HijackThis Log for XP with bolenja, bolenjx?

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages

1 2 3 >

HijackThis Log for XP with bolenja, bolenjx?, Computer is in rough shape, may have more than the above malware.

Options

GRBrown View Member Profile	Jan 14 2009, 01:47 AM Post #1
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Hi Everyone, First of all let me extend my gratitude for any assistance, or for that matter any attempts at providing assistance, that those on this forum provide. It is most definitely appreciated in the extreme. Secondly, let me apologize in advance if I somehow misstep and don't follow the correct protocols for an initial post. The computer that is having difficulties is actually my Back of House Computer for a store that I own, and I just happened to have HijackThis with me, so I ran it, copied the log, and am now posting what I've got. If more information is needed just let me know and I will gladly provide it. So, without further adieu, the problems I'm having: Windows XP Computer This is the Back of House computer for my store which Runs the AlohaQS Software (Basically a Cash Register Program) for my actual front cash register. Definite Uglies on the Computer are Bolenja.exe and Bolenjx.exe... there may very well be others. Some industrious employee got on the computer when it wasn't locked down and managed to mess things up pretty thoroughly. In addition to the distinct Spyware items, there are also a number of misguided attempts to perhaps fix what they broke. Record/Logs with names like Spy-Rid, spyguard.exe, Also when the computer boots up into Windows XP it pops up and error message that reads the following: C:\WINDOWS\shell.exe Windows cannot find C:\WINDOWS\shell.exe. Make sure you type the name correctly and then try again. I close this window out and then I have access to my files and folders, but cannot access the Control Panel (it's not even listed) and periodically I get an error message that inidicates that access to the Registry Editor (or regedit) has been disabled by the administrator. Or something to that effect. Well those are the basics and here is the HiJackThis log for my computer as well as the startuplist. Any help would be great. Thanks again in advance. Sincerely G. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:06:52 PM, on 1/13/2009 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\lsass.exe C:\WINDOWS\System32\ctfmon.exe C:\AlohaQS\bin\CTLSVR.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper8.dll O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\ssqqpqo.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe O4 - HKLM\..\Run: [bolenja] bolenja.exe O4 - HKLM\..\Run: [bolenjx] bolenjx.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKUS\S-1-5-21-2248645817-3289682256-113954702-1009\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?') O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted IP range: http://192.168.2.1 O15 - Trusted IP range: http://192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll O20 - Winlogon Notify: ssqqpqo - C:\WINDOWS\SYSTEM32\ssqqpqo.dll O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJvcGljYWwgU21vb3RoaWUgVHJvcGljYWwgUw\command.exe (file missing) O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 6390 bytes And then here is the startuplist.... StartupList report, 1/13/2009, 11:13:56 PM StartupList version: 1.52.2 Started from : C:\Documents and Settings\Alohboh\Desktop\HJackThis.EXE Detected: Windows XP SP1 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\lsass.exe C:\WINDOWS\System32\ctfmon.exe C:\AlohaQS\bin\CTLSVR.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run IgfxTray = C:\WINDOWS\System32\igfxtray.exe HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe dla = C:\WINDOWS\system32\dla\tfswctrl.exe HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe lsass = C:\WINDOWS\lsass.exe bolenja = bolenja.exe bolenjx = bolenjx.exe -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] = -------------------------------------------------- Load/Run keys from C:\WINDOWS\WIN.INI: load=INI section not found run=INI section not found Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found HKLM\..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found HKLM\..\Windows\CurrentVersion\WinLogon: load=Registry key not found HKLM\..\Windows\CurrentVersion\WinLogon: run=Registry key not found HKCU\..\Windows NT\CurrentVersion\WinLogon: load=Registry value not found HKCU\..\Windows NT\CurrentVersion\WinLogon: run=Registry value not found HKCU\..\Windows\CurrentVersion\WinLogon: load=Registry key not found HKCU\..\Windows\CurrentVersion\WinLogon: run=Registry key not found HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=Registry value not found HKLM\..\Windows NT\CurrentVersion\Windows: load=Registry value not found HKLM\..\Windows NT\CurrentVersion\Windows: run=Registry value not found HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\kus109.dat -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=INI section not found SCRNSAVE.EXE=INI section not found drivers=INI section not found Shell & screensaver key from Registry: Shell=Explorer.exe C:\WINDOWS\shell.exe SCRNSAVE.EXE=C:\WINDOWS\System32\SS3DFO.SCR drivers=Registry value not found Policies Shell key: HKCU\..\Policies: Shell=Registry value not found HKLM\..\Policies: Shell=Registry value not found -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\WINDOWS\System32\APPHEL.dll - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} e404 helper - C:\Program Files\Helper\Helper8.dll - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} (no name) - C:\WINDOWS\system32\ssqqpqo.dll - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} -------------------------------------------------- Enumerating Task Scheduler jobs: At1.job At2.job At3.job At4.job At5.job At6.job At7.job At8.job ISP signup reminder 1.job Norton AntiVirus - Scan my computer - Alohboh.job PCA.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [{9F1C11AA-197B-4942-BA54-47A8489BB47F}] CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8204.5217939815 [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: No scripts set to run Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: c:\windows\system32\multikz.exe\|\|C:\Documents and Settings\Alohboh\Application Data\xvvid.nsf\|\|C:\Documents and Settings\Alohboh\Application Data\xvvid.nsf\|\|\|n -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 6,334 bytes Report generated in 0.062 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Any thoughts?

fenzodahl512 View Member Profile	Jan 14 2009, 05:03 AM Post #2
Forum Addict Group: HJT Team Posts: 5,949 Joined: 4-December 07 Member No.: 174,482	Please download Malwarebytes' Anti-Malware from HERE or HERE Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan" Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Full Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. *NEXT* Please download RSIT by random/random and save it to your Desktop. Double click on RSIT.exe to run RSIT Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply. *NEXT* Please download GMER and unzip it to your Desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread. Post me these logs in your next reply.. Post each log in separate post.. 1. Malwarebytes' 2. RSIT log.txt 3. RSIT info.txt 4. Attach GMER result.. -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Away for three months (22 August - 1 December 2009)

GRBrown View Member Profile	Jan 14 2009, 06:43 PM Post #3
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Hey Fenzodahl, Thank you very much for the guidance thus far. Here's where I am at regarding the directions you provided. First, Malwarebytes would not install with a normal bootup. Each Time I tried it got cut off, often before the actual installation even began. Even changing the name of the executable file did not change this behavior (I tried this because it was required for getting HijackThis to run originally). So ultimately I rebooted into Safe Mode on Windows XP and I was finally able to install Malwarebytes; but as such MalwareBytes was run with windows in Safe Mode (I'm just not sure if that affects the results). Malwarebytes was run successfully, and I followed your procedures exactly. It seems most of the files it tagged were quarantine as oppossed to deleted, but perhaps this is the norm. Upon reboot it did do an additional chkdsk scan and some other exciting stuff before loading windows... which I assume was simply apart of the "deleteing files that have to be deleted on reboot" process that Malwarebytes prompted me on. Once the computer finished the "extra procedures" and fully booted into windows, I noticed that I still do not have a Control Panel Option. I then installed and ran both RSIT and GMER, which installed without difficulty and ran fine with a normal Windows XP bootup. The only other quirk is the following "Warning Message" popped up at various times (which was present before, and I assume is a portion of the Malware on the computer). It said: Windows Security Alert Warning! Potential Spyware Operation! Your computer is making unauthorised copies of your system and Internet files. Run full scan now to prevent any unauthorised access to your files! Click YES to download Spyware Remover ... It only allowed a Yes or No option, as the close (X) option was greyed out. Well that gives you all the details of the procedures you outline, so as you requested I will now post the logs from each of the steps you requested in their own sections. Thanks again for all the help and I look forward to your next suggestions. Sincerely, GRBrown

GRBrown View Member Profile	Jan 14 2009, 06:45 PM Post #4
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Here is the Malwarebytes Log: Malwarebytes' Anti-Malware 1.32 Database version: 1653 Windows 5.1.2600 Service Pack 1 1/14/2009 5:16:16 PM mbam-log-2009-01-14 (17-16-16).txt Scan type: Full Scan (C:\\|) Objects scanned: 339339 Time elapsed: 34 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 3 Registry Keys Infected: 126 Registry Values Infected: 10 Registry Data Items Infected: 8 Folders Infected: 8 Files Infected: 132 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\SYSTEM32\ddccc.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\SYSTEM32\ssqqpqo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\SYSTEM32\xlibgfl254.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c58094f-50e6-44bb-b816-b1bf6a5aff3e} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7c58094f-50e6-44bb-b816-b1bf6a5aff3e} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a397109a-f3bb-4b2e-87c8-d1371cd4ea05} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{a397109a-f3bb-4b2e-87c8-d1371cd4ea05} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqqpqo (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06dbc41d-b12e-4133-876a-64e0c8fdd1d3} (Trojan.BHO.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{06dbc41d-b12e-4133-876a-64e0c8fdd1d3} (Trojan.BHO.H) -> Delete on reboot. HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f10587e9-0e47-4cbe-84ae-7dd20b8684bb} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f10587e9-0e47-4cbe-84ae-7dd20b8684bb} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popupblocker.iegpb (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popupblocker.iegpb.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\sbiebho.iefw (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\sbiebho.iefw.2 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{0037f041-5ec7-46aa-be24-6b4e01215611} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{01181392-ea52-4aef-88fa-1cbcd8de6825} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{012c872d-6d66-499a-b69d-4a9c63690262} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{07a25120-a92b-4baa-a514-eed6667d6d83} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{07c02614-ef46-41a4-88c9-2a867848b31d} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{102c560b-d15c-4ba1-b163-7bb4acd26c34} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{12c7b02f-145d-46a4-b2e8-4255b601230a} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{13c1e692-405a-430c-9ac7-3c274369ff71} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{15e0b9d1-6869-4b44-b64d-f60a350e725c} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{165bc2ec-0b03-4bd6-9e60-6323427b01ed} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1690de52-5b60-42ca-9688-16b1a233094c} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{170b0977-27ea-426e-9b38-febab1724a1f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1a8af5b9-87c4-454a-965f-8b1e00a51d93} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1b01b4f2-4cc1-4154-ab18-20a0bc553d24} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1bc793ee-2447-4034-858a-de65d6d2bec9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1f5cf3c9-f384-4bce-b9a1-c5a00c6f2872} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{26ab4ac4-23d3-4004-b9d8-bff54166503c} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2b68f0b9-3294-4e83-b026-d30894a6b062} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{354242fc-4dde-48fd-9960-8801b4cf5cf4} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{36d8eec8-86fe-41ab-917d-b1db221347fc} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{39038d48-70ac-4b19-beb8-88cad47f2deb} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4689349f-0b3a-4698-a404-2e81c9b05acc} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4d56ddff-895a-438f-9b16-54618b3a47f7} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4e30c4b0-1fb1-427d-90b3-be85c877b236} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4f3145e3-67de-4654-9eaf-d72133fe65e7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{4fb926ad-73e7-4bf5-bbf1-58a8f3eeb289} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{59da55f2-d42c-492e-8cee-897717d47877} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{605196d3-a6cc-43ac-8104-e8cdca25ef58} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{627fb506-61e4-4d02-bdaf-bfd38c75e43f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{65b96902-f3e3-4391-a523-848f1d30b12b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{6fe6d492-28b1-4a8d-88e9-22e1e3530da0} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{76e3de06-3f95-4b6e-91b4-710498e437f4} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{89107b18-d3d4-46cb-8045-1af57b8c4535} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{8c4e45a4-fdbc-4de0-8d1f-4ec38d4f3023} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{8ed41818-1cb1-4d9e-8a21-4f7edf9b59c3} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{957de9d3-6ca7-4e7e-aa1d-3d13eb7cf99b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a914b7cf-086d-4fe0-9108-3d72b97e5c2c} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a9e3320e-52a9-4cb1-892f-ae8088d68a8e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{aa958db8-1102-4091-ac05-ecbc7b2e426d} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ad33aad5-f364-430f-8e2d-ce034150afdf} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ae539347-f840-4c45-83d2-6e9225a3ec62} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ae57830d-be33-4935-9d91-62f2eb0e8be3} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{b6a908fa-6237-4791-ac61-8b6a28add9b6} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{c7eb7da1-0b05-40d5-b73a-4b5ea77e7d67} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ca27a95a-2b8c-478d-af5e-2e1761467eb4} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{cb32d487-2bdb-49ed-8b75-8ebfe6b0990b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{cc789624-c0d2-469b-a34b-fc32117194e9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{cda873d3-a380-4b32-b4b7-a25d2e63cdba} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{cf612595-40eb-443d-9bc2-2165aba6352f} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{dcd09900-b1db-4855-a41a-6245c1b2bcba} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e2e7d7e7-ea40-4cc3-89fb-fc6c43c8ca77} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e3cd3689-b032-4d47-8d5f-d886628914a6} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e4fb5b1d-83e5-4df3-892d-1a0e48f91e75} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e52bddde-b92c-4174-8247-21d9118fa036} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e5a292c6-2ce5-4702-b1fc-1f9d5f7f810d} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e691676d-381a-4fa2-8188-f8597aa5e789} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e6c3097f-1cf8-4563-8318-d25ccaaa1191} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e779dc78-51e9-4630-a8d4-c9ae3548c6c7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e8e367a1-57d1-49cb-b1b0-192b95bd5e6a} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e9c36375-c7a5-45f7-8b78-ad56965903e7} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ebeabc4b-ae96-45cf-b5c8-fef6364a6d41} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{ef9aa426-50f9-4d27-94ba-8844a165ddd5} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f084f574-f1b6-4e2b-9338-b321082693fc} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f4d40fe2-8fef-45b0-8ddc-8fbd080e6a37} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f6185cf5-6a50-4be8-8f13-c4b8a13641f9} (Rogue.Spy-Rid) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{fecb6f44-0b53-43c3-b5e8-aa03ece60aa9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{d2436533-33f9-495c-9cd9-daf21e67ffeb} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\{ea7522f6-87cf-411e-8a55-19ee4344b676} (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{80cc53df-d8b9-44b1-8c3c-20fac46265d0} (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{8d25bb2a-dd6e-4244-89ed-9fe0628e852a} (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e28b42f8-56a7-4828-8a74-002f4177204d} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e0dca13e-41d3-5d2f-895d-3be6738708ec} (Adware.PurityScan) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\webinst.dll (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\InfeStop (Rogue.InfeStopRemover) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\pblock.DLL (Rogue.PCSecureSystem) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c8d6e0c (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccc -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddccc -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Vundo) -> Data: xlibgfl254.dll -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210 (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully. C:\SpyGuardPro (Rogue.SpyGuardPro) -> Delete on reboot. C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\SYSTEM32\rkyseb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\ddccc.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\SYSTEM32\cccdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\cccdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\ssqqpqo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\SYSTEM32\kckryigt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\tgiyrkck.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\nktfpuil.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\liupftkn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\norbtymc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\cmytbron.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\ybokoqwl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\lwqokoby.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\APPHEL.dll (Trojan.BHO.H) -> Delete on reboot. C:\WINDOWS\SYSTEM32\xlibgfl254.dll (Trojan.Vundo) -> Delete on reboot. C:\Program Files\Helper\Helper8.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\Downloaded Program Files\webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\wsusupd.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\nvsvc1024.dll (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Desktop\From Program Files\3269.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Desktop\From Program Files\ucleaner_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Desktop\Temp probably spyware pulled from docnsettings alohaboh appdata\sysfixer.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\.tt301.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\16power.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\3264.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\32look.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\32mon.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\32win.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\6464.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\64win.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\agent16.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\agentpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\agentsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\agentsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\agentwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\host32.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\hostagent.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\hostpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\hostsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\hostwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\lookhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\looksv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\mon32.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\monlook.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\monsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\powerhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\powerlook.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\powersv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\powerwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\serverhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\serverpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\svsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\syn16.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\synsv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\synsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\sys64.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\sysagent.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\sysserver.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\syssyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\syswin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\winhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\winserver.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\winsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\winsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XYROPMB\3269[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XYROPMB\spoolsv[1].exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\CAH8IHTB (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\CAIFWPIV (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\I12RSBID\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\I12RSBID\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\P80STL4W\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\spoolsv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully. C:\Program Files\TTC.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully. C:\Program Files\MSN\niqyrezim4444.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Program Files\MSN\niqyrezim83122.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0770145.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0800289.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0800290.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}(2)\RP226(2)\snapshot(2)\MFEX-6020.DAT (Trojan.Fakealert) -> Delete on reboot. C:\WINDOWS\SYSTEM32\hgghghe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\iifghge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\mkpiffi.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\qomkifg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\rqrpolk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\tuvstsq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\vdqrnjiw.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wlcq.dll (Adware.PurityScan) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\abc2\bmbrpl2.exe (Trojan.ZQuest) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\dhlp.sys (Rogue.PCSecureSystem) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS (Rootkit.Agents) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\hel9\pozpwb23.exe (Adware.WebBuying) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\oc9\qopre83122.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.len (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\yazzsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS (Fake.Beep.Sys) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Local Settings\Temp\wavvsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Media\temp.bat (Spyware.Delf) -> Quarantined and deleted successfully. C:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\INF\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\INF\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\bolenja.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\spoolvs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\users32.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wowfx.dll (Trojan.QHost) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\InfeStop.lnk (Rogue.InfeStopRemover) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\Spy-Rid remover.lnk (Rogue.Spy-Rid) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\Easy Spyware Cleaner.lnk (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully. C:\Program Files\Common Files\Yazzle1281OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully. C:\WINDOWS\b122.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\mgrs.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\Spyware Remover.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\Casino.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\Free Online Dating.ico (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\Alohboh\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully. C:\Program Files\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\DRIVERS\core.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

GRBrown View Member Profile	Jan 14 2009, 06:46 PM Post #5
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Here is the RSIT LOG.TXT file: Logfile of random's system information tool 1.05 (written by random/random) Run by Alohboh at 2009-01-14 17:28:01 Microsoft Windows XP Home Edition Service Pack 1 System drive C: has 65 GB (85%) free of 76 GB Total RAM: 510 MB (59% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:28:18 PM, on 1/14/2009 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\bolenja.exe C:\WINDOWS\bolenjx.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\AlohaQS\bin\CTLSVR.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Documents and Settings\Alohboh\Desktop\RSIT.exe C:\Program Files\Symantec\LiveUpdate\AUpdate.exe C:\Program Files\trend micro\Alohboh.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [bolenja] bolenja.exe O4 - HKLM\..\Run: [bolenjx] bolenjx.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted IP range: http://192.168.2.1 O15 - Trusted IP range: http://192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 6142 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\At1.job C:\WINDOWS\tasks\At2.job C:\WINDOWS\tasks\At3.job C:\WINDOWS\tasks\At4.job C:\WINDOWS\tasks\At5.job C:\WINDOWS\tasks\At6.job C:\WINDOWS\tasks\At7.job C:\WINDOWS\tasks\At8.job C:\WINDOWS\tasks\ISP signup reminder 1.job C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Alohboh.job C:\WINDOWS\tasks\PCA.job C:\WINDOWS\tasks\Symantec NetDetect.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06DBC41D-B12E-4133-876A-64E0C8FDD1D3}] C:\WINDOWS\System32\APPHEL.dll [2002-08-29 84480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2003-09-17 844048] {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - Norton Internet Security - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2004-10-28 103568] {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2005-01-10 218736] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2008-01-21 155648] "HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [] "IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [2008-01-21 221184] "dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [] "HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe [2008-01-21 172032] "SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-01-21 1404928] "bolenja"=C:\WINDOWS\bolenja.exe [2009-01-14 5120] "bolenjx"=C:\WINDOWS\bolenjx.exe [2009-01-14 14336] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe [2002-08-29 13312] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bolenja] C:\WINDOWS\bolenja.exe [2009-01-14 5120] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bolenjx] C:\WINDOWS\bolenjx.exe [2009-01-14 14336] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-03-23 58992] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe [2008-01-21 77824] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe [2008-01-21 218240] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe [2008-01-21 100056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="C:\WINDOWS\system32\kus109.dat" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csfdll] C:\WINDOWS\Media\smartwarxyu.dll [2007-12-21 51712] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify] C:\WINDOWS\system32\PCANotify.dll [2003-10-31 8704] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"=1 "DisableTaskMgr"=1 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "DisableRegistryTools"=1 "DisableTaskMgr"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 "NoControlPanel"=1 "NoWindowsUpdate"=1 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\Documents and Settings\Alohboh\Application Data\printer.exe"="C:\Documents and Settings\Alohboh\Application Data\printer.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\System32\printer.exe"="C:\WINDOWS\System32\printer.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\System32\spoolvs.exe"="C:\WINDOWS\System32\spoolvs.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe::Enabled:@xpsp2res.dll,-22019" "%windir%\system32\winav.exe"="%windir%\system32\winav.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe"="C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\pcant.exe"="C:\Documents and Settings\Alohboh\Application Data\pcant.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe"="C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe"="C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\trant.exe"="C:\Documents and Settings\Alohboh\Application Data\trant.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe"="C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe::Enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "C:\Documents and Settings\Alohboh\Application Data\printer.exe"="C:\Documents and Settings\Alohboh\Application Data\printer.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\System32\printer.exe"="C:\WINDOWS\System32\printer.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\System32\spoolvs.exe"="C:\WINDOWS\System32\spoolvs.exe::Enabled:@xpsp2res.dll,-22019" "C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe::Enabled:@xpsp2res.dll,-22019" "%windir%\system32\winav.exe"="%windir%\system32\winav.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe"="C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\pcant.exe"="C:\Documents and Settings\Alohboh\Application Data\pcant.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe"="C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe"="C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\trant.exe"="C:\Documents and Settings\Alohboh\Application Data\trant.exe::Enabled:@xpsp2res.dll,-22019" "C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe"="C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe::Enabled:@xpsp2res.dll,-22019" ======List of files/folders created in the last 3 months====== 2009-01-14 17:28:01 ----D---- C:\rsit 2009-01-14 17:28:01 ----D---- C:\Program Files\trend micro 2009-01-14 17:24:00 ----A---- C:\WINDOWS\System32\multikz.exe 2009-01-14 16:38:39 ----D---- C:\Documents and Settings\Alohboh\Application Data\Malwarebytes 2009-01-14 16:28:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2009-01-14 16:28:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2009-01-14 13:01:29 ----A---- C:\WINDOWS\bolenjx.exe 2009-01-07 15:45:22 ----A---- C:\WINDOWS\bolenja.exe 2009-01-07 14:00:42 ----D---- C:\WINDOWS\pss 2008-12-29 05:34:02 ----A---- C:\WINDOWS\System32\07aeaa72-.txt 2008-12-29 05:33:49 ----ASH---- C:\WINDOWS\System32\llkkj.ini ======List of files/folders modified in the last 3 months====== 2009-01-14 17:28:01 ----RD---- C:\Program Files 2009-01-14 17:24:53 ----D---- C:\WINDOWS\Temp 2009-01-14 17:24:26 ----A---- C:\WINDOWS\ModemLog_BCM V.90 56K Modem.txt 2009-01-14 17:24:19 ----D---- C:\WINDOWS\Debug 2009-01-14 17:24:00 ----D---- C:\WINDOWS\SYSTEM32 2009-01-14 17:23:56 ----D---- C:\Program Files\Common Files\Symantec Shared 2009-01-14 17:18:18 ----D---- C:\WINDOWS\System32\DRIVERS 2009-01-14 17:18:18 ----D---- C:\WINDOWS 2009-01-14 17:17:29 ----A---- C:\WINDOWS\ntbtlog.txt 2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\oc9 2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\hel9 2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\abc2 2009-01-14 17:16:14 ----D---- C:\Program Files\Helper 2009-01-14 16:31:30 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-01-14 16:27:25 ----D---- C:\WINDOWS\Prefetch 2009-01-14 13:03:25 ----D---- C:\AlohaQS 2009-01-12 10:18:09 ----A---- C:\WINDOWS\WIN.INI 2009-01-07 15:47:13 ----RASH---- C:\BOOT.INI 2009-01-07 15:47:13 ----A---- C:\WINDOWS\SYSTEM.INI 2009-01-07 15:35:31 ----RD---- C:\WINDOWS\Web 2009-01-07 15:35:00 ----A---- C:\WINDOWS\System32\bolenjcfa.txt 2009-01-05 14:36:05 ----D---- C:\WINDOWS\System32\CatRoot2 ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AW_HOST;AW_HOST; C:\WINDOWS\system32\drivers\aw_host5.sys [2003-10-23 16984] R1 awlegacy;awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [2003-04-21 10901] R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217] R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS [] R1 ShldDrv;Panda File Shield Driver; C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys [2007-05-23 38968] R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-01-14 5621] R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-01-14 23219] R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192] R2 ASCTRM;ASCTRM; C:\WINDOWS\System32\drivers\ASCTRM.sys [2004-06-23 8552] R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-02-27 40480] R2 hardlock;hardlock; \??\C:\WINDOWS\System32\drivers\hardlock.sys [] R2 Haspnt;Haspnt; \??\C:\WINDOWS\System32\drivers\Haspnt.sys [] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043] R2 PavProc;Panda Process Protection Driver; \??\C:\WINDOWS\System32\DRIVERS\PavProc.sys [] R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\System32\drivers\symlcbrd.sys [] R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-03-15 25685] R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-03-15 34837] R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-03-15 4117] R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-03-15 2233] R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-03-15 85972] R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-03-15 14229] R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-03-15 6357] R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-03-15 98580] R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-03-15 100597] R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504] R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816] R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136] R3 BCMModem;BCM V.90 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMDM.sys [2001-08-17 871388] R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-10-21 49920] R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-10-21 16496] R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-10-21 21568] R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907] R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128] R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050615.008\NAVENG.Sys [] R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050615.008\NavEx15.Sys [] R3 SAVRT;SAVRT; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS [] R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-11-18 591808] R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS [] R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2003-08-02 28160] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2003-08-02 25216] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2003-08-02 53120] R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960] R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2003-08-02 19328] S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2002-08-29 37504] S3 bvrp_pci;bvrp_pci; C:\WINDOWS\System32\drivers\bvrp_pci.sys [] S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112] S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591] S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-17 1042432] S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224] S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-17 138240] S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-17 12672] S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-17 12288] S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-17 12032] S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-17 12160] S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-17 18688] S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-17 29440] S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-17 19456] S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys [2001-08-17 44928] S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-17 31104] S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-17 23680] S3 IntelC51;IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [2004-03-05 1233525] S3 IntelC52;IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [2004-03-05 647929] S3 IntelC53;IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [2004-03-05 60949] S3 mohfilt;mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [2004-03-05 37048] S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-08-28 891711] S3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928] S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [] S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-04-05 11512] S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-04-05 173208] S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-04-05 36984] S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050512.030\symidsco.sys [] S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-04-05 47192] S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [] S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704] S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2001-08-17 25472] S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2001-08-17 29056] S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2001-08-17 27648] S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2001-08-17 27648] S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952] S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2002-08-29 4736] S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2001-08-17 26112] S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 27392] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-03-23 198256] R2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2005-03-23 235120] R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-03-23 165488] R2 CtlSvr;CtlSvr; C:\AlohaQS\bin\CTLSVR.EXE [2002-02-24 1703936] R2 ISSVC;ISSvc; C:\Program Files\Norton Internet Security\ISSVC.exe [2005-04-18 83584] R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120] R2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916] R2 navapsvc;Norton AntiVirus Auto-Protect Service; C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe [2005-01-10 177264] R2 PavPrSrv;Panda Process Protection Service; C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe [2007-06-14 63024] R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-05-06 822424] S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2002-08-29 250368] S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2005-01-10 67184] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768] S3 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2003-10-31 106496] S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-03-23 79472] S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 SAVScan;SAVScan; C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe [2005-03-07 198368] S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552] S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2004-07-21 173160] S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872] -----------------EOF-----------------

GRBrown View Member Profile	Jan 14 2009, 06:48 PM Post #6
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Here is the RSIT INFO.TXT file: info.txt logfile of random's system information tool 1.05 2009-01-14 17:28:28 ======Uninstall list====== -->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu -->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature -->C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6} -->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19} -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{685A56F8-75B6-44AD-B3DA-FB0A3266B47C} Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003} Broadcom Management Programs-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033 Business Contact Manager for Outlook 2003-->MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB} CC_ccProxyExt-->MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919} ccCommon-->MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB} ccPxyCore-->MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917} Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288} Dell Support-->MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A} DirectX 9 Hotfix - KB839643-->C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe HASP Device Driver-->C:\WINDOWS\System32\UNWISE.EXE C:\WINDOWS\System32\hdd32.log HijackThis 2.0.2-->"C:\Documents and Settings\Alohboh\Desktop\HijackThis.exe" /uninstall HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat Intel® 537EP V9x DF PCI Modem-->rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem" Intel® Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562 Intel® PRO Network Adapters and Drivers-->Prounstl.exe Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395} Jasc Paint Shop Photo Album-->MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0} Jasc Paint Shop Pro 8 Dell Edition-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328} Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000} Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins004.exe" Microsoft .NET Framework 1.1 Hotfix (KB886903)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp" Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Office Small Business Edition 2003-->MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9} Modem Event Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9 Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Modem On Hold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText MSRedist-->MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69} Norton AntiSpam-->MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519} Norton AntiSpam-->MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F} Norton AntiVirus 2005-->MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B} Norton Internet Security 2005 (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X Norton Internet Security-->MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125} Norton Internet Security-->MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935} Norton Internet Security-->MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B} Norton Internet Security-->MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F} Norton Internet Security-->MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20} Norton Internet Security-->MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555} Norton Internet Security-->MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43} Norton Internet Security-->MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22} Norton WMI Update-->MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0} Norton WMI Update-->MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4} QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks\|RealPlayer\|6.0 Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe" Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe" Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe" Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe" Security Update for Windows XP (KB896426)-->"C:\WINDOWS\$NtUninstallKB896426$\spuninst\spuninst.exe" Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe" Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6} Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19} Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3} SPBBC-->MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56} Symantec pcAnywhere-->MsiExec.exe /I{F05E8183-866A-11D3-97DF-0000F8D8F2E9} Symantec Script Blocking Installer-->MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138} SymNet-->MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2} Ultr@VNC Release 1.0.0 RC 18 - Win32-->"C:\Program Files\UltraVNC\unins000.exe" Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe" Windows Media Player Hotfix [See Q828026 for more information]-->C:\WINDOWS\$NtUninstallQ828026$\spuninst\spuninst.exe Windows XP Hotfix - KB824105-->C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe Windows XP Hotfix - KB824141-->C:\WINDOWS\$NtUninstallKB824141$\spuninst\spuninst.exe Windows XP Hotfix - KB833407-->C:\WINDOWS\$NtUninstallKB833407$\spuninst\spuninst.exe Windows XP Hotfix - KB833987-->C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe Windows XP Hotfix - KB837001-->C:\WINDOWS\$NtUninstallKB837001$\spuninst\spuninst.exe Windows XP Hotfix - KB839645-->C:\WINDOWS\$NtUninstallKB839645$\spuninst\spuninst.exe Windows XP Hotfix - KB840315-->C:\WINDOWS\$NtUninstallKB840315$\spuninst\spuninst.exe Windows XP Hotfix - KB840374-->C:\WINDOWS\$NtUninstallKB840374$\spuninst\spuninst.exe Windows XP Hotfix - KB841356-->C:\WINDOWS\$NtUninstallKB841356$\spuninst\spuninst.exe Windows XP Hotfix - KB841873-->C:\WINDOWS\$NtUninstallKB841873$\spuninst\spuninst.exe Windows XP Hotfix - KB842773-->C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282-IE6SP1-20050127.163319$\spuninst\spuninst.exe Windows XP Hotfix - KB871250-->C:\WINDOWS\$NtUninstallKB871250$\spuninst\spuninst.exe Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe Windows XP Hotfix - KB883939-->"C:\WINDOWS\$NtUninstallKB883939-IE6SP1-20050428.125228$\spuninst\spuninst.exe" Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe" Windows XP Hotfix - KB891711-->C:\WINDOWS\$NtUninstallKB891711$\spuninst\spuninst.exe Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe" Windows XP Hotfix - KB897715-->"C:\WINDOWS\$NtUninstallKB897715-OE6SP1-20050503.210336$\spuninst\spuninst.exe" System event log Computer Name: ALOHABOH Event Code: 26 Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read". Click on OK to terminate the program Record Number: 825 Source Name: Application Popup Time Written: 20081122200340.000000-300 Event Type: information User: Computer Name: ALOHABOH Event Code: 26 Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read". Click on OK to terminate the program Record Number: 824 Source Name: Application Popup Time Written: 20081122200229.000000-300 Event Type: information User: Computer Name: ALOHABOH Event Code: 26 Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read". Click on OK to terminate the program Record Number: 823 Source Name: Application Popup Time Written: 20081122200119.000000-300 Event Type: information User: Computer Name: ALOHABOH Event Code: 29 Message: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 239 minutes. NtpClient has no source of accurate time. Record Number: 822 Source Name: W32Time Time Written: 20081122181251.000000-300 Event Type: error User: Computer Name: ALOHABOH Event Code: 17 Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751) Record Number: 821 Source Name: W32Time Time Written: 20081122181251.000000-300 Event Type: error User: Application event log Computer Name: ALOHABOH Event Code: 26 Message: Application starting Record Number: 5 Source Name: ccEvtMgr Time Written: 20080111070209.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: ALOHABOH Event Code: 1 Message: Application started Record Number: 4 Source Name: ccSetMgr Time Written: 20080111070209.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: ALOHABOH Event Code: 26 Message: Record Number: 3 Source Name: ISService Time Written: 20080111070209.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: ALOHABOH Event Code: 26 Message: Application starting Record Number: 2 Source Name: ccSetMgr Time Written: 20080111070209.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: ALOHABOH Event Code: 26 Message: Application starting Record Number: 1 Source Name: ccProxy Time Written: 20080111070209.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "IBERDIR"=C:\AlohaQS "IBERROOT"=AlohaQS "NUMBER_OF_PROCESSORS"=1 "NUMTERMS"=2 "OS"=Windows_NT "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\Program Files\Symantec\pcAnywhere\ "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel "PROCESSOR_LEVEL"=15 "PROCESSOR_REVISION"=0207 "ROBUST"=TRUE "SERVER"=ALOHABOH "TEMP"=%SystemRoot%\TEMP "TERMSTR"=TERM "TMP"=%SystemRoot%\TEMP "windir"=%SystemRoot% -----------------EOF-----------------

GRBrown View Member Profile	Jan 14 2009, 06:49 PM Post #7
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	And Finally, here are the GMER scan results: GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2009-01-14 17:45:31 Windows 5.1.2600 Service Pack 1 ---- System - GMER 1.0.14 ---- SSDT 822E7F98 ZwConnectPort INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6AF16D INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6AEFC2 Code rxnskyhv.dat ObOpenObjectByName ---- Kernel code sections - GMER 1.0.14 ---- PAGE ntoskrnl.exe!ObOpenObjectByName 805556C9 6 Bytes JMP F87B8312 rxnskyhv.dat ? rxnskyhv.dat The system cannot find the file specified. ! .text ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429 ---- User code sections - GMER 1.0.14 ---- .text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[212] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00910429 .text C:\WINDOWS\system32\winlogon.exe[456] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00490429 .text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 004905D0 .text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00490526 .text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00490543 .text C:\WINDOWS\system32\services.exe[504] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00520429 .text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005205D0 .text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00520526 .text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00520543 .text C:\WINDOWS\system32\lsass.exe[516] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429 .text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0 .text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526 .text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543 .text C:\AlohaQS\bin\CTLSVR.EXE[600] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003A0429 .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[660] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00890429 .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003C0429 .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 003C05D0 .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 003C0526 .text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 003C0543 .text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429 .text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0 .text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526 .text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543 .text C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe[956] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00840429 .text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429 .text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0 .text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526 .text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543 .text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429 .text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0 .text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526 .text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1344] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003C0429 .text C:\WINDOWS\bolenja.exe[1352] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00370429 .text C:\WINDOWS\bolenjx.exe[1360] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00850429 .text C:\WINDOWS\System32\ctfmon.exe[1368] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429 .text C:\WINDOWS\System32\svchost.exe[1384] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429 .text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0 .text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526 .text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543 .text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429 .text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0 .text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526 .text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543 .text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429 .text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0 .text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526 .text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543 .text C:\WINDOWS\system32\spoolsv.exe[1736] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 007A0429 .text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 007A05D0 .text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 007A0526 .text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 007A0543 .text C:\WINDOWS\Explorer.EXE[1868] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 007B0429 .text C:\WINDOWS\Explorer.EXE[1868] ntdll.dll!NtQueryDirectoryFile 77F5BD48 6 Bytes PUSH 131451AC; RET .text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 007B05D0 .text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 007B0526 .text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 007B0543 .text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429 .text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 003805D0 .text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00380526 .text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00380543 .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429 .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0 .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526 .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543 .text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005E0429 .text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005E05D0 .text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005E0526 .text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005E0543 .text C:\Documents and Settings\Alohboh\Desktop\gmer\gmer.exe[2012] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429 .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429 .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0 .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526 .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543 ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!FreeLibraryAndExitThread] [0A93AB40] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0A93A920] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0A93A920] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [0A93AB40] C:\AlohaQS\bin\SHW32.dll IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll ---- Devices - GMER 1.0.14 ---- Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Software) AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Software) AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Software) AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) ---- Services - GMER 1.0.14 ---- Service system32\drivers\rxnskyhv.dat (* hidden * ) [BOOT] eljalihj <-- ROOTKIT !!! ---- EOF - GMER 1.0.14 ----

fenzodahl512 View Member Profile	Jan 15 2009, 03:32 AM Post #8
Forum Addict Group: HJT Team Posts: 5,949 Joined: 4-December 07 Member No.: 174,482	Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Away for three months (22 August - 1 December 2009)

GRBrown View Member Profile	Jan 16 2009, 01:08 AM Post #9
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Hey Wan, I did as you instructed and ran Combo-Fix, however I did encounter a couple of hiccups along the way and unfortunately your instructions did not provide specific information about how to deal with the occurences that arose. Here's what happened: Ran the renamed Combo-Fix from the desktop. It started fine, but then fairly quickly it told me that I did not have the "Windows Recovery Console" installed on my computer, and then asked me (with strong encouragements) whether I would like to download and install it now. Since I didn't have any specific feedback within your instructions I selected "No". Was this the correct thing to do, or should I have first downloaded and installed the Windows Recovery Console as Combo-Fix recommended? *Please keep in mind, as a relative newb when it comes to these particular procedures for malware removal I feel like I'm on very uncertain ground. Therefore, because your instructions said to "close any open browsers" and that "Combofix will disconnect your machine from the Internet as soon as it starts" and "Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished", I took the more conservative/cautious approach and avoided deviating from what your instructions told me to do. As such I might recommend that in the future when you are giving instructions related to Combo-Fix that you specifically address this prompt about the Windows Recovery Console and what the person should do when prompted to download it... that will just give newbs greater confidence about the process. After answering "No" to the WRC download question Combo-Fix ran smoothly and went through it's different stages just fine. Then Combo-Fix said that it was now going to "reboot windows"! Well it sat, and sat, and sat, and sat, and after 30 minutes it still had not rebooted windows. So, not knowing any better, I went ahead and did a manual reboot. Upon the reboot everything loaded up basically fine, so I relauched Combo-Fix and ran it again (figuring it had stalled). Again I was prompted about the WRC download... I said No, and again it completed all it's stages, and then once more it announced that Combo-Fix was going to "reboot windows", only this time it finished the message and said.. "DO NOT Manually reboot the computer". [It did not say this the first time] In any event this time it rebooted after about only 2 or 3 minutes, created the log, and everything ended fine. I copied the log, ran HijackThis again, copied those logs and here we are. So, to summarize and clarify, the first time I ran Combo-Fix it got all the way to the rebooting stage, but never completed the process and never created a log. It only fully ran correctly and produced a log on the SECOND running of Combo-Fix and that is what I am posting below. Also, I ran HijackThis with the default settings, and I also ran the startuplist portion but both of the boxes next to the run button for that startuplog were left "unchecked" [in case that matters]. Oh, and after successfully running all of this when I would reboot the computer it would load up Windows fine, but it would run sluggishly... then after 3-5 minutes the desktop would sort of "refresh/reload" and then it would respond more quickly? Don't know if that means something or not. My last little tidbit before posting the logs would only be a little suggestion for the future: Maybe include in your instructions specific guidance on whether or not to download and install the Windows Recovery Console when prompted. And, approximately how many stages there are so people don't panic when it takes awhile. And finally, notify them that Combo-Fix will "reboot windows" part way through the process and let them know how long this should take. [And while we are on it, how long should it take for this to happen? Should I have waited longer than the 30 minutes? Just curious] Anyway, those are my suggestions that might make things clearer for me, or people like me, when working through these procedures. That's just my 2 cents. Now let me state very clearly that I am extremely pleased and thankful for your assistance, I feel like we've made solid progress for which I am truly grateful. My comments above are only designed to be constructive feedback on how you can give greater guidance, and in turn greater confidence, when dealing with people who are pretty unfamiliar with this process and the programs involved. Once more thank you very much for you time and assistance Wan, it is very much appreciated!!! Now then, the logs are listed below in their own posts. I look forward to your next suggestions. Sincerely, G

GRBrown View Member Profile	Jan 16 2009, 01:11 AM Post #10
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Combo-Fix Log [Remember, this is the log from what as technically the second running of Combo-Fiz] ComboFix 09-01-13.04 - Alohboh 2009-01-15 21:32:40.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.510.303 [GMT -5:00] Running from: c:\documents and settings\Alohboh\Desktop\Combo-Fix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\ini.ini\ c:\windows\system32\gehmyyxb.ini c:\windows\system32\kus109.dat c:\windows\system32\llkkj.ini . ---- Previous Run ------- . c:\documents and settings\Alohboh\Application Data\YSTEM3~1 c:\documents and settings\Alohboh\Application Data\YSTEM3~1\d?dplay.exe c:\documents and settings\Alohboh\ResErrors.log c:\program files\Common Files\scurit~1 c:\program files\Common Files\scurit~1\dvdplay.ex_ c:\program files\Common Files\scurit~1\s?curity\ c:\program files\Helper c:\program files\Helper\ifastseek.dll c:\program files\ini.ini\ c:\temp\tn3 c:\windows\bolenja.exe c:\windows\bolenjx.exe c:\windows\Downloaded Program Files\setup.inf c:\windows\icroso~1.net c:\windows\icroso~1.net\?icrosoft.NET\ c:\windows\IE4 Error Log.txt c:\windows\kus109.dat c:\windows\Media\F2233warxy11.dll c:\windows\Media\smartwarxyu.dll c:\windows\system32\abc2 c:\windows\system32\drivers\fad.sys c:\windows\system32\ex1 c:\windows\SYSTEM32\fhkmp.ini c:\windows\SYSTEM32\fhkmp.ini2 c:\windows\system32\idcfap.bmp c:\windows\system32\ineWc01 c:\windows\system32\ineWc01\ineWc011065.exe c:\windows\system32\kus109.dat c:\windows\system32\multikz.exe c:\windows\system32\oc9 c:\windows\SYSTEM32\stvwa.ini c:\windows\SYSTEM32\stvwa.ini2 c:\windows\system32\users32.dat c:\windows\system32\wtsisvcc32.exe c:\windows\SYSTEM32\ybeeg.ini c:\windows\SYSTEM32\ybeeg.ini2 c:\windows\SYSTEM32\yycdd.ini c:\windows\SYSTEM32\yycdd.ini2 c:\windows\Web\default.htt c:\windows\Web\DESKMOVR.HTT c:\windows\Web\SAFEMODE.HTT . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CORE -------\Legacy_DHLP ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 ))))))))))))))))))))))))))))))) . 2009-01-14 17:31 . 2009-01-14 17:31 250 --a------ c:\windows\gmer.ini 2009-01-14 17:28 . 2009-01-14 17:28 <DIR> d-------- C:\rsit 2009-01-14 17:28 . 2009-01-14 17:28 <DIR> d-------- c:\program files\trend micro 2009-01-14 16:38 . 2009-01-14 16:38 <DIR> d-------- c:\documents and settings\Alohboh\Application Data\Malwarebytes 2009-01-14 16:38 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys 2009-01-14 16:28 . 2009-01-14 16:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-14 16:28 . 2009-01-14 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-14 16:28 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-16 02:37 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-01-22 14:23 0 ----a-w c:\documents and settings\Alohboh\del.bat 2008-01-21 15:32 246 ----a-w c:\program files\Common Files\rycil844 2008-01-20 18:12 61 ----a-w c:\program files\ini.ini 2007-07-28 09:06 135 ----a-w c:\program files\Common Files\viloz.html . Files Infected - Patched c:\program files\QuickTime\qttask.exe c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe c:\progra~1\SYMNET~1\SNDMon.exe c:\windows\System32\igfxtray.exe c:\program files\Intel\Modem Event Monitor\IntelMEM.exe c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe c:\program files\Analog Devices\Core\smax4pnp.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06DBC41D-B12E-4133-876A-64E0C8FDD1D3}] 2002-08-29 05:00 84480 --a------ c:\windows\System32\APPHEL.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-01-21 155648] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-21 221184] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2008-01-21 172032] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-01-21 1404928] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2005-03-23 14:34 58992 c:\program files\Common Files\Symantec Shared\CCAPP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-01-21 10:33 77824 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt] --a------ 2008-01-21 10:33 218240 c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] --a------ 2008-01-21 10:33 100056 c:\progra~1\SYMNET~1\sndmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntivirusOverride"=dword:00000001 R0 eljalihj;eljalihj;c:\windows\System32\drivers\rxnskyhv.dat --> c:\windows\System32\drivers\rxnskyhv.dat [?] R1 ShldDrv;Panda File Shield Driver;c:\windows\SYSTEM32\DRIVERS\ShlDrv51.sys [2008-01-22 38968] R4 PavProc;Panda Process Protection Driver;c:\windows\SYSTEM32\DRIVERS\PavProc.sys [2008-01-22 178872] S0 sipuf;sipuf;c:\windows\System32\drivers\gviteepr.sys --> c:\windows\System32\drivers\gviteepr.sys [?] --- Other Services/Drivers In Memory --- Deregistered - ccSetMgr Deregistered - CryptSvc Deregistered - CtlSvr Deregistered - Dhcp Deregistered - Dnscache Deregistered - ERSvc Deregistered - EventSystem Deregistered - FastUserSwitchingCompatibility Deregistered - Fax Deregistered - helpsvc Deregistered - ImapiService Deregistered - ISSVC Deregistered - lanmanserver Deregistered - lanmanworkstation Deregistered - LmHosts Deregistered - MDM Deregistered - MSSQL$MICROSOFTBCM Deregistered - navapsvc Deregistered - Netman Deregistered - Nla Deregistered - PavPrSrv Deregistered - PolicyAgent Deregistered - ProtectedStorage Deregistered - RasMan Deregistered - RpcSs Deregistered - SamSs Deregistered - SBService Deregistered - Schedule Deregistered - seclogon Deregistered - SENS Deregistered - SharedAccess Deregistered - ShellHWDetection Deregistered - Spooler Deregistered - srservice Deregistered - SSDPSRV Deregistered - stisvc Deregistered - Symantec Core LC Deregistered - TapiSrv Deregistered - TermService Deregistered - Themes Deregistered - TrkWks Deregistered - uploadmgr Deregistered - w32time Deregistered - WebClient Deregistered - winmgmt Deregistered - wuauserv Deregistered - WZCSVC . Contents of the 'Scheduled Tasks' folder 2009-01-15 c:\windows\Tasks\At1.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At2.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At3.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At4.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At5.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At6.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At7.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2009-01-15 c:\windows\Tasks\At8.job - c:\b50\AlohaPoll.bat [2005-05-18 14:06] 2005-03-24 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 05:00] 2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Alohboh.job - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-01-10 11:20] 2009-01-16 c:\windows\Tasks\PCA.job - c:\b50\StopStartpcA.bat [2005-05-20 15:37] 2009-01-16 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24] . - - - - ORPHANS REMOVED - - - - HKLM-Run-HotKeysCmds - c:\windows\System32\hkcmd.exe HKLM-Run-dla - c:\windows\system32\dla\tfswctrl.exe MSConfigStartUp-bolenja - bolenja.exe MSConfigStartUp-bolenjx - bolenjx.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm Trusted Zone: www.google.com Trusted Zone: .microsoft.com TCP: {4C8379DF-D0D2-4C2E-999C-F03572DBA64A} = 192.168.0.1 . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-15 21:38:27 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eljalihj] "ImagePath"="system32\drivers\rxnskyhv.dat" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(452) c:\windows\System32\ODBC32.dll - - - - - - - > 'lsass.exe'(1100) c:\windows\System32\dssenh.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\CCPROXY.EXE c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE c:\program files\Norton Internet Security\ISSVC.exe c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE c:\alohaqs\BIN\CTLSVR.EXE c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE c:\program files\Common Files\Panda Software\PavShld\PavPrSrv.exe c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe . ************************************************************************ . Completion time: 2009-01-15 21:42:25 - machine was rebooted [Alohboh] ComboFix-quarantined-files.txt 2009-01-16 02:42:21 Pre-Run: 68,268,875,776 bytes free Post-Run: 68,192,821,248 bytes free 250

GRBrown View Member Profile	Jan 16 2009, 01:13 AM Post #11
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Here are the HijackThis Log AND the startuplist logs that were created after running Combo-Fix successfully the second time. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:49:57 PM, on 1/15/2009 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\AlohaQS\bin\CTLSVR.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted IP range: http://192.168.2.1 O15 - Trusted IP range: http://192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1 O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 5788 bytes StartupList report, 1/15/2009, 9:52:16 PM StartupList version: 1.52.2 Started from : C:\Documents and Settings\Alohboh\Desktop\HJackThis.EXE Detected: Windows XP SP1 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\AlohaQS\bin\CTLSVR.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run IgfxTray = C:\WINDOWS\System32\igfxtray.exe IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] = -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=INI section not found SCRNSAVE.EXE=INI section not found drivers=INI section not found Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=Registry value not found drivers=Registry value not found Policies Shell key: HKCU\..\Policies: Shell=Registry value not found HKLM\..\Policies: Shell=Registry value not found -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\WINDOWS\System32\APPHEL.dll - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} -------------------------------------------------- Enumerating Task Scheduler jobs: At1.job At2.job At3.job At4.job At5.job At6.job At7.job At8.job ISP signup reminder 1.job Norton AntiVirus - Scan my computer - Alohboh.job PCA.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [{9F1C11AA-197B-4942-BA54-47A8489BB47F}] CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8204.5217939815 [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\system32\stobject.dll -------------------------------------------------- End of report, 4,702 bytes Report generated in 0.047 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only

fenzodahl512 View Member Profile	Jan 16 2009, 01:40 AM Post #12
Forum Addict Group: HJT Team Posts: 5,949 Joined: 4-December 07 Member No.: 174,482	Hello... Delete your version of Combo-Fix and download a fresh one from below.. This time, please install Recovery Console and please just say Yes to everything that ComboFix wants to do Link 1 Link 2 Link 3 As usual, run it and post the log here This post has been edited by fenzodahl512: Jan 16 2009, 01:41 AM -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Away for three months (22 August - 1 December 2009)

GRBrown View Member Profile	Jan 16 2009, 02:55 AM Post #13
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Hey Wan, Thanks for the feedback and the clarification! I'll make sure to re-download and re-run Combo-Fix again, and select Yes for the Recovery Console download. Just out of curiosity though, did the logs tell you much of anything? Did the initial first running, and then the complete second running of Combo-Fix that I did earlier (and that was fully successful), achieve any desired results... even though I did not install the Console? How about the most recent HijackThis Log? Any progress? It does seem like the computer is running better. Finally, are there any other steps that you can reasonably give me to do after re-running Combo-Fix? I ask only because it seems the timing of our schedules is a little off (your messages tend to post fairly late at night, btw 1 am and 5 am my time), and since the computer I'm working on is 30 minutes away at my store, it means that I really only get one swipe at it per day. So, if there are any other steps that you can reasonably speculate would be worth doing after the next Combo-Fix run (with the Console being installed of course), then that would be great. If however you really need to see the next Combo-Fix Log before you give any additional steps, that's cool too... I figured it was worth checking, just in case it might save us both some time. But it's all good. Thanks again for the great feedback. G P.S. I just recalled one other oddity during the first running of Combo-Fix. As Combo-Fix did it's thing, deleting stuff or whatever, periodically windows would open dialog boxes that announced programs were shutting down unexpectedly (looked like it was probably malware junk that was running in the background that Combo-Fix was attacking)... anyway, Windows of course prompted me to send error reports to microsoft along the way. When these prompts were present it seemed that Combo-Fix paused until you answered the windows request for error reporting. I of course selected Don't Send for each prompt to keep it from connecting to the internet. But that was another little tidbit in the process that was weird... it really seemed like Combo-Fix could not proceed until those prompts were answered. Just thought you should know. Thanks again Wan. Sincerely, G.

fenzodahl512 View Member Profile	Jan 16 2009, 03:59 AM Post #14
Forum Addict Group: HJT Team Posts: 5,949 Joined: 4-December 07 Member No.: 174,482	QUOTE Just out of curiosity though, did the logs tell you much of anything? Pretty much, everything that we need to know.. QUOTE Did the initial first running, and then the complete second running of Combo-Fix that I did earlier (and that was fully successful), achieve any desired results... even though I did not install the Console? I can see it delete some files.. But we need to install RC QUOTE How about the most recent HijackThis Log? Any progress? I prefer to see other logs.. QUOTE (your messages tend to post fairly late at night, btw 1 am and 5 am my time) I'm from Malaysia.. My timeline is GMT +8.. When I type this msg, I just returned from my class QUOTE If however you really need to see the next Combo-Fix Log before you give any additional steps, that's cool too... I will need to see it QUOTE it really seemed like Combo-Fix could not proceed until those prompts were answered. What prompt?.. Can you give me the details?.. Screenshot would be very nice Waiting for latest ComboFix log -------------------- Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.. Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive Away for three months (22 August - 1 December 2009)

GRBrown View Member Profile	Jan 16 2009, 04:21 AM Post #15
Member Group: Members Posts: 21 Joined: 14-January 09 Member No.: 282,387	Hey Wan, That's cool, like I said it was worth checking to see if there might be some extra steps that I could go ahead a take. But I'll get you the the new Combo-Fix log and then we can take it from there. Interestingly I'm in Florida, so we are technically on almost opposite schedules. Fortunately I'm a bit of a night owl so I'm often up late (too late for my own good even). In fact I'm headed to bed after this post, and right now as I type this it is 4:20 am my time, and from the world clock it appears to be 5:20 pm in Malaysia. So when I get up in 7 hours, it will already be a little past midnight your time. Crazy. But heh, it's working my friend, and I truly appreciate you taking the time to help out. Well that's probably it for me right now. Have a nice evening, and I'll catch up with you, later today my time, and tomorrow your time. G

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

3 Pages

1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 01:19 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides