Bad Trojan Virus


31 replies to this topic

#1 endemic15 (Members, 42 posts)

Posted 02 March 2008 - 03:43 PM

It could be winfixer. It has a very good hold of my system.

Thoughts?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:09 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\jlgwujhx.dll",s
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\ompggjnu.dll",b
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5917 bytes

Edited by endemic15, 02 March 2008 - 04:45 PM.


#2 Blender, "I will eat your Malware" (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 03 March 2008 - 12:35 AM

Hi,

Looks like virtumonde.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • If your security software asks about installing a service; please allow it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting
from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#3 endemic15 (Topic Starter, 42 posts)

Posted 03 March 2008 - 02:50 AM

Thanks. Here ya go.


VundoFix V6.7.10

Checking Java version...

Scan started at 2:27:11 AM 3/3/2008

Listing files found while scanning....

C:\WINDOWS\system32\bmtifplu.dll
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\dpalgrxe.dll
C:\WINDOWS\system32\jjrewkbj.dll
C:\WINDOWS\system32\jlgwujhx.dll
C:\WINDOWS\system32\ompggjnu.dll
C:\WINDOWS\system32\vlpbbtvv.dll
C:\WINDOWS\system32\yaywtuu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bmtifplu.dll
C:\WINDOWS\system32\bmtifplu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\dccdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dpalgrxe.dll
C:\WINDOWS\system32\dpalgrxe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjrewkbj.dll
C:\WINDOWS\system32\jjrewkbj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlgwujhx.dll
C:\WINDOWS\system32\jlgwujhx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ompggjnu.dll
C:\WINDOWS\system32\ompggjnu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vlpbbtvv.dll
C:\WINDOWS\system32\vlpbbtvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywtuu.dll
C:\WINDOWS\system32\yaywtuu.dll Could not be deleted.

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:10 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63846341-4DFE-4CB0-8548-C01C8DDEC750} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: {c7354a1b-3455-81fb-a784-781b0d4a931b} - {b139a4d0-b187-487a-bf18-5543b1a4537c} - C:\WINDOWS\system32\bmtifplu.dll (file missing)
O2 - BHO: (no name) - {CE22ABA3-B540-4D26-9BE2-425AF0F411E8} - C:\WINDOWS\system32\yaywtuu.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\jlgwujhx.dll",s
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\ompggjnu.dll",b
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7153 bytes
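The tell-tales Blender reads off these logs by eye (rundll32 loading random-named DLLs straight out of system32 with a one-letter export, hex-string Run value names, and BHOs with no name or a missing file) can be scored mechanically. The following is an added example written for this page, not code from the thread, HijackThis or VundoFix; the indicator weights and the threshold are the editor's choice, and the sample lines are copied from the logs posted above.

```python
import re
from typing import Dict, List

# Sample HijackThis O2/O4 lines copied from the logs in this thread
# (constructed test input for this example, mixing legitimate and Vundo entries).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63846341-4DFE-4CB0-8548-C01C8DDEC750} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: {c7354a1b-3455-81fb-a784-781b0d4a931b} - {b139a4d0-b187-487a-bf18-5543b1a4537c} - C:\WINDOWS\system32\bmtifplu.dll (file missing)
O2 - BHO: (no name) - {CE22ABA3-B540-4D26-9BE2-425AF0F411E8} - C:\WINDOWS\system32\yaywtuu.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\jlgwujhx.dll",s
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\ompggjnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis line shapes: "O4 - HKLM\..\Run: [value name] command" and
# "O2 - BHO: name - {CLSID} - path".
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$')
# rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
HEXNAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')   # e.g. BM5f8097c2, 5cb3a45e


def _basename(path: str) -> str:
    """File name of a HijackThis path, minus quotes and the '(file missing)' tag."""
    return path.replace(' (file missing)', '').strip('"').rsplit('\\', 1)[-1]


def score_o4(name: str, cmd: str) -> List[str]:
    """Indicators that an O4 Run entry is a Vundo-style rundll32 loader."""
    reasons = []
    m = RUNDLL_RE.match(cmd)
    if m:
        if '\\system32\\' in m.group('dll').lower():
            reasons.append('rundll32 loads a DLL straight from system32')
        if len(m.group('export')) == 1:
            reasons.append('export name is a single letter (%s)' % m.group('export'))
    if HEXNAME_RE.match(name):
        reasons.append('Run value name is a hex string, not a product name')
    return reasons


def score_o2(name: str, path: str) -> List[str]:
    """Indicators that an O2 BHO entry is a Vundo component or a leftover of one."""
    reasons = []
    if name == '(no name)' or GUID_RE.match(name):
        reasons.append('BHO has no descriptive name')
    if '\\system32\\' in path.lower():
        reasons.append('BHO DLL lives in system32 rather than a program folder')
    if '(file missing)' in path:
        reasons.append('registration points at a deleted file (leftover to clean up)')
    return reasons


def suspicious_entries(log_text: str, threshold: int = 2) -> List[Dict[str, object]]:
    """Return the O2/O4 lines that accumulate at least `threshold` indicators."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            reasons = score_o4(m.group('name'), m.group('cmd'))
            r = RUNDLL_RE.match(m.group('cmd'))
            target = _basename(r.group('dll') if r else m.group('cmd'))
            section = 'O4'
        elif (m := O2_RE.match(line)):
            reasons = score_o2(m.group('name'), m.group('path'))
            target = _basename(m.group('path'))
            section = 'O2'
        else:
            continue
        if len(reasons) >= threshold:
            hits.append({'section': section, 'target': target,
                         'reasons': reasons, 'line': line})
    return hits


if __name__ == '__main__':
    for hit in suspicious_entries(SAMPLE_LOG):
        print(f"{hit['section']} {hit['target']}")
        for reason in hit['reasons']:
            print('   -', reason)
```

On the sample above this flags the five random-named system32 DLLs and leaves the Java, Ptipbmf and ctfmon entries alone; the legitimate Ptipbmf line shows why a single indicator (rundll32 alone) is not enough and a threshold is needed.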

#4 endemic15 (Topic Starter, 42 posts)

Posted 03 March 2008 - 07:49 PM

FYI - NOD32 just ran a system scan on startup because it picked up a virus; now it's showing every file is infected.

#5 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 04 March 2008 - 02:05 AM

Ewwww

Show me the log from NOD32 please?

#6 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 04 March 2008 - 02:17 AM

Me again -- sorry my other post was so hasty --

If all your files are infected --- better back up your important pictures, documents and music before doing anything else ..

What I am concerned with at this point is your virus scanner deleting files to the point where you can't restart system to recover important data.
Often too even if the virus can be removed from each file -- they end up corrupted so they no longer work right.

Most file infecting viruses do result in complete format/re-install of the operating system along with all your programs because all exes and scr files are infected.
Often others too.

Normally though music, pictures and documents are OK.

I'd like to know what the infection is before we say it's a write-off. Some file infectors are cleanable.

While doing backups --- don't back up any programs or compressed (zipped/rarred) files with exes.
Pics, docs, music is about all I wanna try backing up at this time till we know more.

If you do end up formatting then using backups --- it is imperative you scan those backups before using any. Just in case.

Thanks

#7 endemic15 (Topic Starter, 42 posts)

Posted 04 March 2008 - 02:24 AM

Here's the threat log from NOD32... it won't let me copy the whole log, but these keep repeating.

Time Module Object Name Threat Action User Information
3/3/2008 19:39:51 PM Kernel file C:\WINDOWS\system32\eylpqdhq.dll Win32/Adware.AdMedia application Alert was generated during the system startup file check.
3/3/2008 19:39:51 PM Kernel file C:\WINDOWS\system32\yaywtuu.dll Win32/Adware.Virtumonde application Alert was generated during the system startup file check.
3/3/2008 19:39:50 PM Kernel file c:\windows\system32\yaywtuu.dll Win32/Adware.Virtumonde application Alert was generated during the system startup file check.
3/3/2008 19:39:43 PM Kernel file c:\windows\system32\eylpqdhq.dll Win32/Adware.AdMedia application Alert was generated during the system startup file check.
3/2/2008 16:43:43 PM IMON archive http://sec.storageguardsoft.com/securepccl...nstaller_en.cab Win32/Adware.WinFixer application quarantined - Connection terminated 93E9EFB3BC2845D\qw
3/2/2008 15:34:31 PM IMON file http://scanner2.malware-scan.com/5_swp/sca...d=2&mt_info probably a variant of JS/TrojanDownloader.Agent.NBQ trojan Connection terminated 93E9EFB3BC2845D\qw
3/1/2008 13:43:57 PM AMON file C:\DOCUME~1\qw\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application quarantined - deleted - error while cleaning - operation unavailable for this type of object Event occurred on a newly created file. The file was moved to quarantine. You may close this window.

Edited by endemic15, 04 March 2008 - 02:34 AM.


#8 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 04 March 2008 - 02:32 AM

Hi,

I'm not sure how to see the actual log of what threats were found in NOD32 as I have not used it in forever --
Can you remember the name of the virus found?
Namely the one it said was infecting all your files?

#9 endemic15 (Topic Starter, 42 posts)

Posted 04 March 2008 - 02:34 AM

Sorry check above. I just modified the post.

#10 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 04 March 2008 - 02:42 AM

Ahh OK, that's better!

Virtumonde is a bit hard to get rid of but this isn't what I thought NOD was warning about.
Not file infectors here. Shew!!

gimme a few min and I'll post new instructions for more system info.

Thanks

#11 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 04 March 2008 - 02:43 AM

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

thanks :thumbsup:

#12 endemic15 (Topic Starter, 42 posts)

Posted 04 March 2008 - 02:49 AM

Here ya go:

Deckard's System Scanner v20071014.68
Run by qw on 2008-03-04 02:44:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-03-04 10:44:54 UTC - RP656 - Deckard's System Scanner Restore Point
16: 2008-03-04 04:16:59 UTC - RP655 - System Checkpoint
15: 2008-03-03 01:15:15 UTC - RP654 - System Checkpoint
14: 2008-03-01 21:52:39 UTC - RP653 - Last known good configuration
13: 2008-03-01 21:50:47 UTC - RP652 - System Checkpoint


-- First Restore Point --
1: 2008-03-01 21:49:47 UTC - RP640 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as qw.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:09 AM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\qw\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\qw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19DDB597-3908-4EE2-83D6-A9B5A8D584D4} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: {af305302-b96d-6ebb-a964-ca83d9846562} - {2656489d-38ac-469a-bbe6-d69b203503fa} - C:\WINDOWS\system32\udkyrbod.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63846341-4DFE-4CB0-8548-C01C8DDEC750} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {b139a4d0-b187-487a-bf18-5543b1a4537c} - (no file)
O2 - BHO: (no name) - {CE22ABA3-B540-4D26-9BE2-425AF0F411E8} - C:\WINDOWS\system32\yaywtuu.dll (file missing)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [5cb3a45e] rundll32.exe "C:\WINDOWS\system32\wqsgubmd.dll",b
O4 - HKLM\..\Run: [BM5f8097c2] Rundll32.exe "C:\WINDOWS\system32\eylpqdhq.dll",s
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://nyc-pxy02.insidemedia.net/whalecom0...m0/iNotes6W.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188731753609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7114 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 DigiFilter - c:\windows\system32\drivers\digifilter.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
R0 MDPMGRNT - c:\windows\system32\drivers\mdpmgrnt.sys <Not Verified; Mediafour Corporation; Mediafour MacDrive>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok®>
R1 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>

S3 BCM42RLY - c:\windows\system32\bcm42rly.sys (file missing)
S3 catchme - c:\docume~1\qw\locals~1\temp\catchme.sys (file missing)
S3 dalwdmservice (dal service) - c:\windows\system32\drivers\dalwdm.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 IPFilter (Microsoft IntelliPoint Features driver) - c:\windows\system32\drivers\ipfilter.sys (file missing)
S3 KMW_KBD (Kensington Input Devices Class filter driver) - c:\windows\system32\drivers\kmw_kbd.sys (file missing)
S3 KMW_USB (Kensington MouseWorks USB filter driver) - c:\windows\system32\drivers\kmw_usb.sys <Not Verified; Kensington Technology Group; KMW>
S3 MDFSYSNT - c:\windows\system32\drivers\mdfsysnt.sys <Not Verified; Mediafour Corporation; MacDrive>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys (file missing)
S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys (file missing)
S3 rt2500usb (DWL-G122(rev.B) USB Wireless LAN Driver) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 iPAHelper.exe - c:\program files\ipod access for windows\ipahelper.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S4 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s (file missing)
S4 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>
S4 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-04 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-03-04 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-03-04 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-03-03 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-03-03 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-03-03 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-03-03 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-03-03 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-03-02 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-03-02 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-03-02 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-03-02 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-03-01 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-03-01 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-03-01 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-03-01 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-02-29 22:52:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-29 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-02-29 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-02-29 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-02-29 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-02-23 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-02-23 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-02-22 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-02-21 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job


-- Files created between 2008-02-04 and 2008-03-04 -----------------------------

2008-03-03 02:53:48 84544 --a------ C:\WINDOWS\system32\wqsgubmd.dll
2008-03-03 02:53:45 89664 --a------ C:\WINDOWS\system32\udkyrbod.dll
2008-03-03 02:52:56 260655 --ahs---- C:\WINDOWS\system32\utstv.ini2
2008-03-03 02:52:54 291328 --a------ C:\WINDOWS\system32\vtstu.dll
2008-03-03 02:27:11 0 d-------- C:\VundoFix Backups
2008-03-02 17:26:43 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 17:26:43 2547 --a------ C:\WINDOWS\unins000.dat
2008-03-02 15:32:03 0 d-------- C:\Program Files\Trend Micro
2008-03-01 13:44:08 0 d-------- C:\Program Files\Magic Video Converter
2008-02-09 15:48:51 0 d-------- C:\Program Files\Microsoft Works
2008-02-09 15:47:53 0 d-------- C:\Program Files\Microsoft.NET
2008-02-09 15:46:17 0 d-------- C:\WINDOWS\SHELLNEW
2008-02-09 15:45:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-09 15:45:40 0 dr-h----- C:\MSOCache


-- Find3M Report ---------------------------------------------------------------

2008-03-02 15:29:40 0 d-------- C:\Program Files\SpywareBlaster
2008-03-01 17:44:10 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-01 17:04:47 0 d-------- C:\Program Files\Soulseek
2008-02-24 16:32:17 0 d-------- C:\Documents and Settings\qw\Application Data\Digidesign
2008-02-18 15:57:14 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-18 01:29:39 0 d-------- C:\Program Files\BitComet
2008-02-09 15:48:25 0 d-------- C:\Program Files\Common Files
2008-01-22 22:17:49 0 d-------- C:\Documents and Settings\qw\Application Data\CoreFTP
2008-01-21 19:42:45 0 d-------- C:\Program Files\Audacity
2008-01-21 18:17:01 0 d-------- C:\Program Files\Replay Media Catcher
2008-01-20 22:28:33 0 d-------- C:\Documents and Settings\qw\Application Data\Opera
2008-01-19 12:49:58 0 d-------- C:\Program Files\iTunes
2008-01-19 12:49:49 0 d-------- C:\Program Files\iPod
2008-01-19 12:48:53 0 d-------- C:\Program Files\QuickTime
2008-01-13 22:18:36 287 --a------ C:\Documents and Settings\qw\Application Data\iPod Access v4 Prefs
2008-01-13 22:16:12 0 d-------- C:\Program Files\iPod Access for Windows
2008-01-13 22:02:13 10 --ah----- C:\Documents and Settings\qw\Application Data\iPodAccess_Time
2008-01-06 08:03:50 0 d-------- C:\Program Files\CoreFTP
2008-01-04 23:44:10 0 d-------- C:\Documents and Settings\qw\Application Data\AdobeUM
2008-01-04 23:38:53 0 d-------- C:\Documents and Settings\qw\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19DDB597-3908-4EE2-83D6-A9B5A8D584D4}]
03/03/2008 02:52 AM 291328 --a------ C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2656489d-38ac-469a-bbe6-d69b203503fa}]
03/03/2008 02:53 AM 89664 --a------ C:\WINDOWS\system32\udkyrbod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63846341-4DFE-4CB0-8548-C01C8DDEC750}]
C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b139a4d0-b187-487a-bf18-5543b1a4537c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE22ABA3-B540-4D26-9BE2-425AF0F411E8}]
C:\WINDOWS\system32\yaywtuu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [06/19/2003 11:06 PM C:\WINDOWS\system32\ptipbmf.dll]
"POINTER"="point32.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/01/2007 09:58 PM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/28/2007 07:52 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"5cb3a45e"="C:\WINDOWS\system32\wqsgubmd.dll" [03/03/2008 02:53 AM]
"BM5f8097c2"="C:\WINDOWS\system32\eylpqdhq.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CE22ABA3-B540-4D26-9BE2-425AF0F411E8}"= C:\WINDOWS\system32\yaywtuu.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
"C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Capture Device Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b01f0549-a6bd-11dc-9777-00112fe17869}]
AutoRun\command- wd_windows_tools\setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8002 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-04 02:47:02 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3400+
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1022.73 MiB / 529.8 MiB
Pagefile Memory (total/avail): 2516.09 MiB / 2189.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.06 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 17.85 GiB free.
D: is Fixed (NTFS) - 111.79 GiB total, 28.68 GiB free.
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE1 - WDC WD1200JB-00GVA0 - 111.79 GiB - 1 partition
\PARTITION0 - Installable File System - 111.79 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD800JB-00JJA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\FTP Commander\\ftpcomm.exe"="C:\\Program Files\\FTP Commander\\ftpcomm.exe:*:Enabled:ftpcomm"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\qw\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=93E9EFB3BC2845D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\qw
LOGONSERVER=\\93E9EFB3BC2845D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Executive Software\Diskeeper\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\qw\LOCALS~1\Temp
TMP=C:\DOCUME~1\qw\LOCALS~1\Temp
USERDOMAIN=93E9EFB3BC2845D
USERNAME=qw
USERPROFILE=C:\Documents and Settings\qw
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

qw (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Aimersoft DVD Ripper(Build 1.0.16) --> "C:\Program Files\Aimersoft\DVD Ripper\unins000.exe"
AmpliTube --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C352D8A-6105-44C8-9371-43599AA01375}\setup.exe" -l0x9
Antares Auto-Tune 3.00 RTAS PC --> C:\PROGRA~1\DIGIDE~2\Dae\Plug-Ins\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\Dae\Plug-Ins\INSTALL.LOG
Antares Autotune DX v4.12 --> C:\PROGRA~1\Antares\AUTOTU~1\ANTARE~1\UNWISE.EXE C:\PROGRA~1\Antares\AUTOTU~1\ANTARE~1\INSTALL.LOG
Antares AVOX Vocal Kit Bundle RTAS v1.02 --> C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
Antares Kantos v1.02 VST & RTAS --> C:\PROGRA~1\Antares\UNWISE.EXE C:\PROGRA~1\Antares\INSTALL.LOG
Antares Microphone Modeler DX v1.32 --> C:\PROGRA~1\Antares\MicModDX\UNINST~1\UNWISE.EXE C:\PROGRA~1\Antares\MicModDX\UNINST~1\INSTALL.LOG
Antares Tube v1.02 RTAS --> C:\PROGRA~1\Antares\UNWISE.EXE C:\PROGRA~1\Antares\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASAPI Update --> C:\WINDOWS\system32\IWUNIN~1.EXE -uninstall C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
ASIO4ALL v2 --> C:\Program Files\ASIO4ALL v2\uninstall.exe
BitComet 0.94 --> C:\Program Files\BitComet\uninst.exe
Bomb Factory (48k Edition) v3.15 --> C:\PROGRA~1\DIGIDE~2\Dae\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\Dae\INSTALL.LOG
Bomb Factory PlugIns --> C:\PROGRA~1\\BOMBFA~1\UNWISE.EXE C:\PROGRA~1\\BOMBFA~1\INSTALL.LOG
Celemony Melodyne v2.5.0.6 Studio Edition --> C:\PROGRA~1\Celemony\MELODY~1.5\UNWISE.EXE C:\PROGRA~1\Celemony\MELODY~1.5\INSTALL.LOG
Core FTP LE 2.0 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
Digidesign ASIO Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{54FCF706-A181-489C-9C34-DBCF764DC214}\Setup.exe" -l0x9 FromUninstall
DigiDesign DINR AudioSuite v3.41.330 --> C:\PROGRA~1\DIGIDE~2\UNINST~1\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\UNINST~1\DINR.LOG
DigiDesign Focusrite D2 1.71.345 --> C:\PROGRA~1\DIGIDE~2\UNINST~1\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\UNINST~1\focusrited2.LOG
DigiDesign Focusrite D3 AudioSuite 1.51.345 --> C:\PROGRA~1\DIGIDE~2\UNINST~1\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\UNINST~1\focusrite.LOG
Digidesign Maxim --> C:\PROGRA~1\DIGIDE~2\PROTOO~1\Maxim\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\PROTOO~1\Maxim\INSTALL.LOG
Digidesign Pro Tools® LE 6.4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C79B479-0ACE-4DCA-AA6B-5E617C356D72}\Setup.exe" -l0x9 FromMaintenance
Digidesign Pro Tools® LE 6.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2855E177-C18C-4834-AC0A-01D8E015D167}\Setup.exe" -l0x9 FromMaintenance
Digidesign Shared Plug-Ins --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCD674C-1751-4548-9005-980F03083187}\Setup.exe" -l0x9 FromUninstall
Digidesign Soundreplacer --> C:\PROGRA~1\DIGIDE~2\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\INSTALL.LOG
Diskeeper Professional Edition --> MsiExec.exe /X{76EF79CA-A6A8-41C4-AE49-E49BA075FA51}
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
Elemental Audio Max Bundle --> C:\PROGRA~1\ELEMEN~1\UNWISE.EXE C:\PROGRA~1\ELEMEN~1\INSTALL.LOG
FMJSoft Chromatia Tuner v2.0 --> C:\PROGRA~1\CHROMA~1\UNWISE.EXE C:\PROGRA~1\CHROMA~1\INSTALL.LOG
Focusrite d3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Digidesign\Uninstaller Logs\Focusrite d3.isu"
FXpansion DR-008 --> C:\PROGRA~1\FXPANS~1\DR-008\UNWISE.EXE C:\PROGRA~1\FXPANS~1\DR-008\INSTALL.LOG
GRM Tools RTAS v1.04 --> C:\PROGRA~1\GRMTOO~1.4\UNWISE.EXE C:\PROGRA~1\GRMTOO~1.4\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
InterVideo DeviceService --> MsiExec.exe /I{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}
iPod Access for Windows v4.1.3 --> "C:\Program Files\iPod Access for Windows\unins000.exe"
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
iZotope Ozone v3.05 --> C:\PROGRA~1\iZotope\Ozone\OZONE3~1\UNWISE.EXE C:\PROGRA~1\iZotope\Ozone\OZONE3~1\INSTALL.LOG
iZotope Spectron v1.02 --> C:\PROGRA~1\iZotope\Spectron\UNWISE.EXE C:\PROGRA~1\iZotope\Spectron\INSTALL.LOG
iZotope Spectron v1.04 --> C:\PROGRA~1\iZotope\Spectron\UNINST~1\UNWISE.EXE C:\PROGRA~1\iZotope\Spectron\UNINST~1\INSTALL.LOG
iZotope Trash v1.04 --> C:\PROGRA~1\iZotope\Trash\UNINST~1\UNWISE.EXE C:\PROGRA~1\iZotope\Trash\UNINST~1\INSTALL.LOG
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LADSPA_plugins-win-0.4.15 --> "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
Lexicon PSP 42 VST DX v1.0 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\LEXICO~1\Log\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\LEXICO~1\Log\INSTALL.LOG
Lounge Lizard EP-2 v2.0 --> C:\PROGRA~1\LOUNGE~1\UNINST~1\UNWISE.EXE C:\PROGRA~1\LOUNGE~1\UNINST~1\INSTALL.LOG
MacDrive 5 --> MsiExec.exe /I {35492B7F-47BB-42DD-8FB5-C2F817256078}
Magic Video Converter Trial Version (English) 8.0.2.18 --> "C:\Program Files\Magic Video Converter\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Native Instruments Guitar Rig v1.2 --> C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Nomad Factory Blue Tubes Bundle v2.0 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~2\BLUETU~1\NOMADF~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~2\BLUETU~1\NOMADF~1\INSTALL.LOG
Nomad Factory Liquid Bundle VST v1.6 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~2\LIQUID~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~2\LIQUID~1\INSTALL.LOG
Nomad Factory Rock Amp Legends VST v1.0 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~1\INSTALL.LOG
Nuendo Dolby Digital Encoder 1.01 --> C:\PROGRA~1\SPECTR~1\UNINST~1\NUENDO~1\UNWISE.EXE C:\PROGRA~1\SPECTR~1\UNINST~1\NUENDO~1\INSTALL.LOG
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OrangeVocoder v2.0-OxYGeN --> C:\WINDOWS\vocoder\UNWISE.EXE C:\WINDOWS\vocoder\INSTALL.LOG
PACE System Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}\Setup.exe" -l0x9 FromUninstall
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pitch 'n Time AudioSuite --> C:\PROGRA~1\DIGIDE~2\UNINST~1\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\UNINST~1\pitchandtime.log
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PSP 84 v1.0 --> C:\PROGRA~1\PSP84~1\UNWISE.EXE C:\PROGRA~1\PSP84~1\INSTALL.LOG
PSP Nitro VST and DX 1.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\PSP Nitro\irunin.ini"
PSP VintageWarmer v1.5d --> C:\PROGRA~1\PSPVIN~1\UNWISE.EXE C:\PROGRA~1\PSPVIN~1\INSTALL.LOG
PSP_Audioware_Mastercomp_DX_RTAS_VST_v1.0-PLZ --> C:\PROGRA~1\PSP_AU~1\MASTER~1\UNWISE.EXE C:\PROGRA~1\PSP_AU~1\MASTER~1\INSTALL.LOG
quantum-fx 1.06 --> "C:\Program Files\db-audioware\quantum-fx\uninstall.exe"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Replay AV 8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Replay AV 8\uninstallRAV8.ini"
Replay Converter 2.75C --> C:\WINDOWS\iun6002.exe "C:\Program Files\Replay AV 8\iruninRCV.ini"
Replay Media Catcher --> "C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
ReValver --> "C:\Program Files\Alien Connections\ReValver\alloff.exe" C:\WINDOWS\uninst.exe -f"C:\Program Files\Alien Connections\ReValver\DeIsL1.isu" -cC:\PROGRA~1\ALIENC~1\ReValver\_ISREG32.DLL
rgcAudio Pentagon I v1.21 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\RGCAUD~1.21\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\RGCAUD~1.21\INSTALL.LOG
rgcAudio Pentagon I VSTi v1.0 --> "C:\Program Files\Cubase VST32\Vstplugins\Vstplugins\unins000.exe"
rgcAudio Triangle I VSTi v1.1 --> "C:\Program Files\Cubase VST32\Vstplugins\unins000.exe"
rpsoft 2000 Convert --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Convrp00\ST6UNST.LOG"
Serato Scratch Studio Edition RTAS v1.0 --> C:\PROGRA~1\Serato\SCRATC~1\UNWISE.EXE C:\PROGRA~1\Serato\SCRATC~1\INSTALL.LOG
Serato.Pitch.n.Time.RTAS.v2.2.1 --> C:\PROGRA~1\DIGIDE~2\Dae\Serato\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\Dae\Serato\INSTALL.LOG
Sonalksis SV-315 Compressor Plug-in (evaluation) --> MsiExec.exe /I{0B33A412-13FF-4F2C-8C7A-64D71E8A5CBC}
Sony Inflator RTAS v1.0 --> C:\PROGRA~1\DIGIDE~2\Dae\Plug-Ins\DAE\Plug-Ins\Inflator\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\Dae\Plug-Ins\DAE\Plug-Ins\Inflator\INSTALL.LOG
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spark FXMachine 2.1 --> C:\PROGRA~1\TcWorks\SPARKF~1\UNWISE.EXE C:\PROGRA~1\TcWorks\SPARKF~1\INSTALL.LOG
SPEED 1.04 --> C:\PROGRA~1\DIGIDE~2\UNINST~1\UNWISE.EXE C:\PROGRA~1\DIGIDE~2\UNINST~1\speed.log
SpinAudio 3DDelays 1.0 --> C:\Program Files\Spin Audio\Common\uninst.exe "3DDelays"
SpinAudio 3DPanner Studio 1.0 --> C:\Program Files\Spin Audio\Common\3dpsunin.exe
SpinAudio RoomVerb M2 2.0 Demo --> C:\Program Files\Spin Audio\Common\uninst.exe "RoomVerb M2 2.0"
SpinAudio RoomVerb M2 2.1 --> C:\Program Files\SpinAudio\RoomVerb M2\uninst.exe "RoomVerb M2"
SpinAudio RoomVerb M2 v2.1.142 --> C:\PROGRA~1\SPINAU~2\ROOMVE~1\UNWISE.EXE C:\PROGRA~1\SPINAU~2\ROOMVE~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Steinberg GRM-Tools Volume One v1.2 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\GRM-TO~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\GRM-TO~1\INSTALL.LOG
Steinberg GRM Tools Vol.2 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\GRMTOO~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\GRMTOO~1\INSTALL.log
Steinberg WaveLab 5.00a --> C:\PROGRA~1\STEINB~1\WaveLab\UNWISE.EXE C:\PROGRA~1\STEINB~1\WaveLab\INSTALL.LOG
Synchro Arts VocAlign Project AudioSuite PlugIn v2.8 --> C:\PROGRA~1\SYNCHR~1\VOCALI~1\UNWISE.EXE C:\PROGRA~1\SYNCHR~1\VOCALI~1\INSTALL.LOG
TC Native Bundle DX VST v2.02 --> C:\PROGRA~1\TCNATI~1.02\UNWISE.EXE C:\PROGRA~1\TCNATI~1.02\INSTALL.LOG
TC.Works.Mercury.v1.01.VSTi.Factory.Presets.for.LAP --> C:\PROGRA~1\Emagic\Logic5\PLUG-I~1\MERCUR~1\UNWISE.EXE C:\PROGRA~1\Emagic\Logic5\PLUG-I~1\MERCUR~1\INSTALL.LOG
TC.Works.Native.Bundle.v3.0.VST.WinAll-cRime --> C:\PROGRA~1\TCNATI~1\UNWISE.EXE C:\PROGRA~1\TCNATI~1\INSTALL.LOG
TimeWorks Mastering EQ --> C:\PROGRA~1\TIMEWO~1\MASTER~1\UNWISE.EXE C:\PROGRA~1\TIMEWO~1\MASTER~1\INSTALL.LOG
Timeworks Millenium Pack --> C:\Audio\TIMEWO~1\UNWISE.EXE C:\Audio\TIMEWO~1\INSTALL.LOG
Timeworks ReverbX --> C:\PROGRA~1\TIMEWO~1\ReverbX\UNWISE.EXE C:\PROGRA~1\TIMEWO~1\ReverbX\INSTALL.LOG
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VIA Integrated Setup Wizard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Voxengo GlissEQ VST 2.0 --> "C:\Program Files\Steinberg\Vstplugins\Voxengo GlissEQ VST\uninstall.exe"
Voxengo PHA-979 VST 1.1 --> "C:\Program Files\Steinberg\Vstplugins\Voxengo PHA-979 VST\uninstall.exe"
VST to RTAS Adapter --> C:\PROGRA~1\FXPANS~1\Vst2Rtas\UNWISE.EXE C:\PROGRA~1\FXPANS~1\Vst2Rtas\INSTALL.LOG
WaveMachine Labs Drumagog VST RTAS v4.02 --> C:\PROGRA~1\DRUMAG~1\UNWISE.EXE C:\PROGRA~1\DRUMAG~1\INSTALL.LOG
Waves 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C4D25EB-6513-4702-8355-F4194DE2E1D9}\setup.exe" -l0x9
Waves Diamond Bundle v5.0 --> C:\PROGRA~1\Waves\UNINST~1\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~1\INSTALL.LOG
Waves IR1 v5.1 --> C:\PROGRA~1\Waves\UNINST~2\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~2\INSTALL.LOG
Waves L3 Multimaximizer v1.0 --> C:\PROGRA~1\Waves\MULTIM~1\UNWISE.EXE C:\PROGRA~1\Waves\MULTIM~1\INSTALL.LOG
Waves Renaissance Collection 2 --> C:\PROGRA~1\Waves\rencoll2\UNWISE.EXE C:\PROGRA~1\Waves\rencoll2\rencoll2.log
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPcap 4.0 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type8058 / Error
Event Submitted/Written: 02/29/2008 10:37:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module imon.dll, version 2.70.39.0, fault address 0x0002472a.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type8010 / Error
Event Submitted/Written: 02/22/2008 03:37:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application itunes.exe, version 7.6.0.29, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [itunes.exe!ws!]

Event Record #/Type7916 / Warning
Event Submitted/Written: 02/09/2008 03:48:55 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, OffProv12, has been registered in the WMI namespace, Root\MSAPPS12, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type7862 / Error
Event Submitted/Written: 02/03/2008 05:22:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module imon.dll, version 2.70.39.0, fault address 0x0002472a.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type45486 / Error
Event Submitted/Written: 03/04/2008 02:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At3.job command failed to start due to the following error:
%%2147942402

Event Record #/Type45485 / Error
Event Submitted/Written: 03/04/2008 01:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At2.job command failed to start due to the following error:
%%2147942402

Event Record #/Type45484 / Error
Event Submitted/Written: 03/04/2008 00:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At1.job command failed to start due to the following error:
%%2147942402

Event Record #/Type45483 / Error
Event Submitted/Written: 03/03/2008 11:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At24.job command failed to start due to the following error:
%%2147942402

Event Record #/Type45482 / Error
Event Submitted/Written: 03/03/2008 10:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At23.job command failed to start due to the following error:
%%2147942402



-- End of Deckard's System Scanner: finished at 2008-03-04 02:47:02 ------------

#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:01:08 AM

Posted 04 March 2008 - 03:51 AM

Thanks :blink:

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Next:

Please follow instructions on this page for using ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the c:\combofix.txt please when done.

Notes:

--Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.

Let me know how the system is running.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#14 endemic15

endemic15
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 04 March 2008 - 09:19 AM

Here's the latest...

I have 2 error windows that popup at startup:

RUNDLL C\WINDOWS\System32\eylpqdhq.dll
RUNDLL C\WINDOWS\System32\wqsgubmd.dll

Also, a pop up window that says the "A" drive is not accessible. I rarely, if ever, use the A drive, so I could disable the A drive altogether.



ComboFix 08-03-04.2 - qw 2008-03-04 9:06:17.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.692 [GMT -8:00]
Running from: C:\Documents and Settings\qw\Local Settings\Temporary Internet Files\Content.IE5\01Q3K1IZ\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5f8097c2.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bvwrquge.dll
C:\WINDOWS\system32\dmbugsqw.ini
C:\WINDOWS\system32\eguqrwvb.ini
C:\WINDOWS\system32\nybuwqrm.dll
C:\WINDOWS\system32\udkyrbod.dll
C:\WINDOWS\system32\unjggpmo.ini
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vvtbbplv.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 02:44 . 2008-03-04 02:44 <DIR> d-------- C:\Deckard
2008-03-03 02:27 . 2008-03-03 22:09 <DIR> d-------- C:\VundoFix Backups
2008-03-02 17:26 . 2008-03-02 17:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 17:26 . 2008-03-02 17:26 2,547 --a------ C:\WINDOWS\unins000.dat
2008-03-02 15:32 . 2008-03-02 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 13:44 . 2008-03-01 14:01 <DIR> d-------- C:\Program Files\Magic Video Converter
2008-03-01 13:44 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-02-09 15:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-09 15:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-09 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-09 15:49 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-09 15:48 . 2008-02-09 15:48 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-09 15:47 . 2008-02-09 15:47 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-09 15:46 . 2008-02-09 15:46 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-09 15:45 . 2008-02-09 15:45 <DIR> dr-h----- C:\MSOCache
2008-02-09 15:45 . 2008-02-09 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 10:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 10:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-02 23:29 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-02 01:04 --------- d-----w C:\Program Files\Soulseek
2008-02-25 00:32 --------- d-----w C:\Documents and Settings\qw\Application Data\Digidesign
2008-02-18 23:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-18 09:29 --------- d-----w C:\Program Files\BitComet
2008-02-08 02:29 --------- d-----w C:\Program Files\ESET
2008-01-23 06:17 --------- d-----w C:\Documents and Settings\qw\Application Data\CoreFTP
2008-01-22 03:42 --------- d-----w C:\Program Files\Audacity
2008-01-22 02:17 --------- d-----w C:\Program Files\Replay Media Catcher
2008-01-19 20:49 --------- d-----w C:\Program Files\iTunes
2008-01-19 20:49 --------- d-----w C:\Program Files\iPod
2008-01-19 20:48 --------- d-----w C:\Program Files\QuickTime
2008-01-14 06:16 --------- d-----w C:\Program Files\iPod Access for Windows
2008-01-14 06:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Findley Designs
2008-01-06 16:03 --------- d-----w C:\Program Files\CoreFTP
2008-01-05 07:44 --------- d-----w C:\Documents and Settings\qw\Application Data\AdobeUM
2005-12-20 08:56 13,164 -c--a-w C:\Program Files\INSTALL.LOG
2003-08-25 04:05 339,944 -c--a-w C:\Program Files\UNWISE.EXE
2007-03-09 07:12 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-27 02:08 286,752 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63846341-4DFE-4CB0-8548-C01C8DDEC750}]
C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-19 23:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"POINTER"="point32.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [ ]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-01 21:58 949376]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-28 07:52 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"BM5f8097c2"="C:\WINDOWS\system32\eylpqdhq.dll" [ ]
"5cb3a45e"="C:\WINDOWS\system32\wqsgubmd.dll" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^qw^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\qw\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 07:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2007-10-08 00:54 6338872 C:\Program Files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a--c--- 2005-07-26 16:52 184408 C:\Program Files\Executive Software\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
-ra--c--- 2002-12-17 14:43 61440 C:\Program Files\Common Files\Mediafour\MACVNTFY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2004-08-29 12:23 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2004-08-29 12:23 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 02:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-04-28 07:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"DigiRefresh"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Capture Device Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26524:TCP"= 26524:TCP:BitComet 26524 TCP
"26524:UDP"= 26524:UDP:BitComet 26524 UDP
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFi~1.sys [2004-03-31 03:00]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2003-11-05 16:06]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 19:22]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 21:46]
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2004-09-27 12:51]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2004-01-19 15:07]
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2003-10-07 13:38]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b01f0549-a6bd-11dc-9777-00112fe17869}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 06:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-04 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-29 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-29 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-01 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-01 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-01 22:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-01 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-03 00:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-03 01:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-03 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-03 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 07:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 11:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-22 12:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-23 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-23 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-21 15:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-02-29 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 09:13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-04 9:15:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 17:15:51
.
2008-02-20 11:01:26 --- E O F ---

Edited by endemic15, 04 March 2008 - 09:25 AM.


#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:01:08 AM

Posted 05 March 2008 - 06:11 AM

Hi,

sorry for delay -- ISP acting nutty again.

There should be no need to disable the floppy -- I'd like to figure out what is going on with it.
Something is calling for it -- I wanna know what. :blink:

I have 2 error windows that popup at startup:

RUNDLL C\WINDOWS\System32\eylpqdhq.dll
RUNDLL C\WINDOWS\System32\wqsgubmd.dll


Good sign -- those dll files the system is trying to run are no longer present (baddies).
So you get the error.
The next round should clear that up.

Please download ComboFix again -- but save it to the desktop. Don't run it from the download site.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Next:

Open notepad and copy the following text to it.

file::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63846341-4DFE-4CB0-8548-C01C8DDEC750}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM5f8097c2"=-
"5cb3a45e"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b01f0549-a6bd-11dc-9777-00112fe17869}]

Save this as CFScript.txt to the desktop. It must be on desktop with combofix to work.

Shut down running programs and disconnect from internet.

Drag CFScript.txt on top of ComboFix.exe

like this:

Posted Image

Post the new ComboFix.txt please.

Let me know how the system is running.

thanks :thumbsup:
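Blender's reply reads the ComboFix log for two indicators and then removes them with a CFScript: Run values whose file is already gone (the empty "[ ]" metadata, which is what produces the RUNDLL errors) with generated-looking names, and a block of At*.job tasks that all launch one random-named executable from system32. The following Python triage script is an added example, not code from the thread, BleepingComputer or ComboFix: it parses a constructed excerpt in the log layout shown above, flags both patterns, and renders a CFScript in the same shape as the one in the post. The 8-character file-stem heuristic and the `min_jobs` threshold are assumptions, and the empty-metadata check matters because legitimate entries (DigidesignMMERefresh above) also show "[ ]".

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in the ComboFix log layout seen in this thread; not a real log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-01 21:58 949376]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [ ]
"BM5f8097c2"="C:\WINDOWS\system32\eylpqdhq.dll" [ ]
"5cb3a45e"="C:\WINDOWS\system32\wqsgubmd.dll" [ ]
Contents of the 'Scheduled Tasks' folder
"2008-03-01 06:52:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-04 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"2008-03-04 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\8L0jE8ey.exe
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')
TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (C:\\[^"]+\.job)"$')
AT_JOB_RE = re.compile(r"At\d+\.job", re.IGNORECASE)

def looks_random(path):
    """Weak heuristic (an assumption, not a ComboFix rule): an 8-character alphanumeric
    stem such as eylpqdhq or 8L0jE8ey. Only used together with a second signal."""
    stem = PureWindowsPath(path).stem
    return len(stem) == 8 and stem.isalnum()

def parse_run_values(log_text):
    """Values under a Run key as dicts; 'meta' is empty when ComboFix printed '[ ]',
    i.e. the referenced file no longer exists on disk."""
    values, key = [], None
    for line in log_text.splitlines():
        head = RUN_KEY_RE.match(line)
        if head:
            key = head.group(1)
            continue
        if line.startswith("["):          # any other key ends the Run block
            key = None
            continue
        item = RUN_VALUE_RE.match(line) if key else None
        if item:
            values.append({"key": key, "name": item.group(1),
                           "target": item.group(2), "meta": item.group(3).strip()})
    return values

def parse_scheduled_tasks(log_text):
    """(job path, launched command) pairs from the Scheduled Tasks section."""
    lines = log_text.splitlines()
    tasks = []
    for i, line in enumerate(lines[:-1]):
        m = TASK_RE.match(line)
        if m and lines[i + 1].startswith("- "):
            tasks.append((m.group(1), lines[i + 1][2:].strip()))
    return tasks

def missing_random_run_values(values):
    """Run values whose file is gone AND whose target looks generated: the pair
    behind the RUNDLL errors reported in this thread."""
    return [v for v in values if v["meta"] == "" and looks_random(v["target"])]

def clustered_at_jobs(tasks, min_jobs=3):
    """At<N>.job tasks that all launch one random-named executable (the hourly
    8L0jE8ey.exe pattern above); min_jobs is an assumed threshold."""
    by_target = defaultdict(list)
    for job, target in tasks:
        if AT_JOB_RE.fullmatch(PureWindowsPath(job).name):
            by_target[target].append(job)
    return {t: sorted(jobs) for t, jobs in by_target.items()
            if len(jobs) >= min_jobs and looks_random(t)}

def build_cfscript(run_hits, job_clusters):
    """Render a CFScript in the shape used in the post above: a File:: list of
    jobs to remove and Registry:: lines deleting each flagged Run value."""
    out = ["File::"]
    for jobs in job_clusters.values():
        out.extend(jobs)
    out += ["", "Registry::"]
    for key in sorted({v["key"] for v in run_hits}):
        out.append(f"[{key}]")
        out.extend(f'"{v["name"]}"=-' for v in run_hits if v["key"] == key)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    hits = missing_random_run_values(parse_run_values(SAMPLE_LOG))
    clusters = clustered_at_jobs(parse_scheduled_tasks(SAMPLE_LOG))
    print(build_cfscript(hits, clusters))
```

The generated script is a candidate for a human to review against the full log, as the helper did here, not something to feed to ComboFix unread.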



