WINDOWS\System32\tmp.reg [Ver = | Size = 1122 bytes | Modified Date = 25/03/2007 01:08:50 | Attr = ]
C:\WINDOWS\System32\Uninstall.ico [Ver = | Size = 2550 bytes | Modified Date = 28/03/2007 11:43:34 | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 30/03/2007 10:28:36 | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3721 | Size = 68961 bytes | Modified Date = 25/03/2007 11:14:30 | Attr = ]
C:\WINDOWS\System32\drivers\nmejbml^.sys [Ver = | Size = 60416 bytes | Modified Date = 28/03/2007 10:00:02 | Attr = ]

File String Scan (Non-Microsoft Only)
[UPX! , ]C:\Bios.exe ()
File scan skipped for file C:\Child_dev.ISO. File size too big (2102853632 bytes)
@Alternate Data Stream - C:\Documents and Settings\Mr. Poo\Application Data\desktop.ini:KAVICHS (36 bytes)
[UPX! , ]C:\Documents and Settings\Mr. Poo\My Documents\EOSDRXT350DIM-EN.pdf ()
[UPX! , UPX0 , ]C:\Documents and Settings\Mr. Poo\Desktop\ATF-Cleaner.exe (Atribune.org)
[UPX! , UPX0 , ]C:\Documents and Settings\Mr. Poo\Desktop\ffdshow-20051115.exe ()
[KavSvc , ]C:\Documents and Settings\Mr. Poo\Desktop\hijackthis.again.log ()
[UPX! , UPX0 , ]C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe (Soeperman Enterprises Ltd.)
[PEC2 , PECompact2 , ]C:\Documents and Settings\Mr. Poo\Desktop\VundoFix.exe (Atribune.org)
@Alternate Data Stream - C:\WINDOWS\Disktool.INI:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\fwupgrade.ini:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\GenAmvTool.INI:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\PCGWIN32.LI4:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\RunUnDrv.exe:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\SoundCon.INI:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\TPPALDR.EXE:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\TPPNTTRY.EXE:KAVICHS (100 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\$winnt$.inf:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\12520437.cpx:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\12520850.cpx:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\34CoInstaller.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\a3d.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\ac3filter.ax:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\ac3filter.cpl:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\acelpdec.ax:KAVICHS (36 bytes)
[WSUD , ]C:\WINDOWS\System32\alsndmgr.cpl (Realtek Semiconductor Corp.)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
@Alternate Data Stream - C:\WINDOWS\System32\dmserver.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\geo.nls:KAVICHS (36 bytes)
[PTech , ]C:\WINDOWS\System32\LegitCheckControl.dll (Microsoft Corporation)
[PTech , ]C:\WINDOWS\System32\mtlstrm.vxd ()
@Alternate Data Stream - C:\WINDOWS\System32\nvcpl.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\nvshell.dll:KAVICHS (36 bytes)
[Thawte Consulting , ]C:\WINDOWS\System32\pxcpya64.exe (Sonic Solutions)
[Thawte Consulting , ]C:\WINDOWS\System32\pxinsa64.exe (Sonic Solutions)
[Thawte Consulting , ]C:\WINDOWS\System32\pxinsi64.exe (Sonic Solutions)
@Alternate Data Stream - C:\WINDOWS\System32\rasctrnm.h:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\SHELLLNK.TLB:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\SLGen.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\drivers\alcxwdm.sys:KAVICHS (68 bytes)

< End of report >
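The report above is the kind of listing a helper reads by eye: vendor and version strings, a driver with neither, packer markers such as UPX! and PEC2, and dozens of KAVICHS alternate data streams. As an added example (not part of the thread and not WinPFind's own logic), the script below parses those three line shapes and applies the checks a reviewer would make: KAVICHS is the stream Kaspersky Anti-Virus attaches to files it has scanned, so those are expected; a packer string inside a .pdf or .msc is a text coincidence, not a packed executable; a packed executable with no vendor, or a driver with no version and no vendor, is worth a second look. The severities, the benign-stream set and the PE extension list are this example's assumptions. The sample lines are copied from the report, plus one constructed ADS line marked in the code.

```python
"""Triage of WinPFind-style report lines (added example, not from the thread).

The regexes target the line shapes in the report above; the heuristics are
this example's own assumptions, not WinPFind's logic. Sample lines are copied
from the report, plus one constructed ADS line marked below.
"""
import re
from typing import List, Tuple

# Streams that legitimate software attaches to otherwise clean files.
# KAVICHS is written by Kaspersky Anti-Virus to record scan state;
# Zone.Identifier is the Internet Explorer download mark.
BENIGN_STREAMS = {"KAVICHS", "Zone.Identifier"}
# Extensions that should actually contain PE code; a packer string inside a
# .pdf or .msc is a plain-text coincidence, not a packed executable.
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "ax", "drv"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._\-$~ ]+$")

FILE_RE = re.compile(
    r"^(?P<path>[A-Z]:\\.*?\.[A-Za-z0-9^$~]{1,4})(?: (?P<vendor>.*?))?"
    r" \[Ver = ?(?P<ver>[^|]*?) ?\| Size = (?P<size>\d+) bytes \| "
    r"Modified Date = (?P<date>.*?) ?\| Attr = ?(?P<attr>[^\]]*)\]$"
)
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<path>.+):(?P<stream>[^:\\]+) \((?P<size>\d+) bytes\)$"
)
PACK_RE = re.compile(r"^\[(?P<markers>[^\]]*)\](?P<path>.+?) \((?P<vendor>[^)]*)\)$")

Finding = Tuple[str, str]  # (severity, message)


def triage_line(line: str) -> List[Finding]:
    """Return findings for one report line; an empty list means nothing odd."""
    m = ADS_RE.match(line)
    if m:
        if m["stream"] in BENIGN_STREAMS:
            return []
        return [("high", f"unexpected alternate data stream {m['stream']} on {m['path']}")]

    m = PACK_RE.match(line)
    if m:
        markers = [t.strip() for t in m["markers"].split(",") if t.strip()]
        ext = m["path"].rsplit(".", 1)[-1].lower()
        if ext not in PE_EXTENSIONS:
            return [("info", f"string hit {markers} in non-PE file {m['path']} (likely false positive)")]
        if not m["vendor"]:
            return [("medium", f"packed ({', '.join(markers)}) executable with no vendor: {m['path']}")]
        return []  # packed but from a named vendor: ATF-Cleaner and VundoFix are packed legitimately

    m = FILE_RE.match(line)
    if m:
        findings: List[Finding] = []
        name = m["path"].rsplit("\\", 1)[-1]
        if not SAFE_NAME.match(name):
            findings.append(("high", f"unusual character in file name: {m['path']}"))
        if "\\drivers\\" in m["path"].lower() and not m["ver"] and not m["vendor"]:
            findings.append(("high", f"driver with no version or vendor info: {m['path']}"))
        return findings
    return []


def triage_report(text: str) -> List[Finding]:
    out: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


SAMPLE = r"""
C:\Documents and Settings\Mr. Poo\Desktop\VundoFix.exe Atribune.org [Ver = 6.03.0018 | Size = 96768 bytes | Modified Date = 28/03/2007 10:34:08 | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3721 | Size = 68961 bytes | Modified Date = 25/03/2007 11:14:30 | Attr = ]
C:\WINDOWS\System32\drivers\nmejbml^.sys [Ver = | Size = 60416 bytes | Modified Date = 28/03/2007 10:00:02 | Attr = ]
[UPX! , ]C:\Bios.exe ()
[UPX! , ]C:\Documents and Settings\Mr. Poo\My Documents\EOSDRXT350DIM-EN.pdf ()
[UPX! , UPX0 , ]C:\Documents and Settings\Mr. Poo\Desktop\ATF-Cleaner.exe (Atribune.org)
@Alternate Data Stream - C:\WINDOWS\System32\nvcpl.dll:KAVICHS (36 bytes)
@Alternate Data Stream - C:\WINDOWS\System32\example.dll:hidden.bin (4096 bytes)
"""
# The last ADS line above is constructed for the example; the rest are from the report.

if __name__ == "__main__":
    for severity, message in triage_report(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the sample it flags nmejbml^.sys twice (the caret in the name and the missing version and vendor), Bios.exe once, the PDF as an informational false positive, and the constructed hidden.bin stream; gmer.sys, VundoFix.exe, ATF-Cleaner.exe and the KAVICHS stream pass. The path regex relies on an extension following the last dot, which is why "Mr. Poo" inside a path does not confuse it, but a vendor string that itself looks like a dotted file name would.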
JSntgRvr's Avatar
Moderator with 15,144 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
03-Apr-2007, 02:46 PM #28
Hi, Andeee

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous. As a precaution, we will make a backup of the registry first.

Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing. Please follow the steps that are listed below EXACTLY. If you cannot perform some of these steps, or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  1. Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked
  6. Press OK
  7. Press YES to create the folder.
Registry Modifications

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, open the folder and double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer.

There is a file on your computer that is huge, 2 gigabytes, C:\Child_dev.ISO. Looks like a CD-ROM image file. Do you recognize this file?

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\System32\drivers\nmejbml^.sys
  • Click on the submit button
  • Please post the results in your next reply.
__________________
If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions.
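Before uploading a suspect driver to a multi-engine scanner, a practitioner hashes it (so it can be looked up later, and compared with the copy a tool quarantines) and reads its PE header for the facts worth checking first: section names, packer traces, whether it was built as a native-subsystem image like a kernel driver, and the linker time stamp. The script below is an added example, not the thread's own step or any tool from the thread. It builds a constructed minimal PE image in memory so it runs offline; on a real system you would call triage_file() on the path. The packer section-name table, the "empty section on disk" heuristic and the IMAGE_SUBSYSTEM_NATIVE check are this example's assumptions about what to look at, not a verdict on the file in the thread.

```python
"""Offline pre-submission triage of a suspect PE file (added example, not the
thread's own step; the thread uploads the file to Jotti). Hashes the buffer so
it can be looked up without uploading, and reads the PE header for the facts a
reviewer checks first: section names, packer hints, subsystem, build stamp.
The packer section-name table and thresholds are this example's assumptions.
"""
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Section names left behind by common packers (example table, not exhaustive).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".aspack": "ASPack", ".adata": "ASPack"}
IMAGE_SUBSYSTEM_NATIVE = 1  # kernel drivers are built with this subsystem


def is_pe(data: bytes) -> bool:
    """True when the buffer carries a DOS stub that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_pe(data: bytes) -> Dict:
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # Subsystem is a WORD at offset 68 of both the PE32 and PE32+ optional header.
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0] if opt_size >= 70 else None
    sections: List[Dict] = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes; keep name, sizes and flags.
        name, vsize, _, raw_size, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "subsystem": subsystem, "sections": sections}


def triage_bytes(data: bytes) -> Dict:
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    packers = sorted({PACKER_SECTIONS[n] for n in names if n in PACKER_SECTIONS})
    # Packed images usually carry a section with no data on disk but a large
    # in-memory size: the stub unpacks into it at run time (heuristic).
    hollow = any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in pe["sections"])
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "compiled": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
        "is_native_driver": pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE,
        "sections": names,
        "packers": packers,
        "looks_packed": bool(packers) or hollow,
    }


def triage_file(path: str) -> Dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_sample_pe(section_names: List[str], subsystem: int = IMAGE_SUBSYSTEM_NATIVE,
                    timestamp: int = 1174780800) -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real driver)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew -> 64
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic = PE32
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, len(opt), 0x0102)
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if name == "UPX0" else 0x1000  # UPX0 is the classic empty-on-disk section
        secs += struct.pack("<8sIIIIIIHHI", name.encode(), 0x8000, 0x1000 * (i + 1),
                            raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in triage_bytes(build_sample_pe(["UPX0", "UPX1", ".rsrc"])).items():
        print(f"{key}: {value}")
```

A packed native-subsystem image with no version resource is exactly the profile that deserves a multi-engine scan; a packed user-mode tool from a named vendor (the log above lists ATF-Cleaner and VundoFix that way) is not by itself suspicious. Note that is_pe() rejects a PDF or .msc outright, which is why a string scan hit in such files says nothing about packing.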
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
 
Join Date: Mar 2007
Experience: Advanced
04-Apr-2007, 09:40 AM #29
OK, here are the results.

and c:\child_dev.iso is an image file I made which is waiting to be burned. It's OK.


Scanner results
Scan taken on 04 Apr 2007 13:37:12 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Backdoor.AHIA

F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
JSntgRvr's Avatar
Moderator with 15,144 posts.
 
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
04-Apr-2007, 01:58 PM #30
Hi, Andeee

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\System32\drivers\nmejbml^.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of the Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
THIS THREAD HAS EXPIRED.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.