1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Google Links Redirect and Many Many other problems!!!!

Discussion in 'Virus & Other Malware Removal' started by AphexTwins, Jun 22, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Hello. I've been scanning like crazy with all sorts of stuff lately like AVG, SuperAntiSpyware, and other things. They keep coming up with things like Virtumonde, Smitfraud and countless other things and everytime I delete them, they come back. Also whenever I go to google and click a link it usually redirects me to a site like ebay. Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:54, on 2007-06-22
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\scchk32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\All Users\Application Data\pkforids.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O2 - BHO: (no name) - {EF885EBA-76E2-4D84-B094-C8B4E9492927} - C:\WINDOWS\system32\wvuturq.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pkforids.exe] "C:\Documents and Settings\All Users\Application Data\pkforids.exe"
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179799146341
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179799134498
    O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://config.hyosungcdn.com/download/hsloadset.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B68F42-EEE0-457E-8A95-34691AA43C0C}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B89B0B0F-A70F-44F4-A37E-BA72C60B7DAD}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
    O20 - Winlogon Notify: winqtd32 - winqtd32.dll (file missing)
    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O20 - Winlogon Notify: wvuturq - wvuturq.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rbcblbmy.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  2. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download Combofix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Note: It is important that it is saved directly to your desktop

    Close any open browsers.

    Double click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  3. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Thank you so much! I can't even begin to say how thankful I am.

    The Combofix log:

    ComboFix 07-06-21.3 - C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    "HP_Administrator" - 2007-06-22 18:24:59 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Conquer 2.0\c3\0003\611\_desktop.ini
    C:\Program Files\Conquer 2.0\c3\0003\741\_desktop.ini
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


    2007-06-22 16:54 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
    2007-06-22 16:54 175,616 --a------ C:\WINDOWS\system32\strings.exe
    2007-06-22 16:54 16,384 --a------ C:\WINDOWS\system32\restart.exe
    2007-06-22 16:54 126,976 --a------ C:\WINDOWS\system32\zip.exe
    2007-06-22 16:54 11,254 --a------ C:\WINDOWS\system32\locate.com
    2007-06-22 16:49 <DIR> d-------- C:\WINDOWS\system32\pmcubosf
    2007-06-22 14:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-22 14:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-22 14:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-22 13:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-06-22 13:21 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\MailFrontier
    2007-06-22 13:16 37,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-06-22 13:16 326,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-06-22 13:01 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-06-22 13:01 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-06-22 13:01 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-06-22 13:01 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-06-22 13:01 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-06-22 13:01 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-06-22 13:00 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-06-22 13:00 <DIR> d-------- C:\Program Files\Alwil Software
    2007-06-22 12:50 75,512 --a------ C:\WINDOWS\zllsputility.exe
    2007-06-22 12:50 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-06-22 12:50 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-06-22 12:49 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-06-22 12:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2007-06-22 12:48 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-06-22 12:32 <DIR> d-------- C:\Program Files\RogueRemover
    2007-06-22 09:48 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-06-22 02:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-22 02:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-06-22 02:39 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-22 02:29 <DIR> d-------- C:\Program Files\SpywareGuard
    2007-06-22 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-22 02:12 2,932 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-22 02:11 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\DoctorWeb
    2007-06-22 02:07 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-21 22:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-21 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-21 15:59 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-06-21 15:27 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-06-21 15:03 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SpywareBot
    2007-06-21 14:51 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-06-21 14:50 24,128 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-06-21 14:50 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-06-21 14:50 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-06-21 14:50 160,320 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-06-21 14:50 1,521,216 --a------ C:\WINDOWS\WRSetup.dll
    2007-06-21 14:50 <DIR> d-------- C:\Program Files\Webroot
    2007-06-21 14:50 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Webroot
    2007-06-21 14:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-06-21 14:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-06-21 14:27 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-06-21 14:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-06-21 14:27 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-06-21 14:27 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-06-21 14:27 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-06-21 14:27 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-06-21 14:27 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-06-21 14:27 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\PC Tools
    2007-06-21 14:03 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\qvydclcl.exe
    2007-06-21 12:46 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-06-21 08:56 <DIR> d-------- C:\WINDOWS\system32\appmgmt
    2007-06-18 19:55 <DIR> d-------- C:\Program Files\Immortal Defense
    2007-06-18 16:21 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-18 16:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-18 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-18 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-16 12:00 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
    2007-06-14 11:50 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pkforids.exe
    2007-06-11 09:37 <DIR> d-------- C:\WINDOWS\system3232
    2007-06-11 01:59 <DIR> d-------- C:\Program Files\The World
    2007-06-07 12:20 <DIR> d-------- C:\Program Files\CAPCOM
    2007-06-04 20:21 <DIR> d-------- C:\Program Files\BannedStory
    2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-05-28 12:01 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\DivX
    2007-05-28 11:50 <DIR> d-------- C:\Program Files\EuropeMS
    2007-05-27 14:24 <DIR> d-------- C:\Program Files\Blumenmacht
    2007-05-24 20:29 <DIR> d-------- C:\Program Files\GetRight
    2007-05-24 20:28 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\GetRightToGo
    2007-05-22 21:36 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-22 21:35 1,843,584 --a------ C:\WINDOWS\system32\win32k.sys
    2007-05-22 03:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-05-22 00:49 271,224 --a------ C:\WINDOWS\system32\mucltui.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-10-23 22:39:49 -------- d-----w C:\Program Files\e-Games
    2007-06-22 18:55:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-22 17:15:15 -------- d-----w C:\Program Files\Google
    2007-06-22 06:15:42 -------- d-----w C:\Program Files\Viewpoint
    2007-06-21 19:11:14 -------- d-----w C:\Program Files\FlashGet
    2007-06-21 12:31:53 -------- d-----w C:\Program Files\Sketch Warriors 2
    2007-06-20 02:51:54 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\LimeWire
    2007-06-20 02:18:21 -------- d-----w C:\Program Files\CamStudio
    2007-06-17 06:01:50 -------- d-----w C:\Program Files\Midi Maker
    2007-06-17 02:46:20 -------- d-----w C:\Program Files\iTunes
    2007-06-17 02:46:11 -------- d-----w C:\Program Files\iPod
    2007-06-17 02:36:55 -------- d-----w C:\Program Files\QuickTime
    2007-06-07 18:27:17 -------- d-----w C:\Program Files\HyCam2
    2007-06-07 05:11:51 3,172 -c--a-w C:\WINDOWS\mozver.dat
    2007-05-28 04:01:46 -------- d-----w C:\Program Files\Conquer 2.0
    2007-05-23 01:51:47 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
    2007-05-22 03:05:03 -------- d-----w C:\Program Files\Norton Internet Security
    2007-05-20 21:40:19 -------- d-----w C:\Program Files\Game_Maker6
    2007-05-20 00:23:20 278,528 ----a-w C:\WINDOWS\system32\livesnth.dll
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-15 03:06:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-15 03:06:18 -------- d-----w C:\Program Files\Triggersoft
    2007-05-14 01:38:14 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
    2007-05-08 01:31:29 -------- d-----w C:\Program Files\Project64 1.6
    2007-05-01 01:24:05 -------- d-----w C:\Program Files\DivX
    2007-04-30 23:39:33 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\FlashGet
    2007-04-25 21:01:37 -------- d-----w C:\Program Files\Common Files\DirectX
    2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-03-31 20:32:20 261,384 ----a-w C:\WINDOWS\system32\p3xsvr.exe
    2007-03-31 20:32:20 146,696 ----a-w C:\WINDOWS\system32\p3xfer.dll
    2007-03-31 20:32:20 1,121,544 ----a-w C:\WINDOWS\system32\HSDLaxelore.exe
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-03-26 23:13:31 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-10-26 11:28]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2006-10-17 14:44]
    {AAAE832A-5FFF-4661-9C8F-369692D1DCB9}=C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll [2006-06-17 23:52]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 02:19]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-17 23:30]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 07:54 C:\WINDOWS\RTHDCPL.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "pkforids.exe"="C:\Documents and Settings\All Users\Application Data\pkforids.exe" [2007-06-14 11:50]
    "PCDrProfiler"="" []
    "nwiz"="nwiz.exe" [2006-01-24 22:15 C:\WINDOWS\system32\nwiz.exe]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 14:44]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhg]
    C:\WINDOWS\system32\pmkhg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
    winemx32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqtd32]
    winqtd32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]
    winrzf32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturq]
    wvuturq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
    backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk]
    path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk
    backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    "C:\Program Files\AIM\aim.exe" -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
    "C:\Program Files\FlashGet\FlashGet.exe" /min

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qvydclcl.exe]
    "C:\Documents and Settings\All Users\Application Data\qvydclcl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
    "C:\Program Files\SpywareBot\SpywareBot.exe" -boot


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - COMHOST

    Contents of the 'Scheduled Tasks' folder
    2007-06-17 02:25:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-05-25 18:42:03 C:\WINDOWS\tasks\HPCeeSchedule.job
    2007-06-16 03:44:18 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
    2007-06-16 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
    2007-06-21 20:33:12 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
    2007-03-26 06:51:06 C:\WINDOWS\tasks\Warranty Reminder 11 month.job
    2007-06-21 18:51:00 C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-22 18:33:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-22 18:38:20 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-22 18:38

    --- E O F ---
     
  4. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    The Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:44:12 PM, on 6/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\All Users\Application Data\pkforids.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\AIM\aim.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pkforids.exe] C:\Documents and Settings\All Users\Application Data\pkforids.exe
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179799146341
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179799134498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://config.hyosungcdn.com/download/hsloadset.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B68F42-EEE0-457E-8A95-34691AA43C0C}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B89B0B0F-A70F-44F4-A37E-BA72C60B7DAD}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
    O20 - Winlogon Notify: winqtd32 - winqtd32.dll (file missing)
    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O20 - Winlogon Notify: wvuturq - wvuturq.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rbcblbmy.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  5. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Thank you so much. Nothing came up in the vundofix, which may be because of some stuff I did earlier.

    Here is the AWF log:

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/02/2005 04:44 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\AIM\BAK

    08/01/2006 04:35 PM 67,112 aim.exe
    1 File(s) 67,112 bytes

    Directory of C:\PROGRA~1\DISC\BAK

    03/16/2006 05:12 AM 1,077,248 DISCover.exe
    03/16/2006 05:11 AM 61,440 DiscUpdMgr.exe
    2 File(s) 1,138,688 bytes

    Directory of C:\PROGRA~1\HPDIGI~1\BAK

    03/20/2006 12:05 PM 90,112 DMAScheduler.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    02/16/2007 10:54 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\CREATOR\BAK

    12/14/2004 05:23 AM 663,552 Remind_XP.exe
    1 File(s) 663,552 bytes

    Directory of C:\WINDOWS\EHOME\BAK

    09/30/2005 12:01 AM 67,584 ehtray.exe
    1 File(s) 67,584 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    07/23/2005 01:14 AM 237,568 RECGUARD.EXE
    1 File(s) 237,568 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/10/2004 12:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

    02/16/2006 01:34 AM 249,856 HPBootOp.exe
    1 File(s) 249,856 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    12/15/2005 09:18 PM 49,152 HPwuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

    06/02/2005 02:35 AM 49,152 hphupd08.exe
    1 File(s) 49,152 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
    67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
    67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
    1077248 Mar 16 2006 "C:\Program Files\DISC\bak\DISCover.exe"
    61440 Mar 16 2006 "C:\Program Files\DISC\bak\DiscUpdMgr.exe"
    90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
    282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe"
    282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
    663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
    64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
    64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
    67584 Sep 30 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
    237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
    49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
    49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"


    end of report











    Here is a fresh HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:58:28 PM, on 6/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\All Users\Application Data\pkforids.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\AIM\aim.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: (no name) - {EF885EBA-76E2-4D84-B094-C8B4E9492927} - C:\WINDOWS\system32\wvuturq.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pkforids.exe] C:\Documents and Settings\All Users\Application Data\pkforids.exe
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179799146341
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179799134498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://config.hyosungcdn.com/download/hsloadset.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B68F42-EEE0-457E-8A95-34691AA43C0C}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B89B0B0F-A70F-44F4-A37E-BA72C60B7DAD}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
    O20 - Winlogon Notify: winqtd32 - winqtd32.dll (file missing)
    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O20 - Winlogon Notify: wvuturq - wvuturq.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rbcblbmy.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  6. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download the attached file named ComboFix-Do.txt and Save it to your Desktop.

    [​IMG]

    Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe


    In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.


    Do not run on any other computer!!!! The Attached file ComboFix-Do.txt is created for this specfic computer. Running it on another system could cause it to crash or worse.

    =================================

    Please download Replace.zip to your Desktop, Extract/Unzip Replace.bat to your Desktop. Please don't run Replace.bat yet!!!!!!

    Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.


    Double-Click on Replace.bat and follow all prompts. Let me know if something goes wrong. Thanks.


    ===================================

    Be sure you have your Flash drive plugged in.



    Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Batch file, get autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the get autoruns.bat to run the fix.

    1. The fix will make a report and if any autoruns are found, move them to a backup folder.
    2. If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoints key are fixed.
    3. A document, Part 1.txt, will be created. It will show the pre-cleaning state.
    4. Run get autoruns.bat again immediately.
    5. It will produce a file named Part2.txt and this one will show the state after the cleaning.
    6. Please post the contents of Part1.txt and Part2.txt then along with a fresh Hjackthis log.

    ** It is important that you follow these directions exactly. Don't skip the second run or the reporting sequence, as we will become confused.
     

    Attached Files:

  7. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Thanks again for your help.

    Here is the ComboFix log:

    ComboFix 07-06-21.3 - C:\Documents and Settings\HP_ADM~1\Desktop\ComboFix.exe
    "HP_Administrator" - 2007-06-23 18:47:59 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\HP_ADM~1\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


    2007-06-22 16:54 39,184 --a------ C:\WINDOWS\system32\Ntrights.exe
    2007-06-22 16:54 175,616 --a------ C:\WINDOWS\system32\strings.exe
    2007-06-22 16:54 16,384 --a------ C:\WINDOWS\system32\restart.exe
    2007-06-22 16:54 126,976 --a------ C:\WINDOWS\system32\zip.exe
    2007-06-22 16:54 11,254 --a------ C:\WINDOWS\system32\locate.com
    2007-06-22 16:49 <DIR> d-------- C:\WINDOWS\system32\pmcubosf
    2007-06-22 14:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-22 14:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-22 14:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-22 13:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-06-22 13:21 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\MailFrontier
    2007-06-22 13:16 37,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-06-22 13:16 326,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-06-22 13:00 <DIR> d-------- C:\Program Files\Alwil Software
    2007-06-22 12:50 75,512 --a------ C:\WINDOWS\zllsputility.exe
    2007-06-22 12:50 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-06-22 12:50 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-06-22 12:49 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-06-22 12:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2007-06-22 12:48 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-06-22 09:48 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-06-22 02:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-22 02:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-06-22 02:39 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-22 02:29 <DIR> d-------- C:\Program Files\SpywareGuard
    2007-06-22 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-22 02:12 2,932 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-22 02:11 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\DoctorWeb
    2007-06-22 02:07 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-21 22:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-21 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-21 15:59 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-06-21 15:27 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-06-21 15:03 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SpywareBot
    2007-06-21 14:51 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-06-21 14:50 24,128 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-06-21 14:50 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-06-21 14:50 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-06-21 14:50 160,320 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-06-21 14:50 1,521,216 --a------ C:\WINDOWS\WRSetup.dll
    2007-06-21 14:50 <DIR> d-------- C:\Program Files\Webroot
    2007-06-21 14:50 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Webroot
    2007-06-21 14:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-06-21 14:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-06-21 14:27 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-06-21 14:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-06-21 14:27 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-06-21 14:27 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-06-21 14:27 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-06-21 14:27 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-06-21 14:27 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-06-21 14:27 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\PC Tools
    2007-06-21 12:46 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-06-21 08:56 <DIR> d-------- C:\WINDOWS\system32\appmgmt
    2007-06-18 19:55 <DIR> d-------- C:\Program Files\Immortal Defense
    2007-06-18 16:21 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-18 16:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-18 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-18 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-16 12:00 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
    2007-06-14 11:50 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pkforids.exe
    2007-06-11 09:37 <DIR> d-------- C:\WINDOWS\system3232
    2007-06-11 01:59 <DIR> d-------- C:\Program Files\The World
    2007-06-07 12:20 <DIR> d-------- C:\Program Files\CAPCOM
    2007-06-04 20:21 <DIR> d-------- C:\Program Files\BannedStory
    2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-05-28 12:01 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\DivX
    2007-05-28 11:50 <DIR> d-------- C:\Program Files\EuropeMS
    2007-05-27 14:24 <DIR> d-------- C:\Program Files\Blumenmacht
    2007-05-24 20:29 <DIR> d-------- C:\Program Files\GetRight
    2007-05-24 20:28 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\GetRightToGo


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-10-23 22:39:49 -------- d-----w C:\Program Files\e-Games
    2007-06-23 22:43:04 -------- d-----w C:\Program Files\HP DigitalMedia Archive
    2007-06-23 22:43:04 -------- d-----w C:\Program Files\DISC
    2007-06-23 04:17:55 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-22 17:15:15 -------- d-----w C:\Program Files\Google
    2007-06-22 06:15:42 -------- d-----w C:\Program Files\Viewpoint
    2007-06-21 19:11:14 -------- d-----w C:\Program Files\FlashGet
    2007-06-21 12:31:53 -------- d-----w C:\Program Files\Sketch Warriors 2
    2007-06-20 02:51:54 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\LimeWire
    2007-06-20 02:18:21 -------- d-----w C:\Program Files\CamStudio
    2007-06-17 06:01:50 -------- d-----w C:\Program Files\Midi Maker
    2007-06-17 02:46:20 -------- d-----w C:\Program Files\iTunes
    2007-06-17 02:46:11 -------- d-----w C:\Program Files\iPod
    2007-06-17 02:36:55 -------- d-----w C:\Program Files\QuickTime
    2007-06-07 18:27:17 -------- d-----w C:\Program Files\HyCam2
    2007-06-07 05:11:51 3,172 -c--a-w C:\WINDOWS\mozver.dat
    2007-05-28 04:01:46 -------- d-----w C:\Program Files\Conquer 2.0
    2007-05-23 01:51:47 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
    2007-05-23 01:36:30 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-22 03:05:03 -------- d-----w C:\Program Files\Norton Internet Security
    2007-05-20 21:40:19 -------- d-----w C:\Program Files\Game_Maker6
    2007-05-20 00:23:20 278,528 ----a-w C:\WINDOWS\system32\livesnth.dll
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-15 03:06:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-15 03:06:18 -------- d-----w C:\Program Files\Triggersoft
    2007-05-14 01:38:14 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
    2007-05-08 01:31:29 -------- d-----w C:\Program Files\Project64 1.6
    2007-05-01 01:24:05 -------- d-----w C:\Program Files\DivX
    2007-04-30 23:39:33 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\FlashGet
    2007-04-25 21:01:37 -------- d-----w C:\Program Files\Common Files\DirectX
    2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-03-31 20:32:20 261,384 ----a-w C:\WINDOWS\system32\p3xsvr.exe
    2007-03-31 20:32:20 146,696 ----a-w C:\WINDOWS\system32\p3xfer.dll
    2007-03-31 20:32:20 1,121,544 ----a-w C:\WINDOWS\system32\HSDLaxelore.exe
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-03-26 23:13:31 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-10-26 11:28]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2006-10-17 14:44]
    {AAAE832A-5FFF-4661-9C8F-369692D1DCB9}=C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll [2006-06-17 23:52]
    {EF885EBA-76E2-4D84-B094-C8B4E9492927}=C:\WINDOWS\system32\wvuturq.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 14:44]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EF885EBA-76E2-4D84-B094-C8B4E9492927}"="C:\WINDOWS\system32\wvuturq.dll " []
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
    backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk]
    path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk
    backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    "C:\Program Files\AIM\aim.exe" -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
    "C:\Program Files\FlashGet\FlashGet.exe" /min

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qvydclcl.exe]
    "C:\Documents and Settings\All Users\Application Data\qvydclcl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - COMHOST

    Contents of the 'Scheduled Tasks' folder
    2007-06-17 02:25:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-05-25 18:42:03 C:\WINDOWS\tasks\HPCeeSchedule.job
    2007-06-23 02:07:49 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
    2007-06-23 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
    2007-06-21 20:33:12 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
    2007-03-26 06:51:06 C:\WINDOWS\tasks\Warranty Reminder 11 month.job
    2007-06-21 18:51:00 C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-23 18:49:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-23 18:50:56
    C:\ComboFix-quarantined-files.txt ... 2007-06-23 18:50
    C:\ComboFix2.txt ... 2007-06-23 18:40
    C:\ComboFix3.txt ... 2007-06-22 18:38

    --- E O F ---
     
  8. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    This is the Part1 log:


    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun]
    @="Auto&Play"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877032-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877033-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"
    "_CommentFromDesktopINI"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877034-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,01,00,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,60,00,00,00,0a,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48796-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48797-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,01,01,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,01,00,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48798-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879a-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879b-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879c-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879d-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd00-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd01-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd02-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd03-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46a-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46b-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46d-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab885357-de61-11db-a2df-000f66104650}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877032-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
    00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
    67,00,6e,00,61,00,74,00,75,00,72,00,65,00,43,00,41,00,42,00,31,00,30,00,42,\
    00,45,00,45,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,\
    4c,00,65,00,6e,00,67,00,74,00,68,00,33,00,38,00,30,00,35,00,31,00,43,00,38,\
    00,32,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,\
    64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,\
    00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,\
    66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,32,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,48,00,50,00,5f,00,50,00,41,00,56,00,49,00,4c,00,49,00,\
    4f,00,4e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\
    54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
    00,ff,00,07,00,ff,00,00,00,36,00,00,00,08,47,88,78,00,00,00,00,00,00,00,30,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877033-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
    00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
    67,00,6e,00,61,00,74,00,75,00,72,00,65,00,43,00,41,00,42,00,31,00,30,00,42,\
    00,45,00,45,00,4f,00,66,00,66,00,73,00,65,00,74,00,33,00,38,00,30,00,35,00,\
    39,00,33,00,32,00,30,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,32,\
    00,33,00,32,00,46,00,30,00,38,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,\
    66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
    00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
    30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,33,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,48,00,50,00,5f,00,52,00,45,00,43,00,4f,00,56,00,45,00,\
    52,00,59,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,46,00,\
    41,00,54,00,33,00,32,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
    00,06,00,00,00,ff,00,00,00,10,00,00,00,c0,6b,6e,4b,00,00,00,00,00,00,00,30,\
    00,e0,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877034-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\
    64,00,52,00,6f,00,6d,00,48,00,4c,00,2d,00,44,00,54,00,2d,00,53,00,54,00,5f,\
    00,44,00,56,00,44,00,52,00,52,00,57,00,5f,00,47,00,53,00,41,00,2d,00,48,00,\
    32,00,31,00,4c,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\
    00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,4c,00,36,00,30,00,32,00,5f,00,5f,00,\
    5f,00,5f,00,23,00,35,00,26,00,33,00,61,00,64,00,34,00,61,00,32,00,30,00,63,\
    00,26,00,30,00,26,00,30,00,2e,00,30,00,2e,00,30,00,23,00,7b,00,35,00,33,00,\
    66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
    00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
    30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,34,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,7f,01,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd00-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,31,00,39,00,64,00,31,00,32,00,\
    62,00,66,00,35,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,30,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd01-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,35,00,39,00,61,00,31,00,61,00,\
    34,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,00,35,\
    00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,\
    64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,\
    00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,31,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd02-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,33,00,34,00,33,00,35,00,39,00,\
    38,00,64,00,62,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,32,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd03-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,32,00,35,00,35,00,34,00,39,00,\
    33,00,66,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,33,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000001

    Part1 Report
    Sat 06/23/2007 19:42:30.31

    No Autorun files found in C:\WINDOWS

    No Autorun files found in C:\WINDOWS\system32

    No Autorun files found in root of C:


    Files found on D:
    Autorun.inf


    Contents of autorun.inf on D:
    [AUTORUN]
    ShellExecute=Info.exe protect.ed 480 480
     
  9. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Part2 log:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell]
    @="AutoRun"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun]
    @="Auto&Play"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
    @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877032-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877033-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"
    "_CommentFromDesktopINI"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e877034-db64-11db-88e0-806d6172696f}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,01,00,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,60,00,00,00,0a,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48796-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48797-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,01,01,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,01,00,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae48798-fe3a-11da-a2c8-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879a-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879b-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879c-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ae4879d-fe3a-11da-a2c8-eec7eb7bc78a}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,\
    5f,5f,00,00,10,00,00,00,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell]
    @="None"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell\Autoplay]
    "MUIVerb"="@shell32.dll,-8504"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4c4b4b-db66-11db-a2d1-001731c64ea4}\shell\Autoplay\DropTarget]
    "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd00-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd01-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd02-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5877fd03-db65-11db-a2d0-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46a-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46b-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a436e46d-199f-11da-8f8d-806d6172696f}]
    "BaseClass"="Drive"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab885357-de61-11db-a2df-000f66104650}]
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,00,00,10,00,00,08,00,00,00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877032-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
    00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
    67,00,6e,00,61,00,74,00,75,00,72,00,65,00,43,00,41,00,42,00,31,00,30,00,42,\
    00,45,00,45,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,\
    4c,00,65,00,6e,00,67,00,74,00,68,00,33,00,38,00,30,00,35,00,31,00,43,00,38,\
    00,32,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,\
    64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,\
    00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,\
    66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,32,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,48,00,50,00,5f,00,50,00,41,00,56,00,49,00,4c,00,49,00,\
    4f,00,4e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\
    54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
    00,ff,00,07,00,ff,00,00,00,36,00,00,00,08,47,88,78,00,00,00,00,00,00,00,30,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877033-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
    00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
    67,00,6e,00,61,00,74,00,75,00,72,00,65,00,43,00,41,00,42,00,31,00,30,00,42,\
    00,45,00,45,00,4f,00,66,00,66,00,73,00,65,00,74,00,33,00,38,00,30,00,35,00,\
    39,00,33,00,32,00,30,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,32,\
    00,33,00,32,00,46,00,30,00,38,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,\
    66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
    00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
    30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,33,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,48,00,50,00,5f,00,52,00,45,00,43,00,4f,00,56,00,45,00,\
    52,00,59,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,46,00,\
    41,00,54,00,33,00,32,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
    00,06,00,00,00,ff,00,00,00,10,00,00,00,c0,6b,6e,4b,00,00,00,00,00,00,00,30,\
    00,e0,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0e877034-db64-11db-88e0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\
    64,00,52,00,6f,00,6d,00,48,00,4c,00,2d,00,44,00,54,00,2d,00,53,00,54,00,5f,\
    00,44,00,56,00,44,00,52,00,52,00,57,00,5f,00,47,00,53,00,41,00,2d,00,48,00,\
    32,00,31,00,4c,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\
    00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,4c,00,36,00,30,00,32,00,5f,00,5f,00,\
    5f,00,5f,00,23,00,35,00,26,00,33,00,61,00,64,00,34,00,61,00,32,00,30,00,63,\
    00,26,00,30,00,26,00,30,00,2e,00,30,00,2e,00,30,00,23,00,7b,00,35,00,33,00,\
    66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
    00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
    30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,30,00,65,00,38,00,37,00,37,00,30,00,33,00,34,00,2d,00,64,00,62,\
    00,36,00,34,00,2d,00,31,00,31,00,64,00,62,00,2d,00,38,00,38,00,65,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,7f,01,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd00-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,31,00,39,00,64,00,31,00,32,00,\
    62,00,66,00,35,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,30,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd01-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,35,00,39,00,61,00,31,00,61,00,\
    34,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,00,35,\
    00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,\
    64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,\
    00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,31,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd02-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,33,00,34,00,33,00,35,00,39,00,\
    38,00,64,00,62,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,32,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5877fd03-db65-11db-a2d0-806d6172696f}]
    "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
    47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
    00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,32,00,35,00,35,00,34,00,39,00,\
    33,00,66,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
    00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
    31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
    00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
    65,00,7b,00,35,00,38,00,37,00,37,00,66,00,64,00,30,00,33,00,2d,00,64,00,62,\
    00,36,00,35,00,2d,00,31,00,31,00,64,00,62,00,2d,00,61,00,32,00,64,00,30,00,\
    2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
    00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
    6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,90,00,\
    00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
    00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
    00
    "Generation"=dword:00000002

    Part2 Report
    Sat 06/23/2007 19:42:46.54

    No Autorun files found in C:\WINDOWS

    No Autorun files found in C:\WINDOWS\system32

    No Autorun files found in root of C:


    No Autorun files found in root of D:
     
  10. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Good job, did Replace.bat work okay???

    Please download the attached file cleanupautorun.zip, Extract/Unzip cleanupautorun.reg to your Desktop. Double-Click on cleanupautorun.reg and allow it to be merged into Windows Registry. Reboot your computer


    ==================================


    Please post a fresh Hijackthis log. How is everything running???
     

    Attached Files:

  11. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Everything seems to be running fine. The Replace.bat ran fine too. I haven't got the google redirect thing and my virus scanner didn't find Vundo or anything on my last scan. I appreciate all the help!!!

    Here is the fresh HijackThis log you requested. See anything else that could be potentially dangerous?

    Logfile of HijackThis v1.99.1
    Scan saved at 11:26:32 PM, on 6/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: (no name) - {EF885EBA-76E2-4D84-B094-C8B4E9492927} - C:\WINDOWS\system32\wvuturq.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179799146341
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179799134498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://config.hyosungcdn.com/download/hsloadset.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B68F42-EEE0-457E-8A95-34691AA43C0C}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B89B0B0F-A70F-44F4-A37E-BA72C60B7DAD}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rbcblbmy.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  12. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O2 - BHO: (no name) - {EF885EBA-76E2-4D84-B094-C8B4E9492927} - C:\WINDOWS\system32\wvuturq.dll (file missing)

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


    =====================================

    Please DELETE the following folder(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

    Folders:

    C:\hp\KBD\bak <-- this folder
    C:\Program Files\AIM\bak <-- this folder
    C:\Program Files\DISCbak <-- this folder
    C:\Program Files\HP DigitalMedia Archive\bak <-- this folder
    C:\Program Files\QuickTime\bak <-- this folder
    C:\WINDOWS\CREATOR\bak <-- this folder
    C:\WINDOWS\ehome\bak <-- this folder
    C:\WINDOWS\SMINST\bak <-- this folder
    C:\WINDOWS\system32\bak <-- this folder
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak <-- this folder
    C:\Program Files\HP\HP Software Update\bak <-- this folder
    C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak <-- this folder


    =========================================

    Panda Activescan
    http://www.pandasoftware.com/products/activescan.htm
    1. Once you are on the Panda site click the Scan your PC button
    2. A new window will open...click the Check Now button
    3. Enter your Country
    4. Enter your State/Province
    5. Enter your e-mail address and click send
    6. Select either Home User or Company
    7. Click the big Scan Now button
    8. If it wants to install an ActiveX component allow it
    9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    10. When download is complete, click on Local Disks to start the scan
    11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    In your next reply, please include a fresh HIjackthis log and panda Activescan log. thanks
     
  13. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Gah! Seems I still have some stuff:

    HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:17:33 AM, on 6/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179799146341
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179799134498
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://config.hyosungcdn.com/download/hsloadset.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B68F42-EEE0-457E-8A95-34691AA43C0C}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B89B0B0F-A70F-44F4-A37E-BA72C60B7DAD}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3D339EF2-F450-433C-81A1-A572D7F2CA44}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rbcblbmy.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe







    Activescan log:


    Incident Status Location

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atwola[1].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\l2mfix\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\HP_Administrator\Desktop\l2mfix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\l2mfix.exe[l2mfix/Process.exe]
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\HP_Administrator\Desktop\l2mfix.exe[l2mfix/restart.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
    Potentially unwanted tool:Application/ViewPoint Not disinfected C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    Virus:Trj/Downloader.PBM Disinfected C:\QooBox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\qvydclcl.exe.vir
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ssttt.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\uswnhhje.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ybwrfkoq.dll.bad
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\WINDOWS\system32\restart.exe
     
  14. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Nope, that came out clean. Panda doesn't like some of the custom tools we use to fix malware, because these tools have to be powerful. How is everything running???
     
  15. AphexTwins

    AphexTwins Thread Starter

    Joined:
    Jun 22, 2007
    Messages:
    14
    Ahh I see. Everything seems to be running well. I could never have fixed this without you. Thank you so much! Have a great day!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/587195