Win32/Rustock.gen!C

[missy_ellie]

Please help...

Logfile of HijackThis v1.99.1
Scan saved at 9:05:06 PM, on 25/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Samsung\AVStation premium\bin\AVStation agent.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Samsung\Samsung Command Center\PIC_UI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Samsung\SA8644~1\SAMSUN~1.EXE
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Elise\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DA62B713-1249-4E5D-8639-D4EC1958AC07} - \
O2 - BHO: (no name) - {E26BA7DB-37EB-F685-B440-0265C6F43454} - C:\DOCUME~1\Elise\APPLIC~1\PILEBY~1\boobloud.exe (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [AVStation premium] "C:\Program Files\Samsung\AVStation premium\bin\AVStation agent.exe"
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SamsungPIC] C:\Program Files\Samsung\Samsung Command Center\PIC_UI.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://emilgate.spaces.msn.com//Phot...d/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0246381172382106) (0246381172382106mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Elise\LOCALS~1\Temp\024638~1.EXE
O23 - Service: Arca Eclipse - Unknown owner - C:\Program Files\Arca Eclipse\arca3.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------

What is alerting you to Rustock?

I see other infection signs present, which may or may not be active. We'll deal with them later.

Download http://www.uploads.ejvindh.net/rustbfix.exe ...and save it to your desktop.

Alternate download Mirror if needed:

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%avenger.txt & %root%rustbfixpelog.txt). Post the content of these logfiles in your next reply.

------------------------------

Next, do this:

1. Download ComboScan to your Desktop. Note: You must be logged onto an account with administrator privileges.
2. Close all applications and windows.
3. Double-click on comboscan.exe to run it, and follow the prompts.
4. When the scan is complete, a text file will open - ComboScan.txt
5. Copy and paste the contents of ComboScan.txt here.
6. A folder, C:\ComboScan will also open. In it will be another text file, Supplementary.txt
7. Please Attach Supplementary.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options>Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:
   

   C:\ComboScan\Supplementary.txt

3. Click Upload.

---------------------------------------------------------------------------------------------

[missy_ellie]

Ok so basically i cant install new programs which Windows finds in updates for me. ie the new version of internet explorer. When i attempt to download it, it gets to the "running malicious software removal tool" then my computer cuts to a blue screen and shuts down before i can read anything on the screen. This also happened when i tried to install the new version of wimdows media player. So upon restart i get the message "your system has recovered from a serious error" and when i click send error report, Windows website pops up and tells me i have the Win32/Rustock.gen!C and then gives me the option of using the Windows Live OneCare scan to remove it. However, during scan i get the same problem - blue screen pops up then system restart. To me it seems that whenever a anti virus scan even touches the virus it sets it off. So i have had no way of getting rid of it

Thank you for your help so far.. here are the first two logs


pelog.txt =

************************* Rustock.b-fix -- By ejvindh *************************
Mon 26/02/2007 9:17:35.17

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


avenger.txt=


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\shlngjfu

*******************

Script file located at: \??\C:\Documents and Settings\jmwnrjsd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at c:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

[missy_ellie]

quick question - for the next step [i have to be logged onto an account with administrator priveledges.] i have two accounts on my comp one is mine and the other is a guest account. Can i use mine or do i need to start in safe mode and use the administrator account???

[tetonbob]

Hi missy_ellie -

Your Blue Screens should now be abated. Please let me know if this is not the case.

Your main account on your system is more than likely an admin account. ComboScan will tell you if it is not. Run it on your usual account, in normal mode, please.

[missy_ellie]

ComboScan v20070221.16 run by Elise on 2007-02-26 at 09:38:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis (run as Elise.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:40:31 AM, on 26/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Samsung\AVStation premium\bin\AVStation agent.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Samsung\Samsung Command Center\PIC_UI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\Samsung\SA8644~1\SAMSUN~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Elise\My Documents\comboscan.exe
C:\Documents and Settings\Elise\My Documents\hijackthis\Elise.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DA62B713-1249-4E5D-8639-D4EC1958AC07} - \
O2 - BHO: (no name) - {E26BA7DB-37EB-F685-B440-0265C6F43454} - C:\DOCUME~1\Elise\APPLIC~1\PILEBY~1\boobloud.exe (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [AVStation premium] "C:\Program Files\Samsung\AVStation premium\bin\AVStation agent.exe"
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SamsungPIC] C:\Program Files\Samsung\Samsung Command Center\PIC_UI.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://emilgate.spaces.msn.com//Phot...d/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Arca Eclipse - Unknown owner - C:\Program Files\Arca Eclipse\arca3.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3S 61883 (61883 Unit Device) - C:\WINDOWS\system32\drivers\61883.sys
3R aeaudio - C:\WINDOWS\system32\drivers\aeaudio.sys
3R AgereSoftModem (SENS LT56ADW Modem) - C:\WINDOWS\system32\drivers\AGRSM.sys
3S AR5211 (Atheros Wireless Network Adapter Service) - C:\WINDOWS\system32\drivers\ar5211.sys
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
3S Avc (AVC Device) - C:\WINDOWS\system32\drivers\avc.sys
3S AVCSTRM (AVC Streaming Filter Driver) - C:\WINDOWS\system32\drivers\avcstrm.sys
3R bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - C:\WINDOWS\system32\drivers\bcm4sbxp.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\CCDECODE.sys
2R DOSMEMIO (MEMIO) - C:\WINDOWS\system32\MEMIO.SYS
2R FBAPI - C:\WINDOWS\system32\drivers\FBAPI.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3S HPZid412 (IEEE-1284.4 Driver HPZid412) - C:\WINDOWS\system32\drivers\HPZid412.sys
3S HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - C:\WINDOWS\system32\drivers\HPZipr12.sys
3S HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - C:\WINDOWS\system32\drivers\HPZius12.sys
3S ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSDV (Microsoft DV Camera and VCR) - C:\WINDOWS\system32\drivers\msdv.sys
3S MSTAPE (Microsoft AV/C Tape Subunit Device) - C:\WINDOWS\system32\drivers\mstape.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\MSTEE.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\NABTSFEC.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\NdisIP.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
0R ohci1394 (OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
0R rimsptsk - C:\WINDOWS\system32\drivers\rimsptsk.sys
0R risdptsk - C:\WINDOWS\system32\drivers\risdptsk.sys
0R rismxdp (Ricoh xD-Picture Card Driver) - C:\WINDOWS\system32\drivers\rixdptsk.sys
0R RITCPT - C:\WINDOWS\system32\drivers\RITCPT.SYS
0R sbp2port (SBP-2 Transport/Protocol Bus Driver) - C:\WINDOWS\system32\drivers\sbp2port.sys
3S sdbus - C:\WINDOWS\system32\drivers\sdbus.sys
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\SLIP.sys
3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
0S srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys (not found)
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\StreamIP.sys
3S SUEPD (SUE NDIS Protocol Driver) - C:\WINDOWS\system32\drivers\SUE_PD.sys
3S SYMIDSCO - C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20061025.029\symidsco.sys (not found)
3R SynTP (Synaptics TouchPad Driver) - C:\WINDOWS\system32\drivers\SynTP.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
1S vsdatant - C:\WINDOWS\system32\vsdatant.sys (not found)
3R w29n51 (Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP) - C:\WINDOWS\system32\drivers\w29n51.sys
3R wowfilter (WOW XT Filter Driver) - C:\WINDOWS\system32\drivers\WOWFilter.sys
4S WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4S Alerter - C:\WINDOWS\system32\svchost.exe -k LocalService
3S ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2S Arca Eclipse - C:\Program Files\Arca Eclipse\arca3.exe
3S AresChatServer (Ares Chatroom server) - C:\Program Files\Ares\chatServer.exe
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S BITS (Background Intelligent Transfer Service) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2S Browser (Computer Browser) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S CiSvc (Indexing Service) - C:\WINDOWS\system32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S dlcg_device - C:\WINDOWS\system32\dlcgcoms.exe -service
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
3S dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\system32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3R FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S HidServ (Human Interface Device Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\system32\imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\system32\svchost.exe -k LocalService
2R McNASvc (McAfee Network Agent) - "C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"
4S Messenger - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\system32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\system32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\system32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\system32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\system32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2S Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\system32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
3S RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\system32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\system32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
2S Samsung Update Plus - "C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe"
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SiteAdvisor Service - C:\Program Files\SiteAdvisor\6028\SAService.exe
2R SNM WLAN Service - "C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe"
2R SoundMAX Agent Service (default) (SoundMAX Agent Service) - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\system32\svchost.exe -k LocalService
2R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\system32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\system32\dllhost.exe /Processid:{0EA019DF-AD4F-4E85-8DAC-98C2A0409755}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\system32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
3R usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2S vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WebClient - C:\WINDOWS\system32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
2R wscsvc (Security Center) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-25 23:00:00 260 --ah----- C:\WINDOWS\Tasks\AE1280A191893599.job<AE1280~1.JOB>
2007-02-23 17:19:57 352 --ah----- C:\WINDOWS\Tasks\McQcTask.job
2006-11-26 16:01:09 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-01-26 and 2007-02-26 ------------------------------

2007-02-26 09:21:04 0 d-------- C:\avenger
2007-02-26 09:17:34 0 d-------- C:\Rustbfix
2007-02-23 19:46:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor<SITEAD~1>
2007-02-23 19:46:54 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-23 19:46:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor<SITEAD~1>
2007-02-23 19:46:07 0 d-------- C:\Program Files\Broadcom
2007-02-23 17:22:33 0 d-------- C:\Program Files\SiteAdvisor<SITEAD~1>
2007-02-23 17:22:28 0 d-------- C:\Documents and Settings\Elise\Application Data\SiteAdvisor<SITEAD~1>
2007-02-23 17:18:51 0 d-------- C:\Program Files\McAfee.com
2007-02-23 17:18:41 0 d-------- C:\Program Files\Common Files\McAfee
2007-02-23 17:18:29 0 d-------- C:\Program Files\McAfee
2007-02-23 17:15:54 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-02-23 16:02:33 0 d-------- C:\Documents and Settings\Elise\Application Data\WinPatrol<WINPAT~1>
2007-02-23 16:02:25 0 d-------- C:\Program Files\BillP Studios<BILLPS~1>
2007-02-21 21:05:53 0 dr-h----- C:\$VAULT$.AVG
2007-02-21 20:44:13 0 d-------- C:\Documents and Settings\Elise\Application Data\AVG7
2007-02-21 20:43:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-02-21 20:43:02 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-02-21 1311 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-02-19 13:10:32 0 d-------- C:\Program Files\Windows Live Safety Center<WINDOW~4>
2007-02-19 09:43:00 0 d-------- C:\f9523016fbdb51374032<F95230~1>
2007-02-17 12:33:46 0 d-------- C:\WINDOWS\system32\CatRoot
2007-02-05 10:57:15 87040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-02-05 10:56:36 40960 --a------ C:\WINDOWS\system32\dlcgvs.dll
2007-02-05 10:56:35 1134592 --a------ C:\WINDOWS\system32\dlcgusb1.dll
2007-02-05 10:56:35 1183744 --a------ C:\WINDOWS\system32\dlcgserv.dll
2007-02-05 10:56:35 155648 --a------ C:\WINDOWS\system32\dlcgprox.dll
2007-02-05 10:56:35 114688 --a------ C:\WINDOWS\system32\dlcgpplc.dll
2007-02-05 10:56:34 638976 --a------ C:\WINDOWS\system32\dlcgpmui.dll
2007-02-05 10:56:34 372736 --a------ C:\WINDOWS\system32\dlcgih.exe
2007-02-05 10:56:33 491520 --a------ C:\WINDOWS\system32\dlcgcoms.exe
2007-02-05 10:56:33 413696 --a------ C:\WINDOWS\system32\dlcgcomm.dll
2007-02-05 10:56:32 704512 --a------ C:\WINDOWS\system32\dlcgcomc.dll
2007-02-05 10:56:31 430080 --a------ C:\WINDOWS\system32\dlcgutil.dll
2007-02-05 10:56:31 483328 --a------ C:\WINDOWS\system32\dlcglmpm.dll
2007-02-05 10:56:23 131072 --a------ C:\WINDOWS\system32\dlcgjswr.dll
2007-02-05 10:56:23 106496 --a------ C:\WINDOWS\system32\dlcginsr.dll
2007-02-05 10:56:22 176128 --a------ C:\WINDOWS\system32\dlcginsb.dll
2007-02-05 10:56:22 155648 --a------ C:\WINDOWS\system32\dlcgins.dll
2007-02-05 10:56:20 983092 --a------ C:\WINDOWS\system32\dlcggf.dll
2007-02-05 10:56:19 36864 --a------ C:\WINDOWS\system32\dlcgcur.dll
2007-02-05 10:56:19 86016 --a------ C:\WINDOWS\system32\dlcgcub.dll
2007-02-05 10:56:19 73728 --a------ C:\WINDOWS\system32\dlcgcu.dll
2007-02-05 10:56:15 65536 --a------ C:\WINDOWS\system32\dlcgcfg.dll
2007-02-05 10:56:14 0 d-------- C:\Program Files\Dell AIO 810<DELLAI~1>
2007-02-05 10:55:31 0 d-------- C:\Temp
2007-02-04 20:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15<ULTIMA~1>
2007-02-04 20:19:37 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-02-04 20:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp<ENTERN~1>
2007-02-04 20:12:56 0 d-------- C:\Documents and Settings\Elise\Application Data\Nikon
2007-02-04 20:12:55 765952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-02-04 20:12:54 544768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-02-04 20:12:54 2179072 --a------ C:\WINDOWS\system32\mfc71d.dll
2007-02-04 20:12:52 4644864 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll<NKNEFP~1.DLL>
2007-02-04 20:12:12 180224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-02-04 20:12:12 76800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-02-04 20:12:11 110592 -ra------ C:\WINDOWS\system32\RCSigProc.dll<RCSIGP~1.DLL>
2007-02-04 20:12:11 48128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-02-04 20:12:10 180224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-02-04 20:12:10 155648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-02-04 20:12:04 495616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-02-04 20:11:01 207872 --a------ C:\WINDOWS\system32\LTEFX12N.DLL
2007-02-04 20:11:01 141312 --a------ C:\WINDOWS\system32\LFTIF12N.DLL
2007-02-04 20:11:01 36864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL
2007-02-04 20:11:01 181248 --a------ C:\WINDOWS\system32\LFPNG12N.DLL
2007-02-04 20:11:01 26112 --a------ C:\WINDOWS\system32\LFPCX12N.DLL
2007-02-04 20:11:01 60416 --a------ C:\WINDOWS\system32\LFPCT12N.DLL
2007-02-04 20:11:01 19968 --a------ C:\WINDOWS\system32\LFPCD12N.DLL
2007-02-04 20:11:01 73728 --a------ C:\WINDOWS\system32\LFFAX12N.DLL
2007-02-04 20:11:01 358912 --a------ C:\WINDOWS\system32\LFCMP12N.DLL
2007-02-04 20:11:01 30720 --a------ C:\WINDOWS\system32\LFBMP12N.DLL
2007-02-04 20:11:00 406016 --a------ C:\WINDOWS\system32\LTKRN12N.DLL
2007-02-04 20:11:00 164864 --a------ C:\WINDOWS\system32\LTIMG12N.DLL
2007-02-04 20:11:00 131072 --a------ C:\WINDOWS\system32\LTFIL12N.DLL
2007-02-04 20:11:00 259072 --a------ C:\WINDOWS\system32\LTDIS12N.DLL
2007-02-04 20:11:00 230400 --a------ C:\WINDOWS\system32\DC265.DLL
2007-02-04 20:11:00 434176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL<DC120V~1.DLL>
2007-02-04 20:10:56 0 d-------- C:\Program Files\Nikon
2007-02-04 20:09:50 0 d-------- C:\Program Files\Common Files\Nikon


-- Find3M Report ----------------------------------------------------------------

2007-02-25 20:59:25 0 d-------- C:\Program Files\Ares
2007-02-23 14:17:58 0 d-------- C:\Documents and Settings\Elise\Application Data\Skype
2007-02-23 10:03:04 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-21 20:12:53 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-21 14:35:51 0 d-------- C:\Program Files\IrfanView<IRFANV~1>
2007-02-07 09:16:08 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-01-29 19:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-18 20:44:23 0 d-------- C:\Program Files\Google
2007-01-14 21:48:59 0 d-------- C:\Program Files\Skype
2007-01-14 21:48:59 0 d-------- C:\Program Files\Common Files\Skype
2007-01-13 00:50:24 0 d---s---- C:\Documents and Settings\Elise\Application Data\Microsoft<MICROS~1>
2007-01-06 19:31:03 0 d-------- C:\Program Files\Messenger Plus! Live<MESSEN~3>
2006-12-20 08:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-20 05:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-07 17:40:49 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-28 01:54:06 433152 --a------ C:\WINDOWS\system32\riched20.dll
2006-11-28 01:54:06 539136 --a------ C:\WINDOWS\system32\msftedit.dll


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"farstone"=""
"RestoreIT!"="\"C:\\Program Files\\Phoenix Technologies Ltd\\RecoverPro_XP\\VBPTASK.EXE\" VBStart"
"MagicKeyboard"="C:\\Program Files\\SAMSUNG\\MagicKBD\\PreMKBD.exe"
"AVStation premium"="\"C:\\Program Files\\Samsung\\AVStation premium\\bin\\AVStation agent.exe\""
"BatteryManager"="C:\\Program Files\\Samsung\\Samsung Battery Manager\\BatteryManager.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SamsungPIC"="C:\\Program Files\\Samsung\\Samsung Command Center\\PIC_UI.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Desktop Service Centre"="C:\\Program Files\\OptusNet Dial-up Internet\\DSC.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6028\\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"item"="ACTX1"
"command"="C:\\WINDOWS\\v1201.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"item"="AGRSMMSG"
"command"="AGRSMMSG.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FindSetupLoveBase]
"item"="FindSetupLoveBase"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\forkdefaultfindsetup\\Burngpl.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
"item"="igfxhkcmd"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
"item"="igfxpers"
"command"="C:\\WINDOWS\\system32\\igfxpers.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
"item"="igfxtray"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open download]
"item"="Open download"
"command"="C:\\DOCUME~1\\Elise\\APPLIC~1\\FLAGON~1\\BITS 16 FOR.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"item"="SunJavaUpdateSched"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"hkey"="HKLM"
"key"="Run"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{586977AF-031D-1033-0930-05050623003d}"="\"C:\\Program Files\\Common Files\\{586977AF-031D-1033-0930-05050623003d}\\Update.exe\" mc-110-12-0001232"
"{586977AF-06C0-1033-0930-05050623003d}"="\"C:\\Program Files\\Common Files\\{586977AF-06C0-1033-0930-05050623003d}\\Update.exe\" mc-110-12-0001232"
"{586977AF-06C1-1033-0930-05050623003d}"="\"C:\\Program Files\\Common Files\\{586977AF-06C1-1033-0930-05050623003d}\\Update.exe\" mc-110-12-0001232"
"{586977AF-031E-1033-0930-05050623003d}"="\"C:\\Program Files\\Common Files\\{586977AF-031E-1033-0930-05050623003d}\\Update.exe\" mc-110-12-0001232"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-26 at 09:41:03 -------------------------

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FindSetupLoveBase]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open download]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{586977AF-031D-1033-0930-05050623003d}"=-
"{586977AF-06C0-1033-0930-05050623003d}"=-
"{586977AF-06C1-1033-0930-05050623003d}"=-
"{586977AF-031E-1033-0930-05050623003d}"=-

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

• First close any other programs you have running as this will require a reboot
• Double click NoLop.exe to run it
  • Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here. Include the {}:
    
    {E26BA7DB-37EB-F685-B440-0265C6F43454}
• Now click the button labelled "Search and Destroy"
  <<your computer will now be scanned for infected files>>
• When scanning is finished you will be prompted to reboot only if infected, Click OK
• Now click the "REBOOT" Button.
• A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log at the end of this fix.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, it is J2SE Runtime Environment 5.0
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

• After the install is complete, go back into the Control Panel and double-click the Java Icon.
• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  • Downloaded Applets
  • Downloaded Applications
  • Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please run a new scan with HJT. Save the log and post it.


Post the requested logs, and let me know if you have any troubles with these instructions, and how your system is behaving, please. We'll likely have more work to do.

[missy_ellie]

so after i saved the registry file then tried to iport it. i got the message "Cannot import C:\Documents and Settings\Elise\My Documents\delete.reg: The specified file is not a registry script. You can only import birnary registry fileswithin the registry editor.

help please...

[tetonbob]

I have attached a file to this post - missyfix.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

let me know if there are any troubles with this, otherwise, continue with