Windows Vista Infected Big Time!!

IntenseRegard (Newbie Poster)

Re: Windows Vista Infected Big Time!!

#11, Dec 9th, 2008
Oh, also, when it's fixed, can you help me get my audio and a few services back? I think it changed registry settings for a whole bunch of stuff. It has something to do with the paging file; it says I'm out of storage space, but I have about 30 gigs free and I'm only using about 25% of memory.

Thank you sooo much for all your help

crunchie (Moderator, Featured Poster, Spyware Killer)

Re: Windows Vista Infected Big Time!!

#12, Dec 9th, 2008
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
FileLook::
c:\windows\System32\winint.dll
c:\windows\System32\eoppmhycydcnuns.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]


7. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply, after you re-enable all the programs that were disabled while ComboFix was running:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
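
Added example (not part of this thread, and not ComboFix's own logic): the Python below runs a handful of analyst heuristics over ComboFix output of the kind posted in the next reply. On the "Files Created" section it flags hidden+system directories, directory names that are plain base64 (c:\windows\Um9tZW8 decodes to "Romeo", the user's own profile name), random-looking binary names dropped straight into System32 (eoppmhycydcnuns.exe), names one letter away from core Windows binaries (winint.dll versus wininit), and numeric-named files in the drive root (C:\742876493). On the "Reg Loading Points" section it reports settings that weaken the machine's defences, which in that log include EnableLUA=0, Security Center monitoring of the Symantec products switched off, update notifications disabled and the firewall disabled for the domain profile. The vowel-ratio and similarity thresholds, the KNOWN_BINARIES list and the WEAK_SETTINGS table are my assumptions; the embedded sample lines are excerpted from the log below.

```python
# Analyst heuristics over a ComboFix log: odd "Files Created" entries and weakened security settings.
import base64
import difflib
import re

# One "Files Created" line:  created . modified  size|<DIR>  attrs  path
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                       r"(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(\S.*?)\s*$")
REG_KEY = re.compile(r"^\[(.+)\]$")
# Values as ComboFix prints them:  "EnableLUA"= 0 (0x0)   "DisableMonitoring"=dword:00000001
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-f]+)|(\d+)\s*\(0x[0-9a-f]+\))', re.I)
# Assumed list of core Windows binaries droppers imitate; wininet is listed so the real
# wininet.dll is an exact match rather than a "lookalike" of wininit.
KNOWN_BINARIES = ["wininit", "wininet", "winlogon", "svchost", "lsass", "csrss", "services", "smss"]
# value name -> (predicate on the integer value, what it means when the predicate holds)
WEAK_SETTINGS = {
    "enablelua": (lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    "enablefirewall": (lambda v: v == 0, "Windows Firewall disabled for this profile"),
    "disablemonitoring": (lambda v: v == 1, "Security Center monitoring disabled"),
    "updatesdisablenotify": (lambda v: v == 1, "Windows Update notifications disabled"),
}

def looks_random(stem):
    """Long alphabetic name with few vowels or a long consonant run (thresholds assumed)."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 10:
        return False
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5

def base64_to_text(name):
    """Decoded text if `name` is base64 for printable ASCII (Um9tZW8 -> Romeo), else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii") if len(raw) >= 3 and all(32 <= b < 127 for b in raw) else None

def lookalike_of_known(stem):
    """Known system binary that `stem` nearly spells (winint -> wininit), else None."""
    s = stem.lower()
    close = difflib.get_close_matches(s, KNOWN_BINARIES, n=1, cutoff=0.85)
    return close[0] if close and s not in KNOWN_BINARIES else None

def check_file(size, attrs, path):
    """(path, reason) findings for one Files Created entry."""
    parent, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    stem, ext = (stem, "." + ext.lower()) if dot else (name, "")
    is_pe, decoded = ext in (".exe", ".dll", ".sys"), base64_to_text(name)
    known = lookalike_of_known(stem) if is_pe else None
    checks = [
        (size == "<DIR>" and "h" in attrs and "s" in attrs, "hidden+system directory created"),
        (decoded, f"name is base64 for {decoded!r}"),
        (is_pe and parent.lower().endswith("\\system32") and looks_random(stem),
         "random-looking binary name in System32"),
        (known, f"name imitates {known}"),
        (size != "<DIR>" and re.fullmatch(r"[A-Za-z]:\\\d+", path), f"numeric-named {size}-byte file in drive root"),
    ]
    return [(path, reason) for hit, reason in checks if hit]

def check_settings(lines):
    """(key\\value, reason) findings for weakened settings in Reg Loading Points."""
    findings, key = [], ""
    for line in lines:
        if k := REG_KEY.match(line):
            key = k.group(1)
        elif (v := REG_VALUE.match(line)) and (rule := WEAK_SETTINGS.get(v.group(1).lower())):
            value = int(v.group(2), 16) if v.group(2) is not None else int(v.group(3))
            if rule[0](value):
                findings.append((f"{key}\\{v.group(1)}", rule[1]))
    return findings

def triage_combofix(log_text):
    """Return (file_findings, setting_findings) for a whole ComboFix log."""
    lines = [line.strip() for line in log_text.splitlines()]
    files = [f for m in map(FILE_LINE.match, lines) if m for f in check_file(*m.group(3, 4, 5))]
    return files, check_settings(lines)

# Lines excerpted from the ComboFix log posted later in this thread (post #13).
SAMPLE_LOG = r"""
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-05 12:12 . 2003-04-11 12:48 18,432 --a------ c:\windows\System32\winint.dll
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 11:05 47,598 --a------ c:\windows\System32\eoppmhycydcnuns.exe
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for subject, reason in sum(triage_combofix(SAMPLE_LOG), []):
        print(f"{reason:45} {subject}")
```

Run it against a full ComboFix.txt with `triage_combofix(open("ComboFix.txt").read())`. VundoFixSVC.exe passes the random-name test (its vowel ratio is normal), which is the point of the thresholds: they single out droppers named by a random generator, not every unfamiliar tool. Every hit is a lead for a FileLook, a hash lookup or a manual inspection, not a verdict, and an empty result proves nothing about the machine.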

IntenseRegard (Newbie Poster)

Re: Windows Vista Infected Big Time!!

#13, Dec 9th, 2008
OK, here are the new logs:

ComboFix 08-12-07.01 - Administrator 2008-12-09 17:17:49.3 - NTFSx86

Running from: c:\users\Administrator.Romeo-Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator.Romeo-Laptop\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 15:04 . 2008-12-07 15:04 <DIR> d-------- c:\program files\TrojanHunter
2008-12-07 14:52 . 2008-12-07 14:52 <DIR> d-------- C:\!KillBox
2008-12-07 14:42 . 2008-12-07 14:42 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\TrojanHunter
2008-12-07 14:40 . 2008-12-07 14:58 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-07 02:07 . 2008-12-07 02:27 <DIR> d-------- C:\VundoFix Backups
2008-12-06 17:14 . 2008-12-06 17:14 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Malwarebytes
2008-12-05 12:12 . 2008-12-05 12:15 <DIR> d-------- c:\program files\Mp3Doctor
2008-12-05 12:12 . 2001-12-08 12:23 1,089,536 --a------ c:\windows\System32\Mp3Doctor1.dll
2008-12-05 12:12 . 2003-01-22 14:20 299,008 --a------ c:\windows\System32\winwmbcay.dll
2008-12-05 12:12 . 2001-11-25 17:00 266,240 --a------ c:\windows\System32\Mp3Doctor2.dll
2008-12-05 12:12 . 2001-08-01 09:50 90,112 --a------ c:\windows\System32\ID3v23xBase.DLL
2008-12-05 12:12 . 2003-04-11 12:48 18,432 --a------ c:\windows\System32\winint.dll
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 02:31 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 02:31 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 19:16 . 2008-12-04 19:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\din
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\av
2008-12-04 10:59 . 2008-12-04 11:05 47,598 --a------ c:\windows\System32\eoppmhycydcnuns.exe
2008-12-04 10:51 . 2008-12-04 10:51 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Yahoo!
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
2008-12-03 04:51 . 2008-12-03 04:51 <DIR> d-------- c:\program files\mm2knet
2008-11-30 13:01 . 2008-11-30 13:01 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\InstallShield
2008-11-30 12:57 . 2008-11-30 12:58 <DIR> d-------- c:\program files\Roxio
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-11-25 10:57 . 2008-11-25 10:57 <DIR> d-------- c:\program files\Imikimi
2008-11-24 21:43 . 2008-11-24 22:12 <DIR> d-------- C:\MP3
2008-11-22 10:27 . 2008-11-22 10:27 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\CyberLink
2008-11-22 00:57 . 2008-11-22 00:57 <DIR> d-------- c:\program files\Wondershare
2008-11-22 00:48 . 2006-01-27 00:56 938,272 --a------ c:\windows\System32\wodFtpDLX.OCX
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\users\All Users\Anvsoft
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\programdata\Anvsoft
2008-11-22 00:27 . 2008-11-22 00:27 <DIR> d-------- c:\program files\Photo DVD Maker Professional
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\users\All Users\WinZip
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\programdata\WinZip
2008-11-21 23:41 . 2008-11-21 23:41 <DIR> d-------- c:\program files\WE Unlimited
2008-11-21 19:29 . 2008-11-21 19:29 <DIR> d-------- c:\program files\Common Files\Real
2008-11-21 19:28 . 2008-11-30 13:24 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2008-11-21 19:26 . 2008-11-21 19:26 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-21 19:00 . 2008-11-21 19:00 <DIR> d--hs---- c:\windows\ftpcache
2008-11-16 21:35 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-16 21:35 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-16 21:35 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-16 21:35 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-16 21:35 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-16 21:35 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-16 21:35 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-16 21:35 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-16 21:35 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-15 21:05 . 2008-11-15 21:05 46,346 --a------ c:\windows\System32\SmrtDrive.dll
2008-11-15 21:04 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\System32\temp.002
2008-11-11 02:10 . 2008-11-11 02:31 <DIR> d-------- c:\program files\WebSite X5 Evolution
2008-11-11 02:04 . 2008-03-20 16:25 185,856 --a------ c:\windows\System32\iwpsetup.exe
2008-11-11 02:04 . 1997-01-16 00:00 29,696 --a------ c:\windows\System32\VB5STKIT.DLL
2008-11-11 02:04 . 1997-01-16 13:42 6,114 --a------ c:\windows\System32\SHELLLNK.TLB
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\AtomPark
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\program files\AtomPark
2008-11-10 23:58 . 2008-11-10 23:58 <DIR> d-------- c:\program files\Email Sender Deluxe
2008-11-10 23:58 . 2008-11-10 23:58 3 --a------ c:\windows\System32\krx280.dat
2008-11-09 15:57 . 2008-11-09 15:57 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Smith Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 22:15 28,095 ----a-w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\nvModes.dat
2008-12-09 22:07 --------- d-----w c:\program files\Warcraft III
2008-12-05 16:37 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\LimeWire
2008-12-04 02:43 27,335 ----a-w c:\users\Romeo\AppData\Roaming\nvModes.dat
2008-12-01 23:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LimeWire
2008-11-30 19:54 --------- d-----w c:\program files\Common Files\Research in Motion
2008-11-30 18:19 --------- d-----w c:\program files\Verizon Wireless
2008-11-30 17:58 --------- d-----w c:\programdata\Roxio
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-30 17:27 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Research In Motion
2008-11-25 02:34 --------- d-----w c:\program files\Research In Motion
2008-11-25 00:16 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Fingerfox (SE)
2008-11-22 18:21 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-22 16:25 --------- d-----w c:\programdata\LightScribe
2008-11-22 05:48 --------- d-----w c:\program files\CoffeeCup Software
2008-11-20 03:53 --------- d-----w c:\program files\DivX
2008-11-16 02:05 --------- d-----w c:\program files\4PLAY
2008-11-11 10:48 --------- d-----w c:\program files\Ashampoo
2008-11-11 04:02 --------- d-----w c:\programdata\Microsoft Help
2008-11-06 14:15 --------- d-----w c:\users\Romeo\AppData\Roaming\Thinstall
2008-11-04 22:18 --------- d-----w c:\program files\WC3Banlist
2008-11-01 14:47 --------- d-----w c:\users\Romeo\AppData\Roaming\Summitsoft
2008-11-01 13:28 --------- d-----w c:\program files\SourceTec
2008-11-01 13:28 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-01 13:00 --------- d-----w c:\program files\SWF Decompiler Magic
2008-11-01 11:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LogoMaker
2008-11-01 11:55 --------- d-----w c:\program files\Studio V5
2008-10-31 19:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:35 --------- d-----w c:\program files\Adobe Media Player
2008-10-31 19:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-31 04:03 --------- d-----w c:\program files\WinPcap
2008-10-30 18:01 --------- d-----w c:\users\Romeo\AppData\Roaming\Skype
2008-10-30 17:46 --------- d-----w c:\users\Romeo\AppData\Roaming\skypePM
2008-10-30 15:21 --------- d-----w c:\programdata\NVIDIA
2008-10-27 16:53 --------- d---a-w c:\programdata\TEMP
2008-10-20 07:49 --------- d-----w c:\program files\Windows Mail
2008-10-18 12:37 --------- d-----w c:\program files\Spb Backup
2008-10-18 12:19 --------- d-----w c:\users\Romeo\AppData\Roaming\Jeyo
2008-10-18 12:19 --------- d-----w c:\program files\Jeyo
2008-10-18 06:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-18 05:08 --------- d-----w c:\users\Romeo\AppData\Roaming\Easy Sync
2008-10-18 05:08 --------- d-----w c:\program files\Pocket Wizards
2008-10-14 16:14 --------- d-----w c:\program files\CONEXANT
2008-10-14 11:00 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Symantec
2008-10-14 00:09 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-14 00:07 --------- d-----w c:\users\Romeo\AppData\Roaming\SystemRequirementsLab
2008-10-13 22:56 --------- d-----w c:\program files\Norton Internet Security
2008-10-13 22:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 22:50 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-13 22:50 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-13 22:50 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-13 22:50 --------- d-----w c:\program files\Symantec
2008-10-13 22:45 --------- d-----w c:\programdata\Symantec
2008-10-12 18:20 --------- d-----w c:\programdata\Viewpoint
2008-10-12 18:20 --------- d-----w c:\programdata\acccore
2008-10-12 18:20 --------- d-----w c:\program files\Viewpoint
2008-10-12 18:20 --------- d-----w c:\program files\AIM6
2008-10-09 23:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-09 01:57 8,224 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-08-06 03:16 174 --sha-w c:\program files\desktop.ini
2008-03-01 08:53 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-01 08:53 32 ----a-w c:\programdata\ezsid.dat
1998-02-10 23:34 128,000 ----a-w c:\program files\UNWISE.EXE
2008-06-13 22:24 22 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\eoppmhycydcnuns.exe -- Unable to find file version info.
MD5: eda350341cba5ec552e6b1bec2aa9207

c:\windows\System32\winint.dll -- Unable to find Resource table header.
MD5: 3a7bd4d6df8d7a38be2a485754cd958d


((((((((((((((((((((((((((((( snapshot@2008-12-08_10.05.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-08 14:58:01 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2008-12-09 22:20:55 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2007-04-03 20:08:34 344,664 ----a-w c:\windows\Downloaded Program Files\HPBasicDetection3.dll
+ 2007-04-30 22:09:12 34,360 ----a-w c:\windows\Downloaded Program Files\HPProductDetails.dll
+ 2007-04-30 22:09:50 83,512 ----a-w c:\windows\Downloaded Program Files\LogInfo.dll
+ 2007-05-15 21:33:20 251,448 ----a-w c:\windows\Downloaded Program Files\SysInfo.dll
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-09 22:22:21 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-09 22:22:21 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-07 22:49:18 6,554 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
+ 2008-12-09 02:21:35 6,888 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
- 2008-12-07 22:49:18 89,386 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:35 89,468 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-08 15:27:37 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-12-07 22:49:14 51,824 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:33 52,176 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.dll
"vidc.i420"= i420vfw.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\Ulead Systems\vio\dvacm.acm
"vidc.mjpg"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 06:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:44 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-11-04 12:09 615696 c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-14 10:01 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 23:07 133104 c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-10-01 19:10 1783136 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2008-06-02 02:55 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
--a------ 2007-08-24 02:49 607624 c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-10-22 19:57 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-19 15:05 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 03:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 02:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2008-10-24 13:23 1056928 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-09-13 15:32 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-25 14:19 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 09:21 648072 c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 02:33 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9B22924B-C76E-4D1F-9509-C7228B4666A1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9778C69-A22E-4913-88F7-3CEFDAECC583}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EFB2612-BEB1-4647-9DC3-9ED1B6D0D9BB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FB32505-7F0B-44E7-8703-EB9A59BB25A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15F9A471-8027-46D7-B87D-3B00E00613F1}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{5F1BB71C-2B26-404D-8B05-C6D02D21555E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C485A96F-A8B8-4909-8ACD-72674FB3B5AF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72D3C1A4-1A95-40AB-A238-7DD093A1AD12}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53655B4-6403-4A16-BB77-041FD462C49C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{46058D6B-2121-4AE6-8BD5-E6A6A9BB8A92}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A2B81A71-49EC-4C2C-B930-11C31640ACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BEC6979-C09B-4C15-BFA9-996B7E3084DE}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{3EE12C04-DFC4-48BE-931A-FB9A885C235F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{A207D3BF-5428-4F84-B032-16746C2401C5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{036C8FDA-3C94-4AA9-9304-C213C9F43383}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{3F4B2BD8-CFD4-4E66-83CF-FFF1BC6FFE62}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{F332EAA9-C466-4DD7-9D59-24384E0381B3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{3C493C49-D97B-4B18-90A8-2BBB538F3518}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C0ECE08-DA60-48E7-AD88-528EDEFEE253}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AAD27A87-BB0C-4A9F-A336-82A67DFC12CB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2C7C9529-1735-42AB-BED7-54C6B44055A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EE8F19B0-BBB6-4FC5-AF35-F2094AD9E068}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{367AB7FB-EC96-40B7-9512-B1F0AA1859E8}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{555E28D4-3F7B-46BD-9081-429C56616539}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF36F146-162D-43EE-A81D-B8754A7A42AA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1631A059-E6F2-467C-8DBD-381A67D6DBE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{B8AECB91-FA82-470A-9115-3CF5DD18514E}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{2AD2B76D-1BDC-4BDB-92D6-D0DE942826D2}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{96937C85-C040-4E6E-8E3A-1CA73D65C988}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{7986F9D4-F10D-423D-B0A0-85610667E6D4}c:\\program files\\tapur\\tapur.exe"= UDP:c:\program files\tapur\tapur.exe:Tapur.exe
"UDP Query User{4F2EDF11-49D2-4C41-A84D-5ACE1DA24B95}c:\\program files\\tapur\\tapur.exe"= TCP:c:\program files\tapur\tapur.exe:Tapur.exe
"{946B1B88-3DD9-41CA-B8E0-52760F33F91E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9503AC45-5FEF-40F3-8F4F-C5C6204DA506}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CBE9184C-7704-48D0-A422-64AF97E5C54B}c:\\program files\\skype\\phone\\skype.exe"= Disabled:UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{570A2A49-9DB0-48E6-B1DC-863D239B585C}c:\\program files\\skype\\phone\\skype.exe"= Disabled:TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{B9EE398A-EFF5-492A-8663-FC0172DBD6A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B99EDD45-A82F-4152-93BC-1F425184BAB2}"= Disabled:UDP:443:ooVoo TCP port 443
"{EF553F3E-273A-425E-8702-FAFDC66DCFCE}"= Disabled:TCP:443:ooVoo UDP port 443
"{18719189-C48C-4219-9FA6-B5EFF6B90EDB}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{26493C66-5C26-4F12-9A7E-05530167D79B}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{5C578D8B-3EE8-4AE5-9F68-CB634370FC53}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{05EB1445-9ED1-4F12-AFAB-D6DA27C25502}"= UDP:6000:vnc
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"{B628D5DC-075E-4C96-B80F-0A2E716F802B}"= TCP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{AC3C5DC4-56AF-4FB5-B7DC-57F2CF8C6D97}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{53EBB492-83F9-432D-8EBE-C903D7A1C424}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{FB74F033-3C65-428F-BA9B-3C8C11338EED}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{86D82B94-16BD-4257-B89F-085FF48B73B3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DBF6D28-468A-47FF-B985-5DADBFD0F18C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{723F1783-9589-4C89-8BC0-CF2632D96068}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{A69F5205-9B8E-411E-A160-4BB552F6CDF7}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{9E7C1BEB-268D-4ABB-8E2B-62F84ADE476A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{FFA54142-DB8F-486A-A7FD-DE068C304B21}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{9E5FF738-F0B0-48D0-A4BE-E0BAF7977C14}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{162F46D0-B900-4C87-8E01-9FC82DABE03C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{0B99DBE0-5E4C-4024-B87B-FB1318D76860}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{AF9F7B2E-F033-4D85-9BF8-8473167717BC}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{48771F0F-BE33-40A2-8D32-AF9F0004EECD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93376A8B-38B7-4DD5-BDD9-015F45BAB547}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5E5B2A08-8900-43D9-AF9E-0EAB1290F8F9}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{088A1F80-F8B5-4E79-86BB-8AE876C5B529}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"TCP Query User{8D6C8942-A8EF-49BD-8C9E-73F61636A942}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{743B6174-A053-40DD-89C9-2C73C3414EFF}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{E1FE002A-5BF4-4633-A1F5-93EF349DB871}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{91710C63-AF01-4AF8-92BE-7DB68CAD778A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E492B98F-0CF6-4280-850D-3C7C409CEF62}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{107D366A-4609-474E-B336-D083D009100A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{45B70B30-1E62-49F2-8CB8-3C4BCF0A9EC2}c:\\program files\\oovoo\\oovoo.exe"= Disabled:TCP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0ABB70BD-5DCA-488C-A3F5-38E1B4E90B15}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{B702885F-EF90-4B6C-AE5F-39782314CBA1}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{CBF5E508-6F90-4498-B19D-D0774BC04369}"= UDP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DB61C101-8FD1-4D70-B264-BB5E9A9CF429}"= TCP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{45A9F560-E133-43C1-B351-B28648E091E9}"= UDP:5353:Adobe CSI CS4
"{2225F130-E851-4D0C-8D06-AE512ADB4046}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{F0D7502F-EA9B-4257-A33A-A0DC3A45AB39}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3AB76F7B-4416-43EA-9F4D-580EAEF67FBF}"= UDP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{99F7EFF5-85C3-43E3-9181-662F5EF06066}"= TCP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{96EDDC98-18D3-4ADB-9769-685822F7B577}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{040B54EC-4D12-4575-ADCC-B4BEBD8799B4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4B999DAC-12F5-4AE8-8138-077001398505}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{0C5A722D-DF6E-4486-810A-BF1F34F242FE}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{8F0E0922-E602-48F2-B182-67B9ABD3EE59}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{D3913716-3110-466D-9843-1F4D4E73B7E3}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit
"{A63526D8-9E16-43C9-B5E8-B95AD4FF8AC4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{954D4E0F-4E57-460C-88C8-20E2CB8765BD}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 23:07]

2008-12-09 c:\windows\Tasks\User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.1.0.30109.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 17:23:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(3800)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Mediafour\MacDrive 7\MacDriveService.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2008-12-09 17:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 22:28:57
ComboFix2.txt 2008-12-08 15:35:52
ComboFix3.txt 2008-12-08 15:07:06

Pre-Run: 26,043,203,584 bytes free
Post-Run: 26,005,405,696 bytes free

485 --- E O F --- 2008-10-28 23:40:19


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:11 PM, on 12/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/...ds/sysinfo.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7228 bytes
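The firewall section of the ComboFix log above is where the interesting state is: both profiles report EnableFirewall = 0, there are application exceptions for c:\windows\System32\wininit.exe (a boot-time Windows process that has no reason to accept inbound connections), a VNC server and bare VNC ports are allowed, and MountPoints2 still carries an AutoRun command for a removable drive. The following is an added example, written for this page and not part of ComboFix or of any post, that parses that section mechanically. LOG is an excerpt copied from the log above; the REMOTE_ACCESS_SERVERS list and the "anything under c:\windows\ with an exception is worth a look" heuristic are this example's own assumptions. Protocols are taken from the rule value, not from the "TCP Query User"/"UDP Query User" key name, because the value is what the page shows being enforced.

```python
"""Triage of a ComboFix firewall-policy / MountPoints2 dump (added example)."""
import re
from collections import OrderedDict

# Excerpt copied from the ComboFix log posted above.
LOG = r"""
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe
"""

# Rule value: optional "Disabled:", protocol, then a port, a path, or
# "port|path", then ":" and a free-text description.
RULE_RE = re.compile(
    r'^"(?P<key>[^"]+)"=\s*(?:(?P<disabled>Disabled):)?(?P<proto>TCP|UDP):'
    r'(?P<target>(?:\d+\|)?(?:[a-z]:\\[^:]*|\d+)):(?P<desc>.*)$',
    re.IGNORECASE,
)
PROFILE_RE = re.compile(
    r'^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(?P<profile>\w+)\]$',
    re.IGNORECASE,
)
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
AUTORUN_RE = re.compile(r'^\\shell\\AutoRun\\command - (?P<cmd>.+)$', re.IGNORECASE)

# Assumption of this example: remote-control servers worth flagging by name.
REMOTE_ACCESS_SERVERS = {"winvnc.exe", "rpcapd.exe"}


def triage(log_text):
    """Return a dict of findings from a ComboFix firewall/MountPoints2 dump."""
    findings = {
        "profiles_off": [],            # profiles with EnableFirewall = 0
        "exceptions": OrderedDict(),   # enabled rules: exe path -> protocols
        "system_dir_exceptions": [],   # exceptions for binaries under c:\windows\
        "remote_access": [],           # exceptions for known remote-control servers
        "port_only": [],               # enabled rules that open a port with no exe
        "autorun_commands": [],        # MountPoints2 AutoRun commands
    }
    current_profile = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROFILE_RE.match(line)
        if m:
            current_profile = m.group("profile")
            continue
        m = ENABLE_RE.match(line)
        if m and current_profile:
            if m.group("value") == "0":
                findings["profiles_off"].append(current_profile)
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings["autorun_commands"].append(m.group("cmd").strip())
            continue
        m = RULE_RE.match(line)
        if not m or m.group("disabled"):
            continue  # not a rule, or a rule Windows is not enforcing
        proto = m.group("proto").upper()
        target = m.group("target")
        exe = target.split("|", 1)[-1].lower()
        if not re.match(r"^[a-z]:\\", exe):
            findings["port_only"].append((proto, target))
            continue
        findings["exceptions"].setdefault(exe, []).append(proto)
        base = exe.rsplit("\\", 1)[-1]
        if exe.startswith("c:\\windows\\") and exe not in findings["system_dir_exceptions"]:
            findings["system_dir_exceptions"].append(exe)
        if base in REMOTE_ACCESS_SERVERS and exe not in findings["remote_access"]:
            findings["remote_access"].append(exe)
    return findings


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

Disabled rules are skipped on purpose: they are noise in a triage pass, and the user's ooVoo rules drop out for that reason. On the excerpt, the two profiles come back as off, wininit.exe is the only system-directory exception, winvnc.exe is the only remote-access server, ports 5900 and 5800 are open to anything, and E:\start.exe is the AutoRun command.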
crunchie (Moderator)

Re: Windows Vista Infected Big Time!!

  #14
Dec 10th, 2008
Please let me know how your pc is.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Last edited by crunchie; Dec 10th, 2008 at 4:43 am.
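The reason the moderator asks for a fresh HijackThis log after every ComboFix run is to compare it with the previous one. The following is an added example, written for this page and not part of HijackThis or of any post, that diffs two HijackThis logs section by section (R0/R1/O2/... entries plus the "Running processes" list) and pulls out O4 run entries that are keyed to a specific user SID, reporting the RID so that a SID ending in -500 (the built-in Administrator account) stands out. BEFORE and AFTER are short excerpts of the log posted earlier in the thread (12/9, 5:34 PM) and the one posted in the next reply (12/10, 4:55 PM); the O16 URLs are truncated exactly as they appear in the thread.

```python
"""Diff two HijackThis logs by section (added example)."""
import re

# Excerpt of the HijackThis log posted on 12/9 (5:34 PM).
BEFORE = r"""
Running processes:
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/...ds/sysinfo.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

# Excerpt of the HijackThis log posted on 12/10 (4:55 PM).
AFTER = r"""
Running processes:
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

# HijackThis entry lines look like "O4 - ..." / "R1 - ..." / "F2 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Domain/local account SIDs: S-1-5-21-<three subauthorities>-<RID>.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(?P<rid>\d+)", re.IGNORECASE)


def parse_hjt(text):
    """Return (set of running processes, {section: set of entry bodies}), case-folded."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group("section"), set()).add(m.group("body").lower())
    return processes, entries


def diff_hjt(before_text, after_text):
    """Entries and processes that appeared or disappeared between two logs."""
    p0, e0 = parse_hjt(before_text)
    p1, e1 = parse_hjt(after_text)
    added = {s: sorted(e1[s] - e0.get(s, set())) for s in e1 if e1[s] - e0.get(s, set())}
    removed = {s: sorted(e0[s] - e1.get(s, set())) for s in e0 if e0[s] - e1.get(s, set())}
    return {
        "added_processes": sorted(p1 - p0),
        "removed_processes": sorted(p0 - p1),
        "added": added,
        "removed": removed,
    }


def per_user_run_entries(entries):
    """O4 entries under HKUS\\S-1-5-21-... with the account RID (500 = Administrator)."""
    out = []
    for body in sorted(entries.get("O4", ())):
        m = SID_RE.search(body)
        if m:
            out.append((int(m.group("rid")), body))
    return out


if __name__ == "__main__":
    result = diff_hjt(BEFORE, AFTER)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("per-user O4:", per_user_run_entries(parse_hjt(AFTER)[1]))
```

On these excerpts the diff reports two new processes (ymsgr_tray.exe and notepad.exe), two new O4 entries (the Yahoo! Pager autostart under HKCU and under the RID-500 account), and the two O16 DPF entries gone; nothing else moved. Entries are compared after lower-casing so that the mixed case HijackThis prints (C:\Windows vs C:\windows) does not show up as churn.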
IntenseRegard

Re: Windows Vista Infected Big Time!!

  #15
Dec 10th, 2008
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:31 PM, on 12/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7284 bytes


ComboFix 08-12-09.03 - Administrator 2008-12-10 16:31:22.4 - NTFSx86

Running from: c:\users\Administrator.Romeo-Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator.Romeo-Laptop\Desktop\CFScript.txt

FILE ::
c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-07 15:04 . 2008-12-07 15:04 <DIR> d-------- c:\program files\TrojanHunter
2008-12-07 14:52 . 2008-12-07 14:52 <DIR> d-------- C:\!KillBox
2008-12-07 14:42 . 2008-12-07 14:42 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\TrojanHunter
2008-12-07 14:40 . 2008-12-07 14:58 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-07 02:07 . 2008-12-07 02:27 <DIR> d-------- C:\VundoFix Backups
2008-12-06 17:14 . 2008-12-06 17:14 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Malwarebytes
2008-12-05 12:12 . 2008-12-05 12:15 <DIR> d-------- c:\program files\Mp3Doctor
2008-12-05 12:12 . 2001-12-08 12:23 1,089,536 --a------ c:\windows\System32\Mp3Doctor1.dll
2008-12-05 12:12 . 2003-01-22 14:20 299,008 --a------ c:\windows\System32\winwmbcay.dll
2008-12-05 12:12 . 2001-11-25 17:00 266,240 --a------ c:\windows\System32\Mp3Doctor2.dll
2008-12-05 12:12 . 2001-08-01 09:50 90,112 --a------ c:\windows\System32\ID3v23xBase.DLL
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 02:31 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 02:31 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 19:16 . 2008-12-04 19:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\din
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\av
2008-12-04 10:51 . 2008-12-04 10:51 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Yahoo!
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
2008-12-03 04:51 . 2008-12-03 04:51 <DIR> d-------- c:\program files\mm2knet
2008-11-30 13:01 . 2008-11-30 13:01 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\InstallShield
2008-11-30 12:57 . 2008-11-30 12:58 <DIR> d-------- c:\program files\Roxio
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-11-25 10:57 . 2008-11-25 10:57 <DIR> d-------- c:\program files\Imikimi
2008-11-24 21:43 . 2008-11-24 22:12 <DIR> d-------- C:\MP3
2008-11-22 10:27 . 2008-11-22 10:27 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\CyberLink
2008-11-22 00:57 . 2008-11-22 00:57 <DIR> d-------- c:\program files\Wondershare
2008-11-22 00:48 . 2006-01-27 00:56 938,272 --a------ c:\windows\System32\wodFtpDLX.OCX
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\users\All Users\Anvsoft
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\programdata\Anvsoft
2008-11-22 00:27 . 2008-11-22 00:27 <DIR> d-------- c:\program files\Photo DVD Maker Professional
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\users\All Users\WinZip
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\programdata\WinZip
2008-11-21 23:41 . 2008-11-21 23:41 <DIR> d-------- c:\program files\WE Unlimited
2008-11-21 19:29 . 2008-11-21 19:29 <DIR> d-------- c:\program files\Common Files\Real
2008-11-21 19:28 . 2008-11-30 13:24 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2008-11-21 19:26 . 2008-11-21 19:26 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-21 19:00 . 2008-11-21 19:00 <DIR> d--hs---- c:\windows\ftpcache
2008-11-16 21:35 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-16 21:35 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-16 21:35 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-16 21:35 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-16 21:35 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-16 21:35 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-16 21:35 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-16 21:35 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-16 21:35 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-15 21:05 . 2008-11-15 21:05 46,346 --a------ c:\windows\System32\SmrtDrive.dll
2008-11-15 21:04 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\System32\temp.002
2008-11-11 02:10 . 2008-11-11 02:31 <DIR> d-------- c:\program files\WebSite X5 Evolution
2008-11-11 02:04 . 2008-03-20 16:25 185,856 --a------ c:\windows\System32\iwpsetup.exe
2008-11-11 02:04 . 1997-01-16 00:00 29,696 --a------ c:\windows\System32\VB5STKIT.DLL
2008-11-11 02:04 . 1997-01-16 13:42 6,114 --a------ c:\windows\System32\SHELLLNK.TLB
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\AtomPark
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\program files\AtomPark
2008-11-10 23:58 . 2008-11-10 23:58 <DIR> d-------- c:\program files\Email Sender Deluxe
2008-11-10 23:58 . 2008-11-10 23:58 3 --a------ c:\windows\System32\krx280.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 16:39 28,095 ----a-w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\nvModes.dat
2008-12-10 16:39 --------- d-----w c:\program files\Warcraft III
2008-12-05 16:37 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\LimeWire
2008-12-04 02:43 27,335 ----a-w c:\users\Romeo\AppData\Roaming\nvModes.dat
2008-12-01 23:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LimeWire
2008-11-30 19:54 --------- d-----w c:\program files\Common Files\Research in Motion
2008-11-30 18:19 --------- d-----w c:\program files\Verizon Wireless
2008-11-30 17:58 --------- d-----w c:\programdata\Roxio
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-30 17:27 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Research In Motion
2008-11-25 02:34 --------- d-----w c:\program files\Research In Motion
2008-11-25 00:16 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Fingerfox (SE)
2008-11-22 18:21 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-22 16:25 --------- d-----w c:\programdata\LightScribe
2008-11-22 05:48 --------- d-----w c:\program files\CoffeeCup Software
2008-11-20 03:53 --------- d-----w c:\program files\DivX
2008-11-16 02:05 --------- d-----w c:\program files\4PLAY
2008-11-11 10:48 --------- d-----w c:\program files\Ashampoo
2008-11-11 04:02 --------- d-----w c:\programdata\Microsoft Help
2008-11-09 20:57 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Smith Micro
2008-11-06 14:15 --------- d-----w c:\users\Romeo\AppData\Roaming\Thinstall
2008-11-04 22:18 --------- d-----w c:\program files\WC3Banlist
2008-11-01 14:47 --------- d-----w c:\users\Romeo\AppData\Roaming\Summitsoft
2008-11-01 13:28 --------- d-----w c:\program files\SourceTec
2008-11-01 13:28 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-01 13:00 --------- d-----w c:\program files\SWF Decompiler Magic
2008-11-01 11:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LogoMaker
2008-11-01 11:55 --------- d-----w c:\program files\Studio V5
2008-10-31 19:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:35 --------- d-----w c:\program files\Adobe Media Player
2008-10-31 19:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-31 04:03 --------- d-----w c:\program files\WinPcap
2008-10-30 18:01 --------- d-----w c:\users\Romeo\AppData\Roaming\Skype
2008-10-30 17:46 --------- d-----w c:\users\Romeo\AppData\Roaming\skypePM
2008-10-30 15:21 --------- d-----w c:\programdata\NVIDIA
2008-10-27 16:53 --------- d---a-w c:\programdata\TEMP
2008-10-20 07:49 --------- d-----w c:\program files\Windows Mail
2008-10-18 12:37 --------- d-----w c:\program files\Spb Backup
2008-10-18 12:19 --------- d-----w c:\users\Romeo\AppData\Roaming\Jeyo
2008-10-18 12:19 --------- d-----w c:\program files\Jeyo
2008-10-18 06:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-18 05:08 --------- d-----w c:\users\Romeo\AppData\Roaming\Easy Sync
2008-10-18 05:08 --------- d-----w c:\program files\Pocket Wizards
2008-10-14 16:14 --------- d-----w c:\program files\CONEXANT
2008-10-14 11:00 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Symantec
2008-10-14 00:09 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-14 00:07 --------- d-----w c:\users\Romeo\AppData\Roaming\SystemRequirementsLab
2008-10-13 22:56 --------- d-----w c:\program files\Norton Internet Security
2008-10-13 22:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 22:50 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-13 22:50 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-13 22:50 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-13 22:50 --------- d-----w c:\program files\Symantec
2008-10-13 22:45 --------- d-----w c:\programdata\Symantec
2008-10-12 18:20 --------- d-----w c:\programdata\Viewpoint
2008-10-12 18:20 --------- d-----w c:\programdata\acccore
2008-10-12 18:20 --------- d-----w c:\program files\Viewpoint
2008-10-12 18:20 --------- d-----w c:\program files\AIM6
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-08-06 03:16 174 --sha-w c:\program files\desktop.ini
2008-03-01 08:53 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-01 08:53 32 ----a-w c:\programdata\ezsid.dat
1998-02-10 23:34 128,000 ----a-w c:\program files\UNWISE.EXE
2008-06-13 22:24 22 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-08_10.05.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-08 14:58:01 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2008-12-10 21:34:51 2,484 ----a-w c:\windows\bthservsdp.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-10 21:36:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-10 21:36:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-08 14:54:36 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-10 21:31:09 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-07 22:49:18 6,554 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
+ 2008-12-09 22:25:00 6,920 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
- 2008-12-07 22:49:18 89,386 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 21:38:46 89,500 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 21:34:52 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-12-07 22:49:14 51,824 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:33 52,176 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.dll
"vidc.i420"= i420vfw.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\Ulead Systems\vio\dvacm.acm
"vidc.mjpg"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 06:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:44 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-11-04 12:09 615696 c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-14 10:01 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 23:07 133104 c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-10-01 19:10 1783136 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2008-06-02 02:55 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
--a------ 2007-08-24 02:49 607624 c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-10-22 19:57 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-19 15:05 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 03:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 02:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2008-10-24 13:23 1056928 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-09-13 15:32 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-25 14:19 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 09:21 648072 c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 02:33 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9B22924B-C76E-4D1F-9509-C7228B4666A1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9778C69-A22E-4913-88F7-3CEFDAECC583}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EFB2612-BEB1-4647-9DC3-9ED1B6D0D9BB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FB32505-7F0B-44E7-8703-EB9A59BB25A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15F9A471-8027-46D7-B87D-3B00E00613F1}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{5F1BB71C-2B26-404D-8B05-C6D02D21555E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C485A96F-A8B8-4909-8ACD-72674FB3B5AF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72D3C1A4-1A95-40AB-A238-7DD093A1AD12}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53655B4-6403-4A16-BB77-041FD462C49C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{46058D6B-2121-4AE6-8BD5-E6A6A9BB8A92}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A2B81A71-49EC-4C2C-B930-11C31640ACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BEC6979-C09B-4C15-BFA9-996B7E3084DE}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{3EE12C04-DFC4-48BE-931A-FB9A885C235F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{A207D3BF-5428-4F84-B032-16746C2401C5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{036C8FDA-3C94-4AA9-9304-C213C9F43383}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{3F4B2BD8-CFD4-4E66-83CF-FFF1BC6FFE62}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{F332EAA9-C466-4DD7-9D59-24384E0381B3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{3C493C49-D97B-4B18-90A8-2BBB538F3518}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C0ECE08-DA60-48E7-AD88-528EDEFEE253}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AAD27A87-BB0C-4A9F-A336-82A67DFC12CB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2C7C9529-1735-42AB-BED7-54C6B44055A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EE8F19B0-BBB6-4FC5-AF35-F2094AD9E068}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{367AB7FB-EC96-40B7-9512-B1F0AA1859E8}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{555E28D4-3F7B-46BD-9081-429C56616539}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF36F146-162D-43EE-A81D-B8754A7A42AA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1631A059-E6F2-467C-8DBD-381A67D6DBE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{B8AECB91-FA82-470A-9115-3CF5DD18514E}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{2AD2B76D-1BDC-4BDB-92D6-D0DE942826D2}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{96937C85-C040-4E6E-8E3A-1CA73D65C988}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{7986F9D4-F10D-423D-B0A0-85610667E6D4}c:\\program files\\tapur\\tapur.exe"= UDP:c:\program files\tapur\tapur.exe:Tapur.exe
"UDP Query User{4F2EDF11-49D2-4C41-A84D-5ACE1DA24B95}c:\\program files\\tapur\\tapur.exe"= TCP:c:\program files\tapur\tapur.exe:Tapur.exe
"{946B1B88-3DD9-41CA-B8E0-52760F33F91E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9503AC45-5FEF-40F3-8F4F-C5C6204DA506}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CBE9184C-7704-48D0-A422-64AF97E5C54B}c:\\program files\\skype\\phone\\skype.exe"= Disabled:UDP:c:\program files\skype\phone\skype.exe:Skype
"UDP Query User{570A2A49-9DB0-48E6-B1DC-863D239B585C}c:\\program files\\skype\\phone\\skype.exe"= Disabled:TCP:c:\program files\skype\phone\skype.exe:Skype
"{B9EE398A-EFF5-492A-8663-FC0172DBD6A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B99EDD45-A82F-4152-93BC-1F425184BAB2}"= Disabled:UDP:443:ooVoo TCP port 443
"{EF553F3E-273A-425E-8702-FAFDC66DCFCE}"= Disabled:TCP:443:ooVoo UDP port 443
"{18719189-C48C-4219-9FA6-B5EFF6B90EDB}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{26493C66-5C26-4F12-9A7E-05530167D79B}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{5C578D8B-3EE8-4AE5-9F68-CB634370FC53}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{05EB1445-9ED1-4F12-AFAB-D6DA27C25502}"= UDP:6000:vnc
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"{B628D5DC-075E-4C96-B80F-0A2E716F802B}"= TCP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{AC3C5DC4-56AF-4FB5-B7DC-57F2CF8C6D97}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{53EBB492-83F9-432D-8EBE-C903D7A1C424}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{FB74F033-3C65-428F-BA9B-3C8C11338EED}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{86D82B94-16BD-4257-B89F-085FF48B73B3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DBF6D28-468A-47FF-B985-5DADBFD0F18C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{723F1783-9589-4C89-8BC0-CF2632D96068}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{A69F5205-9B8E-411E-A160-4BB552F6CDF7}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{9E7C1BEB-268D-4ABB-8E2B-62F84ADE476A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{FFA54142-DB8F-486A-A7FD-DE068C304B21}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{9E5FF738-F0B0-48D0-A4BE-E0BAF7977C14}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{162F46D0-B900-4C87-8E01-9FC82DABE03C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{0B99DBE0-5E4C-4024-B87B-FB1318D76860}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{AF9F7B2E-F033-4D85-9BF8-8473167717BC}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{48771F0F-BE33-40A2-8D32-AF9F0004EECD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93376A8B-38B7-4DD5-BDD9-015F45BAB547}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5E5B2A08-8900-43D9-AF9E-0EAB1290F8F9}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{088A1F80-F8B5-4E79-86BB-8AE876C5B529}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"TCP Query User{8D6C8942-A8EF-49BD-8C9E-73F61636A942}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{743B6174-A053-40DD-89C9-2C73C3414EFF}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{E1FE002A-5BF4-4633-A1F5-93EF349DB871}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{91710C63-AF01-4AF8-92BE-7DB68CAD778A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E492B98F-0CF6-4280-850D-3C7C409CEF62}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{107D366A-4609-474E-B336-D083D009100A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{45B70B30-1E62-49F2-8CB8-3C4BCF0A9EC2}c:\\program files\\oovoo\\oovoo.exe"= Disabled:TCP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0ABB70BD-5DCA-488C-A3F5-38E1B4E90B15}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{B702885F-EF90-4B6C-AE5F-39782314CBA1}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{CBF5E508-6F90-4498-B19D-D0774BC04369}"= UDP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DB61C101-8FD1-4D70-B264-BB5E9A9CF429}"= TCP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{45A9F560-E133-43C1-B351-B28648E091E9}"= UDP:5353:Adobe CSI CS4
"{2225F130-E851-4D0C-8D06-AE512ADB4046}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{F0D7502F-EA9B-4257-A33A-A0DC3A45AB39}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3AB76F7B-4416-43EA-9F4D-580EAEF67FBF}"= UDP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{99F7EFF5-85C3-43E3-9181-662F5EF06066}"= TCP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{96EDDC98-18D3-4ADB-9769-685822F7B577}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{040B54EC-4D12-4575-ADCC-B4BEBD8799B4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4B999DAC-12F5-4AE8-8138-077001398505}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{0C5A722D-DF6E-4486-810A-BF1F34F242FE}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{8F0E0922-E602-48F2-B182-67B9ABD3EE59}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{D3913716-3110-466D-9843-1F4D4E73B7E3}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit
"{A63526D8-9E16-43C9-B5E8-B95AD4FF8AC4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{954D4E0F-4E57-460C-88C8-20E2CB8765BD}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 23:07]

2008-12-10 c:\windows\Tasks\User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.1.0.30109.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 16:37:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(3092)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Mediafour\MacDrive 7\MacDriveService.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-12-10 16:43:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 21:43:00
ComboFix2.txt 2008-12-09 22:29:07
ComboFix3.txt 2008-12-08 15:35:52
ComboFix4.txt 2008-12-08 15:07:06

Pre-Run: 26,461,446,144 bytes free
Post-Run: 26,447,470,592 bytes free

485 --- E O F --- 2008-10-28 23:40:19
Join Date: Nov 2008
Posts: 816
Solved Threads: 42
Featured Poster
cohen
Practically a Posting Shark

Re: Windows Vista Infected Big Time!!

 
0
  #16
Dec 10th, 2008
OK, beautiful. Can you now please post a fresh new HijackThis log.

Thanks,

Cohen

Edit - Ignore this, I was misreading the post.
Last edited by cohen; Dec 10th, 2008 at 6:32 pm.
Cohen's Site www.cohenl.com

Do not PM me for support!!!
Join Date: Feb 2004
Posts: 10,125
Solved Threads: 770
Moderator
Featured Poster
crunchie
Spyware Killer

Re: Windows Vista Infected Big Time!!

 
0
  #17
Dec 10th, 2008
Originally Posted by crunchie
Please let me know how your pc is.
The reason I ask questions is because I am not a mind reader.

Cohen, I think you will find that the HijackThis log posted was run after ComboFix.
Join Date: Dec 2008
Posts: 12
Solved Threads: 0
IntenseRegard
Newbie Poster

Re: Windows Vista Infected Big Time!!

 
0
  #18
Dec 10th, 2008
PC is running good. Thanks for all your help. I still have a bunch of svchosts running, and I still don't have audio, don't know why. Every time I try to start the audio service it tells me not enough memory to run it, but I have tons of memory, so I'm assuming that the virus changed up some registry settings. Also, I think I have been google.goored: every time I do a search in Firefox it redirects me to some site, and when it's loading it says google.goored.com/xxxxxxxxxx, (x) being wherever it's redirecting me to. So I don't know how to clean that out either, and virus scans are not detecting it.
Join Date: Feb 2004
Posts: 10,125
Solved Threads: 770
Moderator
Featured Poster
crunchie
Spyware Killer

Re: Windows Vista Infected Big Time!!

 
0
  #19
Dec 10th, 2008
Update MBAM and run it again and see what it finds. Remove anything that it does find.

Try uninstalling your audio drivers in device manager and re-installing them after a reboot.
Join Date: Dec 2008
Posts: 12
Solved Threads: 0
IntenseRegard
Newbie Poster

Re: Windows Vista Infected Big Time!!

 
0
  #20
Dec 10th, 2008
I ran MBAM, updated it and ran it. It found nothing, and I uninstalled the audio, also the audio controller, and rebooted and reinstalled, but it still doesn't work. Here is the error I get:

"Windows could not start the Windows Audio Service on Local Computer.

Error 0x800700e: Not enough storage is available to complete this operation."


But I have tons of free memory and 30 gigs of HD space.
©2003 - 2009 DaniWeb® LLC