There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
audio avg avg 8 backup bios boot browser bsod computer cpu crash css desktop driver dvd email error excel explorer firefox firefox 3 freeze game graphics hard drive hardware help please hijackthis hjt install internet internet explorer itunes javascript keyboard lan laptop malware missing monitor msn network networking openoffice outlook outlook 2003 outlook express php popups problem router screen seo slow sound sp3 spyware trojan usb video virtumonde virus vista vundo windows windows vista windows xp wireless word youtube
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: cmds and MS Juan


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Page 1 of 2 1 2 >
 
Thread Tools
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
02-Apr-2008, 04:35 PM #1
Solved: cmds and MS Juan
Hi guys,

I'd be eternally grateful if you could help me in any way!

OS: Windows Vista
Machine: Acer Aspire 5715Z laptop

Unfortunately a family member used my machine, and since then the machine has become infected with a virus (or two...). They used Firefox, and downloaded some software that they subsequently deleted, so I can't be sure what it was.

Symptoms:

Open an IE window > extra tabs are opened with a random IP address in the address bar (all beginning 8).
Try to close IE > other IE windows are spawned.
Open Windows Explorer > Task bar disappears and Windows Explorer immediately closes

The symptoms can be temporarily relieved by disabling the processes in the Startup tab of MSConfig (named cmds and BM1fa22c55), and deleting the Registry entries at HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run. The virus is creating a couple of obvious dlls in the following locations (although I know next to nothing about dlls/viruses etc.!):

Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s
rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c

I cannot delete the files as I get the old "the file is open in another program". When deleted from the registry, the two main culprit dlls reappear immediately. I've seen the name "MS Juan" in the registry, and also in autoruns/processexplorer - is this the actual virus? Lavasoft Ad Aware SE Personal reported a total of 5 other viruses/trojans that I marked to be removed. Spybot came back clean.

I ran HijackThis, and the resultant log is pasted below. The machine is relatively new so fortunately only has bits of other software installed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:29, on 02/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\ProcessExplorer\procexp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot -

Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05

\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c
O4 - HKCU\..\Run: [BM1fa22c55] Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK

SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12

\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2

\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1

\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12

\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search

& Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-

58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007

\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program

Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard

Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program

Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe

-
End of file - 5429 bytes


I've bolded the suspect registry entries. Please just holler if you need any more information.

I'm a software developer so kind of know my way around the machine... Just rubbish at this security stuff, obviously!

I appreciate any time and effort you can spare me.

Thanks,

Emily.
JSntgRvr's Avatar
Distinguished Member with 14,228 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
02-Apr-2008, 07:45 PM #2
Hi, emilioh

Welcome!

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c
O4 - HKCU\..\Run: [BM1fa22c55] Rundll32.exe C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Quote:
    C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll
    C:\Users\Emily\AppData\Local\Temp\myqxuect.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  1. Scroll down and click the [Manage Attachments] button
  2. Browse to the following folder:
    • C:\Deckard\System Scanner
  3. Click Upload to upload these files one by one
  4. Submit your reply
__________________
Sometimes I think I understand everything,
then I regain consciousness.



If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions. For further help, please send me a Private Message. This applies only to the original thread starter. Everyone else please begin a New Thread.
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
03-Apr-2008, 01:07 PM #3
cmds and MS Juan update
Hi JSntgRvr,

Thanks for your lightening fast reply!

The results of the OTMoveIt2 process are below:


*********************** OTMoveIt2 ***********************

DllUnregisterServer procedure not found in C:\Users\Emily\AppData\Local\Temp\vksqgvis.dll
C:\Users\Emily\AppData\Local\Temp\vksqgvis.dll NOT unregistered.
C:\Users\Emily\AppData\Local\Temp\vksqgvis.dll moved successfully.
DllUnregisterServer procedure not found in C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll
C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll NOT unregistered.
File move failed. C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Users\Emily\AppData\Local\Temp\myqxuect.dll
C:\Users\Emily\AppData\Local\Temp\myqxuect.dll NOT unregistered.
C:\Users\Emily\AppData\Local\Temp\myqxuect.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04032008_174707

**********************************************************

The DSS log files are attached.

I've noticed that the following dll has survived:

C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll

Where do I go from here?

Thanks for your continuing help!

Em.
Attached Files
File Type: txt main.txt (18.5 KB, 80 views)
File Type: txt extra.txt (19.9 KB, 227 views)
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
03-Apr-2008, 02:52 PM #4
Hmmm, suspicious...
... Hi again.

Not sure if it's any use to you, but I've just been having a poke about in ProcessExplorer, and the rogue dll has the following Path in the Environment tab:

C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\IDM Computer Solutions\UltraEdit\

Now, the aforementioned family member downloaded and installed UltraEdit - Although I have no clue from where...? Would uninstalling UltraEdit help to iradicate the virus?

Thanks again for your help!

Em.
JSntgRvr's Avatar
Distinguished Member with 14,228 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
03-Apr-2008, 07:01 PM #5
Hi, emilioh

UltraEdit should be a trial version. You can removed it, but there is no relation between its installation and the malware that was found in your computer.

The visible malware was removed. Only registry entries remain. You must disable the Real time protection offered by Windows Defender and Spybot Search and Destroy, as they may hinder the removal of these entries.

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]
WINDOWS DEFENDER
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings > Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Click Save.
  • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
  • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

Perform Disk Cleanup:
  1. Click Start, and then click Computer.
  2. Right-click the drive you want to clean (C: ), and then click Properties. On the Properties dialog, click Disk Cleanup.
  3. Click Files From All Users On This Computer.
  4. On the Disk Cleanup tab, select the files to delete (All temporary files), and then click OK.
Check if the file C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll survives the Cleanup. Present or not, complete the following process.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a Hijackthis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Attached Files
File Type: zip Regfix.zip (260 Bytes, 17 views)
__________________
Sometimes I think I understand everything,
then I regain consciousness.



If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions. For further help, please send me a Private Message. This applies only to the original thread starter. Everyone else please begin a New Thread.
Last edited by JSntgRvr : 03-Apr-2008 07:06 PM.
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
04-Apr-2008, 01:50 AM #6
cmds and MS Juan progress...
Hi JSntgRvr,

Thanks for your continuing help!

OK, I've followed your instructions (although TeaTimer didn't appear in System Startup). When I rebooted I get a message to say the troublesome dll couldn't be found... Progress?! The MBAM log is below.

********************** MBAM log *******************************

Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Quick Scan
Objects scanned: 27358
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Emily\Local Settings\Temporary Internet Files\Content.IE5\KYXFWFW4\ptch[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll (Trojan.Agent) -> Delete on reboot.

*******************************************************


cmds still exists in Startup in MSConfig, but seems to have disappeared from Sysinternals ProcessExplorer... Anything else I can do?

Thank you, thank you, thank you!

Em.
JSntgRvr's Avatar
Distinguished Member with 14,228 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
04-Apr-2008, 11:51 AM #7
Hi, emilioh

Let me see a fresh Hijackthis log and a DSS repoprt.
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
04-Apr-2008, 02:47 PM #8
cmds and MS Juan dying... Wha ha ha!
Good evening!

At the risk of sounding like a broken record, thank you again for your help!

Logs:

************************** HJT **************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:29, on 04/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5069 bytes

*********************************************************


************************** DSS **************************

Deckard's System Scanner v20071014.68
Run by Emily on 2008-04-04 19:34:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Emily.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:48, on 04/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\Emily\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Emily.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5086 bytes

-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-04-04 06:36:43 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-04 06:36:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:19:43 0 d-------- C:\Program Files\Trend Micro
2008-03-30 12:25:50 0 d-------- C:\Program Files\7-Zip
2008-03-30 12:15:23 0 d-------- C:\Program Files\uTorrent
2008-03-30 11:37:43 0 d-------- C:\Program Files\Paint.NET
2008-03-30 11:36:16 0 d-------- C:\ProcessExplorer
2008-03-30 11:29:11 0 d-------- C:\Autoruns
2008-03-30 11:23:14 0 d-a------ C:\Users\All Users\TEMP
2008-03-30 11:22:51 0 d-------- C:\Program Files\SpywareBlaster
2008-03-29 20:28:58 0 d-------- C:\Program Files\ClipX
2008-03-20 22:02:32 0 d-------- C:\Program Files\Google
2008-03-20 22:02:21 0 d-------- C:\Program Files\Picasa2
2008-03-17 11:05:51 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-17 10:44:49 0 d-------- C:\Program Files\Java
2008-03-17 10:43:53 0 d-------- C:\Program Files\Common Files\Java
2008-03-17 10:14:17 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 10:14:06 0 d-------- C:\Program Files\Windows Live
2008-03-17 10:13:38 0 d-------- C:\Users\All Users\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-04-04 06:37:03 0 d-------- C:\Users\Emily\AppData\Roaming\Malwarebytes
2008-04-01 21:35:47 174 --ahs---- C:\Program Files\desktop.ini
2008-04-01 21:33:30 0 d-------- C:\Program Files\Windows Calendar
2008-04-01 21:33:26 0 d-------- C:\Program Files\Windows Mail
2008-03-30 12:33:39 0 d-------- C:\Users\Emily\AppData\Roaming\uTorrent
2008-03-30 12:28:22 0 d-------- C:\Users\Emily\AppData\Roaming\IDMComp
2008-03-19 10:28:25 0 d-------- C:\Users\Emily\AppData\Roaming\Adobe
2008-03-17 10:43:53 0 d-------- C:\Program Files\Common Files
2008-02-26 21:13:03 0 d-------- C:\Program Files\Opera
2008-02-15 22:27:11 0 d-------- C:\Program Files\Windows Sidebar
2008-02-15 22:11:34 0 d-------- C:\Program Files\Lavasoft
2008-02-15 22:11:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 21:57:37 0 d-------- C:\Program Files\MSXML 4.0
2008-02-15 21:52:03 0 d-------- C:\Program Files\Acer GameZone
2008-02-15 21:51:51 0 d-------- C:\Program Files\Yahoo!
2008-02-15 21:40:44 0 d-------- C:\Program Files\Norton Internet Security
2008-02-15 21:15:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-15 21:03:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-15 20:50:30 0 d-------- C:\Users\Emily\AppData\Roaming\Opera
2008-02-15 20:47:50 0 --a------ C:\Windows\nsreg.dat
2008-02-15 20:47:47 0 d-------- C:\Users\Emily\AppData\Roaming\Mozilla
2008-02-15 20:39:48 0 d-------- C:\Program Files\Common Files\Motive
2008-02-15 20:38:54 0 d-------- C:\Program Files\BroadJump
2008-02-15 20:19:20 0 d-------- C:\Users\Emily\AppData\Roaming\Identities
2008-02-15 20:18:52 70104 --a------ C:\Windows\system32\GDIPFONTCACHEV1.DAT
2008-02-15 20:18:41 0 d-------- C:\Users\Emily\AppData\Roaming\Macromedia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [26/07/2007 03:13]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [26/04/2007 00:33]
"Acer Tour"="" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06/06/2007 09:06]
"eRecoveryService"="" []
"SetPanel"="C:\Acer\APanel\APanel.cmd" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 18:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"MSConfig"="C:\Windows\system32\msconfig.exe" [02/11/2006 10:45]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [01/04/2008 18:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [15/02/2008 21:59]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawser vice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInf o]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSv c]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tablet InputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Truste dInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr .sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr x.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5 B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1 FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D4817 9BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE 5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM1fa22c55]
Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-04 19:35:11 ------------

*********************************************************

Those two annoying dlls (myqxuect.dll and wvuSjgDW.dll) still have registry entries in the MSConfig Startupreg directory - how can I get rid of them please?!

Thank you and good night

Em.
Last edited by emilioh : 04-Apr-2008 02:51 PM. Reason: Correction
JSntgRvr's Avatar
Distinguished Member with 14,228 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
04-Apr-2008, 06:58 PM #9
Hi, emilioh

Please remove OTMoveit2 from your computer and download the latest version of OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM1fa22c55
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | MSConfig
C:\Users\Emily\AppData\Local\Temp\myqxuect.dll
C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll
C:\Windows\system32\msconfig.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply along with DSS report.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
__________________
Sometimes I think I understand everything,
then I regain consciousness.



If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions. For further help, please send me a Private Message. This applies only to the original thread starter. Everyone else please begin a New Thread.
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
05-Apr-2008, 05:37 AM #10
cmds and MS Juan - Latest logs
Good morning!

Latest logs are below - it looks like the MoveIt2 process didn't manage to shift the registry entries... Any more ideas?

************************************* OT2 *************************************

File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BM1fa22c55 not found.
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cmds not found.
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | MSConfig not found.
File/Folder C:\Users\Emily\AppData\Local\Temp\myqxuect.dll not found.
File/Folder C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll not found.
File move failed. C:\Windows\system32\msconfig.exe scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04052008_103009

Files moved on Reboot...
File move failed. C:\Windows\system32\msconfig.exe scheduled to be moved on reboot.

*************************************************************************** ****



************************************* DSS *************************************

Deckard's System Scanner v20071014.68
Run by Emily on 2008-04-05 10:32:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Emily.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:23, on 05/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Users\Emily\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Emily.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5178 bytes

-- Files created between 2008-03-05 and 2008-04-05 -----------------------------

2008-04-04 20:57:42 0 d-------- C:\Program Files\TextPad 5
2008-04-04 06:36:43 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-04 06:36:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:19:43 0 d-------- C:\Program Files\Trend Micro
2008-03-30 12:25:50 0 d-------- C:\Program Files\7-Zip
2008-03-30 12:15:23 0 d-------- C:\Program Files\uTorrent
2008-03-30 11:37:43 0 d-------- C:\Program Files\Paint.NET
2008-03-30 11:36:16 0 d-------- C:\ProcessExplorer
2008-03-30 11:29:11 0 d-------- C:\Autoruns
2008-03-30 11:23:14 0 d-a------ C:\Users\All Users\TEMP
2008-03-30 11:22:51 0 d-------- C:\Program Files\SpywareBlaster
2008-03-29 20:28:58 0 d-------- C:\Program Files\ClipX
2008-03-20 22:02:32 0 d-------- C:\Program Files\Google
2008-03-20 22:02:21 0 d-------- C:\Program Files\Picasa2
2008-03-17 11:05:51 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-17 10:44:49 0 d-------- C:\Program Files\Java
2008-03-17 10:43:53 0 d-------- C:\Program Files\Common Files\Java
2008-03-17 10:14:17 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 10:14:06 0 d-------- C:\Program Files\Windows Live
2008-03-17 10:13:38 0 d-------- C:\Users\All Users\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-04-04 21:14:52 0 d-------- C:\Users\Emily\AppData\Roaming\Helios
2008-04-04 06:37:03 0 d-------- C:\Users\Emily\AppData\Roaming\Malwarebytes
2008-04-01 21:35:47 174 --ahs---- C:\Program Files\desktop.ini
2008-04-01 21:33:30 0 d-------- C:\Program Files\Windows Calendar
2008-04-01 21:33:26 0 d-------- C:\Program Files\Windows Mail
2008-03-30 12:33:39 0 d-------- C:\Users\Emily\AppData\Roaming\uTorrent
2008-03-30 12:28:22 0 d-------- C:\Users\Emily\AppData\Roaming\IDMComp
2008-03-19 10:28:25 0 d-------- C:\Users\Emily\AppData\Roaming\Adobe
2008-03-17 10:43:53 0 d-------- C:\Program Files\Common Files
2008-02-26 21:13:03 0 d-------- C:\Program Files\Opera
2008-02-15 22:27:11 0 d-------- C:\Program Files\Windows Sidebar
2008-02-15 22:11:34 0 d-------- C:\Program Files\Lavasoft
2008-02-15 22:11:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 21:57:37 0 d-------- C:\Program Files\MSXML 4.0
2008-02-15 21:52:03 0 d-------- C:\Program Files\Acer GameZone
2008-02-15 21:51:51 0 d-------- C:\Program Files\Yahoo!
2008-02-15 21:40:44 0 d-------- C:\Program Files\Norton Internet Security
2008-02-15 21:15:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-15 21:03:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-15 20:50:30 0 d-------- C:\Users\Emily\AppData\Roaming\Opera
2008-02-15 20:47:50 0 --a------ C:\Windows\nsreg.dat
2008-02-15 20:47:47 0 d-------- C:\Users\Emily\AppData\Roaming\Mozilla
2008-02-15 20:39:48 0 d-------- C:\Program Files\Common Files\Motive
2008-02-15 20:38:54 0 d-------- C:\Program Files\BroadJump
2008-02-15 20:19:20 0 d-------- C:\Users\Emily\AppData\Roaming\Identities
2008-02-15 20:18:52 70104 --a------ C:\Windows\system32\GDIPFONTCACHEV1.DAT
2008-02-15 20:18:41 0 d-------- C:\Users\Emily\AppData\Roaming\Macromedia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [26/07/2007 03:13]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [26/04/2007 00:33]
"Acer Tour"="" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06/06/2007 09:06]
"eRecoveryService"="" []
"SetPanel"="C:\Acer\APanel\APanel.cmd" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 18:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"MSConfig"="C:\Windows\system32\msconfig.exe" [02/11/2006 10:45]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [01/04/2008 18:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [15/02/2008 21:59]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18/10/2007 12:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawser vice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInf o]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSv c]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tablet InputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Truste dInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr .sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr x.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5 B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1 FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D4817 9BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE 5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM1fa22c55]
Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-05 10:32:50 ------------


*************************************************************************** ****

Thanks for your continuing help!

Em
JSntgRvr's Avatar
Distinguished Member with 14,228 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
05-Apr-2008, 12:57 PM #11
Hi, emilioh

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
Sometimes I think I understand everything,
then I regain consciousness.



If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions. For further help, please send me a Private Message. This applies only to the original thread starter. Everyone else please begin a New Thread.
emilioh's Avatar
Computer Specs
Junior Member with 9 posts.
  
Join Date: Apr 2008
Experience: Intermediate
05-Apr-2008, 03:53 PM #12
cmds and MS Juan - Have we won...?
Hi JSntgRvr,

Hopefully this'll be the last time I have to pester you! Please find the logs below:

********************************** ComboFix **********************************

ComboFix 08-04-04.1 - Emily 2008-04-05 20:36:23.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1280 [GMT 1:00]
Running from: C:\Users\Emily\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-04 21:14 . 2008-04-04 21:14 <DIR> d-------- C:\Users\Emily\AppData\Roaming\Helios
2008-04-04 20:57 . 2008-04-04 20:57 <DIR> d-------- C:\Program Files\TextPad 5
2008-04-04 06:37 . 2008-04-04 06:37 <DIR> d-------- C:\Users\Emily\AppData\Roaming\Malwarebytes
2008-04-04 06:36 . 2008-04-04 06:36 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-04 06:36 . 2008-04-04 06:36 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-04 06:36 . 2008-04-04 06:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-03 17:51 . 2008-04-03 17:51 <DIR> d-------- C:\Deckard
2008-04-03 17:47 . 2008-04-03 17:47 <DIR> d-------- C:\_OTMoveIt
2008-04-01 22:19 . 2008-04-01 22:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-01 21:02 . 2008-01-10 06:50 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-04-01 20:57 . 2007-12-16 23:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-04-01 20:57 . 2007-12-16 10:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-03-30 12:28 . 2008-03-30 12:28 <DIR> d-------- C:\Users\Emily\AppData\Roaming\IDMComp
2008-03-30 12:25 . 2008-03-30 12:25 <DIR> d-------- C:\Program Files\7-Zip
2008-03-30 12:15 . 2008-03-30 12:33 <DIR> d-------- C:\Users\Emily\AppData\Roaming\uTorrent
2008-03-30 12:15 . 2008-03-30 12:15 <DIR> d-------- C:\Program Files\uTorrent
2008-03-30 11:37 . 2008-03-30 11:37 <DIR> d-------- C:\Program Files\Paint.NET
2008-03-30 11:36 . 2008-04-04 19:11 <DIR> d-------- C:\ProcessExplorer
2008-03-30 11:29 . 2008-03-30 11:35 <DIR> d-------- C:\Autoruns
2008-03-30 11:23 . 2008-04-05 20:34 <DIR> d-a------ C:\Users\All Users\TEMP
2008-03-30 11:23 . 2008-04-05 20:34 <DIR> d-a------ C:\ProgramData\TEMP
2008-03-30 11:22 . 2008-04-01 22:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-30 11:22 . 2005-08-25 18:19 115,920 --a------ C:\Windows\System32\MSINET.OCX
2008-03-29 20:28 . 2008-03-29 20:29 <DIR> d---