|
| | | New Member
Group: Forum Members
Last Login: 7/6/2008 8:40 PM
Posts: 34, Visits: 63 |
| Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:39 AM, on 11/5/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\alg.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Acer\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12442 bytes
|
| |
| | | 
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 29,548, Visits: 54,734 |
| Welcome
Disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner started installing the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the 'No Toolbar' 'Slim' version instead of the 'Standard Build'.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
* Clean all entries in the "Internet Explorer" section except Cookies.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.
In the Applications Tab:
* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
* Now click on the 'Registry' tab/button on the left.
* Then click on the 'Scan for issues' button at the bottom.
* If CCleaner displays any issues,click on 'Fix selected issues'.
* You'll then be asked 'Do you want to backup changes to the registry',you must click 'YES'.
* Save the backup somewhere safe,your desktop is a good a place as any.
* Then click 'Fix Issues',then click 'Close'.
* Exit CCleaner.
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u10'.
3. Click the "Download" button to the right.
4. Select the Platform and Language for your download,then check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language - jre-6u10-windows-i586-p.exe' [15.52 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Click Start and choose Control Panel:
- In Control Panel double click on the "Programs and Features" icon.
- Here you can find all the programs and items which are installed in Windows Vista.
- Now remove all older versions of Sun Java.
9. Click on any item with Java Runtime Environment (JRE or J2SE) in the name to uninstall/remove it.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
13. If the installer refuses to launch due to insufficient user permissions,follow the info found in this link to Run As Administrator.
Verify your installation of Sun Java:
http://www.java.com/en/download/help/testvm.xml
If you have previously downloaded ComboFix,please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop
Close any open browsers.
Click on Start/Run,copy and paste the following bold text into the 'Open:' space,then press OK [See image below]:
"%userprofile%\desktop\combofix.exe" /killall
Combofix.exe will start,please follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and download Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
Also post a new Hijackthis log please.
_______________________________________________
ASAP & UNITE member since 2006
 
|
| |
| | | New Member
Group: Forum Members
Last Login: 7/6/2008 8:40 PM
Posts: 34, Visits: 63 |
| ComboFix 08-11-04.02 - Acer 2008-11-05 14:17:38.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1432 [GMT 0:00]
Running from: c:\users\Acer\Desktop\combofix.exe
Command switches used :: /killall
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\MSINET.oca
.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-05 14:12 . 2008-11-05 14:12410,976--a------c:\windows\System32\deploytk.dll
2008-11-05 00:11 . 2008-11-05 00:11d--------c:\program files\Trend Micro
2008-10-29 11:04 . 2008-08-12 03:39443,392--a------c:\windows\System32\win32spl.dll
2008-10-29 11:04 . 2008-09-18 04:56147,456--a------c:\windows\System32\Faultrep.dll
2008-10-29 11:04 . 2008-09-18 04:56125,952--a------c:\windows\System32\wersvc.dll
2008-10-16 22:58 . 2008-10-21 01:52d--------C:\temp
2008-10-15 21:49 . 2008-08-27 01:06288,768--a------c:\windows\System32\drivers\srv.sys
2008-10-10 18:00 . 2008-10-10 18:00d--------c:\program files\Western Digital
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 14:26---------d-----wc:\users\Acer\AppData\Roaming\OpenOffice.org2
2008-11-05 14:25---------d---a-wc:\programdata\TEMP
2008-11-05 14:23---------d-----wc:\program files\Spyware Doctor
2008-11-05 14:12---------d-----wc:\program files\Java
2008-11-05 13:36---------d-----wc:\program files\Garena
2008-11-05 00:09---------d-----wc:\users\Acer\AppData\Roaming\Skype
2008-11-05 00:07---------d-----wc:\users\Acer\AppData\Roaming\skypePM
2008-11-04 23:10---------d-----wc:\program files\Warcraft III
2008-10-25 16:31---------d-----wc:\program files\DivX
2008-10-15 21:54---------d-----wc:\program files\Windows Mail
2008-10-02 03:49827,392----a-wc:\windows\System32\wininet.dll
2008-09-30 13:38---------d-----wc:\program files\Nokia
2008-09-30 13:38---------d-----wc:\program files\Common Files\Nokia
2008-09-19 21:55200,704----a-wc:\windows\System32\ssldivx.dll
2008-09-19 21:551,044,480----a-wc:\windows\System32\libdivx.dll
2008-09-18 05:093,601,464----a-wc:\windows\System32tkrnlpa.exe
2008-09-18 05:093,549,240----a-wc:\windows\System32toskrnl.exe
2008-09-18 02:162,032,640----a-wc:\windows\System32\win32k.sys
2008-09-17 00:05---------d-----wc:\users\Acer\AppData\Roaming\FaxCtr
2008-09-16 21:14---------d-----wc:\program files\Lexmark Fax Solutions
2008-09-16 21:14---------d-----wc:\program files\Lexmark 1200 Series
2008-09-16 21:13---------d-----wc:\programdata\FaxCtr
2008-09-16 21:13---------d-----wc:\program files\Abbyy FineReader 6.0 Sprint
2008-09-11 22:55---------d-----wc:\programdata\Avira
2008-09-11 22:55---------d-----wc:\program files\Avira
2008-09-11 22:51---------d-----wc:\programdata\Avg8
2008-09-11 22:15---------d-----wc:\programdata\Installations
2008-09-11 22:14---------d-----wc:\program files\Common Files\PCSuite
2008-09-11 22:12---------d-----wc:\program files\PC Connectivity Solution
2008-08-05 09:49428,544----a-wc:\windows\System32\EncDec.dll
2008-08-05 09:49293,376----a-wc:\windows\System32\psisdecd.dll
2008-07-06 12:0756---ha-wc:\users\All Users\ezsidmv.dat
2008-07-06 12:0756---ha-wc:\programdata\ezsidmv.dat
2008-06-20 11:16174--sha-wc:\program files\desktop.ini
2008-03-23 18:5732----a-wc:\users\All Users\ezsid.dat
2008-03-23 18:5732----a-wc:\programdata\ezsid.dat
2008-07-24 13:2816,384--sha-wc:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-24 13:2832,768--sha-wc:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-24 13:2816,384--sha-wc:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-04-18 817936]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-07 185632]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-04-10 1107848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-05 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-04-13 c:\windows\SkyTel.exe]
c:\users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-22 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-01-19 711472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{2DF1F8FE-EADA-4E98-8F17-4C6042BBAF39}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{DB094131-3ED9-45C1-850F-B3F55BC98491}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{F4B2006B-55A4-44B5-B6A7-5E034800FCCF}"= UDP:6113:Frozen Throne
"{EDF38800-EAE2-498B-BB35-AC2922B6E453}"= TCP:6113:Frozen Throne 2
"{1D0DE240-2A22-4645-A18A-F87183A611F7}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{74C3BD53-41CF-47E2-B90F-02113A696756}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{DCD7E090-DD42-4299-9E1A-10381F4F3778}"= UDP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{380DBCE7-85BC-4945-AC8E-56D349020E06}"= TCP:c:\program files\Warcraft III\Warcraft III.exe:Warcraft III
"{4CC583F1-5C3C-40C3-9B6E-CB3694A2CB58}"= UDP:c:\program files\Warcraft III\Bprotect.exe:Bprotect
"{221958AB-DA5A-4CD8-9606-D348D1311A44}"= TCP:c:\program files\Warcraft III\Bprotect.exe:Bprotect
"{793CE1A0-AB36-4BE8-B1DE-F78461314EBD}"= UDP:7063:BitComet 7063 TCP
"{F0284331-D1EE-493C-8B11-7DC662DCA858}"= TCP:7063:BitComet 7063 UDP
"TCP Query User{4E21A95D-E8C6-4335-8FD0-09DEEFFA28E9}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{4F9947F5-A8E1-4473-89DE-75E7B2B8D4E2}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{E833EC57-3C6D-453E-AB13-53F233F7BB22}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{185C49B0-5FB4-4D6A-A51F-93752255088D}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{77414A2E-7A0F-4375-8CF8-6D4CC52EA1D3}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{869CD31C-62D3-40B7-8909-95FBEB9D0BA6}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{3F667519-51C6-4583-846C-E3BD34D00DD4}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{B20C808A-E364-4661-AB93-BD226F403B91}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{DDDDA117-C72C-4AF6-AE70-DAB0D54111AE}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{EC6FBD81-72AB-4953-AB3C-2A1AC0EE5B5C}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{1E607A7A-80B8-4652-9065-5D6010B6A91E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{F0190D17-267E-4E19-A5C3-6B6F471F74FC}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{F6BB0D54-A450-4ED1-B217-F7DB722A10CC}c:\\program files\\real\\realplayer\\recordingmanager.exe"= UDP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"UDP Query User{A162FDA6-5749-4CA3-B812-D07AE80ECC83}c:\\program files\\real\\realplayer\\recordingmanager.exe"= TCP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"TCP Query User{C8206087-5EFA-46FC-BDAD-C5BB32353CF2}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{60E36875-2982-4BCD-8FF1-C33DA7517D60}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{EAB52BFB-9612-4B62-8D75-89BB65BD2987}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{20063F1F-C1E4-4074-96E7-3C4D3E355073}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{51CFCB4D-AF30-488B-9125-190627788D17}c:\\program files\\ocean technology\\gg e-sports platform\\ggclient.exe"= UDP:c:\program files\ocean technology\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"UDP Query User{6E52F608-13AF-483A-915A-25245F3A822C}c:\\program files\\ocean technology\\gg e-sports platform\\ggclient.exe"= TCP:c:\program files\ocean technology\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"TCP Query User{092F93D5-3315-4765-B22B-8C5F627E7C4C}c:\\program files\\swat 4\\content\\system\\swat4.exe"= UDP:c:\program files\swat 4\content\system\swat4.exe:SWAT 4
"UDP Query User{12371859-9410-4200-90CE-D66C7A72D02A}c:\\program files\\swat 4\\content\\system\\swat4.exe"= TCP:c:\program files\swat 4\content\system\swat4.exe:SWAT 4
"TCP Query User{B2FBAF43-2816-4863-9651-155B9EFCEBC8}c:\\program files\\swat 4\\content\\system\\swat4.exe"= UDP:c:\program files\swat 4\content\system\swat4.exe:SWAT 4
"UDP Query User{7F128008-AAAA-4A32-8603-66959A434DBA}c:\\program files\\swat 4\\content\\system\\swat4.exe"= TCP:c:\program files\swat 4\content\system\swat4.exe:SWAT 4
"TCP Query User{EF3C96D5-7F54-4BFE-8758-779316FBD582}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{00BF5C5A-74B9-4ED7-B842-6233182F8E52}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{D283CB50-B293-4DD2-B172-7237ADCC136C}c:\\program files\\typing dead\\tod_e.exe"= UDP:c:\program files\typing dead\tod_e.exe:Tod_e
"UDP Query User{0AA231E0-1471-49C0-8436-C5351DFEB220}c:\\program files\\typing dead\\tod_e.exe"= TCP:c:\program files\typing dead\tod_e.exe:Tod_e
"{6D61AC80-434A-486A-86F7-9EBD35E2A278}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{3609A9FF-50B2-424F-A559-B9BB9A2506F2}c:\\program files\\ea games\\battlefield 1942\\bf1942.exe"= UDP:c:\program files\ea games\battlefield 1942\bf1942.exe:BF1942
"UDP Query User{73262769-C863-4F37-8E10-56139606FC26}c:\\program files\\ea games\\battlefield 1942\\bf1942.exe"= TCP:c:\program files\ea games\battlefield 1942\bf1942.exe:BF1942
"TCP Query User{8DE9A045-FA69-4EBB-A160-1E71511FA29D}c:\\program files\\ea games\\battlefield 1942 (2)\\bf1942.exe"= UDP:c:\program files\ea games\battlefield 1942 (2)\bf1942.exe:BF1942
"UDP Query User{EB202402-9441-4674-AC8B-FBB0DFCF8929}c:\\program files\\ea games\\battlefield 1942 (2)\\bf1942.exe"= TCP:c:\program files\ea games\battlefield 1942 (2)\bf1942.exe:BF1942
"TCP Query User{3DDEDAB1-8CB6-417F-B22D-5321B60BF784}c:\\program files\\ea games\\battlefield 1942 (2)\\bf1942.exe"= UDP:c:\program files\ea games\battlefield 1942 (2)\bf1942.exe:BF1942
"UDP Query User{CC436B27-C759-437F-964C-A0ACD0B5BB77}c:\\program files\\ea games\\battlefield 1942 (2)\\bf1942.exe"= TCP:c:\program files\ea games\battlefield 1942 (2)\bf1942.exe:BF1942
"TCP Query User{D00BDE19-A780-4379-A2C6-AE6FD954900C}c:\\program files\\tom clancy's rainbow six vegas\\binaries\\r6vegas_game.exe"= UDP:c:\program files\tom clancy's rainbow six vegas\binaries\r6vegas_game.exe:R6Vegas_Game
"UDP Query User{47396C0F-4FDC-4E07-ABD9-8A11E317158B}c:\\program files\\tom clancy's rainbow six vegas\\binaries\\r6vegas_game.exe"= TCP:c:\program files\tom clancy's rainbow six vegas\binaries\r6vegas_game.exe:R6Vegas_Game
"{FA8FD754-65F1-43CC-98FE-5C83A214DF82}"= UDP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{E4562039-6620-4ED7-A3CE-EDEC677CCB9E}"= TCP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"TCP Query User{859506DB-4AAD-4C8B-A631-B38A908B3AAA}c:\\unrealtournament\\system\\unrealtournament.exe"= UDP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"UDP Query User{A46A035B-EA35-4594-86B7-D028302BD57F}c:\\unrealtournament\\system\\unrealtournament.exe"= TCP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"TCP Query User{71D63B35-84E4-4288-BCDE-73A94A13B38E}c:\\unrealtournament\\system\\unrealtournament.exe"= UDP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"UDP Query User{C813F2BC-AEB0-4540-9B11-759EDC20CA9F}c:\\unrealtournament\\system\\unrealtournament.exe"= TCP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"{F59230D6-4D35-49FA-A838-545EE558A936}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D4A4E7F0-EE77-4F99-B22F-18DAEA8857AB}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A5D9FC2A-6656-48F4-9D97-099C5FA8D930}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{541386A9-B3D3-4E24-8280-2BFE3FD66743}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{148567DA-0284-4193-9584-C7DB10098C46}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{94C16DD9-AA84-4B95-BDFB-56F68FD31618}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{9F5B6962-FC42-43AD-ADE3-E0E7EA4BC689}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"TCP Query User{E9215BA8-C5D3-4214-84D2-080D98F02C5E}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{BE4C5861-1EB1-48A9-B49D-981EA444ADE1}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{F5D51049-AE52-45DA-8D53-4D02F6199142}c:\\users\\acer\\desktop\\warcraft iii\\war3.exe"= UDP:c:\users\acer\desktop\warcraft iii\war3.exe:war3.exe
"UDP Query User{E13FCB0F-1FFA-4588-85EF-0EA37A4309B1}c:\\users\\acer\\desktop\\warcraft iii\\war3.exe"= TCP:c:\users\acer\desktop\warcraft iii\war3.exe:war3.exe
"TCP Query User{4D51704F-8D2E-4D57-BCD3-77F918FBBD0D}c:\\users\\acer\\desktop\\warcraft iii\\war3.exe"= UDP:c:\users\acer\desktop\warcraft iii\war3.exe:war3.exe
"UDP Query User{CB60F59E-3ADB-468E-B931-1A09D18A04BE}c:\\users\\acer\\desktop\\warcraft iii\\war3.exe"= TCP:c:\users\acer\desktop\warcraft iii\war3.exe:war3.exe
"TCP Query User{9442B7EA-D4F6-40FF-B2DB-825A29E6AA20}c:\\program files\okia\okia software updater\su_ui_client.exe"= UDP:c:\program filesokiaokia software updatersu_ui_client.exe:Nokia Software Updater
"UDP Query User{646C3DE3-8B96-4AC4-ABB2-3953F2D6452B}c:\\program files\okia\okia software updater\su_ui_client.exe"= TCP:c:\program filesokiaokia software updatersu_ui_client.exe:Nokia Software Updater
"TCP Query User{EFCA4997-FA01-489C-A48B-7ACDC36EF862}c:\\program files\\common files\okia\\service layer\\a\sl_host_process.exe"= UDP:c:\program files\common filesokia\service layer\asl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{EDAE9C2C-82E5-46F4-8071-866BBCE64084}c:\\program files\\common files\okia\\service layer\\a\sl_host_process.exe"= TCP:c:\program files\common filesokia\service layer\asl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{A1C1A880-1D78-45C4-BAB3-7993295B3609}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{D0BC1539-06A2-4BA5-95DA-21F65F929D85}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"{1655EBE8-E822-48E4-B3BB-5D8218412269}"= UDP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{BD2F63FF-95B7-4FD6-9A4E-1A3C778BB436}"= TCP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{8DF063EC-805E-42BE-B2F1-3473CDE37F8B}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:Printer Status Window
"{00227F54-A6C5-4CDF-B770-4770E3E132A5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:Printer Status Window
"{1D476428-D2F7-4FB3-9E01-552253856476}"= UDP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:FineScanManager
"{65A1868B-CFC5-4341-8B82-5BE827015AF8}"= TCP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:FineScanManager
"TCP Query User{BC020E92-9FDF-4436-877B-F253ABE8281A}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{90042BF2-9E0A-42AE-8D4B-E93B653F1CF2}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-02 35712]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\driversnrnstdi.sys [2007-06-08 13312]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe [2007-02-08 537520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 810320]
R3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2007-04-25 2590720]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]
S3 btwaudio;Bluetooth Audio Device Service;c:\windows\system32\drivers\btwaudio.sys [2007-01-08 78128]
S3 btwavdt;Bluetooth AVDT Service;c:\windows\system32\drivers\btwavdt.sys [2007-01-08 80688]
S3 btwrchid;btwrchid;c:\windows\system32\DRIVERS\btwrchid.sys [2007-01-08 16560]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [2005-11-17 8064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcsREG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{098be7ab-333f-11dc-9a79-806e6f6e6963}]
\shell\AutoRun\command - F:\winstart.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bef9aee-a0fd-11dc-9b4c-0016d35c8129}]
\shell\AutoRun\command - sxacqlwl.exe
\shell\explore\Command - sxacqlwl.exe
\shell\open\Command - sxacqlwl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d054362-b985-11dc-bebd-0016d35c8129}]
\shell\Autoplay\command - NTDETECH.com
\shell\AutoRun\command - NTDETECH.com
\shell\OPEN\command - NTDETECH.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62398974-04e7-11dd-a928-001b7751156d}]
\shell\AutoRun\command - H:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{841f0b09-96f4-11dd-9467-0016d35c8129}]
\shell\AutoRun\command - g:\wd_windows_tools\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b7cc15f-31be-11dd-9aba-0016d35c8129}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81a34c4-5340-11dd-a30f-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81a34c5-5340-11dd-a30f-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c47b930f-51e5-11dd-88e6-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c47b9311-51e5-11dd-88e6-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c47b9321-51e5-11dd-88e6-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c47b9324-51e5-11dd-88e6-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f90e67-4ed7-11dd-9bc4-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f90e83-4ed7-11dd-9bc4-0016d35c8129}]
\shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcdfbdc3-33c6-11dd-bb52-0016d35c8129}]
\shell\Auto\command - F:\printer.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\printer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e606e176-40c0-11dc-a301-001b7751156d}]
\shell\Auto\command - Macromedia_Setup.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Macromedia_Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb0abf6e-31b5-11dd-89b8-001b7751156d}]
\shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-05 c:\windows\Tasks\User_Feed_Synchronization-{76E67231-0689-4C59-83AA-DACAC0B193C5}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 07:33]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\wm40cxpk.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 14:25:06
Windows 6.0.6001 Service Pack 1 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lexmark 1200 Series\LXCZbmon.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\users\Acer\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-11-05 14:31:48 - machine was rebooted [Acer]
ComboFix-quarantined-files.txt 2008-11-05 14:30:27
Pre-Run: 24,918,822,912 bytes free
Post-Run: 24,360,984,576 bytes free
299--- E O F ---2008-10-29 22:29:30
-----------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:58 PM, on 11/5/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Users\Acer\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\Explorer.exe
C:\Windows\system32otepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10979 bytes
|
| |
| | | |
|
