Trojan.Vundo.DVS infection on Vista

BullGuard Antivirus Forum > Virus > Virus Questions > Trojan.Vundo.DVS infection on Vista

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

Bluemoon
New Member

Date Joined Apr 2008
Total Posts : 3

Posted 4-13-2008 10:36 (GMT +1)

i have been infected by Vundo and i have already tried Vundofix and Fixvundo but both havn't work as i am still getting a bar asking me to buy some spyware tool on my browser. i have found some files that were created by Vundo and deleted them but some problems are still there. Below is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:32:04, on 13/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\TDSupportApp\cdrom_mon.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ZTE Mobile Connection\Datacard.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\rundll32.exe
F:\Archive\HiJackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DVA Media - {3808C05F-CFB0-4C9B-858D-851CC3EBB3BC} - C:\Windows\temlxopqmlf.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\losbdsah.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DVA Media - {BA6BD7B1-990F-4D05-8D6C-9CBAFCB3C7ED} - C:\Windows\temlxopqpkd.dll
O2 - BHO: (no name) - {C36CD4C2-D443-41F1-95FA-F0065B7941D0} - C:\Windows\system32\sSMCUKbX.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {49D8D988-6D77-4E24-8A27-914FBCCC782F} - (no file)
O3 - Toolbar: (no name) - {273127BD-6681-45C8-A0FB-205BE4AEFBF8} - (no file)
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBtQihF.dll,#1
O4 - HKLM\..\Run: [2a7bdb1a] rundll32.exe "C:\Windows\system32\yujbjepw.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E302F157-A890-4B6F-A421-839D25055D6D} (NLSysInfo Control) - http://www.novalogic.com/pub/NLSysInfo.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB2CDC8A-229D-4FD8-98DC-37AFB739CFB4}: NameServer = 172.31.140.69 172.30.140.69
O21 - SSODL: qdnkewfa - {11DBA1BC-4E7B-4A1F-A6D3-E31DCF4B3A36} - C:\Windows\qdnkewfa.dll
O21 - SSODL: mgsvflkw - {BE5D7C3B-11E6-4779-995D-C917B9122C91} - C:\Windows\mgsvflkw.dll
O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\Windows\system32\TDSupportApp\cdrom_mon.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\Windows\system32\lxcfcoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\Windows\system32\pr2ah4nb.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\Windows\system32\pr2ah4nc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Slimcan
New Member

Date Joined Feb 2005
Total Posts : 10

Posted 4-13-2008 1:56 (GMT +1)

I picked up Trojan Vundo.dvs The computer was blinking badly when I got it. I restored the computer to the day before and it is working fine. It can not be this easy, the virus most still be in my computer.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13642

Posted 4-13-2008 3:25 (GMT +1)

Hello Bluemoon smile

Please download Combofix:

Http://download.bleepingcomputer.com/subs/combofix.exe

And save to the desktop.

Close all other browser windows.

Please connect your all your external hard drive/flash drive before running Combofix

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new hijackthis log.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer.. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Post Edited (Touch) : 13-04-2008 14:25:50 GMT

Bluemoon
New Member

Date Joined Apr 2008
Total Posts : 3

Posted 4-13-2008 4:41 (GMT +1)

Hi i have done what you said and below are the two log files
ComboFix 08-04-12.8 - Jordan 2008-04-13 16:16:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1309 [GMT 1:00]
Running from: C:\Users\Jordan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Users\Jordan\Desktopblackbird.jpg
C:\Users\Jordan\DesktopEditorFKWP1.5.exe
C:\Users\Jordan\DesktopEditorFKWP2.0.exe
C:\Users\Jordan\Desktopfilemanagerclient.exe
C:\Users\Jordan\Desktopfkwp1.5.exe
C:\Users\Jordan\Desktopfkwp2.0.exe
C:\Users\Jordan\Desktopfwebd.exe
C:\Users\Jordan\DesktopFWebdEditor.exe
C:\Users\Jordan\DesktopTrojan.Win32.BlackBird.exe
C:\Users\Jordan\Desktopvirii
C:\Windows\a.bat
C:\Windows\apoxqwfv.exe
C:\Windows\base64.tmp
C:\Windows\bdn.com
C:\Windows\FVProtect.exe
C:\Windows\iTunesMusic.exe
C:\Windows\mgsvflkw.dll
C:\Windows\mslagent
C:\Windows\mslagent\2_mslagent.dll
C:\Windows\mslagent\mslagent.exe
C:\Windows\mslagent\uninstall.exe
C:\Windows\mssecu.exe
C:\Windows\qdnkewfa.dll
C:\Windows\rs.txt
C:\Windows\system32\cbXQICst.dll
C:\Windows\system32\pmnkIBsp.dll
C:\Windows\system32\sSMCUKbX.dll
C:\Windows\system32\ssqOGxWm.dll
C:\Windows\System32\wpejbjuy.ini
C:\Windows\System32\XbKUCMSs.ini
C:\Windows\System32\XbKUCMSs.ini2
C:\Windows\system32\yujbjepw.dll
C:\Windows\system32akttzn.exe
C:\Windows\system32anticipator.dll
C:\Windows\system32awtoolb.dll
C:\Windows\system32bdn.com
C:\Windows\system32bsva-egihsg52.exe
C:\Windows\system32dpcproxy.exe
C:\Windows\system32emesx.dll
C:\Windows\system32h@tkeysh@@k.dll
C:\Windows\system32hoproxy.dll
C:\Windows\system32hxiwlgpm.dat
C:\Windows\system32hxiwlgpm.exe
C:\Windows\system32medup012.dll
C:\Windows\system32medup020.dll
C:\Windows\system32msgp.exe
C:\Windows\system32msnbho.dll
C:\Windows\system32mssecu.exe
C:\Windows\system32msvchost.exe
C:\Windows\system32mtr2.exe
C:\Windows\system32mwin32.exe
C:\Windows\system32netode.exe
C:\Windows\system32newsd32.exe
C:\Windows\system32ps1.exe
C:\Windows\system32psof1.exe
C:\Windows\system32psoft1.exe
C:\Windows\system32regc64.dll
C:\Windows\system32regm64.dll
C:\Windows\system32Rundl1.exe
C:\Windows\system32smp
C:\Windows\system32smp\msrc.exe
C:\Windows\system32sncntr.exe
C:\Windows\system32ssurf022.dll
C:\Windows\system32ssvchost.com
C:\Windows\system32ssvchost.exe
C:\Windows\system32sysreq.exe
C:\Windows\system32taack.dat
C:\Windows\system32taack.exe
C:\Windows\system32temp#01.exe
C:\Windows\system32thun.dll
C:\Windows\system32thun32.dll
C:\Windows\system32VBIEWER.OCX
C:\Windows\system32vbsys2.dll
C:\Windows\system32vcatchpi.dll
C:\Windows\system32winlogonpc.exe
C:\Windows\system32winsystem.exe
C:\Windows\system32WINWGPX.EXE
C:\Windows\userconfig9x.dll
C:\Windows\Web\def.htm
C:\Windows\winsystem.exe
C:\Windows\zip1.tmp
C:\Windows\zip2.tmp
C:\Windows\zip3.tmp
C:\Windows\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PortProxy

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 16:10 . 2008-04-13 16:10 53,312 --a------ C:\Windows\System32\icdkjabm.dll
2008-04-13 16:10 . 2008-04-13 16:10 3,648 --a------ C:\Windows\System32\lrjxxaot.dll
2008-04-13 16:08 . 2008-04-13 21:59 477 --a------ C:\ifexist.sed
2008-04-13 11:15 . 2008-04-13 11:16 250 --a------ C:\Windows\gmer.ini
2008-04-13 09:17 . 2008-04-13 09:17 53,312 --a------ C:\Windows\System32\losbdsah.dll
2008-04-13 09:17 . 2008-04-13 09:17 3,648 --a------ C:\Windows\System32\qkleyxge.dll
2008-04-13 09:16 . 2008-04-13 09:18 159,362 --ahs---- C:\Windows\System32\XbKUCMSstt.ini
2008-04-12 16:26 . 2008-04-12 16:26 <DIR> d-------- C:\Users\Jordan\AppData\Roaming\PC Tools
2008-04-12 16:26 . 2008-04-12 16:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-12 16:26 . 2005-09-23 07:29 626,688 --a------ C:\Windows\System32\msvcr80.dll
2008-04-12 16:26 . 2007-04-19 15:18 83,536 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-12 16:26 . 2007-04-19 15:18 59,984 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-12 16:26 . 2007-04-19 15:18 52,304 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-12 16:26 . 2007-04-19 15:18 39,248 --a------ C:\Windows\System32\drivers\ikfileflt.sys
2008-04-12 16:26 . 2007-04-19 15:18 26,064 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-12 15:54 . 2008-04-12 15:54 <DIR> d--h----- C:\Windows\PIF
2008-04-12 15:48 . 2008-04-12 15:48 3,648 --a------ C:\Windows\System32\mfhbyocw.dll
2008-04-12 15:47 . 2008-04-12 15:47 53,312 --a------ C:\Windows\System32\dpmegxsx.dll
2008-04-12 10:18 . 2008-04-12 10:18 <DIR> d-------- C:\Program Files\Sophos
2008-04-12 09:57 . 2008-04-12 09:57 53,312 --a------ C:\Windows\System32\vnjwfsjl.dll
2008-04-12 09:57 . 2008-04-12 09:57 3,648 --a------ C:\Windows\System32\ehiyxkci.dll
2008-04-12 09:56 . 2008-04-12 09:56 <DIR> d-------- C:\fsaua.data
2008-04-12 08:49 . 2008-04-12 08:49 <DIR> d-------- C:\perflogs
2008-04-12 08:26 . 2008-04-12 08:26 50,703 --a------ C:\Windows\System32\System32.7z
2008-04-11 22:56 . 2008-04-11 22:56 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-04-11 22:11 . 2008-04-12 15:57 <DIR> d-------- C:\VundoFix Backups
2008-04-11 21:58 . 2008-04-11 21:58 53,312 --a------ C:\Windows\System32\pqqgicyc.dll
2008-04-11 21:44 . 2008-04-11 21:44 53,312 --a------ C:\Windows\System32\ronmfpbt.dll
2008-04-11 21:44 . 2008-04-11 21:44 3,648 --a------ C:\Windows\System32\fpbcchny.dll
2008-04-10 20:32 . 2008-04-10 12:43 212,992 --a------ C:\Windows\temlxopqpkd.dll
2008-04-10 20:32 . 2008-04-09 18:49 212,992 --a------ C:\Windows\temlxopqmlf.dll
2008-04-09 17:47 . 2008-04-09 17:47 <DIR> d-------- C:\Program Files\Disc2Phone
2008-04-09 17:44 . 2008-04-09 17:44 <DIR> d-------- C:\Windows\System32\URTTEMP
2008-04-07 17:01 . 2008-04-07 17:01 <DIR> d-------- C:\NVIDIA
2008-04-07 11:10 . 2008-04-07 11:10 <DIR> d-------- C:\Users\All Users\The Filter
2008-04-07 11:10 . 2008-04-07 11:10 <DIR> d-------- C:\ProgramData\The Filter
2008-04-06 20:17 . 2008-04-06 20:17 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-04-06 20:15 . 2008-04-06 20:16 <DIR> d-------- C:\Users\All Users\RapidSolution
2008-04-06 20:15 . 2008-04-06 20:16 <DIR> d-------- C:\ProgramData\RapidSolution
2008-04-06 20:15 . 2008-04-06 20:15 <DIR> d-------- C:\Program Files\RapidSolution
2008-04-06 11:11 . 2008-04-06 11:11 <DIR> d-------- C:\Program Files\CineGobs
2008-04-05 20:43 . 2008-04-08 20:40 <DIR> d-------- C:\Program Files\PoolStars
2008-04-04 20:28 . 2008-04-04 20:28 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-04-04 20:25 . 2008-04-04 20:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-04-04 12:14 . 2008-04-04 12:14 <DIR> d-------- C:\Program Files\Voxware Audio decoder
2008-03-29 22:51 . 2008-03-29 22:54 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-28 21:18 . 2008-03-28 21:37 <DIR> d-------- C:\Program Files\Prey
2008-03-25 17:39 . 2008-03-25 17:39 <DIR> d-------- C:\Program Files\Eidos
2008-03-25 15:49 . 2008-03-25 15:49 <DIR> d-------- C:\Program Files\Codemasters
2008-03-24 12:28 . 2008-03-24 12:28 <DIR> d-------- C:\Users\Jordan\{e46660c8-0357-452d-939b-75de2120a96a}
2008-03-24 12:21 . 2008-03-24 12:21 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-03-24 12:21 . 2008-03-24 12:21 <DIR> d-------- C:\ProgramData\BVRP Software
2008-03-24 12:10 . 2008-03-24 12:10 <DIR> d-------- C:\Users\All Users\Sony Ericsson
2008-03-24 12:10 . 2008-03-24 12:10 <DIR> d-------- C:\ProgramData\Sony Ericsson
2008-03-24 12:10 . 2008-03-24 12:10 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-24 11:53 . 2008-03-24 12:26 <DIR> d-------- C:\Users\Jordan\AppData\Roaming\MyPhoneExplorer
2008-03-24 11:53 . 2008-03-24 11:53 <DIR> d-------- C:\Program Files\MyPhoneExplorer
2008-03-20 17:46 . 2008-03-20 17:46 1,158 --a------ C:\Windows\mozver.dat
2008-03-20 13:26 . 2008-03-20 13:26 38 --a------ C:\Windows\webica.ini
2008-03-19 22:28 . 2008-03-19 22:42 <DIR> d-------- C:\gmax
2008-03-19 21:16 . 2008-03-19 21:16 14,152 --a------ C:\Windows\System32\lccl.dll
2008-03-19 21:16 . 2008-03-19 21:16 14,152 --a------ C:\Windows\System32\client_cc.dll
2008-03-18 18:54 . 2008-03-20 13:28 <DIR> d-------- C:\Users\Jordan\AppData\Roaming\ICAClient
2008-03-18 18:51 . 2008-03-18 18:51 <DIR> d-------- C:\Windows\System32\Resource
2008-03-18 18:51 . 2008-03-18 18:51 <DIR> d-------- C:\Program Files\Citrix
2008-03-18 18:49 . 2005-08-02 16:20 1,171 --a------ C:\Selby College CA.crt
2008-03-17 21:34 . 2008-03-17 21:34 664 --a------ C:\Windows\System32\dfrgui - Shortcut.lnk
2008-03-16 10:14 . 2008-03-17 21:23 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-15 09:40 . 2008-03-15 09:40 <DIR> d-------- C:\Users\Jordan\AppData\Roaming\GlarySoft
2008-03-15 09:17 . 2007-12-16 23:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-03-15 09:17 . 2007-12-16 10:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-03-14 21:25 . 2008-04-04 10:42 <DIR> d-------- C:\Users\Jordan\AppData\Roaming\OpenOffice.org2
2008-03-14 21:22 . 2008-03-14 21:22 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:14 --------- d-----w C:\Program Files\ZTE Mobile Connection
2008-04-13 15:11 --------- d-----w C:\ProgramData\BullGuard
2008-04-11 13:50 --------- d-----w C:\Users\Jordan\AppData\Roaming\SiteAdvisor
2008-04-07 20:47 --------- d-----w C:\Users\Jordan\AppData\Roaming\teamspeak2
2008-04-07 20:47 --------- d-----w C:\ProgramData\FLEXnet
2008-04-07 16:09 --------- d-----w C:\ProgramData\NVIDIA
2008-04-04 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 07:59 --------- d-----w C:\Program Files\Lx_cats
2008-03-31 16:58 --------- d---a-w C:\ProgramData\TEMP
2008-03-29 16:23 --------- d-----w C:\Program Files\Atari
2008-03-14 20:21 --------- d-----w C:\Program Files\Java
2008-03-13 20:10 --------- d-----w C:\Program Files\SiteAdvisor
2008-03-13 11:31 666 ----a-w C:\Users\Jordan\AppData\Roaming\wklnhst.dat
2008-03-12 21:36 --------- d-----w C:\ProgramData\TrackMania United
2008-03-12 21:04 --------- d-----w C:\Program Files\DDS Converter 2
2008-03-12 08:39 --------- d-----w C:\Program Files\QuickTime
2008-03-11 20:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 20:14 --------- d-----w C:\Program Files\Bonjour
2008-03-11 20:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-10 13:22 --------- d-----w C:\Users\Jordan\AppData\Roaming\MAGIX
2008-03-10 13:20 --------- d-----w C:\ProgramData\MAGIX
2008-03-10 13:20 --------- d-----w C:\Program Files\MAGIX
2008-03-10 13:17 --------- d-----w C:\Program Files\MyRealGames.com
2008-03-09 20:12 --------- d-----w C:\Program Files\Selectsoft
2008-03-09 20:02 --------- d-----w C:\Program Files\BiP media
2008-03-09 16:21 --------- d-----w C:\Program Files\Google
2008-03-08 17:16 --------- d-----w C:\ProgramData\Media Center Programs
2008-03-08 17:03 --------- d-----w C:\Program Files\THQ
2008-03-08 17:00 --------- d-----w C:\Users\Jordan\AppData\Roaming\InstallShield
2008-03-08 10:00 --------- d-----w C:\ProgramData\Trymedia
2008-03-06 21:56 --------- d-----w C:\Program Files\HD Tune
2008-03-06 15:22 --------- d-----w C:\Program Files\Disk Space Visualizer
2008-03-06 15:11 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-05 15:00 --------- d-----w C:\Program Files\CCleaner
2008-03-04 22:14 --------- d-----w C:\ProgramData\SiteAdvisor
2008-03-04 22:14 --------- d-----w C:\ProgramData\McAfee
2008-03-04 22:01 --------- d-----w C:\ProgramData\PCPitstop
2008-03-04 17:30 --------- d-----w C:\Program Files\Lighthouse Interactive
2008-03-04 03:52 47,616 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-03-02 10:49 --------- d-----w C:\Program Files\Lexmark 730 Series
2008-02-29 10:12 --------- d-----w C:\Program Files\Enterbrain
2008-02-27 15:12 --------- d-----w C:\Program Files\WarRock
2008-02-26 12:47 --------- d-----w C:\Users\Jordan\AppData\Roaming\Nero
2008-02-22 20:29 --------- d-----w C:\Program Files\Process Lasso
2008-02-22 14:47 --------- d-----w C:\Users\Jordan\AppData\Roaming\Ahead
2008-02-22 10:20 --------- d-----w C:\Users\Jordan\AppData\Roaming\Thunderbird
2008-02-22 10:20 --------- d-----w C:\Users\Jordan\AppData\Roaming\Talkback
2008-02-21 17:35 --------- d-----w C:\Users\Jordan\AppData\Roaming\PeerNetworking
2008-02-21 17:03 --------- d-----w C:\Users\Jordan\AppData\Roaming\Steganos
2008-02-21 12:40 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-21 12:39 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-21 12:36 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-02-20 22:08 --------- d-----w C:\Program Files\Cryptainer LE
2008-02-19 20:21 --------- d-----w C:\Program Files\Paint.NET
2008-02-18 17:24 --------- d-----w C:\Program Files\TrackMania United
2008-02-17 15:39 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-02-16 22:59 --------- d-----w C:\Program Files\MSN Messenger
2008-02-16 21:16 --------- d-----w C:\Program Files\Common Files\Java
2008-02-15 20:55 --------- d-----w C:\ProgramData\SimCity Societies
2008-02-15 20:40 --------- d-----w C:\Program Files\Electronic Arts
2008-02-15 20:25 --------- d-----w C:\Program Files\7-Zip
2008-02-15 17:21 --------- d-----w C:\Users\Jordan\AppData\Roaming\BullGuard
2008-02-15 16:24 --------- d---a-w C:\Program Files\GoogleEULA
2008-02-15 10:33 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-02-15 10:33 22,328 ----a-w C:\Users\Jordan\AppData\Roaming\PnkBstrK.sys
2008-02-15 08:59 --------- d-----w C:\Users\Jordan\AppData\Roaming\Template
2008-02-14 20:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-14 14:17 --------- d-----w C:\Users\Jordan\AppData\Roaming\DNA
2008-02-14 14:09 --------- d-----w C:\ProgramData\Diskeeper Corporation
2008-02-14 14:09 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-14 11:15 --------- d-----w C:\Users\Jordan\AppData\Roaming\Atari
2008-02-14 11:03 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-02-14 10:11 --------- d-----w C:\Users\Jordan\AppData\Roaming\Leadertech
2008-02-14 10:09 --------- d-----w C:\Program Files\NovaLogic
2008-02-14 10:04 50,896 ----a-w C:\Windows\system32\drivers\BdFileSpy.sys
2008-02-14 10:01 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 10:00 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-14 10:00 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-14 10:00 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-14 10:00 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-14 10:00 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-14 10:00 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-14 10:00 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-14 10:00 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-14 09:59 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 09:59 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 09:59 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 09:59 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 09:59 110,136 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 09:58 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 09:58 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 09:58 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 09:58 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 09:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 09:58 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3808C05F-CFB0-4C9B-858D-851CC3EBB3BC}]
2008-04-09 18:49 212992 --a------ C:\Windows\temlxopqmlf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-13 16:10 53312 --a------ C:\Windows\system32\icdkjabm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA6BD7B1-990F-4D05-8D6C-9CBAFCB3C7ED}]
2008-04-10 12:43 212992 --a------ C:\Windows\temlxopqpkd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 11:18 1232896]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe" [2008-02-14 11:03 308552]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-02-14 11:03 308552]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 4706304 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-14 04:28 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"LXCFCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 18:47 73728]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 19:05 36640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"toolbar_eula_launcher"=C:\Program Files\GoogleEULA\EULALauncher.exe
"NvMediaCenter"=RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E593E5BC-0F3E-4951-88C5-B288622C77A9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A684C2DB-B616-452F-BE30-BCC473285C57}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{304A3346-B1DC-405C-B759-8EECA3E7BCDD}"= C:\Program Files\HomeCinema\MakeDisc\MakeDisc.exe:CyberLink MakeDisc
"{8D98FB9A-6A5C-4F89-BDF2-12835F418180}"= C:\Program Files\HomeCinema\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{3A57E476-38E9-4BD4-B39B-20BD89DF2C3D}"= C:\Program Files\HomeCinema\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{CCD289E3-4ECB-471B-86C6-EAD4940E0AE4}"= UDP:C:\Program Files\AOL\RC\regClient.exe:AOL
"{B35C1E7E-F096-4634-9A5D-748DA215A6FA}"= TCP:C:\Program Files\AOL\RC\regClient.exe:AOL
"TCP Query User{100D6384-65A8-43FA-9C2F-76E06737F800}C:\\program files\\novalogic\\joint operations typhoon rising\\jointops.exe"= UDP:C:\program files\novalogic\joint operations typhoon rising\jointops.exe:Jointops
"UDP Query User{995016AB-FF3D-443F-AD89-283DE05C7F35}C:\\program files\\novalogic\\joint operations typhoon rising\\jointops.exe"= TCP:C:\program files\novalogic\joint operations typhoon rising\jointops.exe:Jointops
"{3C060595-0018-4375-8135-EB1AC6C7E971}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{28BB4BF8-60E6-49E4-9140-61815D9AC993}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{0FDCF725-900F-4210-B538-296E08C57131}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{E9CB3DDB-4D9B-4A49-A3B4-1F9B3CCB377F}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{E24C5592-6E32-4C6E-AC61-2B393B01384E}C:\\ut2004\\system\\ut2004.exe"= UDP:C:\ut2004\system\ut2004.exe:UT2004
"UDP Query User{8BE313AA-5DB6-4DD9-9EE0-D253BCD9A000}C:\\ut2004\\system\\ut2004.exe"= TCP:C:\ut2004\system\ut2004.exe:UT2004
"TCP Query User{6CF61413-6DF6-414C-B229-6A985A76F9C6}C:\\program files\\thq\\motogp urt 3\\motogp.exe"= UDP:C:\program files\thq\motogp urt 3\motogp.exe:motogp
"UDP Query User{30EFF68B-0DAF-4D6C-8B23-4EC47303134E}C:\\program files\\thq\\motogp urt 3\\motogp.exe"= TCP:C:\program files\thq\motogp urt 3\motogp.exe:motogp
"TCP Query User{C4932191-27A5-4718-9998-F81FCE92132F}C:\\users\\jordan\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\ag63xns2\\novapinger.exe"= UDP:C:\users\jordan\appdata\local\microsoft\windows\temporary internet files\content.ie5\ag63xns2\novapinger.exe:novapinger.exe
"UDP Query User{570B43C8-B33B-489B-89FE-744105668070}C:\\users\\jordan\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\ag63xns2\\novapinger.exe"= TCP:C:\users\jordan\appdata\local\microsoft\windows\temporary internet files\content.ie5\ag63xns2\novapinger.exe:novapinger.exe
"{BCF943BF-15B0-4744-90D1-EF023563C24F}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{AFC12785-1AD6-4E18-BB36-7AA840DB43B0}C:\\program files\\trackmania united\\tmunited.exe"= UDP:C:\program files\trackmania united\tmunited.exe:TmUnited
"UDP Query User{09171774-B345-411D-B018-81230D5B6106}C:\\program files\\trackmania united\\tmunited.exe"= TCP:C:\program files\trackmania united\tmunited.exe:TmUnited
"TCP Query User{15501F7D-2DBB-44E5-B4AD-EB3A135F3257}C:\\gtl\\gtl.exe"= UDP:C:\gtl\gtl.exe:GT Legends
"UDP Query User{E795CBEA-FF21-4226-9ED2-BCA52A16059C}C:\\gtl\\gtl.exe"= TCP:C:\gtl\gtl.exe:GT Legends
"TCP Query User{D62716A8-0009-4479-8466-369F7B62107F}C:\\gtr\\gtr.exe"= UDP:C:\gtr\gtr.exe:GTR - FIA GT Racing Game
"UDP Query User{520B6CED-A7F1-4346-8FED-95EF10462CF1}C:\\gtr\\gtr.exe"= TCP:C:\gtr\gtr.exe:GTR - FIA GT Racing Game
"{69BBAED3-7E9B-4737-A97B-7FDB7D7DA67D}"= UDP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{DC273F9C-EC05-4C47-AFA1-560A04E78C46}"= TCP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{044AE0F3-CC8D-41C4-8DAE-DC885E7E1056}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{798B1C2E-C003-4473-B990-6799186D1045}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"TCP Query User{559967F5-8075-476A-A1FD-C313B367BAC1}F:\\archive\\novapinger.exe"= UDP:F:\archive\novapinger.exe:novapinger
"UDP Query User{607551D5-48C0-4BA5-A5FF-1F42BB74A877}F:\\archive\\novapinger.exe"= TCP:F:\archive\novapinger.exe:novapinger
"TCP Query User{04B75E83-3620-4BA8-8F64-50EA16EF6074}C:\\program files\\codemasters\\dirt\\dirt.exe"= UDP:C:\program files\codemasters\dirt\dirt.exe:DiRT Executable
"UDP Query User{4DF39982-F326-46F0-8384-6620E082D7DA}C:\\program files\\codemasters\\dirt\\dirt.exe"= TCP:C:\program files\codemasters\dirt\dirt.exe:DiRT Executable

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);C:\Windows\system32\drivers\pe3ah4nb.sys [2007-06-17 21:45]
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\Windows\system32\drivers\pe3ah4nc.sys [2007-05-18 20:53]
R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);C:\Windows\system32\drivers\ps6ah4nb.sys [2007-06-17 21:45]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\Windows\system32\drivers\ps6ah4nc.sys [2007-05-18 20:52]
R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];C:\Windows\system32\drivers\Sleen16.sys [2007-10-11 12:24]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;C:\Windows\system32\TDSupportApp\cdrom_mon.exe [2007-10-06 15:56]
R2 BdFileSpy;BullGuard File Monitor Driver;C:\Windows\system32\drivers\BdFileSpy.sys [2008-02-14 11:04]
R2 BsFileScan;BullGuard File Scan Service;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 ssoftnt4;ssoftnt4;C:\Windows\system32\Drivers\ssoftnt4.sys [2003-03-14 01:13]
R3 3xHybrid;Philips SAA713x PCI Card;C:\Windows\system32\DRIVERS\3xHybrid.sys [2007-08-22 12:01]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr28u.sys [2007-09-21 11:38]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-07-07 15:13]
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2007-05-16 12:07]
R3 X10Hid;X10 Hid Device;C:\Windows\system32\Drivers\x10hid.sys [2006-11-17 11:31]
R3 ZTEusbmdm6k;ZTE Proprietary USB Driver;C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys [2007-10-12 10:03]
R3 ZTEusbnmea;ZTE NMEA Port;C:\Windows\system32\DRIVERS\ZTEusbnmea.sys [2007-10-12 10:03]
R3 ZTEusbser6k;ZTE Diagnostic Port;C:\Windows\system32\DRIVERS\ZTEusbser6k.sys [2007-10-12 10:03]
S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\Windows\system32\pr2ah4nb.exe svc []
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\Windows\system32\pr2ah4nc.exe svc []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 04:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\browser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81454290-dae0-11dc-84fc-0015af5d8a40}]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8145538f-dae0-11dc-84fc-001d9260e95b}]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaa97eff-de34-11dc-85a2-001d9260e95b}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaa97f0b-de34-11dc-85a2-001d9260e95b}]
\shell\AutoRun\command - J:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 16:20:51
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Common Files\X10\Common\X10nets.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehrecvr.exe
.
**************************************************************************
.
Completion time: 2008-04-13 16:23:44 - machine was rebooted [Jordan]
ComboFix-quarantined-files.txt 2008-04-13 15:23:34
Pre-Run: 416,209,809,408 bytes free
Post-Run: 416,803,516,416 bytes free

Now the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:25, on 13/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wuauclt.exe
F:\Archive\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DVA Media - {3808C05F-CFB0-4C9B-858D-851CC3EBB3BC} - C:\Windows\temlxopqmlf.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\icdkjabm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DVA Media - {BA6BD7B1-990F-4D05-8D6C-9CBAFCB3C7ED} - C:\Windows\temlxopqpkd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {49D8D988-6D77-4E24-8A27-914FBCCC782F} - (no file)
O3 - Toolbar: (no name) - {273127BD-6681-45C8-A0FB-205BE4AEFBF8} - (no file)
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E302F157-A890-4B6F-A421-839D25055D6D} (NLSysInfo Control) - http://www.novalogic.com/pub/NLSysInfo.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\Windows\system32\TDSupportApp\cdrom_mon.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\Windows\system32\lxcfcoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\Windows\system32\pr2ah4nb.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\Windows\system32\pr2ah4nc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7458 bytes

.
2008-04-11 12:59:15 --- E O F ---

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13642

Posted 4-13-2008 4:56 (GMT +1)

You have a large number of infections, I´ll therefore suggest You run the below scantools -

Please download Free Version of Superantispyware

http://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.

close the program

Please download ATF Cleaner:

http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only

Download DrWebCureit:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

to your desktop.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot to Safe mode

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP) only.
Java Cache

Recycle Bin

NB. It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Please connect your all your external hard drive/flash drive before running drweb

Doubleclick the "drweb-cureit.exe" and click "Start" in the prompt window that will open , asking "start the express scan now".

It will first make a quick scan of your system, let it clean what it find, and when it says "done"

Click on the Options->Change settings.

Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select –Rename

Click – Apply - OK

Click on Scan Tab. Move dot from Express scan to Complete Scan. Click on The Green arrow to the right. It will now scan your drive(s), say yes to all

After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

Start Superantispyware.

Hit - Scan Your Computer - button

Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next,

it will scan now. When scan have finished, put a checkmark with all items it found. Next, after cleaning, allow it to Reboot

Start Superantispyware again –

Click Preferences and then click the statistics/logs tab.

Click the dated log and press view log and a text file will appear.

Post this log along with fresh combofix log, Dr.Web log.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Bluemoon
New Member

Date Joined Apr 2008
Total Posts : 3

Posted 4-13-2008 5:21 (GMT +1)

i don't think i can do what u said as i am running Vista and you said in the above post that one of the tools only works on me an XP what should i do?

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13642

Posted 4-13-2008 5:56 (GMT +1)

My bad, sorry. Continue without ATF - cleaner

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Forum Information

Currently it is Saturday, November 22, 2008 2:49 PM (GMT +1)
There are a total of 64.052 posts in 15.836 threads.
In the last 3 days there were 26 new threads and 157 reply posts. View Active Threads