0

Hello there. I'm new to this forum and saw that you guys are very helpful here, so I'm giving this a shot because I have tried 3 other forums and nobody seems to respond to my cry for help. So here I am.

Ok, so I used IE, and the one time I did I got infected, and now I can't seem to clean it out no matter what I do, and now it seems to be taking over. I no longer have audio, and I get an error that it cannot run the Bluetooth stack (says not enough memory to run it), but I have plenty of available memory and over 40 gigs free. Also, for certain files, even under Safe Mode under the Administrator account (not an account with administrative rights, but the genuine Administrator account), I can't seem to be able to delete certain files. When I ran VundoFix it went to a black screen and I was not able to see anything. So now my computer, it seems, belongs to a virus. Can anyone help? I am posting my HijackThis log to give assistance. Would appreciate any help I get. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:12 PM, on 12/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\~.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [fopabekulo] Rundll32.exe "C:\Windows\system32\lemikiya.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9080 bytes


Running Processes

StartupList report, 12/7/2008, 2:16:57 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18000)
* Using default options
==================================================

Running processes:

C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\~.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPStart = C:\Program Files\Synaptics\SynTP\SynTPStart.exe
DpAgent = C:\Program Files\DigitalPersona\Bin\dpagent.exe
hpWirelessAssistant = C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
WAWifiMessage = C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
WD Drive Manager = C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
{B179023B-6238-4499-8F26-CD73E9D90E0A} = "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
MDGetStarted.exe = "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
NvSvc = RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
NvCplDaemon = RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
BlackBerryAutoUpdate = C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
(Default) =
RoxWatchTray = "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sidebar = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
ISUSPM = "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\Windows\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GoogleUpdateTaskUser.job
User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\Windows\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

[HpProductDetection Class]
InProcServer32 = C:\Program Files\HP\Common\HPDeviceDetection.dll
CODEBASE = http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll
NameSpace #5: C:\Windows\system32\wshbth.dll
NameSpace #8: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\system32\webcheck.dll

--------------------------------------------------
End of report, 6,336 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

0

Can you please do the following.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Windows\system32\~.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

O4 - Global Startup: Bluetooth.lnk = ?

O13 - Gopher Prefix:


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\Windows\system32\~.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.
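Since the thread turns on comparing one HijackThis log with the next and spotting the entry that keeps coming back, here is a small Python triage script, added as an example (it is not part of the thread and not HijackThis code). It parses HJT v2 logs, diffs two scans, and flags O4 entries that start a DLL through rundll32 when the DLL is not on a small allowlist; the allowlist and the trimmed log excerpts below are constructed from lines posted in this thread.

```python
"""Triage helper for HijackThis v2 logs: parse, diff two scans, flag rundll32 loaders.
Added example; not part of the original thread and not HijackThis' own code."""
import re

# Constructed excerpts (trimmed) of the two HijackThis logs posted in this thread,
# the first before and the second after the first round of fixes.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:12 PM, on 12/7/2008

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\~.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [fopabekulo] Rundll32.exe "C:\Windows\system32\lemikiya.dll",s (User '?')
O4 - Global Startup: Bluetooth.lnk = ?
O13 - Gopher Prefix:
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9080 bytes
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:22 AM, on 12/8/2008

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [fopabekulo] Rundll32.exe "C:\Windows\system32\lemikiya.dll",s (User '?')
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 8568 bytes
"""

# HJT entry lines look like "O4 - <rest>", "R1 - <rest>", "F2 - <rest>", "N1 - <rest>".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# rundll32[.exe] <optional quote><path ending in .dll><optional quote>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
# Constructed allowlist: the rundll32-loaded DLLs in this thread's logs that belong
# to vendor/OS components (NVIDIA tray/control panel, Vista Welcome Center).
KNOWN_DLLS = {"nvcpl.dll", "nvmctray.dll", "nvsvc.dll", "oobefldr.dll"}


def parse_hjt(text):
    """Return {'processes': set of lowercased paths, 'entries': {code: set of rest}}."""
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())  # Windows paths compare case-insensitively
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return {"processes": processes, "entries": entries}


def _flat(parsed):
    return {f"{code} - {rest}" for code, s in parsed["entries"].items() for rest in s}


def diff_hjt(before, after):
    """Entries and processes removed, added and persisted between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    fb, fa = _flat(b), _flat(a)
    return {
        "removed": sorted(fb - fa),
        "added": sorted(fa - fb),
        "persisted": sorted(fb & fa),
        "procs_gone": sorted(b["processes"] - a["processes"]),
        "procs_new": sorted(a["processes"] - b["processes"]),
    }


def flag_rundll32_loaders(text, known=KNOWN_DLLS):
    """O4 autoruns that hand a DLL to rundll32 which is not on the allowlist."""
    flagged = []
    for rest in parse_hjt(text)["entries"].get("O4", ()):
        m = RUNDLL_RE.search(rest)
        if m:
            dll = m.group(1).rsplit("\\", 1)[-1].lower()
            if dll not in known:
                flagged.append((dll, rest))
    return sorted(flagged)


if __name__ == "__main__":
    for key, items in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {items}")
    print("still loading unknown DLLs via rundll32:", flag_rundll32_loaders(LOG_AFTER))
```

Running it shows the start-page, Gopher and Bluetooth.lnk entries gone and `~.exe` no longer running, while the `[fopabekulo]` rundll32 entry for lemikiya.dll persists across both scans, which is exactly the entry the poster reports keeps returning.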

0

Ok, here is the HijackThis log and the Malwarebytes log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:22 AM, on 12/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [fopabekulo] Rundll32.exe "C:\Windows\system32\lemikiya.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8568 bytes


MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 6.0.6001 Service Pack 1

12/8/2008 4:15:37 AM
mbam-log-2008-12-08 (04-15-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 370954
Time elapsed: 2 hour(s), 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{17cbbd9e-7c3c-4de6-8311-64a4e84f94f4} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{17cbbd9e-7c3c-4de6-8311-64a4e84f94f4} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17cbbd9f-7c3c-4de6-8311-64a4e84f94f4} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{056d0bea-1324-464d-a781-66902a6f4dd2} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{056d0bea-1324-464d-a781-66902a6f4dd2} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{056d0beb-1324-464d-a781-66902a6f4dd2} (Adware.Mirar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Romeo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0HMPK5T6\tzvjt[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tvifimuhabucuyaj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\winmf77.dll (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Windows\System32\winnc77.dll (Adware.Mirar) -> Quarantined and deleted successfully.

I have deleted this file "C:\Windows\system32\lemikiya.dll",s (User '?')" about 2 million times now, and it goes away for a few scans and then returns. No idea how.

0

I have deleted this file "C:\Windows\system32\lemikiya.dll",s (User '?')" about 2 million times now, and it goes away for a few scans and then returns. No idea how.

Ok. Based on that, I will get you to run another program.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Ok, I did that.


Here is the log:

ComboFix 08-12-07.01 - Administrator 2008-12-08 9:54:43.1 - NTFSx86

Running from: c:\users\Administrator.Romeo-Laptop\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\users\Romeo\AppData\Local\Microsoft\Windows\Temporary Internet Files\bestwiner.stt
c:\users\Romeo\AppData\Local\Microsoft\Windows\Temporary Internet Files\CPV.stt
c:\users\Romeo\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\users\Romeo\AppData\Roaming\IUpd721
c:\users\Romeo\AppData\Roaming\IUpd721\Logs\scns.log
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\bHRXycfe.ini
c:\windows\System32\bHRXycfe.ini2
c:\windows\system32\gs73gfidgf.dll
c:\windows\system32\hrwd8.dll
c:\windows\system32\KBL.LOG
c:\windows\system32\ki3
c:\windows\system32\ktdjpwmw.ini
c:\windows\system32\MabryObj.dll
c:\windows\system32\rvurcmozez.dll
c:\windows\system32\tblybqcw.ini
c:\windows\system32\TDSSsttxkbnb.dat
c:\windows\system32\uv9
c:\windows\system32\VC

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 15:04 . 2008-12-07 15:04 <DIR> d-------- c:\program files\TrojanHunter
2008-12-07 14:52 . 2008-12-07 14:52 <DIR> d-------- C:\!KillBox
2008-12-07 14:42 . 2008-12-07 14:42 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\TrojanHunter
2008-12-07 14:40 . 2008-12-07 14:58 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-07 02:07 . 2008-12-07 02:27 <DIR> d-------- C:\VundoFix Backups
2008-12-06 17:14 . 2008-12-06 17:14 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Malwarebytes
2008-12-05 12:12 . 2008-12-05 12:15 <DIR> d-------- c:\program files\Mp3Doctor
2008-12-05 12:12 . 2001-12-08 12:23 1,089,536 --a------ c:\windows\System32\Mp3Doctor1.dll
2008-12-05 12:12 . 2003-01-22 14:20 299,008 --a------ c:\windows\System32\winwmbcay.dll
2008-12-05 12:12 . 2001-11-25 17:00 266,240 --a------ c:\windows\System32\Mp3Doctor2.dll
2008-12-05 12:12 . 2001-08-01 09:50 90,112 --a------ c:\windows\System32\ID3v23xBase.DLL
2008-12-05 12:12 . 2003-04-11 12:48 18,432 --a------ c:\windows\System32\winint.dll
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 02:31 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 02:31 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 19:16 . 2008-12-04 19:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\din
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\av
2008-12-04 10:59 . 2008-12-04 11:05 47,598 --a------ c:\windows\System32\eoppmhycydcnuns.exe
2008-12-04 10:51 . 2008-12-04 10:51 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Yahoo!
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
2008-12-03 04:51 . 2008-12-03 04:51 <DIR> d-------- c:\program files\mm2knet
2008-11-30 13:01 . 2008-11-30 13:01 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\InstallShield
2008-11-30 12:57 . 2008-11-30 12:58 <DIR> d-------- c:\program files\Roxio
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-11-25 10:57 . 2008-11-25 10:57 <DIR> d-------- c:\program files\Imikimi
2008-11-24 21:43 . 2008-11-24 22:12 <DIR> d-------- C:\MP3
2008-11-22 10:27 . 2008-11-22 10:27 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\CyberLink
2008-11-22 00:57 . 2008-11-22 00:57 <DIR> d-------- c:\program files\Wondershare
2008-11-22 00:48 . 2006-01-27 00:56 938,272 --a------ c:\windows\System32\wodFtpDLX.OCX
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\users\All Users\Anvsoft
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\programdata\Anvsoft
2008-11-22 00:27 . 2008-11-22 00:27 <DIR> d-------- c:\program files\Photo DVD Maker Professional
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\users\All Users\WinZip
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\programdata\WinZip
2008-11-21 23:41 . 2008-11-21 23:41 <DIR> d-------- c:\program files\WE Unlimited
2008-11-21 19:29 . 2008-11-21 19:29 <DIR> d-------- c:\program files\Common Files\Real
2008-11-21 19:28 . 2008-11-30 13:24 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2008-11-21 19:26 . 2008-11-21 19:26 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-21 19:00 . 2008-11-21 19:00 <DIR> d--hs---- c:\windows\ftpcache
2008-11-16 21:35 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-16 21:35 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-16 21:35 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-16 21:35 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-16 21:35 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-16 21:35 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-16 21:35 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-16 21:35 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-16 21:35 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-15 21:05 . 2008-11-15 21:05 46,346 --a------ c:\windows\System32\SmrtDrive.dll
2008-11-15 21:04 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\System32\temp.002
2008-11-11 02:10 . 2008-11-11 02:31 <DIR> d-------- c:\program files\WebSite X5 Evolution
2008-11-11 02:04 . 2008-03-20 16:25 185,856 --a------ c:\windows\System32\iwpsetup.exe
2008-11-11 02:04 . 1997-01-16 00:00 29,696 --a------ c:\windows\System32\VB5STKIT.DLL
2008-11-11 02:04 . 1997-01-16 13:42 6,114 --a------ c:\windows\System32\SHELLLNK.TLB
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\AtomPark
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\program files\AtomPark
2008-11-10 23:58 . 2008-11-10 23:58 <DIR> d-------- c:\program files\Email Sender Deluxe
2008-11-10 23:58 . 2008-11-10 23:58 3 --a------ c:\windows\System32\krx280.dat
2008-11-09 15:57 . 2008-11-09 15:57 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Smith Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 18:29 28,095 ----a-w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\nvModes.dat
2008-12-06 18:29 --------- d-----w c:\program files\Warcraft III
2008-12-05 16:37 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\LimeWire
2008-12-04 02:43 27,335 ----a-w c:\users\Romeo\AppData\Roaming\nvModes.dat
2008-12-01 23:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LimeWire
2008-11-30 19:54 --------- d-----w c:\program files\Common Files\Research in Motion
2008-11-30 18:19 --------- d-----w c:\program files\Verizon Wireless
2008-11-30 17:58 --------- d-----w c:\programdata\Roxio
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-30 17:27 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Research In Motion
2008-11-25 02:34 --------- d-----w c:\program files\Research In Motion
2008-11-25 00:16 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Fingerfox (SE)
2008-11-22 18:21 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-22 16:25 --------- d-----w c:\programdata\LightScribe
2008-11-22 05:48 --------- d-----w c:\program files\CoffeeCup Software
2008-11-20 03:53 --------- d-----w c:\program files\DivX
2008-11-16 02:05 --------- d-----w c:\program files\4PLAY
2008-11-11 10:48 --------- d-----w c:\program files\Ashampoo
2008-11-11 04:02 --------- d-----w c:\programdata\Microsoft Help
2008-11-06 14:15 --------- d-----w c:\users\Romeo\AppData\Roaming\Thinstall
2008-11-04 22:18 --------- d-----w c:\program files\WC3Banlist
2008-11-01 14:47 --------- d-----w c:\users\Romeo\AppData\Roaming\Summitsoft
2008-11-01 13:28 --------- d-----w c:\program files\SourceTec
2008-11-01 13:28 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-01 13:00 --------- d-----w c:\program files\SWF Decompiler Magic
2008-11-01 11:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LogoMaker
2008-11-01 11:55 --------- d-----w c:\program files\Studio V5
2008-10-31 19:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:35 --------- d-----w c:\program files\Adobe Media Player
2008-10-31 19:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-31 04:03 --------- d-----w c:\program files\WinPcap
2008-10-30 18:01 --------- d-----w c:\users\Romeo\AppData\Roaming\Skype
2008-10-30 17:46 --------- d-----w c:\users\Romeo\AppData\Roaming\skypePM
2008-10-30 15:21 --------- d-----w c:\programdata\NVIDIA
2008-10-27 16:53 --------- d---a-w c:\programdata\TEMP
2008-10-20 07:49 --------- d-----w c:\program files\Windows Mail
2008-10-18 12:37 --------- d-----w c:\program files\Spb Backup
2008-10-18 12:19 --------- d-----w c:\users\Romeo\AppData\Roaming\Jeyo
2008-10-18 12:19 --------- d-----w c:\program files\Jeyo
2008-10-18 06:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-18 05:08 --------- d-----w c:\users\Romeo\AppData\Roaming\Easy Sync
2008-10-18 05:08 --------- d-----w c:\program files\Pocket Wizards
2008-10-14 16:14 --------- d-----w c:\program files\CONEXANT
2008-10-14 11:00 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Symantec
2008-10-14 00:09 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-14 00:07 --------- d-----w c:\users\Romeo\AppData\Roaming\SystemRequirementsLab
2008-10-13 22:56 --------- d-----w c:\program files\Norton Internet Security
2008-10-13 22:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 22:50 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-13 22:50 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-13 22:50 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-13 22:50 --------- d-----w c:\program files\Symantec
2008-10-13 22:45 --------- d-----w c:\programdata\Symantec
2008-10-12 18:20 --------- d-----w c:\programdata\Viewpoint
2008-10-12 18:20 --------- d-----w c:\programdata\acccore
2008-10-12 18:20 --------- d-----w c:\program files\Viewpoint
2008-10-12 18:20 --------- d-----w c:\program files\AIM6
2008-10-09 23:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-09 01:57 8,224 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-10-08 22:50 672 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-10-08 22:50 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-10-08 22:50 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-08 15:36 2,829 ----a-w c:\windows\War3Unin.pif
2008-09-08 15:36 139,264 ----a-w c:\windows\War3Unin.exe
2008-08-06 03:16 174 --sha-w c:\program files\desktop.ini
2008-03-01 08:53 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-01 08:53 32 ----a-w c:\programdata\ezsid.dat
1998-02-10 23:34 128,000 ----a-w c:\program files\UNWISE.EXE
2008-06-13 22:24 22 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.dll
"vidc.i420"= i420vfw.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\Ulead Systems\vio\dvacm.acm
"vidc.mjpg"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 06:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:44 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-14 10:01 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 23:07 133104 c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-10-01 19:10 1783136 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2008-06-02 02:55 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
--a------ 2007-08-24 02:49 607624 c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-10-22 19:57 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-19 15:05 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 03:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-09-13 15:32 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-25 14:19 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 09:21 648072 c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 02:33 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9B22924B-C76E-4D1F-9509-C7228B4666A1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9778C69-A22E-4913-88F7-3CEFDAECC583}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EFB2612-BEB1-4647-9DC3-9ED1B6D0D9BB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FB32505-7F0B-44E7-8703-EB9A59BB25A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15F9A471-8027-46D7-B87D-3B00E00613F1}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{5F1BB71C-2B26-404D-8B05-C6D02D21555E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C485A96F-A8B8-4909-8ACD-72674FB3B5AF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72D3C1A4-1A95-40AB-A238-7DD093A1AD12}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53655B4-6403-4A16-BB77-041FD462C49C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{46058D6B-2121-4AE6-8BD5-E6A6A9BB8A92}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A2B81A71-49EC-4C2C-B930-11C31640ACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BEC6979-C09B-4C15-BFA9-996B7E3084DE}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{3EE12C04-DFC4-48BE-931A-FB9A885C235F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{A207D3BF-5428-4F84-B032-16746C2401C5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{036C8FDA-3C94-4AA9-9304-C213C9F43383}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{3F4B2BD8-CFD4-4E66-83CF-FFF1BC6FFE62}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{F332EAA9-C466-4DD7-9D59-24384E0381B3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{3C493C49-D97B-4B18-90A8-2BBB538F3518}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C0ECE08-DA60-48E7-AD88-528EDEFEE253}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AAD27A87-BB0C-4A9F-A336-82A67DFC12CB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2C7C9529-1735-42AB-BED7-54C6B44055A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EE8F19B0-BBB6-4FC5-AF35-F2094AD9E068}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{367AB7FB-EC96-40B7-9512-B1F0AA1859E8}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{555E28D4-3F7B-46BD-9081-429C56616539}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF36F146-162D-43EE-A81D-B8754A7A42AA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1631A059-E6F2-467C-8DBD-381A67D6DBE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{B8AECB91-FA82-470A-9115-3CF5DD18514E}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{2AD2B76D-1BDC-4BDB-92D6-D0DE942826D2}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{96937C85-C040-4E6E-8E3A-1CA73D65C988}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{7986F9D4-F10D-423D-B0A0-85610667E6D4}c:\\program files\\tapur\\tapur.exe"= UDP:c:\program files\tapur\tapur.exe:Tapur.exe
"UDP Query User{4F2EDF11-49D2-4C41-A84D-5ACE1DA24B95}c:\\program files\\tapur\\tapur.exe"= TCP:c:\program files\tapur\tapur.exe:Tapur.exe
"{946B1B88-3DD9-41CA-B8E0-52760F33F91E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9503AC45-5FEF-40F3-8F4F-C5C6204DA506}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CBE9184C-7704-48D0-A422-64AF97E5C54B}c:\\program files\\skype\\phone\\skype.exe"= Disabled:UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{570A2A49-9DB0-48E6-B1DC-863D239B585C}c:\\program files\\skype\\phone\\skype.exe"= Disabled:TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{B9EE398A-EFF5-492A-8663-FC0172DBD6A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B99EDD45-A82F-4152-93BC-1F425184BAB2}"= Disabled:UDP:443:ooVoo TCP port 443
"{EF553F3E-273A-425E-8702-FAFDC66DCFCE}"= Disabled:TCP:443:ooVoo UDP port 443
"{18719189-C48C-4219-9FA6-B5EFF6B90EDB}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{26493C66-5C26-4F12-9A7E-05530167D79B}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{5C578D8B-3EE8-4AE5-9F68-CB634370FC53}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{05EB1445-9ED1-4F12-AFAB-D6DA27C25502}"= UDP:6000:vnc
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"{B628D5DC-075E-4C96-B80F-0A2E716F802B}"= TCP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{AC3C5DC4-56AF-4FB5-B7DC-57F2CF8C6D97}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{53EBB492-83F9-432D-8EBE-C903D7A1C424}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{FB74F033-3C65-428F-BA9B-3C8C11338EED}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{86D82B94-16BD-4257-B89F-085FF48B73B3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DBF6D28-468A-47FF-B985-5DADBFD0F18C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{723F1783-9589-4C89-8BC0-CF2632D96068}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{A69F5205-9B8E-411E-A160-4BB552F6CDF7}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{9E7C1BEB-268D-4ABB-8E2B-62F84ADE476A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{FFA54142-DB8F-486A-A7FD-DE068C304B21}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{9E5FF738-F0B0-48D0-A4BE-E0BAF7977C14}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{162F46D0-B900-4C87-8E01-9FC82DABE03C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{0B99DBE0-5E4C-4024-B87B-FB1318D76860}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{AF9F7B2E-F033-4D85-9BF8-8473167717BC}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{48771F0F-BE33-40A2-8D32-AF9F0004EECD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93376A8B-38B7-4DD5-BDD9-015F45BAB547}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5E5B2A08-8900-43D9-AF9E-0EAB1290F8F9}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{088A1F80-F8B5-4E79-86BB-8AE876C5B529}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"TCP Query User{8D6C8942-A8EF-49BD-8C9E-73F61636A942}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{743B6174-A053-40DD-89C9-2C73C3414EFF}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{E1FE002A-5BF4-4633-A1F5-93EF349DB871}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{91710C63-AF01-4AF8-92BE-7DB68CAD778A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E492B98F-0CF6-4280-850D-3C7C409CEF62}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{107D366A-4609-474E-B336-D083D009100A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{45B70B30-1E62-49F2-8CB8-3C4BCF0A9EC2}c:\\program files\\oovoo\\oovoo.exe"= Disabled:TCP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0ABB70BD-5DCA-488C-A3F5-38E1B4E90B15}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{B702885F-EF90-4B6C-AE5F-39782314CBA1}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{CBF5E508-6F90-4498-B19D-D0774BC04369}"= UDP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DB61C101-8FD1-4D70-B264-BB5E9A9CF429}"= TCP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{45A9F560-E133-43C1-B351-B28648E091E9}"= UDP:5353:Adobe CSI CS4
"{2225F130-E851-4D0C-8D06-AE512ADB4046}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{F0D7502F-EA9B-4257-A33A-A0DC3A45AB39}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3AB76F7B-4416-43EA-9F4D-580EAEF67FBF}"= UDP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{99F7EFF5-85C3-43E3-9181-662F5EF06066}"= TCP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{96EDDC98-18D3-4ADB-9769-685822F7B577}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{040B54EC-4D12-4575-ADCC-B4BEBD8799B4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4B999DAC-12F5-4AE8-8138-077001398505}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{0C5A722D-DF6E-4486-810A-BF1F34F242FE}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{8F0E0922-E602-48F2-B182-67B9ABD3EE59}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{D3913716-3110-466D-9843-1F4D4E73B7E3}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit
"{A63526D8-9E16-43C9-B5E8-B95AD4FF8AC4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{954D4E0F-4E57-460C-88C8-20E2CB8765BD}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 23:07]

2008-12-08 c:\windows\Tasks\User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
MSConfigStartUp-2c4765e2 - c:\windows\system32\rurimita.dll
MSConfigStartUp-AIMPro - c:\program files\AIM\AIM Pro\aimpro.exe
MSConfigStartUp-CPM2f74567e - c:\windows\system32\bumokoju.dll
MSConfigStartUp-fopabekulo - c:\windows\system32\lemikiya.dll
MSConfigStartUp-gadcom - c:\users\Romeo\AppData\Roaming\gadcom\gadcom.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-IUpd721 - c:\users\Romeo\AppData\Roaming\NI.GSCNS\IUpd721.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\users\Romeo\AppData\Local\Temp\csrssc.exe
MSConfigStartUp-MSServer - c:\windows\system32\cbXNDULD.dll
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-Twain - c:\users\Romeo\AppData\Roaming\Twain\Twain.exe
MSConfigStartUp-Vkofemu - c:\windows\ijurawaxozuvovep.dll
MSConfigStartUp-xsjfn83jkemfofght - c:\users\Romeo\AppData\Local\Temp\winlogin.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.1.0.30109.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 10:00:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(3300)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\program files\Mediafour\MacDrive 7\MDVolumeIcons.dll
c:\program files\Mediafour\MacDrive 7\MACDRAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Mediafour\MacDrive 7\MacDriveService.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2008-12-08 10:07:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 15:06:51

Pre-Run: 27,611,541,504 bytes free
Post-Run: 27,466,059,776 bytes free

504 --- E O F --- 2008-10-28 23:40:19


and the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:07 AM, on 12/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8197 bytes

0

OK, done.

winint.dll
File has already been analysed:
MD5: 3a7bd4d6df8d7a38be2a485754cd958d
First received: 03.16.2008 19:25:33 (CET)
Date: 03.19.2008 12:41:15 (CET) [>264D]
Results: 2/32
Permalink: analisis/e51b66a93c26a4347bd9bfc78c7256cf

and eoppmhycydcnuns.exe

MD5: eda350341cba5ec552e6b1bec2aa9207
First received: 11.30.2008 02:35:18 (CET)
Date: 12.08.2008 23:37:50 (CET) [<1D]
Results: 2/38
Permalink: analisis/0f9107d09d2f30cfb6cd6fef52d01b06

0

Ok. You see in your two results the Permalink line at the bottom? When you are on the site, you are meant to click on that link. That will then show you the results :).

0

Oooohhh, OK, my bad, sorry. OK, here are the results:


wininit.exe

File wininit.exe received on 12.09.2008 03:50:51 (CET)
Current status: finished
Result: 0/38 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.8.1 2008.12.09 -
AntiVir 7.9.0.43 2008.12.08 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.08 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.09 -
Comodo 711 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.08 -
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.08 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3674 2008.12.09 -
Norman 5.80.02 2008.12.08 -
Panda 9.0.0.4 2008.12.08 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.09 -
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.08 -
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.8.1506 2008.12.08 -
VirusBuster 4.5.11.0 2008.12.08 -
Additional information
File size: 96768 bytes
MD5...: 101ba3ea053480bb5d957ef37c06b5ed
SHA1..: 738ef691944f08cf0c405a52f3f55e99ef6e8e6e
SHA256: 9a02771da9c226552a1766c2dd0295eca8b5b80aae13076ffce6a806fa5c21b8
SHA512: ed1d47e017a67e385c31aab00e8dc5833d49a6e19b318702af0807b048b74af0
d7e11b9a19b3799003a90da1832f4b3ead90089f3b6f8039b810d0df4d654fa5
ssdeep: 1536:BWH2/rG8s2gq3yQlEQiFXKREc7Mom5dFmEO+OKXqKYMk:BWYy8zfEQiFXKR
EbdFmEO+OBKR
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100634b
timedatestamp.....: 0x47918db8 (Sat Jan 19 05:42:16 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x13fdc 0x14000 6.32 cb3e5f4d9c5edc220dfb42d94dc3353a
.data 0x15000 0x940 0x800 1.70 4a0b595f10f7b17b94ed648111413be2
.rsrc 0x16000 0x1750 0x1800 3.95 a1082da9a24924d9e0032925125eadb3
.reloc 0x18000 0x1520 0x1600 6.70 d343b5056081c437db336f5d73c56a66

( 7 imports )
> ADVAPI32.dll: TraceMessage, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCloseKey, RegDeleteValueW, RegOpenKeyExW, RegSetValueExW, RegQueryValueExW, EventRegister, EventUnregister, EventWrite, EventEnabled, RegOpenKeyW, LsaGetUserName, EventWriteEndScenario, EventWriteStartScenario, EventActivityIdControl, CheckTokenMembership, RevertToSelf, ImpersonateLoggedOnUser, EqualSid, GetTokenInformation, SetNamedSecurityInfoW, GetSecurityDescriptorSacl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorControl, ConvertStringSecurityDescriptorToSecurityDescriptorW, DeregisterEventSource, RegisterEventSourceW, RegEnumValueW, RegQueryInfoKeyW, RegQueryInfoKeyA, RegQueryValueExA, QueryTraceW, EnableTrace, ControlTraceW, StartTraceW, OpenSCManagerW, OpenServiceW, QueryServiceStatus, NotifyServiceStatusChangeW, CloseServiceHandle, NotifyBootConfigStatus, OpenProcessToken, CreateWellKnownSid, LookupAccountSidW, RegDeleteTreeW, CreateProcessAsUserW, DuplicateTokenEx, I_ScSendTSMessage, ReportEventW
> KERNEL32.dll: HeapAlloc, HeapFree, WaitForSingleObjectEx, ResetEvent, CreateEventW, Sleep, SetThreadExecutionState, MoveFileExW, DeleteFileW, GetSystemDirectoryW, GetCurrentProcessId, SleepEx, CreateThread, InterlockedExchange, CreateProcessW, HeapDestroy, FindClose, FindFirstFileW, GetWindowsDirectoryW, GetTickCount, SetErrorMode, CreateTimerQueueTimer, SetEvent, HeapSetInformation, QueueUserWorkItem, DeleteTimerQueueTimer, GetVersionExW, GetDateFormatW, GetTimeFormatW, FileTimeToSystemTime, SystemTimeToFileTime, GetLocalTime, LockResource, LoadResource, FindResourceExW, ExpandEnvironmentStringsW, lstrlenW, SetLastError, LocalFree, CreateDirectoryW, ReadFile, LocalAlloc, CreateFileW, GetShortPathNameW, lstrcmpiW, FindVolumeClose, FindNextVolumeW, GetDriveTypeW, FindFirstVolumeW, LocalReAlloc, LocalSize, InterlockedCompareExchange, LoadLibraryA, SetUnhandledExceptionFilter, GetStartupInfoA, DelayLoadFailureHook, HeapCreate, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetProcessHeap, ResumeThread, CreateRemoteThread, GetModuleHandleW, OpenProcess, SetTimerQueueTimer, GetFileAttributesW, LoadLibraryW, GetProcAddress, FreeLibrary, GetComputerNameW, SetEnvironmentVariableW, GetLastError, GetCurrentProcess, SetPriorityClass, GetCurrentThread, SetThreadPriority, GetExitCodeProcess, CloseHandle, WaitForMultipleObjectsEx, WaitForSingleObject, GetModuleHandleA
> USER32.dll: GetAsyncKeyState, RecordShutdownReason, UnhookWindowsHookEx, SwitchDesktopWithFade, SetThreadDesktop, UpdatePerUserSystemParameters, LoadLocalFonts, SetWindowStationUser, SwitchDesktop, SetUserObjectSecurity, SetWindowsHookExW, CloseWindowStation, CloseDesktop, CreateDesktopW, SetProcessWindowStation, CreateWindowStationW, RegisterLogonProcess, ExitWindowsEx
> msvcrt.dll: _vsnwprintf, _wcsicmp, memcpy, memmove, wcschr, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler4_common, _terminate@@YAXXZ, _controlfp, memset, wcsstr
> ntdll.dll: NtCreatePagingFile, NtShutdownSystem, RtlDeregisterWaitEx, NtOpenProcessToken, RtlRemovePrivileges, NtClose, RtlDosPathNameToNtPathName_U, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, NtAllocateLocallyUniqueId, RtlFreeSid, RtlSetSaclSecurityDescriptor, RtlAddMandatoryAce, RtlCreateAcl, RtlInitUnicodeString, NtQueryInformationProcess, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, RtlSetDaclSecurityDescriptor, RtlAddAce, TpSimpleTryPost, RtlUnhandledExceptionFilter, NtQuerySystemInformation, RtlNtStatusToDosError, RtlRegisterWait, RtlDestroyEnvironment, NtSetValueKey, NtCreateKey, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlCompareUnicodeString, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, RtlAllocateAndInitializeSid, RtlInitializeCriticalSection, NtQueryInformationToken, RtlSetEnvironmentVariable, RtlQueryEnvironmentVariable_U, RtlInitUnicodeStringEx, RtlCreateEnvironment, NtCreateEvent, RtlAdjustPrivilege, NtSystemDebugControl, DbgBreakPoint, RtlCreateSecurityDescriptor, RtlFreeHeap
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerListen, RpcServerInqCallAttributesW, RpcImpersonateClient, RpcRevertToSelf, RpcBindingServerFromClient, RpcBindingToStringBindingW, RpcStringBindingParseW, RpcBindingFree, RpcServerUseProtseqW, RpcServerInqDefaultPrincNameW, NdrServerCall2, RpcBindingSetAuthInfoExW, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcMgmtIsServerListening, NdrClientCall2, RpcBindingUnbind, RpcAsyncCompleteCall, RpcAsyncCancelCall, RpcAsyncInitializeHandle, RpcBindingBind, RpcBindingCreateW, RpcBindingCopy, NdrAsyncClientCall, I_RpcBindingIsClientLocal, RpcAsyncAbortCall, RpcServerTestCancel, NdrAsyncServerCall, RpcServerUseProtseqEpW, RpcServerRegisterAuthInfoW, RpcStringFreeW, RpcServerInqBindings, UuidFromStringW, RpcEpRegisterW, RpcServerUnregisterIf, RpcEpUnregister, RpcBindingVectorFree
> USERENV.dll: GetAllUsersProfileDirectoryW, -, -, GetUserProfileDirectoryW

( 0 exports )


eoppmhycydcnuns.exe

File ppqmhuzjokzffdj.exe received on 12.08.2008 23:36:26 (CET)
Current status: finished
Result: 2/38 (5.26%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.8.1 2008.12.08 -
AntiVir 7.9.0.43 2008.12.08 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.08 -
BitDefender 7.2 2008.12.08 -
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.08 -
Comodo 711 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.08 -
eSafe 7.0.17.0 2008.12.08 -
eTrust-Vet 31.6.6245 2008.12.05 -
Ewido 4.0 2008.12.08 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.08 -
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.08 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.08 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.08 -
NOD32 3673 2008.12.08 -
Norman 5.80.02 2008.12.08 -
Panda 9.0.0.4 2008.12.08 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.08 Cloaked Malware
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.08 -
Sophos 4.36.0 2008.12.08 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.08 -
TheHacker 6.3.1.2.179 2008.12.06 Adware/AdRotator
TrendMicro 8.700.0.1004 2008.12.08 -
VBA32 3.12.8.10 2008.12.07 -
ViRobot 2008.12.8.1506 2008.12.08 -
VirusBuster 4.5.11.0 2008.12.08 -
Additional information
File size: 47598 bytes
MD5...: eda350341cba5ec552e6b1bec2aa9207
SHA1..: cf6af4a6ee7126fe3e5901cba43ff67013ff307d
SHA256: 9796a6f0bbc18f477b819419743dbc3f1ee3f635097878efb7601b5626d59040
SHA512: df2e4063644f66d56b176bdedba5d6a6034ece72d7350cd8222a823f532498b6
6b83298f44a1d63206d95fca10cd12e89e3743d0b737548b35b5d399ac13e31a
ssdeep: 768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0IKPPJYUp6kUwWn
+pAb:Hu4EQalMK/ewGnh0mJ6fL6kUH+pA0o
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403225
timedatestamp.....: 0x48efcdc9 (Fri Oct 10 21:48:57 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5976 0x5a00 6.47 335c19bb25cd1d02eec2b0a4eacb979c
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.69 59710519e577598f785044e4d95261f4
.ndata 0x24000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x31000 0x908 0xa00 3.85 c8a7e34036e84f6de6309bd5eacecfa0

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8BBFD997EEC3D6E0B91500CEBA529500EED81502
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=eda350341cba5ec552e6b1bec2aa9207

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

0

Oh, also, when it's fixed, can you help me return my audio and a few services? I think it changed registry settings for a whole bunch of stuff. It has something to do with the paging file; it says I'm out of storage space, but I have like 30 GB free and I'm only using like 25% of memory.

Thank you sooo much for all your help

0

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

FileLook::
c:\windows\System32\winint.dll
c:\windows\System32\eoppmhycydcnuns.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply, after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0

OK, here are the new logs:


ComboFix 08-12-07.01 - Administrator 2008-12-09 17:17:49.3 - NTFSx86

Running from: c:\users\Administrator.Romeo-Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator.Romeo-Laptop\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 15:04 . 2008-12-07 15:04 <DIR> d-------- c:\program files\TrojanHunter
2008-12-07 14:52 . 2008-12-07 14:52 <DIR> d-------- C:\!KillBox
2008-12-07 14:42 . 2008-12-07 14:42 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\TrojanHunter
2008-12-07 14:40 . 2008-12-07 14:58 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-07 02:07 . 2008-12-07 02:27 <DIR> d-------- C:\VundoFix Backups
2008-12-06 17:14 . 2008-12-06 17:14 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Malwarebytes
2008-12-05 12:12 . 2008-12-05 12:15 <DIR> d-------- c:\program files\Mp3Doctor
2008-12-05 12:12 . 2001-12-08 12:23 1,089,536 --a------ c:\windows\System32\Mp3Doctor1.dll
2008-12-05 12:12 . 2003-01-22 14:20 299,008 --a------ c:\windows\System32\winwmbcay.dll
2008-12-05 12:12 . 2001-11-25 17:00 266,240 --a------ c:\windows\System32\Mp3Doctor2.dll
2008-12-05 12:12 . 2001-08-01 09:50 90,112 --a------ c:\windows\System32\ID3v23xBase.DLL
2008-12-05 12:12 . 2003-04-11 12:48 18,432 --a------ c:\windows\System32\winint.dll
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 02:31 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 02:31 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 19:16 . 2008-12-04 19:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\din
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\av
2008-12-04 10:59 . 2008-12-04 11:05 47,598 --a------ c:\windows\System32\eoppmhycydcnuns.exe
2008-12-04 10:51 . 2008-12-04 10:51 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Yahoo!
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
2008-12-03 04:51 . 2008-12-03 04:51 <DIR> d-------- c:\program files\mm2knet
2008-11-30 13:01 . 2008-11-30 13:01 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\InstallShield
2008-11-30 12:57 . 2008-11-30 12:58 <DIR> d-------- c:\program files\Roxio
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-11-25 10:57 . 2008-11-25 10:57 <DIR> d-------- c:\program files\Imikimi
2008-11-24 21:43 . 2008-11-24 22:12 <DIR> d-------- C:\MP3
2008-11-22 10:27 . 2008-11-22 10:27 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\CyberLink
2008-11-22 00:57 . 2008-11-22 00:57 <DIR> d-------- c:\program files\Wondershare
2008-11-22 00:48 . 2006-01-27 00:56 938,272 --a------ c:\windows\System32\wodFtpDLX.OCX
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\users\All Users\Anvsoft
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\programdata\Anvsoft
2008-11-22 00:27 . 2008-11-22 00:27 <DIR> d-------- c:\program files\Photo DVD Maker Professional
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\users\All Users\WinZip
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\programdata\WinZip
2008-11-21 23:41 . 2008-11-21 23:41 <DIR> d-------- c:\program files\WE Unlimited
2008-11-21 19:29 . 2008-11-21 19:29 <DIR> d-------- c:\program files\Common Files\Real
2008-11-21 19:28 . 2008-11-30 13:24 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2008-11-21 19:26 . 2008-11-21 19:26 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-21 19:00 . 2008-11-21 19:00 <DIR> d--hs---- c:\windows\ftpcache
2008-11-16 21:35 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-16 21:35 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-16 21:35 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-16 21:35 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-16 21:35 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-16 21:35 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-16 21:35 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-16 21:35 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-16 21:35 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-15 21:05 . 2008-11-15 21:05 46,346 --a------ c:\windows\System32\SmrtDrive.dll
2008-11-15 21:04 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\System32\temp.002
2008-11-11 02:10 . 2008-11-11 02:31 <DIR> d-------- c:\program files\WebSite X5 Evolution
2008-11-11 02:04 . 2008-03-20 16:25 185,856 --a------ c:\windows\System32\iwpsetup.exe
2008-11-11 02:04 . 1997-01-16 00:00 29,696 --a------ c:\windows\System32\VB5STKIT.DLL
2008-11-11 02:04 . 1997-01-16 13:42 6,114 --a------ c:\windows\System32\SHELLLNK.TLB
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\AtomPark
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\program files\AtomPark
2008-11-10 23:58 . 2008-11-10 23:58 <DIR> d-------- c:\program files\Email Sender Deluxe
2008-11-10 23:58 . 2008-11-10 23:58 3 --a------ c:\windows\System32\krx280.dat
2008-11-09 15:57 . 2008-11-09 15:57 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Smith Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 22:15 28,095 ----a-w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\nvModes.dat
2008-12-09 22:07 --------- d-----w c:\program files\Warcraft III
2008-12-05 16:37 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\LimeWire
2008-12-04 02:43 27,335 ----a-w c:\users\Romeo\AppData\Roaming\nvModes.dat
2008-12-01 23:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LimeWire
2008-11-30 19:54 --------- d-----w c:\program files\Common Files\Research in Motion
2008-11-30 18:19 --------- d-----w c:\program files\Verizon Wireless
2008-11-30 17:58 --------- d-----w c:\programdata\Roxio
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-30 17:27 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Research In Motion
2008-11-25 02:34 --------- d-----w c:\program files\Research In Motion
2008-11-25 00:16 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Fingerfox (SE)
2008-11-22 18:21 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-22 16:25 --------- d-----w c:\programdata\LightScribe
2008-11-22 05:48 --------- d-----w c:\program files\CoffeeCup Software
2008-11-20 03:53 --------- d-----w c:\program files\DivX
2008-11-16 02:05 --------- d-----w c:\program files\4PLAY
2008-11-11 10:48 --------- d-----w c:\program files\Ashampoo
2008-11-11 04:02 --------- d-----w c:\programdata\Microsoft Help
2008-11-06 14:15 --------- d-----w c:\users\Romeo\AppData\Roaming\Thinstall
2008-11-04 22:18 --------- d-----w c:\program files\WC3Banlist
2008-11-01 14:47 --------- d-----w c:\users\Romeo\AppData\Roaming\Summitsoft
2008-11-01 13:28 --------- d-----w c:\program files\SourceTec
2008-11-01 13:28 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-01 13:00 --------- d-----w c:\program files\SWF Decompiler Magic
2008-11-01 11:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LogoMaker
2008-11-01 11:55 --------- d-----w c:\program files\Studio V5
2008-10-31 19:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:35 --------- d-----w c:\program files\Adobe Media Player
2008-10-31 19:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-31 04:03 --------- d-----w c:\program files\WinPcap
2008-10-30 18:01 --------- d-----w c:\users\Romeo\AppData\Roaming\Skype
2008-10-30 17:46 --------- d-----w c:\users\Romeo\AppData\Roaming\skypePM
2008-10-30 15:21 --------- d-----w c:\programdata\NVIDIA
2008-10-27 16:53 --------- d---a-w c:\programdata\TEMP
2008-10-20 07:49 --------- d-----w c:\program files\Windows Mail
2008-10-18 12:37 --------- d-----w c:\program files\Spb Backup
2008-10-18 12:19 --------- d-----w c:\users\Romeo\AppData\Roaming\Jeyo
2008-10-18 12:19 --------- d-----w c:\program files\Jeyo
2008-10-18 06:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-18 05:08 --------- d-----w c:\users\Romeo\AppData\Roaming\Easy Sync
2008-10-18 05:08 --------- d-----w c:\program files\Pocket Wizards
2008-10-14 16:14 --------- d-----w c:\program files\CONEXANT
2008-10-14 11:00 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Symantec
2008-10-14 00:09 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-14 00:07 --------- d-----w c:\users\Romeo\AppData\Roaming\SystemRequirementsLab
2008-10-13 22:56 --------- d-----w c:\program files\Norton Internet Security
2008-10-13 22:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 22:50 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-13 22:50 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-13 22:50 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-13 22:50 --------- d-----w c:\program files\Symantec
2008-10-13 22:45 --------- d-----w c:\programdata\Symantec
2008-10-12 18:20 --------- d-----w c:\programdata\Viewpoint
2008-10-12 18:20 --------- d-----w c:\programdata\acccore
2008-10-12 18:20 --------- d-----w c:\program files\Viewpoint
2008-10-12 18:20 --------- d-----w c:\program files\AIM6
2008-10-09 23:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-09 01:57 8,224 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-08-06 03:16 174 --sha-w c:\program files\desktop.ini
2008-03-01 08:53 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-01 08:53 32 ----a-w c:\programdata\ezsid.dat
1998-02-10 23:34 128,000 ----a-w c:\program files\UNWISE.EXE
2008-06-13 22:24 22 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\eoppmhycydcnuns.exe -- Unable to find file version info.
MD5: eda350341cba5ec552e6b1bec2aa9207

c:\windows\System32\winint.dll -- Unable to find Resource table header.
MD5: 3a7bd4d6df8d7a38be2a485754cd958d


((((((((((((((((((((((((((((( snapshot@2008-12-08_10.05.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-08 14:58:01 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2008-12-09 22:20:55 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2007-04-03 20:08:34 344,664 ----a-w c:\windows\Downloaded Program Files\HPBasicDetection3.dll
+ 2007-04-30 22:09:12 34,360 ----a-w c:\windows\Downloaded Program Files\HPProductDetails.dll
+ 2007-04-30 22:09:50 83,512 ----a-w c:\windows\Downloaded Program Files\LogInfo.dll
+ 2007-05-15 21:33:20 251,448 ----a-w c:\windows\Downloaded Program Files\SysInfo.dll
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-09 22:22:21 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-09 22:22:21 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 22:23:21 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-07 22:49:18 6,554 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
+ 2008-12-09 02:21:35 6,888 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
- 2008-12-07 22:49:18 89,386 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:35 89,468 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-08 15:27:37 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-12-07 22:49:14 51,824 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:33 52,176 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.dll
"vidc.i420"= i420vfw.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\Ulead Systems\vio\dvacm.acm
"vidc.mjpg"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 06:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:44 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-11-04 12:09 615696 c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-14 10:01 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 23:07 133104 c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-10-01 19:10 1783136 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2008-06-02 02:55 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
--a------ 2007-08-24 02:49 607624 c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-10-22 19:57 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-19 15:05 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 03:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 02:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2008-10-24 13:23 1056928 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-09-13 15:32 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-25 14:19 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 09:21 648072 c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 02:33 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9B22924B-C76E-4D1F-9509-C7228B4666A1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9778C69-A22E-4913-88F7-3CEFDAECC583}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EFB2612-BEB1-4647-9DC3-9ED1B6D0D9BB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FB32505-7F0B-44E7-8703-EB9A59BB25A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15F9A471-8027-46D7-B87D-3B00E00613F1}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{5F1BB71C-2B26-404D-8B05-C6D02D21555E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C485A96F-A8B8-4909-8ACD-72674FB3B5AF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72D3C1A4-1A95-40AB-A238-7DD093A1AD12}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53655B4-6403-4A16-BB77-041FD462C49C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{46058D6B-2121-4AE6-8BD5-E6A6A9BB8A92}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A2B81A71-49EC-4C2C-B930-11C31640ACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BEC6979-C09B-4C15-BFA9-996B7E3084DE}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{3EE12C04-DFC4-48BE-931A-FB9A885C235F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{A207D3BF-5428-4F84-B032-16746C2401C5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{036C8FDA-3C94-4AA9-9304-C213C9F43383}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{3F4B2BD8-CFD4-4E66-83CF-FFF1BC6FFE62}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{F332EAA9-C466-4DD7-9D59-24384E0381B3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{3C493C49-D97B-4B18-90A8-2BBB538F3518}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C0ECE08-DA60-48E7-AD88-528EDEFEE253}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AAD27A87-BB0C-4A9F-A336-82A67DFC12CB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2C7C9529-1735-42AB-BED7-54C6B44055A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EE8F19B0-BBB6-4FC5-AF35-F2094AD9E068}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{367AB7FB-EC96-40B7-9512-B1F0AA1859E8}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{555E28D4-3F7B-46BD-9081-429C56616539}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF36F146-162D-43EE-A81D-B8754A7A42AA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1631A059-E6F2-467C-8DBD-381A67D6DBE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{B8AECB91-FA82-470A-9115-3CF5DD18514E}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{2AD2B76D-1BDC-4BDB-92D6-D0DE942826D2}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{96937C85-C040-4E6E-8E3A-1CA73D65C988}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{7986F9D4-F10D-423D-B0A0-85610667E6D4}c:\\program files\\tapur\\tapur.exe"= UDP:c:\program files\tapur\tapur.exe:Tapur.exe
"UDP Query User{4F2EDF11-49D2-4C41-A84D-5ACE1DA24B95}c:\\program files\\tapur\\tapur.exe"= TCP:c:\program files\tapur\tapur.exe:Tapur.exe
"{946B1B88-3DD9-41CA-B8E0-52760F33F91E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9503AC45-5FEF-40F3-8F4F-C5C6204DA506}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CBE9184C-7704-48D0-A422-64AF97E5C54B}c:\\program files\\skype\\phone\\skype.exe"= Disabled:UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{570A2A49-9DB0-48E6-B1DC-863D239B585C}c:\\program files\\skype\\phone\\skype.exe"= Disabled:TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{B9EE398A-EFF5-492A-8663-FC0172DBD6A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B99EDD45-A82F-4152-93BC-1F425184BAB2}"= Disabled:UDP:443:ooVoo TCP port 443
"{EF553F3E-273A-425E-8702-FAFDC66DCFCE}"= Disabled:TCP:443:ooVoo UDP port 443
"{18719189-C48C-4219-9FA6-B5EFF6B90EDB}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{26493C66-5C26-4F12-9A7E-05530167D79B}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{5C578D8B-3EE8-4AE5-9F68-CB634370FC53}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{05EB1445-9ED1-4F12-AFAB-D6DA27C25502}"= UDP:6000:vnc
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"{B628D5DC-075E-4C96-B80F-0A2E716F802B}"= TCP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{AC3C5DC4-56AF-4FB5-B7DC-57F2CF8C6D97}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{53EBB492-83F9-432D-8EBE-C903D7A1C424}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{FB74F033-3C65-428F-BA9B-3C8C11338EED}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{86D82B94-16BD-4257-B89F-085FF48B73B3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DBF6D28-468A-47FF-B985-5DADBFD0F18C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{723F1783-9589-4C89-8BC0-CF2632D96068}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{A69F5205-9B8E-411E-A160-4BB552F6CDF7}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{9E7C1BEB-268D-4ABB-8E2B-62F84ADE476A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{FFA54142-DB8F-486A-A7FD-DE068C304B21}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{9E5FF738-F0B0-48D0-A4BE-E0BAF7977C14}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{162F46D0-B900-4C87-8E01-9FC82DABE03C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{0B99DBE0-5E4C-4024-B87B-FB1318D76860}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{AF9F7B2E-F033-4D85-9BF8-8473167717BC}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{48771F0F-BE33-40A2-8D32-AF9F0004EECD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93376A8B-38B7-4DD5-BDD9-015F45BAB547}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5E5B2A08-8900-43D9-AF9E-0EAB1290F8F9}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{088A1F80-F8B5-4E79-86BB-8AE876C5B529}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"TCP Query User{8D6C8942-A8EF-49BD-8C9E-73F61636A942}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{743B6174-A053-40DD-89C9-2C73C3414EFF}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{E1FE002A-5BF4-4633-A1F5-93EF349DB871}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{91710C63-AF01-4AF8-92BE-7DB68CAD778A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E492B98F-0CF6-4280-850D-3C7C409CEF62}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{107D366A-4609-474E-B336-D083D009100A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{45B70B30-1E62-49F2-8CB8-3C4BCF0A9EC2}c:\\program files\\oovoo\\oovoo.exe"= Disabled:TCP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0ABB70BD-5DCA-488C-A3F5-38E1B4E90B15}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{B702885F-EF90-4B6C-AE5F-39782314CBA1}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{CBF5E508-6F90-4498-B19D-D0774BC04369}"= UDP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DB61C101-8FD1-4D70-B264-BB5E9A9CF429}"= TCP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{45A9F560-E133-43C1-B351-B28648E091E9}"= UDP:5353:Adobe CSI CS4
"{2225F130-E851-4D0C-8D06-AE512ADB4046}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{F0D7502F-EA9B-4257-A33A-A0DC3A45AB39}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3AB76F7B-4416-43EA-9F4D-580EAEF67FBF}"= UDP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{99F7EFF5-85C3-43E3-9181-662F5EF06066}"= TCP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{96EDDC98-18D3-4ADB-9769-685822F7B577}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{040B54EC-4D12-4575-ADCC-B4BEBD8799B4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4B999DAC-12F5-4AE8-8138-077001398505}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{0C5A722D-DF6E-4486-810A-BF1F34F242FE}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{8F0E0922-E602-48F2-B182-67B9ABD3EE59}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{D3913716-3110-466D-9843-1F4D4E73B7E3}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit
"{A63526D8-9E16-43C9-B5E8-B95AD4FF8AC4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{954D4E0F-4E57-460C-88C8-20E2CB8765BD}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 23:07]

2008-12-09 c:\windows\Tasks\User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.1.0.30109.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 17:23:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(3800)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Mediafour\MacDrive 7\MacDriveService.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2008-12-09 17:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 22:28:57
ComboFix2.txt 2008-12-08 15:35:52
ComboFix3.txt 2008-12-08 15:07:06

Pre-Run: 26,043,203,584 bytes free
Post-Run: 26,005,405,696 bytes free

485 --- E O F --- 2008-10-28 23:40:19


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:11 PM, on 12/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7228 bytes


Please let me know how your pc is.

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:31 PM, on 12/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3641274051-850343323-1744729051-500\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7284 bytes


ComboFix 08-12-09.03 - Administrator 2008-12-10 16:31:22.4 - NTFSx86

Running from: c:\users\Administrator.Romeo-Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator.Romeo-Laptop\Desktop\CFScript.txt

FILE ::
c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\eoppmhycydcnuns.exe
c:\windows\System32\winint.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-07 15:04 . 2008-12-07 15:04 <DIR> d-------- c:\program files\TrojanHunter
2008-12-07 14:52 . 2008-12-07 14:52 <DIR> d-------- C:\!KillBox
2008-12-07 14:42 . 2008-12-07 14:42 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\TrojanHunter
2008-12-07 14:40 . 2008-12-07 14:58 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-07 02:37 . 2008-12-07 02:37 24,576 --a------ c:\windows\System32\VundoFixSVC.exe
2008-12-07 02:07 . 2008-12-07 02:27 <DIR> d-------- C:\VundoFix Backups
2008-12-06 17:14 . 2008-12-06 17:14 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Malwarebytes
2008-12-05 12:12 . 2008-12-05 12:15 <DIR> d-------- c:\program files\Mp3Doctor
2008-12-05 12:12 . 2001-12-08 12:23 1,089,536 --a------ c:\windows\System32\Mp3Doctor1.dll
2008-12-05 12:12 . 2003-01-22 14:20 299,008 --a------ c:\windows\System32\winwmbcay.dll
2008-12-05 12:12 . 2001-11-25 17:00 266,240 --a------ c:\windows\System32\Mp3Doctor2.dll
2008-12-05 12:12 . 2001-08-01 09:50 90,112 --a------ c:\windows\System32\ID3v23xBase.DLL
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 02:31 . 2008-12-05 02:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 02:31 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 02:31 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 19:16 . 2008-12-04 19:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 10:59 . 2008-12-04 19:00 <DIR> d--hs---- c:\windows\Um9tZW8
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\din
2008-12-04 10:59 . 2008-12-04 10:59 <DIR> d-------- c:\windows\System32\av
2008-12-04 10:51 . 2008-12-04 10:51 <DIR> d-------- c:\users\Romeo\AppData\Roaming\Yahoo!
2008-12-04 10:51 . 2008-12-04 11:06 2 --a------ C:\742876493
2008-12-03 04:51 . 2008-12-03 04:51 <DIR> d-------- c:\program files\mm2knet
2008-11-30 13:01 . 2008-11-30 13:01 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\InstallShield
2008-11-30 12:57 . 2008-11-30 12:58 <DIR> d-------- c:\program files\Roxio
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-11-25 10:57 . 2008-11-25 10:57 <DIR> d-------- c:\program files\Imikimi
2008-11-24 21:43 . 2008-11-24 22:12 <DIR> d-------- C:\MP3
2008-11-22 10:27 . 2008-11-22 10:27 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\CyberLink
2008-11-22 00:57 . 2008-11-22 00:57 <DIR> d-------- c:\program files\Wondershare
2008-11-22 00:48 . 2006-01-27 00:56 938,272 --a------ c:\windows\System32\wodFtpDLX.OCX
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\users\All Users\Anvsoft
2008-11-22 00:28 . 2008-11-22 00:28 <DIR> d-------- c:\programdata\Anvsoft
2008-11-22 00:27 . 2008-11-22 00:27 <DIR> d-------- c:\program files\Photo DVD Maker Professional
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\users\All Users\WinZip
2008-11-21 23:52 . 2008-11-21 23:54 <DIR> d-------- c:\programdata\WinZip
2008-11-21 23:41 . 2008-11-21 23:41 <DIR> d-------- c:\program files\WE Unlimited
2008-11-21 19:29 . 2008-11-21 19:29 <DIR> d-------- c:\program files\Common Files\Real
2008-11-21 19:28 . 2008-11-30 13:24 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2008-11-21 19:26 . 2008-11-21 19:26 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-21 19:00 . 2008-11-21 19:00 <DIR> d--hs---- c:\windows\ftpcache
2008-11-16 21:35 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-16 21:35 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-16 21:35 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-16 21:35 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-16 21:35 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-16 21:35 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-16 21:35 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-16 21:35 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-16 21:35 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-15 21:05 . 2008-11-15 21:05 46,346 --a------ c:\windows\System32\SmrtDrive.dll
2008-11-15 21:04 . 2004-08-04 00:56 1,392,671 --a------ c:\windows\System32\temp.002
2008-11-11 02:10 . 2008-11-11 02:31 <DIR> d-------- c:\program files\WebSite X5 Evolution
2008-11-11 02:04 . 2008-03-20 16:25 185,856 --a------ c:\windows\System32\iwpsetup.exe
2008-11-11 02:04 . 1997-01-16 00:00 29,696 --a------ c:\windows\System32\VB5STKIT.DLL
2008-11-11 02:04 . 1997-01-16 13:42 6,114 --a------ c:\windows\System32\SHELLLNK.TLB
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\users\Administrator.Romeo-Laptop\AppData\Roaming\AtomPark
2008-11-11 00:29 . 2008-11-11 00:29 <DIR> d-------- c:\program files\AtomPark
2008-11-10 23:58 . 2008-11-10 23:58 <DIR> d-------- c:\program files\Email Sender Deluxe
2008-11-10 23:58 . 2008-11-10 23:58 3 --a------ c:\windows\System32\krx280.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 16:39 28,095 ----a-w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\nvModes.dat
2008-12-10 16:39 --------- d-----w c:\program files\Warcraft III
2008-12-05 16:37 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\LimeWire
2008-12-04 02:43 27,335 ----a-w c:\users\Romeo\AppData\Roaming\nvModes.dat
2008-12-01 23:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LimeWire
2008-11-30 19:54 --------- d-----w c:\program files\Common Files\Research in Motion
2008-11-30 18:19 --------- d-----w c:\program files\Verizon Wireless
2008-11-30 17:58 --------- d-----w c:\programdata\Roxio
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-30 17:58 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-30 17:27 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Research In Motion
2008-11-25 02:34 --------- d-----w c:\program files\Research In Motion
2008-11-25 00:16 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Fingerfox (SE)
2008-11-22 18:21 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-22 16:25 --------- d-----w c:\programdata\LightScribe
2008-11-22 05:48 --------- d-----w c:\program files\CoffeeCup Software
2008-11-20 03:53 --------- d-----w c:\program files\DivX
2008-11-16 02:05 --------- d-----w c:\program files\4PLAY
2008-11-11 10:48 --------- d-----w c:\program files\Ashampoo
2008-11-11 04:02 --------- d-----w c:\programdata\Microsoft Help
2008-11-09 20:57 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Smith Micro
2008-11-06 14:15 --------- d-----w c:\users\Romeo\AppData\Roaming\Thinstall
2008-11-04 22:18 --------- d-----w c:\program files\WC3Banlist
2008-11-01 14:47 --------- d-----w c:\users\Romeo\AppData\Roaming\Summitsoft
2008-11-01 13:28 --------- d-----w c:\program files\SourceTec
2008-11-01 13:28 --------- d-----w c:\program files\Common Files\SourceTec
2008-11-01 13:00 --------- d-----w c:\program files\SWF Decompiler Magic
2008-11-01 11:57 --------- d-----w c:\users\Romeo\AppData\Roaming\LogoMaker
2008-11-01 11:55 --------- d-----w c:\program files\Studio V5
2008-10-31 19:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-31 19:35 --------- d-----w c:\program files\Adobe Media Player
2008-10-31 19:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-31 04:03 --------- d-----w c:\program files\WinPcap
2008-10-30 18:01 --------- d-----w c:\users\Romeo\AppData\Roaming\Skype
2008-10-30 17:46 --------- d-----w c:\users\Romeo\AppData\Roaming\skypePM
2008-10-30 15:21 --------- d-----w c:\programdata\NVIDIA
2008-10-27 16:53 --------- d---a-w c:\programdata\TEMP
2008-10-20 07:49 --------- d-----w c:\program files\Windows Mail
2008-10-18 12:37 --------- d-----w c:\program files\Spb Backup
2008-10-18 12:19 --------- d-----w c:\users\Romeo\AppData\Roaming\Jeyo
2008-10-18 12:19 --------- d-----w c:\program files\Jeyo
2008-10-18 06:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-18 05:08 --------- d-----w c:\users\Romeo\AppData\Roaming\Easy Sync
2008-10-18 05:08 --------- d-----w c:\program files\Pocket Wizards
2008-10-14 16:14 --------- d-----w c:\program files\CONEXANT
2008-10-14 11:00 --------- d-----w c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Symantec
2008-10-14 00:09 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-14 00:07 --------- d-----w c:\users\Romeo\AppData\Roaming\SystemRequirementsLab
2008-10-13 22:56 --------- d-----w c:\program files\Norton Internet Security
2008-10-13 22:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 22:50 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-13 22:50 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-13 22:50 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-13 22:50 --------- d-----w c:\program files\Symantec
2008-10-13 22:45 --------- d-----w c:\programdata\Symantec
2008-10-12 18:20 --------- d-----w c:\programdata\Viewpoint
2008-10-12 18:20 --------- d-----w c:\programdata\acccore
2008-10-12 18:20 --------- d-----w c:\program files\Viewpoint
2008-10-12 18:20 --------- d-----w c:\program files\AIM6
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-08-06 03:16 174 --sha-w c:\program files\desktop.ini
2008-03-01 08:53 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-01 08:53 32 ----a-w c:\programdata\ezsid.dat
1998-02-10 23:34 128,000 ----a-w c:\program files\UNWISE.EXE
2008-06-13 22:24 22 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-08_10.05.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-08 14:58:01 2,484 ----a-w c:\windows\bthservsdp.dat
+ 2008-12-10 21:34:51 2,484 ----a-w c:\windows\bthservsdp.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-10 21:36:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-08 14:59:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-10 21:36:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-08 15:00:55 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 21:37:08 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-08 14:54:36 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-10 21:31:09 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-07 22:49:18 6,554 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
+ 2008-12-09 22:25:00 6,920 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3641274051-850343323-1744729051-500_UserData.bin
- 2008-12-07 22:49:18 89,386 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 21:38:46 89,500 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 21:34:52 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-12-07 22:49:14 51,824 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 02:21:33 52,176 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.dll
"vidc.i420"= i420vfw.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\Ulead Systems\vio\dvacm.acm
"vidc.mjpg"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, digeste.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 06:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:44 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
--a------ 2008-11-04 12:09 615696 c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-14 10:01 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 23:07 133104 c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-10-01 19:10 1783136 c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2008-06-02 02:55 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
--a------ 2007-08-24 02:49 607624 c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-10-22 19:57 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-19 15:05 81920 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 03:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2007-09-30 22:34 181544 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 02:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
--a------ 2008-10-24 13:23 1056928 c:\program files\TrojanHunter 5.0\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-09-13 15:32 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-25 14:19 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
--a------ 2007-05-31 09:21 648072 c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 02:33 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9B22924B-C76E-4D1F-9509-C7228B4666A1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9778C69-A22E-4913-88F7-3CEFDAECC583}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3EFB2612-BEB1-4647-9DC3-9ED1B6D0D9BB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FB32505-7F0B-44E7-8703-EB9A59BB25A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15F9A471-8027-46D7-B87D-3B00E00613F1}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{5F1BB71C-2B26-404D-8B05-C6D02D21555E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C485A96F-A8B8-4909-8ACD-72674FB3B5AF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72D3C1A4-1A95-40AB-A238-7DD093A1AD12}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53655B4-6403-4A16-BB77-041FD462C49C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{46058D6B-2121-4AE6-8BD5-E6A6A9BB8A92}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A2B81A71-49EC-4C2C-B930-11C31640ACEC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9BEC6979-C09B-4C15-BFA9-996B7E3084DE}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{3EE12C04-DFC4-48BE-931A-FB9A885C235F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{A207D3BF-5428-4F84-B032-16746C2401C5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{036C8FDA-3C94-4AA9-9304-C213C9F43383}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{3F4B2BD8-CFD4-4E66-83CF-FFF1BC6FFE62}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{F332EAA9-C466-4DD7-9D59-24384E0381B3}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{3C493C49-D97B-4B18-90A8-2BBB538F3518}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6C0ECE08-DA60-48E7-AD88-528EDEFEE253}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AAD27A87-BB0C-4A9F-A336-82A67DFC12CB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2C7C9529-1735-42AB-BED7-54C6B44055A8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EE8F19B0-BBB6-4FC5-AF35-F2094AD9E068}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{367AB7FB-EC96-40B7-9512-B1F0AA1859E8}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{555E28D4-3F7B-46BD-9081-429C56616539}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BF36F146-162D-43EE-A81D-B8754A7A42AA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1631A059-E6F2-467C-8DBD-381A67D6DBE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{B8AECB91-FA82-470A-9115-3CF5DD18514E}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{2AD2B76D-1BDC-4BDB-92D6-D0DE942826D2}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{96937C85-C040-4E6E-8E3A-1CA73D65C988}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{7986F9D4-F10D-423D-B0A0-85610667E6D4}c:\\program files\\tapur\\tapur.exe"= UDP:c:\program files\tapur\tapur.exe:Tapur.exe
"UDP Query User{4F2EDF11-49D2-4C41-A84D-5ACE1DA24B95}c:\\program files\\tapur\\tapur.exe"= TCP:c:\program files\tapur\tapur.exe:Tapur.exe
"{946B1B88-3DD9-41CA-B8E0-52760F33F91E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9503AC45-5FEF-40F3-8F4F-C5C6204DA506}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CBE9184C-7704-48D0-A422-64AF97E5C54B}c:\\program files\\skype\\phone\\skype.exe"= Disabled:UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{570A2A49-9DB0-48E6-B1DC-863D239B585C}c:\\program files\\skype\\phone\\skype.exe"= Disabled:TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{B9EE398A-EFF5-492A-8663-FC0172DBD6A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B99EDD45-A82F-4152-93BC-1F425184BAB2}"= Disabled:UDP:443:ooVoo TCP port 443
"{EF553F3E-273A-425E-8702-FAFDC66DCFCE}"= Disabled:TCP:443:ooVoo UDP port 443
"{18719189-C48C-4219-9FA6-B5EFF6B90EDB}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{26493C66-5C26-4F12-9A7E-05530167D79B}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{5C578D8B-3EE8-4AE5-9F68-CB634370FC53}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{DD5A1697-652A-4139-ABD9-86C01A374A9F}"= UDP:5900:vnc
"{05EB1445-9ED1-4F12-AFAB-D6DA27C25502}"= UDP:6000:vnc
"{74FFA48A-FB9F-4EF4-A9FE-DE8643AC35CF}"= UDP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"{B628D5DC-075E-4C96-B80F-0A2E716F802B}"= TCP:c:\program files\TightVNC\vncviewer.exe:TightVNC Viewer
"TCP Query User{B52EA7E1-01D0-4BA2-98D8-CE234E749B5C}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{AC3C5DC4-56AF-4FB5-B7DC-57F2CF8C6D97}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"{A736FED1-BF79-4479-8142-D4B2FC75EC6C}"= UDP:5800:vnc
"TCP Query User{53EBB492-83F9-432D-8EBE-C903D7A1C424}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{FB74F033-3C65-428F-BA9B-3C8C11338EED}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{86D82B94-16BD-4257-B89F-085FF48B73B3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DBF6D28-468A-47FF-B985-5DADBFD0F18C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{723F1783-9589-4C89-8BC0-CF2632D96068}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{A69F5205-9B8E-411E-A160-4BB552F6CDF7}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{9E7C1BEB-268D-4ABB-8E2B-62F84ADE476A}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{FFA54142-DB8F-486A-A7FD-DE068C304B21}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{9E5FF738-F0B0-48D0-A4BE-E0BAF7977C14}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{162F46D0-B900-4C87-8E01-9FC82DABE03C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"TCP Query User{0B99DBE0-5E4C-4024-B87B-FB1318D76860}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{AF9F7B2E-F033-4D85-9BF8-8473167717BC}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{48771F0F-BE33-40A2-8D32-AF9F0004EECD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{93376A8B-38B7-4DD5-BDD9-015F45BAB547}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5E5B2A08-8900-43D9-AF9E-0EAB1290F8F9}c:\\program files\\tightvnc\\winvnc.exe"= UDP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"UDP Query User{088A1F80-F8B5-4E79-86BB-8AE876C5B529}c:\\program files\\tightvnc\\winvnc.exe"= TCP:c:\program files\tightvnc\winvnc.exe:TightVNC Win32 Server
"TCP Query User{8D6C8942-A8EF-49BD-8C9E-73F61636A942}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{743B6174-A053-40DD-89C9-2C73C3414EFF}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= Disabled:TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{E1FE002A-5BF4-4633-A1F5-93EF349DB871}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{91710C63-AF01-4AF8-92BE-7DB68CAD778A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E492B98F-0CF6-4280-850D-3C7C409CEF62}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{107D366A-4609-474E-B336-D083D009100A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51C9E0FB-5F2F-4D1F-AF3E-F79DF9C0BFC6}c:\\program files\\oovoo\\oovoo.exe"= Disabled:UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{45B70B30-1E62-49F2-8CB8-3C4BCF0A9EC2}c:\\program files\\oovoo\\oovoo.exe"= Disabled:TCP:c:\program files\oovoo\oovoo.exe:ooVoo
"{0ABB70BD-5DCA-488C-A3F5-38E1B4E90B15}"= UDP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{B702885F-EF90-4B6C-AE5F-39782314CBA1}"= TCP:c:\program files\Warcraft III\Frozen Throne.exe:Warcraft III - The Frozen Throne
"{CBF5E508-6F90-4498-B19D-D0774BC04369}"= UDP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{DB61C101-8FD1-4D70-B264-BB5E9A9CF429}"= TCP:c:\program files\Warcraft III\World Editor.exe:Warcraft III World Editor
"{45A9F560-E133-43C1-B351-B28648E091E9}"= UDP:5353:Adobe CSI CS4
"{2225F130-E851-4D0C-8D06-AE512ADB4046}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{F0D7502F-EA9B-4257-A33A-A0DC3A45AB39}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{0F16D65D-566A-40CB-B9C3-330AEBF4456C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3AB76F7B-4416-43EA-9F4D-580EAEF67FBF}"= UDP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{99F7EFF5-85C3-43E3-9181-662F5EF06066}"= TCP:c:\program files\AtomPark\Atomic Mail Sender\AtomicMailSender.exe:Atomic Mail Sender
"{96EDDC98-18D3-4ADB-9769-685822F7B577}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{040B54EC-4D12-4575-ADCC-B4BEBD8799B4}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4B999DAC-12F5-4AE8-8138-077001398505}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{0C5A722D-DF6E-4486-810A-BF1F34F242FE}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{8F0E0922-E602-48F2-B182-67B9ABD3EE59}"= UDP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{D3913716-3110-466D-9843-1F4D4E73B7E3}"= TCP:c:\users\Romeo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{64805EBE-8C0F-4196-8B81-F2E983E950CF}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F898163D-31F2-4076-B909-BD93006BD32C}"= TCP:c:\windows\System32\wininit.exe:wininit
"{A63526D8-9E16-43C9-B5E8-B95AD4FF8AC4}"= UDP:c:\windows\System32\wininit.exe:wininit
"{954D4E0F-4E57-460C-88C8-20E2CB8765BD}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3827666-e42d-11dc-9368-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Romeo\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-02 23:07]

2008-12-10 c:\windows\Tasks\User_Feed_Synchronization-{8457B008-C1FB-48AC-AB1E-8EABA35CD753}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.1.0.30109.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\Administrator.Romeo-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\zwsrx9vt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 16:37:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(3092)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Mediafour\MacDrive 7\MacDriveService.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-12-10 16:43:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 21:43:00
ComboFix2.txt 2008-12-09 22:29:07
ComboFix3.txt 2008-12-08 15:35:52
ComboFix4.txt 2008-12-08 15:07:06

Pre-Run: 26,461,446,144 bytes free
Post-Run: 26,447,470,592 bytes free

485 --- E O F --- 2008-10-28 23:40:19

0

OK, beautiful. Can you now please post a fresh new HijackThis log?

Thanks,

Cohen :)

Edit - Ignore this, I was misreading the post.

0

Please let me know how your pc is.

The reason I ask questions is because I am not a mind reader.

Cohen, I think you will find that the HijackThis log posted was run after ComboFix :).

0

PC is running good, thanks for all your help. I still have a bunch of svchosts running, and I still don't have audio, don't know why. Every time I try to start the audio service it tells me not enough memory to run it, but I have tons of memory, so I'm assuming that the virus changed up some registry settings. Also I think I have been google.goored: every time I do a search in Firefox it redirects me to some site, and when it's loading it says google.goored.com/xxxxxxxxxx, (x) being wherever it's redirecting me to. So I don't know how to clean that out either, and virus scans are not detecting it.

0

Update MBAM and run it again and see what it finds. Remove anything that it does find.

Try uninstalling your audio drivers in device manager and re-installing them after a reboot.

0

I ran MBAM, updated it and ran it. It found nothing. I uninstalled the audio and also the audio controller, rebooted and reinstalled, but it still doesn't work. Here is the error I get:

"Windows could not start the Windows Audio Service on Local Computer.

Error 0x800700e: Not enough storage is available to complete this operation."

But I have tons of free memory and 30 gigs of HD space.

0

Also, when I try to look at the dependencies in any service it gives me this error:

"Win32: Not enough storage is available to complete this operation."

So I'm thinking my registry is really screwed up. I can't even add a new user to the laptop.

0

Do you have your installation CD? If so, you can try doing a repair. I am not sure how it is done on Vista though.
In XP it is done by going to Start | Run and typing in sfc /scannow and hitting enter.
