
IE opens random sites when idle

Discussion in 'Malware and Virus Removal Archive' started by Shaun, 2008/06/16.

  1. 2008/06/16
    Shaun

    Shaun Inactive Thread Starter

    Joined:
    2008/06/16
    Messages:
    4
    Likes Received:
    0
    I currently use Mozilla Firefox as my primary browser. Today I was going through my computer files (downloaded things) and came across an arbitrary movie clip. I opened it and WMP told me I didn't have the correct codec installed (should have been my first red flag since I have the K-Lite Mega Pack codec, right after the fact that it was a movie clip of only 58 KB. Was being not smart today :p). WMP (or the file, not sure) brought me to a website to download the codec. Not only did I download the "codec", I executed the .exe. I'm sure you guys all know what happens next. Anyways, now IE is popping up randomly with what seem like websites related to what I'm browsing on FF. This happens when my computer is idle as well. I've run Spybot S&D and Ad-Aware, and I'm doing an AVG scan atm as well. Spybot and AA had no luck; the problem is still happening. I'm not sure what I need to do in order to get this to stop. Any help?

    **EDIT**

    Also this popped up in IE as one of the random pop-ups:

    campaign_details.dbm cannot be opened

    2008-06-16 23:50:38 execution of /vtrack.php failed
    IP: 98.165.243.124
    GET: pid=177
    GET: campaignID=2878
    GET: creativeID=2551
    GET: ip=204.160.105.7
    GET: trace=4(1221)8(20694)6(12380)
    GET: cpv_rate=0.003000
    GET: CountryCode=840
    GET: srpname=CPVintern
    GET: said=0
    GET: v_url=http://www.kingsofchaos.com/battlefield.php?start=0
    COOKIE: PARTNER_INFO=2878 1213683353&2878 1213682963&2878 1213671552&2878 1213671247&
    COOKIE: PARTNER_ACTION_TRACK=2878 177 0 4(1221)8(20694)6(12346) 1213683353&




    I guess it's tracking where I go in Mozilla and giving me relevant ads and stuff on IE.... really irritating, dunno how to fix.

    Here is a HijackThis log



    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:30 PM, on 6/16/2008
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16681)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Shaun\lsass.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinMySQLadmin.lnk = Shaun\Web Server\xampp\mysql\bin\winmysqladmin.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2.2 - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Users\Shaun\Desktop\Web Server\xampp\FileZillaFTP\FileZillaServer.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
    O23 - Service: mysql - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Users\Shaun\Web Server\xampp\service.exe (file missing)
     
    Last edited: 2008/06/17
  2. 2008/06/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Shaun
    Welcome to WindowsBBS.

    The first thing we need is to get you updated to the new version of HJT.

    Looks like you're running Vista. So go into Programs and Features and delete the HJT you have there.

    Then do this and post the DSS log.


    Please download and install HijackThis (let it install to the default location) and run a scan, then close HJT, then run Deckard's System Scanner and post the main.txt log here.
    Links and instructions here.

    Thanks
    Geri
     


  4. 2008/06/17
    Shaun

    Deckard's System Scanner v20071014.68
    Run by Shaun on 2008-06-17 16:31:01
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- Last 5 Restore Point(s) --
    48: 2008-06-17 18:25:17 UTC - RP416 - Windows Update
    47: 2008-06-17 09:00:47 UTC - RP415 - Windows Defender Checkpoint
    46: 2008-06-16 22:49:24 UTC - RP413 - Installed Ad-Aware
    45: 2008-06-16 22:34:54 UTC - RP412 - Installed AVG Free 8.0
    44: 2008-06-16 22:28:09 UTC - RP411 - Installed AVG Free 8.0


    -- First Restore Point --
    1: 2008-05-05 13:35:41 UTC - RP367 - Scheduled Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Shaun.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:23:38 PM, on 6/17/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16681)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Shaun\Desktop\Downloads\dss.exe
    C:\Program Files\WC3Banlist\WC3Banlist.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Shaun.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Shaun\lsass.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinMySQLadmin.lnk = Shaun\Web Server\xampp\mysql\bin\winmysqladmin.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Users\Shaun\Desktop\Web Server\xampp\apache\bin\apache.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Users\Shaun\Desktop\Web Server\xampp\FileZillaFTP\FileZillaServer.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
    O23 - Service: mysql - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Users\Shaun\Web Server\xampp\service.exe (file missing)

    --
    End of file - 6237 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 VClone - c:\windows\system32\drivers\vclone.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
    R3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>

    S3 Xponaut_WBD (Xponaut WaveBridge Device (WDM)) - c:\windows\system32\drivers\xpntwbd.sys <Not Verified; Xponaut; Xponaut WaveBridge>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apache2.2 - "c:\users\shaun\desktop\web server\xampp\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
    R2 mysql - "c:\users\shaun\desktop\web server\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=c:\users\shaun\desktop\web server\xampp\mysql\bin\my.cnf" mysql

    S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\444.470 service (file missing)
    S2 XAMPP (XAMPP Service) - c:\users\shaun\web server\xampp\service.exe (file missing)
    S3 FileZilla Server (FileZilla Server FTP server) - c:\users\shaun\desktop\web server\xampp\filezillaftp\filezillaserver.exe <Not Verified; FileZilla Project; FileZilla Server>
    S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-05-17 and 2008-06-17 -----------------------------

    2008-06-17 17:23:11 0 d-------- C:\Program Files\Trend Micro
    2008-06-16 16:07:26 0 -rahs---- C:\MSDOS.SYS
    2008-06-16 16:07:26 0 -rahs---- C:\IO.SYS
    2008-06-16 15:53:56 0 d--h----- C:\$AVG8.VAULT$
    2008-06-16 15:50:40 74703 --a------ C:\Windows\system32\mfc45.dll
    2008-06-16 15:50:09 0 d-------- C:\Program Files\Lavasoft
    2008-06-16 15:50:08 0 d-------- C:\Users\All Users\Lavasoft
    2008-06-16 15:49:08 0 d-------- C:\Users\All Users\iolo
    2008-06-16 15:35:13 0 d-------- C:\Windows\system32\drivers\Avg
    2008-06-16 15:35:06 0 d-------- C:\Users\All Users\avg8
    2008-06-16 15:35:06 0 d-------- C:\Program Files\AVG
    2008-06-16 13:34:16 0 d-------- C:\Program Files\Registry Defender Platinum
    2008-06-16 13:10:06 86144 --a------ C:\Windows\system32\drivers\BrUsbMdmm.sys
    2008-06-16 13:09:59 0 d--hs---- C:\Windows\U2hhdW4
    2008-06-16 13:09:57 515 --a------ C:\Users\Shaun\315.bat
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\xc
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\pb109
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\dgi
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\3039a
    2008-06-16 13:09:55 52224 --a------ C:\Users\Shaun\csrss.exe
    2008-06-16 13:09:54 0 d-------- C:\Windows\system32\netrax05
    2008-06-16 13:09:54 0 d-------- C:\Temp
    2008-06-15 00:15:15 0 d-------- C:\Users\All Users\Ad Muncher
    2008-06-15 00:15:15 0 d-------- C:\Program Files\Ad Muncher
    2008-06-03 00:06:02 0 d-------- C:\Program Files\FileZilla FTP Client
    2008-06-02 23:21:13 0 d-------- C:\Users\Shaun\Web Server
    2008-06-02 23:10:04 0 d-------- C:\Program Files\PHP
    2008-06-02 23:03:02 0 d-------- C:\MySQL Datafiles
    2008-06-02 22:58:22 0 d-------- C:\Program Files\MySQL
    2008-06-02 22:33:20 0 d-------- C:\Program Files\Apache Software Foundation
    2008-06-01 09:13:14 0 d-------- C:\Program Files\SecondLife
    2008-05-23 22:11:09 0 d-------- C:\Users\All Users\NVIDIA
    2008-05-23 16:04:06 0 d-------- C:\Windows\nvidia icons
    2008-05-23 15:29:58 0 d-------- C:\Program Files\SystemRequirementsLab


    -- Find3M Report ---------------------------------------------------------------

    2008-06-17 17:23:53 0 d-------- C:\Program Files\Warcraft III
    2008-06-16 21:35:22 0 d-------- C:\Program Files\Trillian
    2008-06-16 17:46:31 0 d-------- C:\Program Files\World of Warcraft
    2008-06-16 17:40:53 0 d-------- C:\Program Files\Steam
    2008-06-16 15:49:36 0 d-------- C:\Users\Shaun\AppData\Roaming\iolo
    2008-06-16 15:49:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-16 13:07:03 0 d-------- C:\Users\Shaun\AppData\Roaming\Xfire
    2008-06-15 03:10:13 0 d-------- C:\Program Files\Windows Mail
    2008-06-14 22:46:13 0 d-------- C:\Program Files\Common Files\Steam
    2008-06-14 22:40:23 0 d---s---- C:\Program Files\Xfire
    2008-06-03 01:20:45 0 d-------- C:\Users\Shaun\AppData\Roaming\FileZilla
    2008-06-01 09:13:37 0 d-------- C:\Users\Shaun\AppData\Roaming\SecondLife
    2008-05-27 09:08:12 0 d-------- C:\Users\Shaun\AppData\Roaming\Adobe
    2008-05-23 15:59:45 0 d-------- C:\Users\Shaun\AppData\Roaming\SystemRequirementsLab
    2008-05-11 10:42:35 0 d-------- C:\Users\Shaun\AppData\Roaming\Vso
    2008-05-01 18:51:50 0 d-------- C:\Program Files\BitTorrent
    2008-05-01 12:10:33 0 d-------- C:\Users\Shaun\AppData\Roaming\BitTorrent
    2008-04-29 15:29:10 0 d-------- C:\Users\Shaun\AppData\Roaming\uTorrent
    2008-04-27 17:18:57 0 d-------- C:\Program Files\Microsoft Works
    2008-04-27 17:18:30 0 d-------- C:\Program Files\Common Files
    2008-04-27 17:18:05 0 d-------- C:\Program Files\Microsoft.NET
    2008-04-17 16:37:27 0 d-------- C:\Program Files\WC3Banlist
    2008-04-13 17:00:43 97395 --a------ C:\Windows\War3Unin.dat
    2008-04-12 17:01:52 2829 --a------ C:\Windows\War3Unin.pif
    2008-04-12 17:01:52 139264 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
    2008-04-10 16:41:23 2540 --a------ C:\Windows\unins000.dat
    2008-04-10 16:40:46 691545 --a------ C:\Windows\unins000.exe
    2008-03-25 17:52:49 73728 --a------ C:\Windows\system32\ElbyVCD.dll <Not Verified; Elaborate Bytes AG; Elaborate Bytes VirtualCloneDrive>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [08/15/2007 03:02 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
    "VirtualCloneDrive "= "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [04/29/2006 06:21 AM]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [05/02/2008 10:46 PM]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
    "Ad Muncher "= "C:\Program Files\Ad Muncher\AdMunch.exe" [06/15/2008 12:15 AM]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/16/2008 03:35 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 03:04 AM]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [11/02/2006 05:35 AM]
    "BitTorrent "= "C:\Program Files\BitTorrent\bittorrent.exe" []
    "Steam "= "c:\program files\steam\steam.exe" [04/09/2008 03:16 AM]
    "LSA Shellu "= "C:\Users\Shaun\lsass.exe" []

    C:\Users\Shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "=2 (0x2)
    "EnableLUA "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @= "IEEE 1394 Bus host controllers "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @= "SBP2 IEEE 1394 Devices "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @= "SecurityDevices "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{133e91f2-064e-11dc-ad93-806e6f6e6963}]
    AutoRun\command- D:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26113615-1d09-11dc-90bc-0019215aea8c}]
    AutoRun\command- pptview.exe /L "playlist.txt "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c31be55-061d-11dd-a2dd-0019215aea8c}]
    AutoRun\command- E:\autoplay.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8724 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-06-17 17:27:09 ------------



    Is this what you're looking for?
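A triage helper for the HijackThis log in the first post and the DSS file listing in this one, added here as an example (it is not part of the thread, of HijackThis or of DSS): it parses O4, O23 and "Files created" lines and flags a core process name outside its home directory, an executable dropped into a profile root, an orphaned unknown-owner service in the Windows root, and a hidden system directory created under C:\Windows. The rule set and the default install paths it assumes are this example's own.

```python
"""Red-flag triage for HijackThis O4/O23 lines and DSS "Files created" lines.

Added example for this thread: not part of HijackThis, DSS or the original
posts. The rules and the default install paths assumed below (C: as the system
drive) are this example's own, not an official ruleset.
"""
import ntpath
import re
from typing import List, Tuple

# Core Windows processes and the only directory each runs from on a default
# install. The same name anywhere else (here C:\Users\Shaun) is a masquerade.
EXPECTED_DIR = {
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
# Assumed expansions for the environment variables HijackThis leaves unexpanded.
ENV_DEFAULTS = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
                "%programfiles%": "c:\\program files"}
EXEC_EXT = (".exe", ".bat", ".com", ".dll", ".sys", ".scr")

O4_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# DSS file line: timestamp, size, attribute string (d/r/a/h/s), path.
DSS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\d+ +(?P<attr>[d-][rahs-]+) +(?P<cmd>.*)$")


def exe_path(cmd: str) -> str:
    """Lowercase path of the program named in a command line or file entry."""
    cmd = cmd.replace("(file missing)", "").strip().lower()
    for var, value in ENV_DEFAULTS.items():
        cmd = cmd.replace(var, value)
    if cmd.startswith('"'):               # quoted path, possibly followed by switches
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd)    # unquoted: cut at the first .exe
    return m.group(1) if m else cmd       # plain file entry: use as is


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) for every log line that trips one of the rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line) or O23_RE.match(line) or DSS_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        directory, base = ntpath.split(exe_path(fields["cmd"]))
        attr = fields.get("attr") or ""
        if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
            # Rule 1: core process name outside its home directory
            # (the thread's C:\Users\Shaun\lsass.exe and csrss.exe).
            findings.append(("system process name outside " + EXPECTED_DIR[base], line))
        elif base.endswith(EXEC_EXT) and re.match(r"^c:\\users\\[^\\]+$", directory):
            # Rule 2: executable dropped straight into a user profile root.
            findings.append(("executable in user profile root", line))
        elif (fields.get("owner") == "Unknown owner" and directory == "c:\\windows"
              and "(file missing)" in line):
            # Rule 3: vendor-less service whose binary sat directly in C:\Windows
            # and is already gone (C:\Windows\444.470.exe).
            findings.append(("orphaned unknown-owner service in Windows root", line))
        elif attr.startswith("d") and "h" in attr and "s" in attr and directory == "c:\\windows":
            # Rule 4: hidden+system directory created directly under C:\Windows.
            # The thread's U2hhdW4 is base64 for the user name "Shaun".
            findings.append(("hidden system directory created in Windows root", line))
    return findings


# Lines copied from the logs in this thread, plus benign ones so the rules can
# be seen not firing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Shaun\lsass.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
2008-06-16 15:50:40 74703 --a------ C:\Windows\system32\mfc45.dll
2008-06-16 13:09:59 0 d--hs---- C:\Windows\U2hhdW4
2008-06-16 13:09:57 515 --a------ C:\Users\Shaun\315.bat
2008-06-16 13:09:55 52224 --a------ C:\Users\Shaun\csrss.exe
""".strip().splitlines()

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```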
     
  5. 2008/06/17
    Shaun

    Is this what you're looking for?


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Users\Shaun\Desktop\Web Server\xampp\apache\bin\apache.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Users\Shaun\Desktop\Web Server\xampp\FileZillaFTP\FileZillaServer.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
    O23 - Service: mysql - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Users\Shaun\Web Server\xampp\service.exe (file missing)

    --
    End of file - 6237 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 VClone - c:\windows\system32\drivers\vclone.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
    R3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>

    S3 Xponaut_WBD (Xponaut WaveBridge Device (WDM)) - c:\windows\system32\drivers\xpntwbd.sys <Not Verified; Xponaut; Xponaut WaveBridge>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apache2.2 - "c:\users\shaun\desktop\web server\xampp\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
    R2 mysql - "c:\users\shaun\desktop\web server\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=c:\users\shaun\desktop\web server\xampp\mysql\bin\my.cnf" mysql

    S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\444.470 service (file missing)
    S2 XAMPP (XAMPP Service) - c:\users\shaun\web server\xampp\service.exe (file missing)
    S3 FileZilla Server (FileZilla Server FTP server) - c:\users\shaun\desktop\web server\xampp\filezillaftp\filezillaserver.exe <Not Verified; FileZilla Project; FileZilla Server>
    S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-05-17 and 2008-06-17 -----------------------------

    2008-06-17 17:23:11 0 d-------- C:\Program Files\Trend Micro
    2008-06-16 16:07:26 0 -rahs---- C:\MSDOS.SYS
    2008-06-16 16:07:26 0 -rahs---- C:\IO.SYS
    2008-06-16 15:53:56 0 d--h----- C:\$AVG8.VAULT$
    2008-06-16 15:50:40 74703 --a------ C:\Windows\system32\mfc45.dll
    2008-06-16 15:50:09 0 d-------- C:\Program Files\Lavasoft
    2008-06-16 15:50:08 0 d-------- C:\Users\All Users\Lavasoft
    2008-06-16 15:49:08 0 d-------- C:\Users\All Users\iolo
    2008-06-16 15:35:13 0 d-------- C:\Windows\system32\drivers\Avg
    2008-06-16 15:35:06 0 d-------- C:\Users\All Users\avg8
    2008-06-16 15:35:06 0 d-------- C:\Program Files\AVG
    2008-06-16 13:34:16 0 d-------- C:\Program Files\Registry Defender Platinum
    2008-06-16 13:10:06 86144 --a------ C:\Windows\system32\drivers\BrUsbMdmm.sys
    2008-06-16 13:09:59 0 d--hs---- C:\Windows\U2hhdW4
    2008-06-16 13:09:57 515 --a------ C:\Users\Shaun\315.bat
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\xc
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\pb109
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\dgi
    2008-06-16 13:09:56 0 d-------- C:\Windows\system32\3039a
    2008-06-16 13:09:55 52224 --a------ C:\Users\Shaun\csrss.exe
    2008-06-16 13:09:54 0 d-------- C:\Windows\system32\netrax05
    2008-06-16 13:09:54 0 d-------- C:\Temp
    2008-06-15 00:15:15 0 d-------- C:\Users\All Users\Ad Muncher
    2008-06-15 00:15:15 0 d-------- C:\Program Files\Ad Muncher
    2008-06-03 00:06:02 0 d-------- C:\Program Files\FileZilla FTP Client
    2008-06-02 23:21:13 0 d-------- C:\Users\Shaun\Web Server
    2008-06-02 23:10:04 0 d-------- C:\Program Files\PHP
    2008-06-02 23:03:02 0 d-------- C:\MySQL Datafiles
    2008-06-02 22:58:22 0 d-------- C:\Program Files\MySQL
    2008-06-02 22:33:20 0 d-------- C:\Program Files\Apache Software Foundation
    2008-06-01 09:13:14 0 d-------- C:\Program Files\SecondLife
    2008-05-23 22:11:09 0 d-------- C:\Users\All Users\NVIDIA
    2008-05-23 16:04:06 0 d-------- C:\Windows\nvidia icons
    2008-05-23 15:29:58 0 d-------- C:\Program Files\SystemRequirementsLab


    -- Find3M Report ---------------------------------------------------------------

    2008-06-17 17:23:53 0 d-------- C:\Program Files\Warcraft III
    2008-06-16 21:35:22 0 d-------- C:\Program Files\Trillian
    2008-06-16 17:46:31 0 d-------- C:\Program Files\World of Warcraft
    2008-06-16 17:40:53 0 d-------- C:\Program Files\Steam
    2008-06-16 15:49:36 0 d-------- C:\Users\Shaun\AppData\Roaming\iolo
    2008-06-16 15:49:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-16 13:07:03 0 d-------- C:\Users\Shaun\AppData\Roaming\Xfire
    2008-06-15 03:10:13 0 d-------- C:\Program Files\Windows Mail
    2008-06-14 22:46:13 0 d-------- C:\Program Files\Common Files\Steam
    2008-06-14 22:40:23 0 d---s---- C:\Program Files\Xfire
    2008-06-03 01:20:45 0 d-------- C:\Users\Shaun\AppData\Roaming\FileZilla
    2008-06-01 09:13:37 0 d-------- C:\Users\Shaun\AppData\Roaming\SecondLife
    2008-05-27 09:08:12 0 d-------- C:\Users\Shaun\AppData\Roaming\Adobe
    2008-05-23 15:59:45 0 d-------- C:\Users\Shaun\AppData\Roaming\SystemRequirementsLab
    2008-05-11 10:42:35 0 d-------- C:\Users\Shaun\AppData\Roaming\Vso
    2008-05-01 18:51:50 0 d-------- C:\Program Files\BitTorrent
    2008-05-01 12:10:33 0 d-------- C:\Users\Shaun\AppData\Roaming\BitTorrent
    2008-04-29 15:29:10 0 d-------- C:\Users\Shaun\AppData\Roaming\uTorrent
    2008-04-27 17:18:57 0 d-------- C:\Program Files\Microsoft Works
    2008-04-27 17:18:30 0 d-------- C:\Program Files\Common Files
    2008-04-27 17:18:05 0 d-------- C:\Program Files\Microsoft.NET
    2008-04-17 16:37:27 0 d-------- C:\Program Files\WC3Banlist
    2008-04-13 17:00:43 97395 --a------ C:\Windows\War3Unin.dat
    2008-04-12 17:01:52 2829 --a------ C:\Windows\War3Unin.pif
    2008-04-12 17:01:52 139264 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
    2008-04-10 16:41:23 2540 --a------ C:\Windows\unins000.dat
    2008-04-10 16:40:46 691545 --a------ C:\Windows\unins000.exe
    2008-03-25 17:52:49 73728 --a------ C:\Windows\system32\ElbyVCD.dll <Not Verified; Elaborate Bytes AG; Elaborate Bytes VirtualCloneDrive>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [08/15/2007 03:02 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
    "VirtualCloneDrive "= "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [04/29/2006 06:21 AM]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [05/02/2008 10:46 PM]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
    "Ad Muncher "= "C:\Program Files\Ad Muncher\AdMunch.exe" [06/15/2008 12:15 AM]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/16/2008 03:35 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 03:04 AM]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [11/02/2006 05:35 AM]
    "BitTorrent "= "C:\Program Files\BitTorrent\bittorrent.exe" []
    "Steam "= "c:\program files\steam\steam.exe" [04/09/2008 03:16 AM]
    "LSA Shellu "= "C:\Users\Shaun\lsass.exe" []

    C:\Users\Shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "=2 (0x2)
    "EnableLUA "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @= "IEEE 1394 Bus host controllers "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @= "SBP2 IEEE 1394 Devices "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @= "SecurityDevices "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{133e91f2-064e-11dc-ad93-806e6f6e6963}]
    AutoRun\command- D:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26113615-1d09-11dc-90bc-0019215aea8c}]
    AutoRun\command- pptview.exe /L "playlist.txt "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c31be55-061d-11dd-a2dd-0019215aea8c}]
    AutoRun\command- E:\autoplay.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8724 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-06-17 17:27:09 ------------

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft® Windows Vista™ Home Premium (build 6000)
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
    Percentage of Memory in Use: 58%
    Physical Memory (total/avail): 2045.88 MiB / 844.63 MiB
    Pagefile Memory (total/avail): 4311.09 MiB / 2677.3 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1900.05 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 465.76 GiB total, 244.71 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM (CDFS)
    G: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - Maxtor 7H500F0 ATA Device - 465.76 GiB - 1 partition
    Status: Pred Fail
    StatusInfo:
    \PARTITION0 (bootable) - Installable File System - 465.76 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
    AS: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled
    AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe "= "C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent "


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\Shaun\AppData\Roaming
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=SHAUN-PC
    ComSpec=C:\Windows\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Users\Shaun
    LOCALAPPDATA=C:\Users\Shaun\AppData\Local
    LOGONSERVER=\\SHAUN-PC
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=6b01
    ProgramData=C:\ProgramData
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    PUBLIC=C:\Users\Public
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\Windows
    TEMP=C:\Users\Shaun\AppData\Local\Temp
    TMP=C:\Users\Shaun\AppData\Local\Temp
    USERDOMAIN=Shaun-PC
    USERNAME=Shaun
    USERPROFILE=C:\Users\Shaun
    windir=C:\Windows


    -- User Profiles ---------------------------------------------------------------

    Shaun (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
    Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Ad Muncher v4.72 Build 30400 --> "C:\Program Files\Ad Muncher\AM-Install.exe" /P "InstallerAction=Uninstall" /P "InstallTarget=C:\Program Files\Ad Muncher "
    Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
    Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
    Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{685A56F8-75B6-44AD-B3DA-FB0A3266B47C}
    Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
    Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
    AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    ConvertXtoDVD 2.2.1.253 --> "C:\Program Files\VSO\ConvertXtoDVD\unins000.exe "
    Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
    Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
    Diablo II --> C:\Windows\DIIUnin.exe C:\Windows\DIIUnin.dat
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    FasterPing --> rundll32.exe dfshim.dll,ShArpMaintain FasterPing.application, Culture=neutral, PublicKeyToken=70e7d13bb83f253e, processorArchitecture=msil
    FileZilla Client 3.0.10 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
    Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
    Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
    Half-Life Dedicated Server Update Tool --> C:\PROGRA~1\Valve\HLServer\UNWISE.EXE C:\PROGRA~1\Valve\HLServer\INSTALL.LOG
    J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
    K-Lite Mega Codec Pack 2.1.0 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe "
    LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe "
    Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
    Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
    SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P= "SecondLife "
    Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
    Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
    Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
    Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
    Source Dedicated Server --> "C:\Program Files\Steam\steam.exe" steam://uninstall/205
    SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe "
    Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe "
    Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
    System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
    Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
    Unreal Tournament 2004 --> C:\UT2004\System\Setup.exe uninstall "UT2004 "
    Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
    Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
    Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
    VirtualCloneDrive --> "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D= "C:\Program Files\Elaborate Bytes\VirtualCloneDrive "
    Warcraft III --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
    Warcraft III: All Products --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
    WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe "
    Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
    WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe "
    WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
    WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil
    XAMPP 1.6.6a --> "C:\Users\Shaun\Desktop\Web Server\xampp\uninstall.exe "
    Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe "


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type45419 / Error
    Event Submitted/Written: 06/17/2008 02:00:46 AM
    Event ID/Source: 8194 / VSS
    Event Description:
    Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
    This is often caused by incorrect security settings in either the writer or requestor process.


    Operation:
    Gathering Writer Data

    Context:
    Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
    Writer Name: System Writer
    Writer Instance ID: {92e78fc0-7167-4e06-9cd4-4c2a189cdb32}

    Event Record #/Type45401 / Error
    Event Submitted/Written: 06/16/2008 05:41:18 PM
    Event ID/Source: 11 / Microsoft-Windows-CAPI2
    Event Description:
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

    Event Record #/Type45397 / Success
    Event Submitted/Written: 06/16/2008 05:40:50 PM
    Event ID/Source: 5617 / WinMgmt
    Event Description:


    Event Record #/Type45395 / Success
    Event Submitted/Written: 06/16/2008 05:40:45 PM
    Event ID/Source: 5615 / WinMgmt
    Event Description:


    Event Record #/Type45394 / Success
    Event Submitted/Written: 06/16/2008 05:40:20 PM
    Event ID/Source: 902 / Software Licensing Service
    Event Description:
    The Software Licensing service has started.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type51665 / Error
    Event Submitted/Written: 06/17/2008 05:24:40 PM
    Event ID/Source: 10016 / DCOM
    Event Description:
    machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}Shaun-PCShaunS-1-5-21-1199825368-32970646-4135343034-1000LocalHost (Using LRPC)

    Event Record #/Type51664 / Error
    Event Submitted/Written: 06/17/2008 05:24:39 PM
    Event ID/Source: 10016 / DCOM
    Event Description:
    machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}Shaun-PCShaunS-1-5-21-1199825368-32970646-4135343034-1000LocalHost (Using LRPC)

    Event Record #/Type51660 / Error
    Event Submitted/Written: 06/17/2008 04:35:40 PM
    Event ID/Source: 10016 / DCOM
    Event Description:
    machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}Shaun-PCShaunS-1-5-21-1199825368-32970646-4135343034-1000LocalHost (Using LRPC)

    Event Record #/Type51659 / Error
    Event Submitted/Written: 06/17/2008 04:35:38 PM
    Event ID/Source: 10016 / DCOM
    Event Description:
    machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}Shaun-PCShaunS-1-5-21-1199825368-32970646-4135343034-1000LocalHost (Using LRPC)

    Event Record #/Type51658 / Error
    Event Submitted/Written: 06/17/2008 04:35:32 PM
    Event ID/Source: 10016 / DCOM
    Event Description:
    machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}Shaun-PCShaunS-1-5-21-1199825368-32970646-4135343034-1000LocalHost (Using LRPC)



    -- End of Deckard's System Scanner: finished at 2008-06-17 17:27:09 ------------
     
  6. 2008/06/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Shaun

    Please do this. Make sure you follow the Vista instructions.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the combofix log

    Thanks
    Geri
     
    Geri,
    #5
  7. 2008/06/18
    Shaun

    Shaun Inactive Thread Starter

    Joined:
    2008/06/16
    Messages:
    4
    Likes Received:
    0
    Thanks Geri.


    As requested, here is the combofix
    ComboFix 08-06-16.5 - Shaun 2008-06-18 15:59:19.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1204 [GMT -7:00]
    Running from: C:\Users\Shaun\Desktop\Downloads\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\Users\Shaun\AppData\Roaming\inst.exe
    C:\Windows\megavid.cdt
    C:\Windows\muotr.so
    C:\Windows\system32\MSINET.oca
    C:\Windows\system32\pac.txt
    C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_MsSecurity1.209.4


    ((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-18 23:07 --------- d-----w C:\Program Files\Steam
    2008-06-18 23:04 --------- d-----w C:\Program Files\Trillian
    2008-06-18 22:18 --------- d-----w C:\Program Files\Warcraft III
    2008-06-18 08:01 --------- d-----w C:\Users\Shaun\AppData\Roaming\Xfire
    2008-06-18 00:23 --------- d-----w C:\Program Files\Trend Micro
    2008-06-17 00:46 --------- d-----w C:\Program Files\World of Warcraft
    2008-06-17 00:39 --------- d-----w C:\Program Files\Registry Defender Platinum
    2008-06-16 22:52 --------- d-----w C:\ProgramData\Lavasoft
    2008-06-16 22:52 --------- d-----w C:\ProgramData\iolo
    2008-06-16 22:50 --------- d-----w C:\Program Files\Lavasoft
    2008-06-16 22:49 --------- d-----w C:\Users\Shaun\AppData\Roaming\iolo
    2008-06-16 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-16 22:41 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-06-16 22:35 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
    2008-06-16 22:35 67,080 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
    2008-06-16 22:35 --------- d-----w C:\ProgramData\avg8
    2008-06-16 22:35 --------- d-----w C:\Program Files\AVG
    2008-06-16 20:10 86,144 ----a-w C:\Windows\system32\drivers\BrUsbMdmm.sys
    2008-06-16 20:10 167,976 ------w C:\Windows\system32\drivers\core.cache.dsk
    2008-06-16 20:09 515 ----a-w C:\Users\Shaun\315.bat
    2008-06-15 10:10 --------- d-----w C:\Program Files\Windows Mail
    2008-06-15 07:15 --------- d-----w C:\ProgramData\Ad Muncher
    2008-06-15 07:15 --------- d-----w C:\Program Files\Ad Muncher
    2008-06-15 05:46 --------- d-----w C:\Program Files\Common Files\Steam
    2008-06-15 05:40 --------- d-s---w C:\Program Files\Xfire
    2008-06-15 05:40 --------- d-----w C:\ProgramData\Xfire
    2008-06-03 08:20 --------- d-----w C:\Users\Shaun\AppData\Roaming\FileZilla
    2008-06-03 07:06 --------- d-----w C:\Program Files\FileZilla FTP Client
    2008-06-03 06:20 --------- d-----w C:\Program Files\PHP
    2008-06-03 06:08 --------- d-----w C:\Program Files\MySQL
    2008-06-03 05:33 --------- d-----w C:\Program Files\Apache Software Foundation
    2008-06-01 16:13 --------- d-----w C:\Users\Shaun\AppData\Roaming\SecondLife
    2008-06-01 16:13 --------- d-----w C:\Program Files\SecondLife
    2008-05-24 05:11 --------- d-----w C:\ProgramData\NVIDIA
    2008-05-23 22:59 --------- d-----w C:\Users\Shaun\AppData\Roaming\SystemRequirementsLab
    2008-05-23 22:59 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-05-15 10:03 --------- d-----w C:\ProgramData\Microsoft Help
    2008-05-11 17:42 --------- d-----w C:\Users\Shaun\AppData\Roaming\Vso
    2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
    2008-05-03 05:46 7,460,320 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
    2008-05-02 01:51 --------- d-----w C:\Program Files\BitTorrent
    2008-05-01 19:10 --------- d-----w C:\Users\Shaun\AppData\Roaming\BitTorrent
    2008-04-29 22:29 --------- d-----w C:\Users\Shaun\AppData\Roaming\uTorrent
    2008-04-29 18:20 15,648 ----a-w C:\Windows\system32\drivers\NSDriver.sys
    2008-04-29 18:19 15,648 ----a-w C:\Windows\system32\drivers\Awrtrd.sys
    2008-04-29 18:19 12,960 ----a-w C:\Windows\system32\drivers\Awrtpd.sys
    2008-04-28 00:18 --------- d-----w C:\Program Files\Microsoft.NET
    2008-04-28 00:18 --------- d-----w C:\Program Files\Microsoft Works
    2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-04-13 00:01 2,829 ----a-w C:\Windows\War3Unin.pif
    2008-04-13 00:01 139,264 ----a-w C:\Windows\War3Unin.exe
    2008-04-10 23:40 691,545 ----a-w C:\Windows\unins000.exe
    2007-08-30 10:12 174 --sha-w C:\Program Files\desktop.ini
    2007-05-28 22:46 47,360 ----a-w C:\Users\Shaun\AppData\Roaming\pcouffin.sys
    2008-01-03 09:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-01-03 09:46 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-01-03 09:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    2008-01-19 05:11 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-01-19 05:11 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-01-19 05:11 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 03:04 1232896]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]
    "BitTorrent "= "C:\Program Files\BitTorrent\bittorrent.exe" [ ]
    "Steam "= "c:\program files\steam\steam.exe" [2008-04-09 03:16 1271032]
    "LSA Shellu "= "C:\Users\Shaun\lsass.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "VirtualCloneDrive "= "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 06:21 94208]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
    "Ad Muncher "= "C:\Program Files\Ad Muncher\AdMunch.exe" [2008-06-15 00:15 779776]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-16 15:35 1177368]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12 "= yv12vfw.dll
    "VIDC.XFR1 "= xfcodec.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{88FDC8D5-3E2B-4807-BA76-9496B0299242}C:\\program files\\world of warcraft\\wow-2.0.3-enus-downloader.exe "= UDP:C:\program files\world of warcraft\wow-2.0.3-enus-downloader.exe:Blizzard Downloader
    "UDP Query User{1ECF8D1F-19E7-46E7-B9AE-C94DD7752AE1}C:\\program files\\world of warcraft\\wow-2.0.3-enus-downloader.exe "= TCP:C:\program files\world of warcraft\wow-2.0.3-enus-downloader.exe:Blizzard Downloader
    "TCP Query User{4B9343B1-69EA-415A-B593-C295840440C2}C:\\program files\\xfire\\xfire.exe "= UDP:C:\program files\xfire\xfire.exe:Xfire
    "UDP Query User{CAA8E744-6292-4FB8-B937-3ADF87187ED3}C:\\program files\\xfire\\xfire.exe "= TCP:C:\program files\xfire\xfire.exe:Xfire
    "TCP Query User{0DC2DB81-AA32-4A37-8EF9-A4E24F41AE4E}C:\\program files\\world of warcraft\\wow-2.0.3.6299-to-2.0.12.6546-enus-downloader.exe "= UDP:C:\program files\world of warcraft\wow-2.0.3.6299-to-2.0.12.6546-enus-downloader.exe:Blizzard Downloader
    "UDP Query User{CE52D231-C361-466F-99DC-CDEC9DFE1315}C:\\program files\\world of warcraft\\wow-2.0.3.6299-to-2.0.12.6546-enus-downloader.exe "= TCP:C:\program files\world of warcraft\wow-2.0.3.6299-to-2.0.12.6546-enus-downloader.exe:Blizzard Downloader
    "TCP Query User{B1F11D83-9115-4087-AB2A-E9267EE8E454}C:\\users\\shaun\\desktop\\wow-burningcrusade-enus-installer-downloader.exe "= UDP:C:\users\shaun\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
    "UDP Query User{CCBF98E9-57FA-4929-9334-32501C2276B6}C:\\users\\shaun\\desktop\\wow-burningcrusade-enus-installer-downloader.exe "= TCP:C:\users\shaun\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
    "TCP Query User{0D4CE6D4-770A-480B-B97C-8C479D9492DC}C:\\users\\shaun\\desktop\\downloads\\wow-burningcrusade-enus-installer-downloader.exe "= UDP:C:\users\shaun\desktop\downloads\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
    "UDP Query User{BD427F1C-211D-4BF1-AD96-D1B5926341BC}C:\\users\\shaun\\desktop\\downloads\\wow-burningcrusade-enus-installer-downloader.exe "= TCP:C:\users\shaun\desktop\downloads\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
    "TCP Query User{ABFB3F28-E3A7-424F-B567-0D10836505B6}C:\\program files\\steam\\steamapps\\sporter38@juno.com\\counter-strike source\\hl2.exe "= UDP:C:\program files\steam\steamapps\sporter38@juno.com\counter-strike source\hl2.exe:hl2
    "UDP Query User{2E533667-83DA-47C4-B81A-5D001BEFE84C}C:\\program files\\steam\\steamapps\\sporter38@juno.com\\counter-strike source\\hl2.exe "= TCP:C:\program files\steam\steamapps\sporter38@juno.com\counter-strike source\hl2.exe:hl2
    "TCP Query User{508486E7-46BD-47AF-9909-769019CEB133}C:\\program files\\xfire\\xfire.exe "= UDP:C:\program files\xfire\xfire.exe:Xfire
    "UDP Query User{6685658A-165A-45BD-B98B-1E2F77E8B2B3}C:\\program files\\xfire\\xfire.exe "= TCP:C:\program files\xfire\xfire.exe:Xfire
    "{9802E723-8B39-492E-8A77-9B5F2A7B6052} "= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{999E8A2C-76D8-4D71-A909-042B7318A4C8} "= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "TCP Query User{571CD1BF-F7F4-4570-AC98-7743DCAA8E81}C:\\program files\\bittorrent\\bittorrent.exe "= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
    "UDP Query User{D9448F9E-8E87-47B1-AAB1-177B49BCDA98}C:\\program files\\bittorrent\\bittorrent.exe "= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
    "{E6C1F602-1C6D-4ED1-9AD6-CF4194E14C7E} "= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
    "{A4AAB57C-EC8C-4B61-9EE6-B5728D46B069} "= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
    "TCP Query User{6A30B197-D151-4DC8-83BF-2AC48FAB80F8}C:\\program files\\steam\\steam.exe "= UDP:C:\program files\steam\steam.exe:Steam
    "UDP Query User{4B6A3CE2-1600-409F-9BB8-45858E956DDC}C:\\program files\\steam\\steam.exe "= TCP:C:\program files\steam\steam.exe:Steam
    "{F7D10862-CA76-4B14-958F-B8BFAFFB36C2} "= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{5719D68E-BE8F-4B7D-8770-C405BC9262D5} "= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{A4E75D71-27C7-42A1-A259-55C0E3C9834E} "= UDP:C:\UT2004\System\UT2004.exe:UT2004
    "{34D85EEA-F66A-4C3C-A7DD-636B36159273} "= TCP:C:\UT2004\System\UT2004.exe:UT2004
    "{92FFB598-18AF-491C-9B3E-D14942F2CDF2} "= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{EF55F9A7-3C8A-43DC-82D2-661FEB15F521} "= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{D3FAEFDA-7836-46F2-BD00-CED3158BF503} "= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{45E67C49-5BA8-4C1E-83A4-9FC48292E628} "= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{67F041C6-38EE-4FE1-AA91-715F24153095} "= UDP:3306:MySQL Server
    "{758F93E3-86C1-43AD-ABEF-32B60810F112} "= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{79CBC79D-CCBB-4D5F-835A-50EB872AB6EB} "= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
    "TCP Query User{11CFB2A3-79BD-4DA3-BE96-161B48F096F6}C:\\program files\\warcraft iii\\war3.exe "= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
    "UDP Query User{F27A2B5F-6BDD-4BF9-8248-163D1E762B14}C:\\program files\\warcraft iii\\war3.exe "= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
    "TCP Query User{83A170CE-FEA5-4583-B1B0-B4F5A7273AC2}C:\\program files\\trillian\\trillian.exe "= UDP:C:\program files\trillian\trillian.exe:Trillian
    "UDP Query User{1E11C806-2EB8-45D8-805A-0111E29CA847}C:\\program files\\trillian\\trillian.exe "= TCP:C:\program files\trillian\trillian.exe:Trillian

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1 "= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe "= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-16 15:35]
    R2 Apache2.2;Apache2.2; "C:\Users\Shaun\Desktop\Web Server\xampp\apache\bin\apache.exe" -k runservice []
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-16 15:35]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-16 15:35]
    R3 AGR1310_60;Agere Systems ET-13xx PCI-E Ethernet Adapter Vista Driver;C:\Windows\system32\DRIVERS\AGR1310_60.sys [2007-01-19 10:41]
    R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-16 15:35]
    R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-14 22:42]
    S2 XAMPP;XAMPP Service;C:\Users\Shaun\Web Server\xampp\service.exe []
    S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2005-08-02 14:10]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{133e91f2-064e-11dc-ad93-806e6f6e6963}]
    \shell\AutoRun\command - D:\autoplay.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26113615-1d09-11dc-90bc-0019215aea8c}]
    \shell\AutoRun\command - pptview.exe /L "playlist.txt "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c31be55-061d-11dd-a2dd-0019215aea8c}]
    \shell\AutoRun\command - E:\autoplay.exe

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-18 16:07:11
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Windows\System32\nvvsvc.exe
    C:\Windows\System32\audiodg.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\mysqld-nt.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-18 16:17:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-18 23:16:29

    The system cannot find message text for message number 0x2379 in the message file for Application.
    The system cannot find message text for message number 0x2379 in the message file for Application.

    201 --- E O F --- 2008-06-17 18:25:48





    Logfile of HijackThis v1.99.1
    Scan saved at 5:10:05 PM, on 6/18/2008
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16681)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Windows\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Shaun\lsass.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: WinMySQLadmin.lnk = Shaun\Web Server\xampp\mysql\bin\winmysqladmin.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2.2 - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Users\Shaun\Desktop\Web Server\xampp\FileZillaFTP\FileZillaServer.exe
    O23 - Service: mysql - Unknown owner - C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Users\Shaun\Desktop\Web Server\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Users\Shaun\Web Server\xampp\service.exe (file missing)
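    Added example, not part of Shaun's or Geri's posts and not a feature of ComboFix or HijackThis: a small Python script that parses the O4 (autostart) lines of a HijackThis log like the one above and lists the entries a reviewer should look at first, namely an image whose filename matches a core Windows binary but which does not live under the Windows directory, or an autostart image sitting inside a user profile. The sample lines are copied from the log above; the list of system binary names and the drive-root prefixes are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O4 lines copied from the log posted above (sample input for this example).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent',
    r'O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Shaun\lsass.exe',
    r'O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p',
]

# Core Windows binaries that legitimately live only under %SystemRoot%.
# Assumed list for this example; extend it for your own environment.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe",
}
# Assumed locations (single-drive Vista layout, as in the log above).
WINDOWS_ROOT = "c:\\windows\\"
USER_PROFILE_ROOT = "c:\\users\\"

# O4 Run/RunOnce line: "O4 - HKCU\..\Run: [Name] <command line>"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First program token of an unquoted command line, up to a known executable extension.
IMAGE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|pif))(?:\s|,|$)", re.IGNORECASE)


def image_path(command):
    """Return the program path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group("path") if m else command.split(" ", 1)[0]


def parse_o4_run(line):
    """Parse one O4 Run/RunOnce line into a dict, or None for other line types."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "path": image_path(m.group("cmd")),
    }


def audit_entry(entry):
    """Return the reasons an autostart entry deserves a human look (empty if none)."""
    low = entry["path"].lower()
    base = PureWindowsPath(low).name
    reasons = []
    # Location checks need an absolute path; bare names such as RUNDLL32.EXE are
    # resolved through the system search path and are not judged here.
    if len(low) > 2 and low[1] == ":":
        if base in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_ROOT):
            reasons.append("system-binary name outside %SystemRoot%")
        if low.startswith(USER_PROFILE_ROOT):
            reasons.append("autostart image inside a user profile")
    return reasons


def audit_o4(lines):
    """Parse all O4 Run lines and return the entries that were flagged, with reasons."""
    findings = []
    for line in lines:
        entry = parse_o4_run(line)
        if entry is None:
            continue
        reasons = audit_entry(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_o4(SAMPLE_O4_LINES):
        print(f'{f["hive"]}\\..\\{f["key"]} [{f["name"]}] {f["path"]}: {"; ".join(f["reasons"])}')
```

    Run against the sample lines, only the "LSA Shellu" entry comes back, for both reasons: lsass.exe is a name that belongs in System32, and nothing under C:\Users should normally be registered in a Run key. The script makes no verdict on its own; it only orders the list for the person reading the log.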
     
  8. 2008/06/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Shaun
    I see you have P2P software (LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.


    Now do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\Windows\system32\drivers\BrUsbMdmm.sys
    C:\Windows\system32\drivers\core.cache.dsk
    C:\Users\Shaun\315.bat 
    Please post the combofix log.

    Let me know if you removed the P2P programs.

    Thanks
    Geri
     
    Geri,
    #7
