Thread ID: 90225 2008-05-27 06:11:00 HijackThis log analysis Renmoo (66) Press F1
Post ID Timestamp Content User
673085 2008-05-27 06:11:00 Dear Speedy, it would be great if you can analyze mine to find out what's wrong with my laptop. It was hit with a virus this morning, and I have been spending the whole day trying to get it fixed. I suspect yayvSjkL.dll is causing the trouble, but entering safe mode to remove it via HijackThis doesn't delete it (i.e. it is recurring).

Thanks! :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:20 p.m., on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
D:\Program Backup\FreeRAM XP Pro 1.40.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_5.18_windows_intelx86
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_5.18_windows_intelx86
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Backup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Web%20Sites/PersonalHomepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.ec.auckland.ac.nz:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Backup\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YahooWidget] "C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - Startup: TransBar.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: RocketDock.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - www.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - messenger.zone.msn.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe

--
End of file - 12150 bytes
Renmoo (66)
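Added example, not code from the thread or from the HijackThis project: a small Python triage script run over lines copied from the log above. It parses the O2, O4, O20 and O23 entries and applies the checks a log helper applies by eye: a BHO registered with no name, an orphaned CLSID with no file, a Winlogon Notify package, a non-empty AppInit_DLLs value, a Run entry that points at a script, and the same file reached through more than one autostart mechanism. The reason wording and the choice of checks are this example's own assumptions, not HijackThis output.

```python
"""Triage heuristics for HijackThis log entries (added example, constructed sample input)."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


def command_path(cmd):
    """Return just the executable from an O4-style command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cmd|bat|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Parse O2/O4/O20/O23 lines into dicts: code, hook (persistence mechanism), name, path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        e = {"code": code, "hook": None, "name": None, "path": None, "raw": line.strip()}
        if code == "O2":                      # BHO: <name> - {CLSID} - <path | (no file)>
            name, clsid, path = body[len("BHO: "):].split(" - ", 2)
            e.update(hook="BHO", name=name, clsid=clsid, path=path)
        elif code == "O4":                    # <hive>\..\Run: [<value name>] <command>
            m4 = O4_RE.match(body)
            if m4:
                e.update(hook="Run:" + m4.group(1), name=m4.group(2), path=command_path(m4.group(3)))
        elif code == "O20":                   # AppInit_DLLs: <path>  |  Winlogon Notify: <key> - <path>
            kind, _, rest = body.partition(": ")
            if kind == "Winlogon Notify":
                name, _, path = rest.partition(" - ")
                e.update(hook="WinlogonNotify", name=name, path=path)
            else:
                e.update(hook=kind, name=kind, path=rest)
        elif code == "O23":                   # Service: <display name> - <company> - <path>
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                e.update(hook="Service", name=parts[0], path=parts[2])
        if e["hook"]:
            entries.append(e)
    return entries


def triage(text):
    """Return {lower-cased path (or raw line for orphans): [reasons]} for entries worth a look."""
    entries = parse_hjt(text)
    hooks_by_file = defaultdict(set)
    findings = defaultdict(list)
    for e in entries:
        if e["path"] == "(no file)":
            findings[e["raw"]].append("orphaned entry: CLSID registered but the file is gone (tidy up)")
            continue
        key = e["path"].lower()               # SYSTEM32 and system32 are the same directory
        hooks_by_file[key].add(e["hook"])
        if e["hook"] == "BHO" and e["name"] == "(no name)":
            findings[key].append("BHO registered without a name; legitimate vendors almost always set one")
        if e["hook"] == "WinlogonNotify":
            findings[key].append("Winlogon Notify package: loaded by winlogon.exe at logon, before any user tool runs")
        if e["hook"] == "AppInit_DLLs":
            findings[key].append("AppInit_DLLs: injected into every process that loads user32.dll; confirm the vendor")
        if e["hook"].startswith("Run:") and key.endswith((".cmd", ".bat", ".vbs")):
            findings[key].append("Run entry points at a script outside a program directory: read it")
    for key, hooks in hooks_by_file.items():
        if len(hooks) >= 2:                   # one hook can re-register the others after a partial removal
            findings[key].append("same file hooked via %d mechanisms (%s): redundant persistence"
                                 % (len(hooks), ", ".join(sorted(hooks))))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_HJT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample the script reports yayvSjkL.dll three times (unnamed BHO, Winlogon Notify, two hooks on one file). That combination fits the symptom the poster describes: a Notify package is loaded by winlogon.exe at logon, so the DLL is already in use when a removal tool starts, and whichever hook survives can put the other back.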
673086 2008-05-27 07:46:00 I guess you mean this one. Can you delete it by going into C:\WINDOWS\system32 and deleting the folder?

What about running Trojan Remover and Rogue Remover from Speedy's sig?


What do all these extra buttons do? (I'm hoping Speedy or Wainui can tell me, thanks.)
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Are you running Avast and AVG at the same time as you should only run one antivirus software at any one time?

:2cents:
gary67 (56)
673087 2008-05-27 08:17:00 Hey Gary. I have tried out both RogueRemover and TrojanRemover (with the latest respective updates, of course), but both reported the system is clean.

As I said, this entry is probably the source of the woes I am facing now:
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll

I have tried deleting it via Command Prompt, but to no avail. That file tries to add itself to the startup entry every 5 seconds, but its attempt has been blocked by TeaTimer so far (SDHelper.dll, I guess?).

Cheers :)
Renmoo (66)
673088 2008-05-27 08:20:00 You might need Pancake then if Speedy can't help.
gary67 (56)
673089 2008-05-27 08:24:00 I have tried deleting it via Command Prompt, but to no avail. That file tries to add itself to the startup entry every 5 seconds, but its attempt has been blocked by TeaTimer so far (SDHelper.dll, I guess?).

Have you tried slaving the HD and deleting the dll from the 'other side'?

Just an idea :D
jwil1 (65)
673090 2008-05-27 08:27:00 You might need Pancake then if Speedy can't help
Bollocks! How would eating pancakes help? :p

Windows Defender and AVG AntiSpyware reported nothing serious either.

I will take a look at Pancake's signature now. :)
Renmoo (66)
673091 2008-05-27 08:50:00 Bollocks! How would eating pancakes help? :p

:)

No worries, I'm not offended. Off to eat some yummy pancakes now with lemon juice and golden syrup (not the Chelsea one, the real stuff, Lyle's from England).
gary67 (56)
673092 2008-05-27 08:54:00 Run HJT again, tick these, then tick Fix checked.

Close browsers.

O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

What's this do?

O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Do you need this? How much RAM is installed?

O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Backup\FreeRAM XP Pro 1.40.exe" -win

O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll

Uninstall all versions of Java; yours is out of date.

If yayvSjkL.dll won't go away, disable System Restore and delete it in safe mode.
Speedy Gonzales (78)
673093 2008-05-27 09:30:00 For Pancake:

ComboFix 08-05-26.2 - Username 2008-05-27 20:36:40.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1212 [GMT 12:00]
Running from: D:\Program Backup\ComboFix.exe
Command switches used :: D:\Program Backup\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 19:23 . 2008-05-27 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 19:22 . 2008-05-27 19:22 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-27 19:22 . 2008-05-27 19:22 <DIR> d-------- C:\Documents and Settings\Username\Application Data\Simply Super Software
2008-05-27 19:22 . 2008-05-27 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-27 19:22 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-27 19:22 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-27 19:22 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-27 19:22 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-27 19:22 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-27 19:20 . 2008-05-27 19:20 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-27 10:57 . 2008-05-27 10:57 57,856 --a------ C:\WINDOWS\system32\yayvSjkL.dll
2008-05-27 10:51 . 2008-05-27 10:51 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-05-27 10:51 . 2008-05-27 10:51 17,755 --a------ C:\WINDOWS\War3Unin.dat
2008-05-27 10:51 . 2008-05-27 10:51 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-05-27 02:17 . 2008-05-27 02:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-22 11:41 . 2008-05-22 11:41 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2008-05-09 00:43 . 2008-05-09 00:43 <DIR> d-------- C:\Documents and Settings\Username\Application Data\Bullzip
2008-05-09 00:42 . 2008-04-22 08:19 187,392 --a------ C:\WINDOWS\system32\bzpdf.dll
2008-05-09 00:42 . 2008-04-02 08:13 147,456 --a------ C:\WINDOWS\system32\bzpdfc.dll
2008-05-09 00:42 . 2005-09-08 01:03 86,728 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-05-09 00:41 . 2008-05-09 00:42 <DIR> d-------- C:\Program Files\Bullzip
2008-05-08 23:23 . 2008-05-08 23:23 <DIR> d-------- C:\Documents and Settings\Username\Application Data\pdf995
2008-05-08 23:23 . 2008-05-08 23:23 28 --a------ C:\WINDOWS\pdf995.ini
2008-05-08 23:20 . 2008-05-08 23:20 <DIR> d-------- C:\Program Files\pdf995
2008-05-08 23:20 . 2008-05-08 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-05-08 23:20 . 2008-05-08 23:20 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-05-08 23:20 . 2008-05-08 23:20 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-05-08 23:20 . 2008-05-08 23:23 59 --a------ C:\WINDOWS\wpd99.drv
2008-05-08 19:28 . 2008-05-08 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-08 18:11 . 2008-05-08 18:11 <DIR> d--hs---- C:\FOUND.001
2008-04-28 23:54 . 2008-05-12 02:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 23:54 . 2008-04-28 23:54 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 23:14 --------- d-----w C:\Program Files\StuffPlug3
2008-04-21 23:01 --------- d-----w C:\Program Files\Windows Live
2008-04-21 23:01 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-20 00:12 --------- d-----w C:\Program Files\Desktop Sidebar
2008-04-20 00:12 --------- d-----w C:\Documents and Settings\Username\Application Data\Desktop Sidebar
2008-04-20 00:00 --------- d-----w C:\Program Files\Thoosje Sidebar V2.3
2008-04-19 23:56 --------- d-----w C:\Program Files\Sidebar
2008-04-16 22:21 --------- d-----w C:\Program Files\Windows Live(3)
2008-04-16 22:13 --------- d-----w C:\Program Files\StuffPlug3(2)
2008-04-16 22:13 --------- d-----w C:\Program Files\Messenger Plus! Live(2)
2008-04-16 22:10 --------- d-----w C:\Program Files\Windows Live(2)
2008-04-10 09:19 --------- d-----w C:\Program Files\FDRLab
2008-04-10 09:19 --------- d-----w C:\Documents and Settings\Username\Application Data\FDRLab
2008-04-06 04:23 5,650,432 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-03-30 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-30 00:00 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-30 00:00 --------- d-----w C:\Documents and Settings\Username\Application Data\SystemRequirementsLab
2008-03-29 23:08 --------- d-----w C:\Program Files\TortoiseSVN
2008-03-28 09:30 --------- d-----w C:\Documents and Settings\Username\Application Data\vlc
2008-03-28 08:54 --------- d-----w C:\Program Files\VideoLAN
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-27 06:55 --------- d-----w C:\Documents and Settings\Username\Application Data\QuakeWorld Team Fortress
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 10:20 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-15 10:20 286,720 ------w C:\WINDOWS\Setup1.exe
2008-03-05 04:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 04:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 04:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 03:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 03:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-03 07:53 78,336 ------w C:\WINDOWS\system32\ieencode.dll
2008-03-03 07:53 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
2008-03-03 07:52 70,656 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-03 07:52 599,552 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-03-03 07:52 41,984 ------w C:\WINDOWS\system32\licmgr10.dll
2008-03-03 07:52 41,984 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
2008-03-03 07:52 349,184 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2008-03-03 07:52 224,768 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2008-03-03 07:52 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2008-03-03 07:52 17,920 ------w C:\WINDOWS\system32\dllcache\corpol.dll
2008-03-03 07:52 17,920 ------w C:\WINDOWS\system32\corpol.dll
2008-03-03 07:52 116,224 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2008-03-03 07:52 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2008-03-03 07:51 94,208 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2008-03-03 07:51 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-03-03 07:51 69,120 ------w C:\WINDOWS\system32\iesetup.dll
2008-03-03 07:51 69,120 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
2008-03-03 07:51 69,120 ------w C:\WINDOWS\system32\dllcache\admparse.dll
2008-03-03 07:51 69,120 ------w C:\WINDOWS\system32\admparse.dll
2008-03-03 07:51 557,056 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-03-03 07:51 44,032 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2008-03-03 07:51 149,504 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-03 07:51 126,464 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2008-03-03 07:51 119,808 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2008-03-03 07:50 60,928 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-03 07:50 48,128 ------w C:\WINDOWS\system32\mshtmler.dll
2008-03-03 07:50 48,128 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
2008-03-03 07:50 45,568 ------w C:\WINDOWS\system32\mshta.exe
2008-03-03 07:50 45,568 ------w C:\WINDOWS\system32\dllcache\mshta.exe
2008-03-03 07:50 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-03-03 07:50 36,352 ------w C:\WINDOWS\system32\imgutil.dll
2008-03-03 07:50 36,352 ------w C:\WINDOWS\system32\dllcache\imgutil.dll
2008-03-03 07:50 345,600 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-03-03 07:50 268,800 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-03 07:50 212,992 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-03-03 07:46 68,096 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
2008-03-03 07:34 440,832 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 13:06 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-03-01 01:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-10-02 14:43 2,402,550 ----a-w C:\WINDOWS\inf\SET4D.tmp
.

------- Sigcheck -------

2007-06-13 23:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 23:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-14 00:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 20:00 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54018E98-10E3-46C6-9673-2999253F9C65}]
2008-05-27 10:57 57856 --a------ C:\WINDOWS\system32\yayvSjkL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Free Uploader Oe Integration"="C:\Program Files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 18:02 40960]
"FreeRAM XP"="D:\Program Backup\FreeRAM XP Pro 1.40.exe" [2003-11-30 23:13 1354240]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-02-10 13:56 5724184]
"YahooWidget"="C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe" [2007-11-21 08:14 3730472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SIDEBAR"="C:\Program Files\Desktop Sidebar\dsidebar.exe" [2006-07-09 21:58 1777664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-17 02:24 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-27 09:47 7573504]
"nwiz"="nwiz.exe" [2006-04-27 09:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-27 09:47 86016]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-18 23:52 15797248 C:\WINDOWS\RTHDCPL.exe]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Zshutdown"="c:\sysprep\patch\sysprep.cmd" [ ]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49 338432]
"BootSkin Startup Jobs"="C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" [2004-04-26 16:21 270336]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-12-03 10:59 1481984]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 11:19 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-21 14:00 877136]

C:\Documents and Settings\Username\Start Menu\Programs\Startup\
TransBar.lnk - C:\Program Files\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-02 08:41:18 65536]
Y'z Shadow.lnk - C:\Program Files\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 20:43:14 155648]
RocketDock.lnk - C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 11:05:02 630784]
UberIcon.lnk - C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 20:43:08 180224]
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2007-03-01 11:19:50 3604480]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-11-16 10:09:22 44384]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 11:11:42 49152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54018E98-10E3-46C6-9673-2999253F9C65}"= C:\WINDOWS\system32\yayvSjkL.dll [2008-05-27 10:57 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvSjkL]
yayvSjkL.dll 2008-05-27 10:57 57856 C:\WINDOWS\system32\yayvSjkL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS ChkMail.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ASUS ChkMail.lnk
backup=C:\WINDOWS\pss\ASUS ChkMail.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Username^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Username\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2006-02-21 15:20 180224 C:\Program Files\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 10:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 05:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-01-19 21:34 544768 C:\WINDOWS\sm56hlpr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 11:20]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-03 10:59]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-03 10:59]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 11:16]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 14:49]
R3 SynMini;USB2.0 1.3M Web Cam;C:\WINDOWS\system32\Drivers\SynMini.sys [2005-10-03 10:26]
R3 SynScan;USB2.0 1.3M Web Cam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2005-10-03 10:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autoplay.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 05:11:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 20:40:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\yayvSjkL.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
-> C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
-> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\TortoiseSVN\iconv\utf-8.so
.
Completion time: 2008-05-27 20:41:08
ComboFix-quarantined-files.txt 2008-05-27 08:41:02

Pre-Run: 32,000,344,064 bytes free
Post-Run: 32,688,635,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

297
Renmoo (66)
673094 2008-05-27 09:36:00 FreeRAMXPPro is just there for me to monitor the amount of free RAM available. I don't ever use its function of freeing up the RAM :)

TeaTimer.exe (as part of Spybot S & D) is responsible for monitoring entries that have been added or deleted from the startup list.

As for this entry: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
Is it just the Windows Defender application?

This entry:
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
Got me googling for quite some time. Not entirely sure whether it is a legitimate program.

I have tried deleting
O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll under safe mode (without turning off System Restore), but it still remains. Will it make a difference if I turn off System Restore first?

Cheers Speedy :)
Renmoo (66)