Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Join the Team

Live Tag Cloud
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Infected with Vundo please help...

[Fixed] Hijackthis! Logs - Infected with Vundo please help... posted in the Security & Safety forums; A week ago, I've been experiencing some troubles with my computer. Firstly, My C: drive began to bloat... often a warning telling me it has low space on the c: ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 1 of 2 1 2 >
  #1  
Old 06-20-2008
Bronze Member
  
Join Date: Jun 2008
Posts: 4
PC Experience: Some Experience
dreamer. - See this Members User comments on their Profile page
Default Infected with Vundo please help...
A week ago, I've been experiencing some troubles with my computer.
Firstly, My C: drive began to bloat... often a warning telling me it has low space on the c: drive... So I did some cleaning , I cleaned around 1gb... but the next day, another warning pops up telling me I have low disk space... so I merged my partitions... Whenever I surf with my IE, a bunch load of pops up came up... Then came this horrific warning pops up from windows defender... it says I have a trojan "Vundo".... I tried removing it with my norton antivirus... but it seemed it can't detect the trojan... I also tried few other programs after being recommended from a few sites... I tried VundoFix and etc. (can't really remember the names... I've uninstalled them all) at first those programs can detect the trojan... and claimed it have removed the trojan successfully... but still this Vundo keeps coming back and haunt me... Anyway I thing leads to another I found this web through HIJACKTHIS website... Really hoping to get helped by the experts... I've read and followed the instructions from the forum and here is the log from DSS

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 1022.19 MiB / 281.99 MiB
Pagefile Memory (total/avail): 3972.01 MiB / 2871.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1905.6 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 46.68 GiB total, 23.46 GiB free.
D: is Fixed (NTFS) - 186.31 GiB total, 14.08 GiB free.
F: is Fixed (NTFS) - 68.36 GiB total, 22.34 GiB free.
G: is CDROM (No Media)
H: is CDROM (UDF)
I: is CDROM (No Media)
J: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - HDS722512VLAT20 ATA Device - 115.04 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 46.68 GiB - C:
\PARTITION1 - Installable File System - 68.36 GiB - F:

\\.\PHYSICALDRIVE1 - ST3200820A ATA Device - 186.31 GiB - 1 partition
\PARTITION0 - Installable File System - 186.31 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: SUPERAntiSpyware v4, 15, 0, 1000 (SUPERAntiSpyware.com) Disabled
AS: Norton AntiVirus v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\DomainProfile\Authoriz edApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\StandardProfile\Author izedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\dreamer\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DREAMER-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\dreamer
LOCALAPPDATA=C:\Users\dreamer\AppData\Local
LOGONSERVER=\\DREAMER-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\Sys tem32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WS F;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\dreamer\AppData\Local\Temp
TMP=C:\Users\dreamer\AppData\Local\Temp
USERDOMAIN=dreamer-PC
USERNAME=dreamer
USERPROFILE=C:\Users\dreamer
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

dreamer
Administrator.dreamer-PC (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activ eX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugi n.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb 9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\I Driver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
AutoCAD 2008 - English --> D:\Program Files\AutoCAD 2008\Setup\Setup.exe /P {5783F2D7-6001-0409-0002-0060B0CE6BBA} /M ACAD
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cobra 11 - Crash Time (remove only) --> "d:\Program Files\Cobra 11 - Crash Time\Uninstall.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Frets On Fire --> "d:\Program Files\Frets on Fire\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
I-Doser v4 --> C:\Program Files\IDoser v4\Uninstal.exe
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire PRO 4.13.2 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
MagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Monopoly by Parker Brothers --> D:\PROGRA~1\Hasbro\MONOPO~1\UNWISE.EXE /U D:\PROGRA~1\Hasbro\MONOPO~1\INSTALL.LOG
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 8 --> MsiExec.exe /X{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_2_0_29\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
On2 VP7 Personal Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD0DDC9E-2ED4-44DD-B461-0EFC126813A0}\Setup.exe" -l0x9
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Photomatix Pro version 2.4 --> "C:\Program Files\Photomatix\unins000.exe"
PSP ISO Compressor --> MsiExec.exe /X{D47087E7-AA15-4D1D-8C0A-60F7E446D597}
pzizz --> C:\Program Files\Brainwave\pzizz\Uninstall.exe
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.0 --> C:\Program Files\RegCure\uninst.exe
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Speeditup Free 4.76 --> "C:\Windows\Speeditup Free\uninstall.exe" "/U:C:\Program Files\Speeditup Free\irunin.xml"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
sXe Injected --> "C:\Program Files\sXe Injected\uninstall.exe"
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VIA Integrated Setup Wizard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\ID river.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VSO Image Resizer 2.0.1.3 --> "C:\Program Files\VSO\Image Resizer\unins000.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Yahoo! Widgets --> C:\PROGRA~1\Yahoo!\Widgets\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type21196 / Error
Event Submitted/Written: 06/21/2008 05:22:04 AM
Event ID/Source: 3024 / Windows Search Service
Event Description:
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context: Windows Application, SystemIndex Catalog

Event Record #/Type21195 / Warning
Event Submitted/Written: 06/21/2008 05:22:04 AM
Event ID/Source: 3036 / Windows Search Service
Event Description:
The content source <csc://{s-1-5-21-2458741484-1966541543-2703877822-500}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
The per-user filter pool could not be found. (0x80040dba)

Event Record #/Type21191 / Error
Event Submitted/Written: 06/21/2008 05:10:03 AM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {8d37e681-53fa-48cf-a13b-cdf8d6431150}

Event Record #/Type21185 / Success
Event Submitted/Written: 06/21/2008 05:06:09 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type21177 / Success
Event Submitted/Written: 06/21/2008 05:00:58 AM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type58547 / Error
Event Submitted/Written: 06/21/2008 05:10:59 AM
Event ID/Source: 3006 / WinDefend
Event Description:
%dreamer-PC27 Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.

For more information please see the following:
%dreamer-PC275

Scan ID: {5C83277E-BED2-4890-9A6C-FC93B7EFDCEB}

User: dreamer-PC\dreamer

Name: %dreamer-PC271

ID: %dreamer-PC272

Severity ID: %dreamer-PC273

Category ID: %dreamer-PC274

Path: %dreamer-PC276

Alert Type: %dreamer-PC278

Action: 1.1.1505.00

Error Code: 1.1.1505.01

Error description: 1.1.1505.02

Event Record #/Type58542 / Warning
Event Submitted/Written: 06/21/2008 05:08:04 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type58539 / Warning
Event Submitted/Written: 06/21/2008 05:07:42 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%dreamer-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %dreamer-PC27 can't undo changes that you allow.

For more information please see the following:
%dreamer-PC275

Scan ID: {E8E68DB8-CA6B-453D-B7F9-4D49B890AE54}

User: dreamer-PC\dreamer

Name: %dreamer-PC271

ID: %dreamer-PC272

Severity ID: %dreamer-PC273

Category ID: %dreamer-PC274

Path Found: %dreamer-PC276

Alert Type: %dreamer-PC278

Detection Type: 1.1.1505.02

Event Record #/Type58538 / Warning
Event Submitted/Written: 06/21/2008 05:07:42 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%dreamer-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %dreamer-PC27 can't undo changes that you allow.

For more information please see the following:
%dreamer-PC275

Scan ID: {061C11A7-ACF7-476F-B73F-9F69CC7A949D}

User: dreamer-PC\dreamer

Name: %dreamer-PC271

ID: %dreamer-PC272

Severity ID: %dreamer-PC273

Category ID: %dreamer-PC274

Path Found: %dreamer-PC276

Alert Type: %dreamer-PC278

Detection Type: 1.1.1505.02

Event Record #/Type58522 / Error
Event Submitted/Written: 06/21/2008 05:05:14 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
Background Intelligent Transfer Service



-- End of Deckard's System Scanner: finished at 2008-06-21 05:43:12 ------------

main.txt

Deckard's System Scanner v20071014.68
Run by dreamer on 2008-06-21 05:30:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as dreamer.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:38:15, on 6/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Azureus\Azureus.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\dreamer\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\dreamer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqPhEvU.dll,#1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\dreamer\AppData\Local\Temp\opNFvSif.dll,c
O4 - HKCU\..\Run: [3c8f6f08] rundll32.exe "C:\Users\dreamer\AppData\Local\Temp\tglyawja.dll" ,b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\dreamer\AppData\Local\Temp\cbXPjhhG.dll,# 1
O4 - HKCU\..\Run: [BM3fbc5c94] Rundll32.exe "C:\Users\dreamer\AppData\Local\Temp\uevwsdab.dll" ,s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: Azureus Vuze.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Windows\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9481 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.pif - piffile - shell\open\command - "%1" %*"
.scr - AutoCADScriptFile - shell\open\command - "C:\Windows\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 viaraid - c:\windows\system32\drivers\viaraid.sys <Not Verified; VIA Technologies inc,.ltd; VT6410 RAID MINIPORT DRIVER>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S0 OemBiosDevice (Royalty OEM BIOS Extension) - c:\windows\system32\drivers\royal.sys <Not Verified; PARADOX; SLP Kernel-Mode Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762 ##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: STREAM\CX88XBAR.VEN_14F1.CNXT\5&F2B4C67&0&0
Manufacturer:
Name:
PNP Device ID: STREAM\CX88XBAR.VEN_14F1.CNXT\5&F2B4C67&0&0
Service:

Class GUID:
Description: PCI Input Device
Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_0A\4&2E9 8101C&0&69F0
Manufacturer:
Name: PCI Input Device
PNP Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_0A\4&2E9 8101C&0&69F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-21 05:00:52 442 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-06-20 18:44:22 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{E9CBD648-6721-44C7-8032-58DE1AB41704}.job
2008-06-20 18:01:09 376 --a------ C:\Windows\Tasks\RegCure.job
2008-06-20 18:01:09 484 --a------ C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - dreamer.job
2007-12-14 21:05:41 258 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 04:54:24 25088 --a------ C:\Windows\system32\ssqPhEvU.dll
2008-06-21 04:52:13 0 dr------- C:\Users\Administrator.dreamer-PC\Searches
2008-06-21 04:51:45 0 dr------- C:\Users\Administrator.dreamer-PC\Contacts
2008-06-21 04:51:08 0 d--hs---- C:\Users\Administrator.dreamer-PC\Templates
2008-06-21 04:51:08 0 d--hs---- C:\Users\Administrator.dreamer-PC\Start Menu
2008-06-21 04:51:08 0 d--hs---- C:\Users\Administrator.dreamer-PC\Local Settings
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\SendTo
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\Recent
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\PrintHood
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\NetHood
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\My Documents
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\Cookies
2008-06-21 04:51:07 0 d--hs---- C:\Users\Administrator.dreamer-PC\Application Data
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Videos
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Saved Games
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Pictures
2008-06-21 04:51:05 786432 --ahs---- C:\Users\Administrator.dreamer-PC\NTUSER.DAT
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Music
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Links
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Favorites
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Downloads
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Documents
2008-06-21 04:51:05 0 dr------- C:\Users\Administrator.dreamer-PC\Desktop
2008-06-21 04:51:05 0 d--h----- C:\Users\Administrator.dreamer-PC\AppData
2008-06-21 04:01:27 0 d------c- C:\Program Files\Trend Micro
2008-06-20 00:49:10 104448 --a------ C:\1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-20 00:48:58 0 d------c- C:\Program Files\RegCure
2008-06-20 00:33:03 0 d-------- C:\Windows\RegCure
2008-06-19 23:56:22 0 d------c- C:\Program Files\Exterminate It!
2008-06-19 22:56:42 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-06-19 22:56:42 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-19 22:56:42 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-19 22:56:42 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-19 22:56:42 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-19 22:56:42 51200 --a------ C:\Windows\system32\dumphive.exe
2008-06-19 22:56:42 81920 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-19 22:56:41 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 22:51:19 0 --a------ C:\ntuser.dat
2008-06-19 22:23:18 0 d-------- C:\Windows\Speeditup Free
2008-06-19 22:23:18 0 d------c- C:\Program Files\Speeditup Free
2008-06-19 22:01:15 4298 --a------ C:\Windows\system32\tmp.reg
2008-06-19 18:49:39 0 d------c- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-19 18:41:56 0 d------c- C:\Program Files\SUPERAntiSpyware
2008-06-19 18:39:23 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 15:27:41 0 d------c- C:\Users\All Users\Spybot - Search & Destroy
2008-06-19 04:45:11 0 d-------- C:\VundoFix Backups
2008-06-18 23:52:22 0 d-a----c- C:\Users\All Users\TEMP
2008-06-17 16:37:14 0 d-------- C:\Windows\system32\appmgmt
2008-06-11 02:11:39 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-08 21:45:01 0 d-------- C:\Program Files\sXe Injected
2008-05-31 01:44:43 0 d-------- C:\Program Files\IDoser v4
2008-05-31 01:42:05 0 d-------- C:\Program Files\VSO
2008-05-24 03:19:47 0 d------c- C:\Users\All Users\HipSoft
2008-05-24 03:16:20 0 d-------- C:\Windows\Build-a-lot 2 - Town of the Year


-- Find3M Report ---------------------------------------------------------------

2008-06-21 05:39:33 0 d-------- C:\Users\dreamer\AppData\Roaming\Azureus
2008-06-21 04:58:51 12 --a------ C:\Windows\bthservsdp.dat
2008-06-20 18:08:48 0 d-------- C:\Users\dreamer\AppData\Roaming\dvdcss
2008-06-19 22:58:21 35 --a------ C:\Users\dreamer\AppData\Roaming\SetValue.bat
2008-06-19 22:58:21 691 --a------ C:\Users\dreamer\AppData\Roaming\GetValue.vbs
2008-06-19 18:41:56 0 d-------- C:\Users\dreamer\AppData\Roaming\SUPERAntiSpyware. com
2008-06-19 18:39:23 0 d------c- C:\Program Files\Common Files
2008-06-19 15:57:48 0 d-------- C:\Program Files\PowerISO
2008-06-18 00:57:50 0 d------c- C:\Program Files\Azureus
2008-06-17 16:05:46 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-17 16:05:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 16:04:48 0 d-------- C:\Users\dreamer\AppData\Roaming\My Games
2008-06-17 13:47:37 0 d-------- C:\Users\dreamer\AppData\Roaming\fretsonfire
2008-06-12 19:11:02 0 d-------- C:\Users\dreamer\AppData\Roaming\Autodesk
2008-06-11 07:09:52 0 d-------- C:\Program Files\Windows Mail
2008-06-10 01:19:26 0 d-------- C:\Users\dreamer\AppData\Roaming\DMCache
2008-05-31 21:44:59 0 d-------- C:\Program Files\Symantec
2008-05-05 22:49:15 0 d-------- C:\Program Files\Microsoft Works
2008-05-05 22:48:48 0 d-------- C:\Program Files\MSBuild
2008-05-05 22:44:48 0 d-------- C:\Program Files\Microsoft.NET
2008-05-05 22:38:01 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-04 03:20:32 0 d-------- C:\Users\dreamer\AppData\Roaming\Adobe
2008-04-24 20:15:23 0 d-------- C:\Program Files\danny_kay1710
2008-04-11 17:23:54 38400 --a------ C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [12/19/2007 22:26]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [05/29/2003 16:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [05/30/2003 09:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"CTHelper"="CTHELPER.EXE" [04/09/2007 12:32 C:\Windows\System32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [04/09/2007 12:32 C:\Windows\System32\Ctxfihlp.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 14:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [08/08/2007 09:25]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/04/2008 01:48]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 17:38]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 23:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 13:10]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 00:47]
"MSServer"="C:\Windows\system32\ssqPhEvU.dll" [06/20/2008 00:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/12/2007 20:09]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 19:33]
"cmds"="C:\Users\dreamer\AppData\Local\Temp\opNFvS if.dll,c" []
"3c8f6f08"="C:\Users\dreamer\AppData\Local\Temp\tg lyawja.dll,b" []
"MSServer"="C:\Users\dreamer\AppData\Local\Temp\cb XPjhhG.dll,#1" []
"BM3fbc5c94"="C:\Users\dreamer\AppData\Local\Temp\ uevwsdab.dll,s" []

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\run]
"DevconDefaultDB"=C:\Windows\system32\READREG /SILENT /FAIL=1

C:\Users\dreamer\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\
Azureus Vuze.lnk - C:\Program Files\Azureus\Azureus.exe [12/14/2007 22:12:42]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [12/14/2007 20:33:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{57A52E74-004C-464B-96CC-4DFE5366EA02}"= C:\Windows\system32\ssqPhEvU.dll [06/20/2008 00:49 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{443659ea-b514-11dc-8a38-000ea668f16c}]
AutoRun\command- J:\Setupx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{bb2814b7-aa65-11dc-b0d6-000ea668f16c}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-06-21 05:43:12 ------------


Help would be very much appreciated... thanks in advance...

regards,

William
  #2  
Old 06-21-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,057
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Infected with Vundo please help...
Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for download links, and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

=======================================

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.


__________________
  • An Australian Member of
  • and
My real name is Eddy
Last edited by Pancake; 06-21-2008 at 02:04 AM.
  #3  
Old 06-21-2008
Bronze Member
  
Join Date: Jun 2008
Posts: 4
PC Experience: Some Experience
dreamer. - See this Members User comments on their Profile page
Default Re: Infected with Vundo please help...
Ok.. Firstly I want to thank you for the help... really appreciate it... cheers mate... =)

here is the log from combofix

ComboFix 08-06-20.4 - dreamer 2008-06-21 14:49:34.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.272 [GMT 7:00]
Running from: C:\Users\dreamer\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.exe
C:\Windows\system32\ssqPhEvU.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-21 05:26 . 2008-06-21 05:26 <DIR> d-------- C:\Deckard
2008-06-21 04:58 . 2008-06-21 04:58 3,377,466 --a------ C:\Windows\{00000002-00000000-0000000D-00001102-00000002-80661102}.BAK
2008-06-21 04:54 . 2008-06-21 04:54 <DIR> d-------- C:\Users\Administrator.dreamer-PC\AppData\Roaming\Nero
2008-06-21 04:52 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Searches
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Videos
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Saved Games
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Pictures
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Music
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Links
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Downloads
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Documents
2008-06-21 04:51 . 2008-06-21 04:51 <DIR> dr------- C:\Users\Administrator.dreamer-PC\Contacts
2008-06-21 04:51 . 2006-11-02 19:35 <DIR> d-------- C:\Users\Administrator.dreamer-PC\AppData\Roaming\Media Center Programs
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> d--h----- C:\Users\Administrator.dreamer-PC\AppData
2008-06-21 04:51 . 2008-06-21 04:52 <DIR> d-------- C:\Users\Administrator.dreamer-PC
2008-06-21 04:01 . 2008-06-21 04:01 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-20 00:48 . 2008-06-20 01:08 <DIR> d----c--- C:\Program Files\RegCure
2008-06-20 00:33 . 2008-06-20 00:33 <DIR> d-------- C:\Windows\RegCure
2008-06-19 23:56 . 2008-06-20 00:00 <DIR> d----c--- C:\Program Files\Exterminate It!
2008-06-19 22:56 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-06-19 22:56 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-06-19 22:56 . 2008-05-29 09:35 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-06-19 22:56 . 2008-05-18 21:40 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-06-19 22:56 . 2008-06-15 15:28 81,920 --a------ C:\Windows\System32\IEDFix.C.exe
2008-06-19 22:56 . 2008-05-23 18:21 81,920 --a------ C:\Windows\System32\404Fix.exe
2008-06-19 22:56 . 2003-06-05 21:13 53,248 --a------ C:\Windows\System32\Process.exe
2008-06-19 22:56 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-06-19 22:56 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-06-19 22:51 . 2008-06-19 22:51 0 --ah----- C:\ntuser.dat.LOG2
2008-06-19 22:51 . 2008-06-19 22:51 0 --ah----- C:\ntuser.dat.LOG1
2008-06-19 22:51 . 2008-06-19 22:51 0 --a------ C:\ntuser.dat
2008-06-19 22:23 . 2008-06-19 22:23 <DIR> d-------- C:\Windows\Speeditup Free
2008-06-19 22:23 . 2008-06-19 22:23 <DIR> d----c--- C:\Program Files\Speeditup Free
2008-06-19 22:01 . 2008-06-19 22:58 4,298 --a------ C:\Windows\System32\tmp.reg
2008-06-19 22:01 . 2008-06-19 22:58 691 --a------ C:\Users\dreamer\AppData\Roaming\GetValue.vbs
2008-06-19 22:01 . 2008-06-19 22:58 35 --a------ C:\Users\dreamer\AppData\Roaming\SetValue.bat
2008-06-19 18:49 . 2008-06-19 18:49 <DIR> d----c--- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-19 18:49 . 2008-06-19 18:49 <DIR> d----c--- C:\PROGRA~2\SUPERAntiSpyware.com
2008-06-19 18:41 . 2008-06-19 18:41 <DIR> d-------- C:\Users\dreamer\AppData\Roaming\SUPERAntiSpyware. com
2008-06-19 18:41 . 2008-06-19 22:11 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-06-19 18:39 . 2008-06-19 18:39 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 15:27 . 2008-06-19 19:52 <DIR> d----c--- C:\Users\All Users\Spybot - Search & Destroy
2008-06-19 15:27 . 2008-06-19 19:52 <DIR> d----c--- C:\PROGRA~2\Spybot - Search & Destroy
2008-06-19 04:45 . 2008-06-19 16:02 <DIR> d-------- C:\VundoFix Backups
2008-06-18 23:52 . 2008-06-19 19:49 <DIR> d-a--c--- C:\Users\All Users\TEMP
2008-06-18 23:52 . 2008-06-19 19:49 <DIR> d-a--c--- C:\PROGRA~2\TEMP
2008-06-17 13:46 . 2008-06-17 13:47 <DIR> d-------- C:\Users\dreamer\AppData\Roaming\fretsonfire
2008-06-12 00:50 . 2008-04-26 15:02 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-06-12 00:50 . 2008-04-29 08:42 220,160 --a------ C:\Windows\System32\drivers\bthport.sys
2008-06-12 00:50 . 2008-04-29 10:50 181,760 --a------ C:\Windows\System32\fsquirt.exe
2008-06-12 00:50 . 2008-05-10 08:21 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-12 00:50 . 2008-04-29 08:42 29,184 --a------ C:\Windows\System32\drivers\BTHUSB.SYS
2008-06-12 00:50 . 2008-04-29 08:42 19,456 --a------ C:\Windows\System32\drivers\bthenum.sys
2008-06-12 00:50 . 2008-05-10 10:30 14,848 --a------ C:\Windows\System32\wshrm.dll
2008-06-11 02:11 . 2008-06-11 02:11 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-11 02:06 . 2008-03-08 07:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-11 02:06 . 2008-03-08 11:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-06-11 02:05 . 2007-10-24 10:58 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-06-11 02:05 . 2007-10-24 10:58 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-06-11 02:05 . 2007-12-17 05:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-06-11 02:05 . 2007-10-26 18:14 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-06-11 02:05 . 2008-01-19 10:06 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-06-11 02:05 . 2008-01-19 12:08 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-06-11 02:05 . 2008-01-19 12:07 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-06-11 02:05 . 2007-12-16 16:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-06-11 02:05 . 2008-01-19 12:06 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-06-11 02:05 . 2008-01-19 12:06 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-06-08 21:45 . 2008-06-08 21:45 <DIR> d-------- C:\Program Files\sXe Injected
2008-05-31 01:44 . 2008-05-31 01:47 <DIR> d-------- C:\Program Files\IDoser v4
2008-05-31 01:42 . 2008-05-31 01:42 <DIR> d-------- C:\Program Files\VSO
2008-05-24 03:19 . 2008-05-24 03:19 <DIR> d----c--- C:\Users\All Users\HipSoft
2008-05-24 03:19 . 2008-05-24 03:19 <DIR> d----c--- C:\PROGRA~2\HipSoft
2008-05-24 03:16 . 2008-05-24 03:16 <DIR> d-------- C:\Windows\Build-a-lot 2 - Town of the Year

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-06-21 07:55 --------- d-----w C:\Users\dreamer\AppData\Roaming\Azureus
2008-06-20 11:08 --------- d-----w C:\Users\dreamer\AppData\Roaming\dvdcss
2008-06-19 08:57 --------- d-----w C:\Program Files\PowerISO
2008-06-17 17:57 --------- dc----w C:\Program Files\Azureus
2008-06-17 09:33 716,272 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-06-17 09:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 09:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-17 09:04 --------- d-----w C:\Users\dreamer\AppData\Roaming\My Games
2008-06-12 12:11 --------- dc----w C:\PROGRA~2\Autodesk
2008-06-12 12:11 --------- d-----w C:\Users\dreamer\AppData\Roaming\Autodesk
2008-06-11 00:09 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 19:13 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-06-09 18:19 --------- d-----w C:\Users\dreamer\AppData\Roaming\DMCache
2008-05-31 14:44 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-05-31 14:44 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-05-31 14:44 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-05-31 14:44 --------- d-----w C:\Program Files\Symantec
2008-05-05 15:49 --------- d-----w C:\Program Files\Microsoft Works
2008-05-05 15:48 --------- d-----w C:\Program Files\MSBuild
2008-05-05 15:44 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-05 15:38 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-24 13:15 --------- d-----w C:\Program Files\danny_kay1710
2008-04-11 10:23 38,400 ----a-w C:\Windows\System32\SoundSchemes.exe
2007-12-16 10:23 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-12 20:09 167368]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 19:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\Windows\System32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\Windows\System32\Ctxfihlp.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 12:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-04 01:48 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG " [ ]

C:\Users\dreamer\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\
Azureus Vuze.lnk - C:\Program Files\Azureus\Azureus.exe [2007-12-14 22:12:42 254976]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-12-14 20:33:02 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{EBC798F4-00AA-4940-9003-00C2EE8F0A44}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{6C0D274E-6D5C-49E4-AC0A-104B6B0A75B1}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{8DDA8294-CF76-4E48-A30C-6DF992B7FF45}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{1A608B4B-202E-4171-8FA5-329442A44F15}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{791F3622-A0BB-4BD6-B9E2-5ABDF09B5442}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{B6EA5606-3175-4B2A-A584-9630D33F1D56}"= UDP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{7CC31DA5-110A-4899-B24D-401A9F1C16B9}"= TCP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{21D031F9-7270-48D0-B1CE-2B42E400FCBA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{35F38647-D6D9-4537-B570-CF3E7BD90652}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{655A22EB-FD97-4FBC-A5DB-04ADA061E96D}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2486CA27-F251-47E0-91C2-CCC15B9A5C9B}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5E10E41D-423F-4E4C-9ACE-CBAA194E5384}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2502616E-98C3-4FC8-82EF-0C8290A200CA}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{54DEC961-4A20-47B8-8412-64EFD2025042}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E0212051-418A-4E07-92D6-7E4E7B905B8B}"= Disabled:UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{B800454F-8C0D-496F-9ABE-6E0AEB2A7FDC}"= Disabled:TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|S vc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 viaraid;viaraid;C:\Windows\system32\DRIVERS\viarai d.sys [2003-10-21 13:03]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20080617.001\IDSvix86.sys [2008-03-12 00:34]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atik mdag.sys [2007-09-29 03:13]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMN DISV.SYS [2007-10-30 19:55]
R3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV 3.SYS [2006-11-02 14:41]
R3 VSTHWBS2;VSTHWBS2;C:\Windows\system32\DRIVERS\VSTB S23.SYS [2006-11-02 14:41]
S0 OemBiosDevice;Royalty OEM BIOS Extension;C:\Windows\system32\DRIVERS\royal.sys [2007-12-14 22:22]
S3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\system32\DRIVERS\BthAvrcp.sys [2007-08-24 19:34]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 03:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{443659ea-b514-11dc-8a38-000ea668f16c}]
\shell\AutoRun\command - J:\Setupx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{bb2814b7-aa65-11dc-b0d6-000ea668f16c}]
\shell\AutoRun\command - ntde1ect.com
\shell\explore\Command - ntde1ect.com
\shell\open\Command - ntde1ect.com

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 14:05:41 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-20 11:01:09 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - dreamer.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeB/TASK:
"2008-06-21 07:35:06 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-20 11:01:09 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-20 11:44:22 C:\Windows\Tasks\User_Feed_Synchronization-{E9CBD648-6721-44C7-8032-58DE1AB41704}.job"
- C:\Windows\system32\msfeedssync.exe
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 14:55:05
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


**************************