DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   Windows Vista, AVG I-Worm/Nuwar.U (http://www.daniweb.com/forums/thread136621.html)

ajv717 Jul 25th, 2008 1:32 am
Windows Vista, AVG I-Worm/Nuwar.U
 
So I have recently been getting a popup from AVG saying that an infected file has been detected. When I check the virus vault it shows two file labled I-Worm/Nuwar.U, I have tried healing the files but no luck. Windows firewall has also been dectecting a virus.

here are the listed logs as requested.

Malwarebytes -

Malwarebytes' Anti-Malware 1.23
Database version: 987
Windows 6.0.6001 Service Pack 1

4:50:33 PM 7/24/2008
mbam-log-7-24-2008 (16-50-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 112596
Time elapsed: 38 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





DSS -
Main-

Deckard's System Scanner v20071014.68
Run by AnthonynBre on 2008-07-24 17:43:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
7: 2008-07-24 16:27:52 UTC - RP381 - Scheduled Checkpoint
6: 2008-07-23 15:19:34 UTC - RP380 - Scheduled Checkpoint
5: 2008-07-23 02:38:48 UTC - RP379 - Windows Update
4: 2008-07-22 15:58:57 UTC - RP378 - Removed LEGO® Indiana Jones™ Demo
3: 2008-07-22 15:14:00 UTC - RP376 - Installed LEGO® Indiana Jones™ Demo


-- First Restore Point --
1: 2008-07-22 14:12:01 UTC - RP373 - Removed Microsoft Office Home and Student 2007


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as AnthonynBre.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:44 PM, on 7/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\AnthonynBre\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AnthonynBre.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKLM\..\Policies\Explorer\Run: [IpcwZdhOzZ] C:\ProgramData\hchefwvk\rutonsfy.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: .security
O4 - Global Startup: .security
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O21 - SSODL: AppProcSmart - {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll
O21 - SSODL: DscSmartSrv - {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

--
End of file - 7725 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - \??\c:\windows\system32\anio.sys
R3 ROOTUSB (Airlink101 MFP Server USB Root Driver) - c:\windows\system32\drivers\rootusb.sys
R3 vusbbus (ZOT BUS DRIVER) - c:\windows\system32\drivers\vusbbus.sys

S3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&33FD14CA&0
Manufacturer: Logitech
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&33FD14CA&0
Service: i8042prt


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 17:44:32 0 d-------- C:\Program Files\Trend Micro
2008-07-24 16:55:38 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-24 14:34:47 0 d-------- C:\Program Files\fnbyyff
2008-07-24 14:34:38 110080 --a------ C:\Windows\system32\cxgpmhqj.exe
2008-07-24 11:51:32 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-24 11:51:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 09:54:08 0 dr-h----- C:\$VAULT$.AVG
2008-07-24 09:54:04 0 d-------- C:\Program Files\ouemijb
2008-07-24 09:54:01 0 d-------- C:\Users\All Users\hchefwvk
2008-07-19 21:59:03 0 d-------- C:\My Games
2008-07-17 11:54:37 0 d-------- C:\Program Files\iPod
2008-07-17 11:54:35 0 d-------- C:\Program Files\iTunes
2008-07-17 11:53:06 0 d-------- C:\Program Files\QuickTime
2008-07-15 09:52:53 0 d-------- C:\Windows\system32\AGEIA
2008-07-15 09:52:53 0 d-------- C:\Program Files\AGEIA Technologies
2008-07-15 09:52:29 0 d-------- C:\Users\All Users\THQ
2008-07-12 23:35:42 0 d-------- C:\Program Files\Ventrilo
2008-07-12 23:34:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 06:54:34 0 d-------- C:\Users\All Users\NexonUS
2008-07-01 06:41:11 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-07-01 06:41:11 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-07-01 06:41:11 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-07-24 14:02:38 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\LimeWire
2008-07-24 11:51:35 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\Malwarebytes
2008-07-24 10:44:01 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\AVG7
2008-07-22 18:22:23 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\Mozilla
2008-07-22 08:59:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-22 07:14:32 0 d-------- C:\Program Files\Microsoft Works
2008-07-19 21:59:50 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\iWin
2008-07-15 09:42:55 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\IGN_DLM
2008-07-12 23:41:00 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\Ventrilo
2008-07-12 23:34:24 0 d-------- C:\Program Files\Common Files
2008-07-09 22:02:40 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\Thunderbird
2008-07-09 16:06:03 0 d-------- C:\Program Files\Java
2008-07-08 21:56:14 0 d-------- C:\Program Files\Windows Mail
2008-06-24 07:33:08 0 d-------- C:\Program Files\LimeWire
2008-06-17 19:52:42 0 d-------- C:\Users\AnthonynBre\AppData\Roaming\WinRAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 12:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [06/20/2007 01:56 AM C:\Windows\RtHDVCpl.exe]
"PCMMediaSharing"="C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [06/21/2007 06:33 PM]
"SiSTray"="C:\Program Files\SiS VGA Utilities\SiSTray.exe" [06/05/2007 04:07 AM]
"eRecoveryService"="" []
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" [10/15/2007 01:43 PM]
"Acer Assist Launcher"="C:\Program Files\Acer Assist\launcher.exe" [02/02/2007 11:05 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 02:17 AM C:\Windows\KHALMNPR.Exe]
"Airlink101 Airlink101 WLAN Monitor"="C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [06/18/2007 02:30 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 09:45 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 10:46 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 12:33 AM]
"Acer Tour Reminder"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 12:33 AM]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [03/05/2007 02:57 PM]

C:\Users\AnthonynBre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
.security [7/24/2008 11:21:49 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
.security [7/24/2008 11:21:49 AM]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [9/13/2007 8:38:32 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [4/3/2008 8:45:32 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"IpcwZdhOzZ"=C:\ProgramData\hchefwvk\rutonsfy.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppProcSmart"= {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll [07/24/2008 09:54 AM 102400]
"DscSmartSrv"= {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll [07/24/2008 02:34 PM 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 04/12/2008 10:45 PM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-24 17:46:46 ------------

Extra -

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 2046.83 MiB / 1123.16 MiB
Pagefile Memory (total/avail): 4338.95 MiB / 3089.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1895.35 MiB

C: is Fixed (NTFS) - 111.69 GiB total, 63.91 GiB free.
D: is Fixed (NTFS) - 111.43 GiB total, 111.09 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250310AS ATA Device - 232.88 GiB - 3 partitions
\PARTITION0 - Unknown - 9.76 GiB
\PARTITION1 (bootable) - MS-DOS V4 Huge - 111.69 GiB - C:
\PARTITION2 - Installable File System - 111.43 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe:*:Enabled:encryption"
"C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe:*:Enabled:decryption"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Combat Arms\\CombatArms.exe"="C:\\Program Files\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\\Program Files\\Combat Arms\\Engine.exe"="C:\\Program Files\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\AnthonynBre\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANTHONYNBRE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\AnthonynBre
LOCALAPPDATA=C:\Users\AnthonynBre\AppData\Local
LOGONSERVER=\\ANTHONYNBRE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ANTHON~1\AppData\Local\Temp
TMP=C:\Users\ANTHON~1\AppData\Local\Temp
USERDOMAIN=AnthonynBre-PC
USERNAME=AnthonynBre
USERPROFILE=C:\Users\AnthonynBre
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

AnthonynBre (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
Acer Arcade Live Main Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer Assist --> C:\Program Files\Acer Assist\uninstall.exe
Acer DV Magician --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6EFFB76-4A07-11DA-9D78-000129760D75}\setup.exe" -uninstall
Acer DVDivine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
Acer HomeMedia --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\Setup.exe" -uninstall
Acer HomeMedia Connect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{132888AE-EF67-41C5-BCA2-7D5D2488AB63}\Setup.exe" -uninstall
Acer Registration --> C:\Program Files\Acer Registration\uninstall.exe
Acer ScreenSaver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer SlideShow DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41581EF5-45A7-11DA-9D78-000129760D75}\Setup.exe" -uninstall
Acer VideoMagician --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
Agatha Christie - Murder on the Orient Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FBEDD989-D0C3-4DF4-A41C-5FC9DD693E18}\setup.exe" -l0x9 -uninst
AGEIA PhysX v7.11.13 --> MsiExec.exe /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
Airlink101 Cardbus & PCI Wireless Configuration Utility --> C:\Program Files\InstallShield Installation Information\{94FE8955-027B-41E0-8192-89F14A9E25F7}\SETUP.EXE -v"ISSCRIPTCMDLINE=\"-d -zREMOVE\"" -l0x0009 -removeonly
Airlink101 MFP PS Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECE9D6C8-2DE8-4505-920E-103FAF0AC9CF}\setup.exe"
Airlink101 WLAN Monitor --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{47759129-8649-47D1-9EA5-4BB84D86DB97}
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Download Manager 2.3.6 --> C:\Program Files\Download Manager\uninst.exe
ESET Online Scanner --> C:\Windows\system32\OnlineScannerUninstaller.exe
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LimeWire 4.18.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NTI Backup NOW! 4.7 --> "C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
PunkBuster Services --> C:\Windows\system32\pbsvc[1].exe -u
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
SiS VGA Utilities --> C:\Program Files\SiS VGA Utilities\Setup.exe -u
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type18481 / Success
Event Submitted/Written: 07/24/2008 02:34:24 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type18479 / Success
Event Submitted/Written: 07/24/2008 02:34:22 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type18478 / Success
Event Submitted/Written: 07/24/2008 02:34:18 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type18455 / Warning
Event Submitted/Written: 07/24/2008 11:20:52 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'OutlookMAPI2' failed during request for component '{C3275D60-FF80-4A59-89C3-FD4497541CC1}'

Event Record #/Type18454 / Warning
Event Submitted/Written: 07/24/2008 11:20:52 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductFiles', component '{66CD2C91-2A15-4DA4-BBD2-5EC1075F3C0E}' failed. The resource 'HKEY_CLASSES_ROOT\.pip\' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type54928 / Warning
Event Submitted/Written: 07/24/2008 05:44:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%AnthonynBre-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %AnthonynBre-PC27 can't undo changes that you allow.

For more information please see the following:
%AnthonynBre-PC275

Scan ID: {C8788BA3-AE5F-43B7-9178-BFDCCEB165EB}

User: AnthonynBre-PC\AnthonynBre

Name: %AnthonynBre-PC271

ID: %AnthonynBre-PC272

Severity ID: %AnthonynBre-PC273

Category ID: %AnthonynBre-PC274

Path Found: %AnthonynBre-PC276

Alert Type: %AnthonynBre-PC278

Detection Type: 1.1.1600.02

Event Record #/Type54927 / Warning
Event Submitted/Written: 07/24/2008 05:44:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%AnthonynBre-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %AnthonynBre-PC27 can't undo changes that you allow.

For more information please see the following:
%AnthonynBre-PC275

Scan ID: {4797BF65-300A-4278-A1F9-97EC7A364417}

User: AnthonynBre-PC\AnthonynBre

Name: %AnthonynBre-PC271

ID: %AnthonynBre-PC272

Severity ID: %AnthonynBre-PC273

Category ID: %AnthonynBre-PC274

Path Found: %AnthonynBre-PC276

Alert Type: %AnthonynBre-PC278

Detection Type: 1.1.1600.02

Event Record #/Type54926 / Warning
Event Submitted/Written: 07/24/2008 05:44:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%AnthonynBre-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %AnthonynBre-PC27 can't undo changes that you allow.

For more information please see the following:
%AnthonynBre-PC275

Scan ID: {26D049F3-AE80-4778-98CE-8777F19179EB}

User: AnthonynBre-PC\AnthonynBre

Name: %AnthonynBre-PC271

ID: %AnthonynBre-PC272

Severity ID: %AnthonynBre-PC273

Category ID: %AnthonynBre-PC274

Path Found: %AnthonynBre-PC276

Alert Type: %AnthonynBre-PC278

Detection Type: 1.1.1600.02

Event Record #/Type54925 / Warning
Event Submitted/Written: 07/24/2008 05:44:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%AnthonynBre-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %AnthonynBre-PC27 can't undo changes that you allow.

For more information please see the following:
%AnthonynBre-PC275

Scan ID: {5D5CE8D2-64DF-4C3E-A8FA-FBDD7D2E466E}

User: AnthonynBre-PC\AnthonynBre

Name: %AnthonynBre-PC271

ID: %AnthonynBre-PC272

Severity ID: %AnthonynBre-PC273

Category ID: %AnthonynBre-PC274

Path Found: %AnthonynBre-PC276

Alert Type: %AnthonynBre-PC278

Detection Type: 1.1.1600.02

Event Record #/Type54924 / Warning
Event Submitted/Written: 07/24/2008 05:44:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%AnthonynBre-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %AnthonynBre-PC27 can't undo changes that you allow.

For more information please see the following:
%AnthonynBre-PC275

Scan ID: {646E713C-EF5E-4513-B344-DC894B5BE938}

User: AnthonynBre-PC\AnthonynBre

Name: %AnthonynBre-PC271

ID: %AnthonynBre-PC272

Severity ID: %AnthonynBre-PC273

Category ID: %AnthonynBre-PC274

Path Found: %AnthonynBre-PC276

Alert Type: %AnthonynBre-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-24 17:46:46 ------------

ESet Online Scan -

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3296 (20080724)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3d8e5523bab015419bb26ffdf6ae6f7a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-07-25 12:32:54
# local_time=2008-07-24 05:32:54 (-0700, US Mountain Standard Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=406971
# found=4
# scan_time=2166
C:\ProgramData\hchefwvk\rutonsfy.exe a variant of Win32/TrojanDownloader.FakeAlert.BP trojan 1F72F00DE74E67D6EA4A9D3AB3B4DBC2
C:\Users\All Users\hchefwvk\rutonsfy.exe a variant of Win32/TrojanDownloader.FakeAlert.BP trojan 1F72F00DE74E67D6EA4A9D3AB3B4DBC2
C:\Users\AnthonynBre\Documents\LimeWire\Incomplete\T-3545425-real gfs.mpg WMA/TrojanDownloader.Wimad.N trojan AFA3AE52FDE53166F217E95C0A92CFAF
C:\Users\AnthonynBre\Documents\LimeWire\Incomplete\T-3545425-teen gfs.mpg WMA/TrojanDownloader.Wimad.N trojan AFA3AE52FDE53166F217E95C0A92CFAF

crunchie Jul 25th, 2008 7:57 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Please download DAFT and save it to your desktop:
  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. Place a checkmark next to the following entries:

    .reg
    .scr

  4. Click the Fix button.
  5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.

==

What and where is AVG finding?

ajv717 Jul 25th, 2008 10:41 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Ok here is the Daft Log and aslo two of the popups i got from the windows firewall when i turned the computer on this morning.

Trojan-Downloader.Win32.agent.bq
Trojan-Spy.Win32.greenscreen

Daft -

DAFT Log saved on 2008-07-25 06:39:52
-----------------------------------------------------------------------
All associations okay!

crunchie Jul 25th, 2008 10:52 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

ajv717 Jul 25th, 2008 12:18 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Ok Here are the 2 new logs :

ComboFix -

ComboFix 08-07-24.3 - AnthonynBre 2008-07-25 8:08:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1265 [GMT -7:00]
Running from: C:\Users\AnthonynBre\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-25 06:29 . 2008-07-25 06:29 110,080 --a------ C:\Windows\System32\uryxmnyd.exe
2008-07-25 06:29 . 2008-07-25 06:29 81,920 --a------ C:\Windows\System32\afkzcjwf.exe
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 17:43 . 2008-07-24 17:43 <DIR> d-------- C:\Deckard
2008-07-24 16:55 . 2008-07-24 17:32 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-24 14:34 . 2008-07-24 14:34 <DIR> d-------- C:\Program Files\fnbyyff
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 11:51 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-24 11:51 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\Windows\.security
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\.security
2008-07-24 09:54 . 2008-07-24 09:54 <DIR> d-------- C:\Users\All Users\hchefwvk
2008-07-24 09:54 . 2008-07-24 09:54 <DIR> d-------- C:\ProgramData\hchefwvk
2008-07-24 09:54 . 2008-07-24 09:54 <DIR> d-------- C:\Program Files\ouemijb
2008-07-24 09:54 . 2008-07-24 17:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-22 08:18 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-07-22 08:18 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-07-22 08:18 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-07-22 08:18 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-07-19 21:59 . 2008-07-19 21:59 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\iWin
2008-07-19 21:59 . 2008-07-19 22:02 <DIR> d-------- C:\My Games
2008-07-19 21:58 . 2008-07-19 22:03 <DIR> d-------- C:\Users\Public\RealArcade
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iPod
2008-07-17 11:53 . 2008-07-17 11:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-16 22:21 . 2008-07-16 22:21 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Windows\System32\AGEIA
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\Users\All Users\THQ
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\ProgramData\THQ
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-12 23:38 . 2008-07-12 23:41 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Ventrilo
2008-07-12 23:35 . 2008-07-12 23:35 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-12 23:34 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 11:23 . 2008-06-25 18:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 11:22 . 2008-06-25 18:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 11:22 . 2008-06-25 20:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-10 09:35 . 2008-07-10 09:35 32,000 --a------ C:\Windows\System32\drivers\usbaapl.sys
2008-07-09 22:02 . 2008-07-09 22:02 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Thunderbird
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\Users\All Users\NexonUS
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\ProgramData\NexonUS
2008-07-01 06:41 . 2008-07-01 06:41 <DIR> d-------- C:\Program Files\Xvid
2008-07-01 06:41 . 2007-06-28 18:52 765,952 --a------ C:\Windows\System32\xvidcore.dll
2008-07-01 06:41 . 2007-06-28 18:54 180,224 --a------ C:\Windows\System32\xvidvfw.dll
2008-07-01 06:41 . 2007-06-28 18:55 77,824 --a------ C:\Windows\System32\xvid.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 21:02 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\LimeWire
2008-07-24 17:44 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\AVG7
2008-07-22 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 14:14 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-22 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 16:42 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\IGN_DLM
2008-07-09 23:06 --------- d-----w C:\Program Files\Java
2008-07-09 04:56 --------- d-----w C:\Program Files\Windows Mail
2008-06-24 14:33 --------- d-----w C:\Program Files\LimeWire
2008-05-31 01:30 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-31 01:29 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-10 03:35 885,248 ----a-w C:\Windows\System32\RacEngn.dll
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-05-02 13:20 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-05-02 13:20 22,328 ----a-w C:\Users\AnthonynBre\AppData\Roaming\PnkBstrK.sys
2008-05-02 13:19 674,600 ----a-w C:\Windows\System32\pbsvc[1].exe
2008-05-01 00:27 442,368 ----a-w C:\Windows\System32\nvuninst.exe
2008-04-26 08:25 3,600,952 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-26 08:25 3,549,240 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-26 01:33 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-03 23:06 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]
"SrvDsc"="C:\Windows\system32\afkzcjwf.exe" [2008-07-25 06:29 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMMediaSharing"="C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2007-06-21 18:33 204908]
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" [2007-10-15 13:43 3387392]
"Acer Assist Launcher"="C:\Program Files\Acer Assist\launcher.exe" [2007-02-02 11:05 1261568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Airlink101 Airlink101 WLAN Monitor"="C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-06-18 14:30 1925120]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:45 579584]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 01:56 4493312 C:\Windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-12 22:45 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"IpcwZdhOzZ"="C:\ProgramData\hchefwvk\rutonsfy.exe" [2008-07-24 09:54 61440]

C:\Users\AnthonynBre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-09-13 20:38:32 535336]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-03 08:45:32 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppProcSmart"= {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll [2008-07-24 09:54 102400]
"DscSmartSrv"= {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll [2008-07-24 14:34 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-04-12 22:45 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{19E90D49-E626-40AC-8CC0-B24D5344399A}"= C:\Program Files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{96734FEA-FF44-4EF2-960F-6A020D237C80}"= C:\Program Files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{DDA71D86-E87D-43B1-97D0-A0FF5CEDA9E7}"= C:\Program Files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{6EED23F9-336D-43A2-8477-17A2BB6F3F15}"= C:\Program Files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{B18354C5-FBCC-49BE-9FA1-DCD4CA785D0B}"= C:\Program Files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{48C4529A-D0C4-4E7B-A6A5-ACA0E25F22CF}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{C3C0593F-EB72-431D-9221-A69405F1AAA9}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{5CA689BC-45A5-4953-A562-BB126BA0CF1A}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{A763F9C7-FEF8-4240-9922-695F00520191}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AE9DA601-8295-48ED-A00B-00A00AC4EA2B}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0F2E1FEB-608A-4E65-AEAA-7D24936441DC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{2D880C5D-1B8F-4FFD-A027-34BEA000254D}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B8204EC9-A8D9-46DA-A484-BE356121EF1C}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{DF4DF1CD-B867-42A6-B161-92726B89B083}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{1602EEA6-60D5-4300-963D-845747F9F977}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{4C47DA61-2D30-48FA-A7B2-5AAF5A7628BB}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{8CAE97C4-3522-441D-A9C5-E68330C08403}"= UDP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{2946A31D-5EDB-429C-A718-284B95549D9F}"= TCP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{16DA6488-FF64-4EB7-8027-F8E10025DC8F}"= UDP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"{83D9BA62-0E05-4187-BB24-10C7E73C4F80}"= TCP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"TCP Query User{7223A80F-E4B2-437A-BCF1-1EAFC74E3A8D}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= UDP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"UDP Query User{00FAD257-EAD2-40BD-AB80-1BC362B5B9C8}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= TCP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"TCP Query User{2A25B556-A4F5-474F-A531-4C0319E64901}C:\\program files\\wolfenstein - enemy territory\\et.exe"= UDP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"UDP Query User{86CD0BE7-ACEF-4B72-8881-5D3AC21C6563}C:\\program files\\wolfenstein - enemy territory\\et.exe"= TCP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"TCP Query User{6FFF343D-91D0-4C9F-A027-91E3B15359DC}C:\\program files\\diablo ii\\game.exe"= UDP:C:\program files\diablo ii\game.exe:Diablo II
"UDP Query User{A3D28B3F-A3F8-4630-BC4D-E2A9A2A6F3CB}C:\\program files\\diablo ii\\game.exe"= TCP:C:\program files\diablo ii\game.exe:Diablo II
"{D0DAA25B-0AA2-449C-9599-863B3E704FF5}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{9B349125-FDCB-47EA-B04C-754627AE48B8}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{DB27DB05-66F5-4857-AC88-4FAA722DD3C4}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{6FFEAD6E-6561-428D-8B22-3D69C0545096}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{A90E546C-BC9E-48A5-B8C1-70E5FAF7675E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{D7FBC47E-ABFE-4572-B45F-B05A77E724F1}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{4946D078-93E6-494C-8F7C-8FB68E06A471}"= UDP:9567:BitComet 9567 TCP
"{266AA8DF-71D8-4C88-9F09-185117E4B26C}"= TCP:9567:BitComet 9567 UDP
"TCP Query User{5CD403A2-388D-45C4-A0C2-AA78CE7698C5}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{2CBF23B8-86DA-4117-9178-C494398266EE}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{ED0F93BA-3622-4E3E-985F-8F55215DABBB}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{D0BBEE65-A549-400A-BCD2-79B3F2E43915}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{1CBFEF77-4ACC-4387-8FB1-EF8BA27D3684}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"UDP Query User{40A07C31-C8C4-4240-B5DB-C95CDEECEF50}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"TCP Query User{71D6E8BB-4946-4CFE-8C2C-C6D79EA86D7F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{492CE8D1-CF3D-46F2-8F9A-465059D59550}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0B73B744-8FCF-422E-90F2-598454BE2873}"= UDP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{5325DD54-BF0D-4634-8BC5-C5EB5FFF47AA}"= TCP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{45C67361-D039-47A2-9490-9D17C26092CF}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F366CBF9-9700-4392-87A2-269C59C51C22}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= C:\Acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Combat Arms\\CombatArms.exe"= C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\\Program Files\\Combat Arms\\Engine.exe"= C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe

R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-04-12 22:45]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 01:09]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28.sys [2007-11-21 03:17]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n86.sys [2007-03-12 17:49]
S3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2007-06-05 04:08]
S4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-06-21 18:33]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://en.us.acer.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = hxxp://en.us.acer.yahoo.com
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 08:10:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-25 8:11:08
ComboFix-quarantined-files.txt 2008-07-25 15:11:02

Pre-Run: 72,294,567,936 bytes free
Post-Run: 72,290,516,992 bytes free

239 --- E O F --- 2008-07-25 13:32:38


HJT -

Acer Arcade Live Main Page
Acer Assist
Acer DV Magician
Acer DVDivine
Acer HomeMedia
Acer HomeMedia Connect
Acer Registration
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Agatha Christie - Murder on the Orient Express
AGEIA PhysX v7.11.13
Airlink101 Cardbus & PCI Wireless Configuration Utility
Airlink101 MFP PS Utility
Airlink101 WLAN Monitor
ANIO Service
ANIWZCS2 Service
Apple Mobile Device Support
Apple Software Update
AVG 7.5
Bonjour
CCleaner (remove only)
CDDRV_Installer
Download Manager 2.3.6
ESET Online Scanner
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KhalInstallWrapper
LimeWire 4.18.3
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 Parser and SDK
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
OpenAL
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
SiS VGA Utilities
Ventrilo Client
WinRAR archiver
World of Warcraft
Xvid 1.1.3 final uninstall

crunchie Jul 25th, 2008 9:47 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Uninstall all the old versions of Java.

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\Windows\System32\uryxmnyd.exe
C:\Windows\System32\afkzcjwf.exe

=====

Please post the contents of the following folders

C:\Program Files\fnbyyff
C:\Windows\.security
C:\.security
C:\Users\All Users\hchefwvk
C:\ProgramData\hchefwvk
C:\Program Files\ouemijb

If there are any executables and dll files, please scan them online too and post back the results.

ajv717 Jul 25th, 2008 10:47 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
The report for the first file kept returning to me saying the file is 0bytes, likely because of a firewall or malware, here is the results for the 2nd file

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing







and here are the contents of those files.

C:\Program Files\fnbyyff
DscSmartSrv.dll

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing


C:\Windows\.security
was a file that need a correct app. to view.

C:\.security
was the same as the one above.

C:\Users\All Users\hchefwvk
rutonsfy.exe

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\ProgramData\hchefwvk
rutonsfy.exe

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ajv717 Jul 25th, 2008 10:52 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
opps and here is that last file

C:\Program Files\ouemijb
AppProcSmart.dll

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing

crunchie Jul 25th, 2008 11:37 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
1 Attachment(s)
* Please download F2T (Files To Text)
  • *Doubleclick F2Ts.exe to start the program.
    *Next to Path on top, copy and paste next line:

    *
    C:\Program Files\fnbyyff\DscSmartSrv.dll
    *When done, press the GO button next to it.
    *Then click the Select F2T-list button below to select the results.
    *Right-click the selected text
    *Click on "copy"
    *Paste the copied text into your next reply.

Repeat for this one; C:\Program Files\ouemijb\AppProcSmart.dll
And also for the ones in the two .security folders.

==============

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Quote:
KillAll::

File::
C:\ProgramData\hchefwvk
C:\Users\All Users\hchefwvk
C:\Windows\System32\afkzcjwf.exe
C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Users\All Users\hchefwvk\rutonsfy.exe
C:\Windows\System32\uryxmnyd.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Attachment 6767


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

ajv717 Jul 26th, 2008 4:04 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
ok here is the combofix log and htj log.

ComboFix 08-07-24.3 - AnthonynBre 2008-07-25 20:53:03.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1264 [GMT -7:00]
Running from: C:\Users\AnthonynBre\Desktop\ComboFix.exe
Command switches used :: C:\Users\AnthonynBre\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\ProgramData\hchefwvk
C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Users\All Users\hchefwvk
C:\Users\All Users\hchefwvk\rutonsfy.exe
C:\Windows\System32\afkzcjwf.exe
C:\Windows\System32\uryxmnyd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Users\All Users\hchefwvk\rutonsfy.exe
C:\Windows\System32\afkzcjwf.exe
C:\Windows\System32\uryxmnyd.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 18:55 . 2008-07-25 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-25 18:29 . 2008-07-25 18:29 <DIR> d-------- C:\Program Files\zupvbse
2008-07-25 18:29 . 2008-07-25 18:29 110,080 --a------ C:\Windows\System32\slazkxax.exe
2008-07-25 18:29 . 2008-07-25 18:29 102,400 --a------ C:\Windows\System32\spixgpsx.exe
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 17:43 . 2008-07-24 17:43 <DIR> d-------- C:\Deckard
2008-07-24 16:55 . 2008-07-24 17:32 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-24 14:34 . 2008-07-24 14:34 <DIR> d-------- C:\Program Files\fnbyyff
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 11:51 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-24 11:51 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\Windows\.security
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\.security
2008-07-24 09:54 . 2008-07-25 20:53 <DIR> d-------- C:\Users\All Users\hchefwvk
2008-07-24 09:54 . 2008-07-25 20:53 <DIR> d-------- C:\ProgramData\hchefwvk
2008-07-24 09:54 . 2008-07-24 09:54 <DIR> d-------- C:\Program Files\ouemijb
2008-07-24 09:54 . 2008-07-24 17:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-22 08:18 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-07-22 08:18 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-07-22 08:18 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-07-22 08:18 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-07-19 21:59 . 2008-07-19 21:59 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\iWin
2008-07-19 21:59 . 2008-07-19 22:02 <DIR> d-------- C:\My Games
2008-07-19 21:58 . 2008-07-19 22:03 <DIR> d-------- C:\Users\Public\RealArcade
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iPod
2008-07-17 11:53 . 2008-07-17 11:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-16 22:21 . 2008-07-16 22:21 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Windows\System32\AGEIA
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\Users\All Users\THQ
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\ProgramData\THQ
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-12 23:38 . 2008-07-12 23:41 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Ventrilo
2008-07-12 23:35 . 2008-07-12 23:35 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-12 23:34 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 11:23 . 2008-06-25 18:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 11:22 . 2008-06-25 18:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 11:22 . 2008-06-25 20:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-10 09:35 . 2008-07-10 09:35 32,000 --a------ C:\Windows\System32\drivers\usbaapl.sys
2008-07-09 22:02 . 2008-07-09 22:02 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Thunderbird
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\Users\All Users\NexonUS
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\ProgramData\NexonUS
2008-07-01 06:41 . 2008-07-01 06:41 <DIR> d-------- C:\Program Files\Xvid
2008-07-01 06:41 . 2007-06-28 18:52 765,952 --a------ C:\Windows\System32\xvidcore.dll
2008-07-01 06:41 . 2007-06-28 18:54 180,224 --a------ C:\Windows\System32\xvidvfw.dll
2008-07-01 06:41 . 2007-06-28 18:55 77,824 --a------ C:\Windows\System32\xvid.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:57 --------- d-----w C:\Program Files\Java
2008-07-24 21:02 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\LimeWire
2008-07-24 17:44 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\AVG7
2008-07-22 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 14:14 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-22 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 16:42 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\IGN_DLM
2008-07-09 04:56 --------- d-----w C:\Program Files\Windows Mail
2008-06-24 14:33 --------- d-----w C:\Program Files\LimeWire
2008-05-31 01:30 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-31 01:29 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-10 03:35 885,248 ----a-w C:\Windows\System32\RacEngn.dll
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-05-02 13:20 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-05-02 13:20 22,328 ----a-w C:\Users\AnthonynBre\AppData\Roaming\PnkBstrK.sys
2008-05-02 13:19 674,600 ----a-w C:\Windows\System32\pbsvc[1].exe
2008-05-01 00:27 442,368 ----a-w C:\Windows\System32\nvuninst.exe
2008-04-26 08:25 3,600,952 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-26 08:25 3,549,240 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-26 01:33 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-04-03 23:06 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_ 8.10.50.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 23:24:24 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-26 03:55:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-24 21:35:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-26 03:55:48 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-25 04:53:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-26 00:35:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-25 04:53:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-26 00:35:13 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-25 04:53:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-26 00:35:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-24 21:38:47 105,678 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-25 15:17:09 105,678 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-24 21:38:47 606,678 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-25 15:17:09 606,678 ----a-w C:\Windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]
"apidschlp"="C:\Windows\system32\spixgpsx.exe" [2008-07-25 18:29 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMMediaSharing"="C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2007-06-21 18:33 204908]
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" [2007-10-15 13:43 3387392]
"Acer Assist Launcher"="C:\Program Files\Acer Assist\launcher.exe" [2007-02-02 11:05 1261568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Airlink101 Airlink101 WLAN Monitor"="C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-06-18 14:30 1925120]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:45 579584]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 01:56 4493312 C:\Windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-12 22:45 219136]

C:\Users\AnthonynBre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-09-13 20:38:32 535336]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-03 08:45:32 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppProcSmart"= {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll [2008-07-24 09:54 102400]
"DscSmartSrv"= {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll [2008-07-24 14:34 114688]
"mondb"= {17B5CD4E-CD0D-5403-AF46-02F3B765F285} - C:\Program Files\zupvbse\mondb.dll [2008-07-25 18:29 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-04-12 22:45 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{19E90D49-E626-40AC-8CC0-B24D5344399A}"= C:\Program Files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{96734FEA-FF44-4EF2-960F-6A020D237C80}"= C:\Program Files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{DDA71D86-E87D-43B1-97D0-A0FF5CEDA9E7}"= C:\Program Files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{6EED23F9-336D-43A2-8477-17A2BB6F3F15}"= C:\Program Files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{B18354C5-FBCC-49BE-9FA1-DCD4CA785D0B}"= C:\Program Files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{48C4529A-D0C4-4E7B-A6A5-ACA0E25F22CF}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{C3C0593F-EB72-431D-9221-A69405F1AAA9}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{5CA689BC-45A5-4953-A562-BB126BA0CF1A}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{A763F9C7-FEF8-4240-9922-695F00520191}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AE9DA601-8295-48ED-A00B-00A00AC4EA2B}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0F2E1FEB-608A-4E65-AEAA-7D24936441DC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{2D880C5D-1B8F-4FFD-A027-34BEA000254D}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B8204EC9-A8D9-46DA-A484-BE356121EF1C}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{DF4DF1CD-B867-42A6-B161-92726B89B083}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{1602EEA6-60D5-4300-963D-845747F9F977}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{4C47DA61-2D30-48FA-A7B2-5AAF5A7628BB}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{8CAE97C4-3522-441D-A9C5-E68330C08403}"= UDP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{2946A31D-5EDB-429C-A718-284B95549D9F}"= TCP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{16DA6488-FF64-4EB7-8027-F8E10025DC8F}"= UDP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"{83D9BA62-0E05-4187-BB24-10C7E73C4F80}"= TCP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"TCP Query User{7223A80F-E4B2-437A-BCF1-1EAFC74E3A8D}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= UDP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"UDP Query User{00FAD257-EAD2-40BD-AB80-1BC362B5B9C8}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= TCP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"TCP Query User{2A25B556-A4F5-474F-A531-4C0319E64901}C:\\program files\\wolfenstein - enemy territory\\et.exe"= UDP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"UDP Query User{86CD0BE7-ACEF-4B72-8881-5D3AC21C6563}C:\\program files\\wolfenstein - enemy territory\\et.exe"= TCP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"TCP Query User{6FFF343D-91D0-4C9F-A027-91E3B15359DC}C:\\program files\\diablo ii\\game.exe"= UDP:C:\program files\diablo ii\game.exe:Diablo II
"UDP Query User{A3D28B3F-A3F8-4630-BC4D-E2A9A2A6F3CB}C:\\program files\\diablo ii\\game.exe"= TCP:C:\program files\diablo ii\game.exe:Diablo II
"{D0DAA25B-0AA2-449C-9599-863B3E704FF5}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{9B349125-FDCB-47EA-B04C-754627AE48B8}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{DB27DB05-66F5-4857-AC88-4FAA722DD3C4}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{6FFEAD6E-6561-428D-8B22-3D69C0545096}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{A90E546C-BC9E-48A5-B8C1-70E5FAF7675E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{D7FBC47E-ABFE-4572-B45F-B05A77E724F1}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{4946D078-93E6-494C-8F7C-8FB68E06A471}"= UDP:9567:BitComet 9567 TCP
"{266AA8DF-71D8-4C88-9F09-185117E4B26C}"= TCP:9567:BitComet 9567 UDP
"TCP Query User{5CD403A2-388D-45C4-A0C2-AA78CE7698C5}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{2CBF23B8-86DA-4117-9178-C494398266EE}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{ED0F93BA-3622-4E3E-985F-8F55215DABBB}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{D0BBEE65-A549-400A-BCD2-79B3F2E43915}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{1CBFEF77-4ACC-4387-8FB1-EF8BA27D3684}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"UDP Query User{40A07C31-C8C4-4240-B5DB-C95CDEECEF50}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"TCP Query User{71D6E8BB-4946-4CFE-8C2C-C6D79EA86D7F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{492CE8D1-CF3D-46F2-8F9A-465059D59550}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0B73B744-8FCF-422E-90F2-598454BE2873}"= UDP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{5325DD54-BF0D-4634-8BC5-C5EB5FFF47AA}"= TCP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{45C67361-D039-47A2-9490-9D17C26092CF}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F366CBF9-9700-4392-87A2-269C59C51C22}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= C:\Acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Program Files\\Combat Arms\\CombatArms.exe"= C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\\Program Files\\Combat Arms\\Engine.exe"= C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe

R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-04-12 22:45]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 01:09]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28.sys [2007-11-21 03:17]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n86.sys [2007-03-12 17:49]
S3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2007-06-05 04:08]
S4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-06-21 18:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SrvDsc - C:\Windows\system32\afkzcjwf.exe
HKLM-Explorer_Run-IpcwZdhOzZ - C:\ProgramData\hchefwvk\rutonsfy.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 20:55:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-25 20:58:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 03:57:59
ComboFix2.txt 2008-07-25 15:11:09

Pre-Run: 70,614,736,896 bytes free
Post-Run: 70,516,576,256 bytes free

285 --- E O F --- 2008-07-25 13:32:38



Acer Arcade Live Main Page
Acer Assist
Acer DV Magician
Acer DVDivine
Acer HomeMedia
Acer HomeMedia Connect
Acer Registration
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Agatha Christie - Murder on the Orient Express
AGEIA PhysX v7.11.13
Airlink101 Cardbus & PCI Wireless Configuration Utility
Airlink101 MFP PS Utility
Airlink101 WLAN Monitor
ANIO Service
ANIWZCS2 Service
Apple Mobile Device Support
Apple Software Update
AVG 7.5
Bonjour
CCleaner (remove only)
CDDRV_Installer
Download Manager 2.3.6
ESET Online Scanner
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 7
KhalInstallWrapper
LimeWire 4.18.3
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 Parser and SDK
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
OpenAL
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
SiS VGA Utilities
Ventrilo Client
WinRAR archiver
World of Warcraft
Xvid 1.1.3 final uninstall

crunchie Jul 26th, 2008 4:18 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Quote:
Originally Posted by crunchie (Post 656452)
A new HijackThis log.
........

ajv717 Jul 26th, 2008 11:54 am
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:44 PM, on 7/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\AnthonynBre\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AnthonynBre.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKLM\..\Policies\Explorer\Run: [IpcwZdhOzZ] C:\ProgramData\hchefwvk\rutonsfy.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: .security
O4 - Global Startup: .security
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O21 - SSODL: AppProcSmart - {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll
O21 - SSODL: DscSmartSrv - {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

--
End of file - 7725 bytes

crunchie Jul 26th, 2008 12:14 pm
Re: Windows Vista, AVG I-Worm/Nuwar.U
 
Quote:
Originally Posted by crunchie (Post 656452)
* Please download F2T (Files To Text)
  • *Doubleclick F2Ts.exe to start the program.
    *Next to Path on top, copy and paste next line:

    *
    C:\Program Files\fnbyyff\DscSmartSrv.dll
    *When done, press the GO button next to it.
    *Then click the Select F2T-list button below to select the results.
    *Right-click the selected text
    *Click on "copy"
    *Paste the copied text into your next reply.

Repeat for this one; C:\Program Files\ouemijb\AppProcSmart.dll
And also for the ones in the two .security folders.
And this?

========

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender


===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O13 - Gopher Prefix:


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".


All times are GMT -4. The time now is 1:09 pm.

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC