Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Vundo


  • Please log in to reply
1 reply to this topic

#1 sdtgt

sdtgt

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 30 April 2008 - 02:31 AM

Hi,

I've had a persistent Vundo infection for several weeks now. I have tried vundofix, virtumundobegone and the symantec removal tool to no avail. The infection has also virtually disabled my VirusScan software. Although it detects the trojan and quarantines the file every few seconds, the file and infection remain in the windows\system32 folder. I have run DSS. Here is the output. I'd really appreciate your help with this.

Thanks,

sid

main.txt
Deckard's System Scanner v20071014.68
Run by squeal on 2008-04-30 02:25:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-30 06:26:17 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
System Drive C: has 3.79 GiB (less than 15%) free.


-- HijackThis (run as squeal.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:46 AM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Alarm Clock\Alarm Clock.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Wall Street Journal Online News Alerts\WSJAlerts.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Documents and Settings\squeal\Desktop\dss.exe
C:\DOCUME~1\squeal\Desktop\squeal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4675BD0B-7AD1-49E1-ADA0-84470DCEEBE5} - C:\WINDOWS\system32\opnmJDVp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wall Street Journal Online News Alerts] "C:\Program Files\Wall Street Journal Online News Alerts\WSJAlerts.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsupdate/...b?1159115584790
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10506 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FirePM (McAfee HIP Component FirePM) - c:\windows\system32\drivers\firepm.sys <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 FireHook (McAfee HIP Component FireHook) - c:\windows\system32\drivers\firehk5x.sys <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
R1 FireTDI (McAfee HIP Component FireTDI) - c:\windows\system32\drivers\firetdi.sys <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 firelm01 - c:\windows\system32\drivers\firelm01.sys
R3 hidsys - c:\windows\system32\drivers\hidsys.sys <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>

S3 nhcDriverDevice (Notebook Hardware Control Driver) - c:\windows\system32\drivers\nhcdriver.sys <Not Verified; pBUS-167 Software - http://www.pbus-167.com; Notebook Hardware Control Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 enterceptAgent (McAfee Host Intrusion Prevention Service) - "c:\program files\mcafee\host intrusion prevention\firesvc.exe" <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
R2 McAfeeFramework (McAfee Framework Service) - "c:\program files\mcafee\common framework\frameworkservice.exe" /servicestart <Not Verified; McAfee, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 Serv-U (Serv-U FTP Server) - c:\program files\rhinosoft.com\serv-u\servudaemon.exe <Not Verified; Rhino Software, Inc. +1(262) 560-9627; Serv-U FTP Server>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_542314F1&REV_01\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_542314F1&REV_01\3&61AAA01&0&FE
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-25 05:00:00 1500 --a------ C:\WINDOWS\Tasks\wrSpySweeper_3421C46FE1ED461C9443702699EEDD95.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-30 02:07:00 0 d-------- C:\WINDOWS\LastGood
2008-04-24 06:30:55 0 d-------- C:\quarantine
2008-04-21 08:54:46 180224 --a------ C:\WINDOWS\system32\KevlarSigs.dll <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
2008-04-21 08:54:46 53248 --a------ C:\WINDOWS\system32\hidapistub.dll <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
2008-04-21 08:54:46 172032 --a------ C:\WINDOWS\system32\hidapi.dll <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
2008-04-21 08:54:45 23865 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2008-04-21 08:52:47 187904 --a------ C:\WINDOWS\system32\drivers\HidSys.sys <Not Verified; McAfee, Inc.; McAfee Host Intrusion Prevention>
2008-04-17 21:39:41 92736 --a------ C:\WINDOWS\system32\ssoctwfy.dll
2008-04-10 21:50:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-10 21:45:06 0 d--h----- C:\Documents and Settings\Administrator\Templates <TEMPLA~1>
2008-04-10 21:45:06 0 dr------- C:\Documents and Settings\Administrator\Start Menu <STARTM~1>
2008-04-10 21:45:06 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-10 21:45:06 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-10 21:45:06 0 d--h----- C:\Documents and Settings\Administrator\PrintHood <PRINTH~1>
2008-04-10 21:45:06 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-10 21:45:06 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-10 21:45:06 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2008-04-10 21:45:06 0 d--h----- C:\Documents and Settings\Administrator\Local Settings <LOCALS~1>
2008-04-10 21:45:06 0 d-------- C:\Documents and Settings\Administrator\Favorites <FAVORI~1>
2008-04-10 21:45:06 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-10 21:45:06 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-10 21:45:06 0 dr-h----- C:\Documents and Settings\Administrator\Application Data <APPLIC~1>
2008-04-10 21:45:06 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-10 21:45:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-08 22:31:04 91712 --a------ C:\WINDOWS\system32\axqhtwri.dll
2008-04-08 22:28:05 3648 --a------ C:\WINDOWS\system32\ccbrocha.dll
2008-04-06 21:55:22 89664 --a------ C:\WINDOWS\system32\gnsosurp.dll
2008-04-06 21:50:03 87104 --a------ C:\WINDOWS\system32\lycxfhls.dll
2008-04-06 21:48:50 0 d-------- C:\WINDOWS\CSC
2008-04-06 21:08:03 0 d-------- C:\VundoFix Backups
2008-04-06 16:19:04 85056 --a------ C:\WINDOWS\system32\qrpathmv.dll
2008-04-06 16:16:21 89664 --a------ C:\WINDOWS\system32\jkyflrbg.dll
2008-04-05 14:06:36 1 --a------ C:\WINDOWS\system32\48754188
2008-04-04 13:37:12 87104 --a------ C:\WINDOWS\system32\jcfntihj.dll
2008-04-03 13:41:15 89152 --a------ C:\WINDOWS\system32\tovnhqmd.dll
2008-04-02 13:44:11 91712 --a------ C:\WINDOWS\system32\pmswtgxy.dll
2008-04-02 13:35:11 88128 --a------ C:\WINDOWS\system32\qdjbopvn.dll
2008-04-01 14:58:24 0 d-------- C:\Documents and Settings\squeal\Application Data\goombah
2008-04-01 14:22:59 0 d-------- C:\Program Files\Emergent Music LLC
2008-03-31 04:55:06 90176 --a------ C:\WINDOWS\system32\ieoksums.dll
2008-03-30 16:51:06 186708 --ahs---- C:\WINDOWS\system32\pVDJmnpo.ini2
2008-03-30 16:51:02 268288 --a------ C:\WINDOWS\system32\opnmJDVp.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-30 02:42:33 0 d-------- C:\Documents and Settings\squeal\Application Data\Skype
2008-04-30 02:07:06 0 d-------- C:\Program Files\Windows Live Safety Center
2008-04-30 00:00:50 0 d-------- C:\Documents and Settings\squeal\Application Data\skypePM
2008-04-21 22:44:13 3 --a------ C:\WINDOWS\system32\SysCalls.dat
2008-04-11 03:20:12 0 d-------- C:\Program Files\OpenOffice.org 2.0
2008-04-08 10:08:49 0 d-------- C:\Documents and Settings\squeal\Application Data\Ruckus Network
2008-04-03 19:58:56 0 d-------- C:\Program Files\Skype
2008-04-01 14:58:43 0 d-------- C:\Program Files\Ruckus Player
2008-03-08 13:04:28 0 d-------- C:\Program Files\Java
2008-03-06 18:09:29 0 d-------- C:\Program Files\Common Files\snpstd2
2008-03-06 18:05:33 0 d-------- C:\Program Files\Common Files
2008-03-06 18:05:26 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4675BD0B-7AD1-49E1-ADA0-84470DCEEBE5}]
03/30/2008 04:51 PM 268288 --a------ C:\WINDOWS\system32\opnmJDVp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [12/07/2005 03:55 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03/04/2005 11:26 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [08/02/2006 12:38 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [08/02/2006 12:32 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 09:05 PM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 05:48 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/20/2007 09:02 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:20 AM]
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe" [01/13/2004 04:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [01/05/2004 07:34 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"Wall Street Journal Online News Alerts"="C:\Program Files\Wall Street Journal Online News Alerts\WSJAlerts.exe" [01/11/2005 08:55 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 06:22 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [9/24/2006 12:46:18 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnmJDVp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b430f0ce-6ee5-11dc-9ebd-00114367103d}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d34c6411-00ad-11dc-9e79-000e35d6c572}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e




-- End of Deckard's System Scanner: finished at 2008-04-30 02:48:56 ------------





Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.80GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 1023.23 MiB / 362.71 MiB
Pagefile Memory (total/avail): 2461.52 MiB / 1598.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.8 MiB

C: is Fixed (NTFS) - 52.99 GiB total, 3.79 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS726060M9AT00 - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 52.99 GiB - C:
\PARTITION2 - Unknown - 2.85 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Wall Street Journal Online News Alerts\\WSJAlerts.exe"="C:\\Program Files\\Wall Street Journal Online News Alerts\\WSJAlerts.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Conceptworld\\QNPlus\\QNPlus.exe"="C:\\Program Files\\Conceptworld\\QNPlus\\QNPlus.exe:*:Disabled:Quick Notes Plus v5.0"
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"="C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe:*:Enabled:Serv-U FTP Server"
"C:\\Program Files\\Wall Street Journal Online News Alerts\\WSJAlerts.exe"="C:\\Program Files\\Wall Street Journal Online News Alerts\\WSJAlerts.exe"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Age of Empires II\\Age2_x1\\age2_x1.exe"="C:\\Program Files\\Age of Empires II\\Age2_x1\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Rockstar Games\\Grand Theft Auto\\WINO\\Grand Theft Auto.exe"="C:\\Program Files\\Rockstar Games\\Grand Theft Auto\\WINO\\Grand Theft Auto.exe:*:Enabled:Grand Theft Auto"
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"="C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\squeal\Application Data
CLASSPATH=C:\xpressmp\lib\xprs.jar;C:\xpressmp\lib\xprb.jar;C:\xpressmp\lib\xprm.jar;.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SID
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\squeal
INCLUDE=C:\xpressmp\include;C:\xpressmp\bin;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\
LIB=C:\xpressmp\lib;C:\xpressmp\include;C:\xpressmp\bin;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\
LOGONSERVER=\\SID
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\PHP\;C:\xpressmp\bin;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PHPRC=C:\Program Files\PHP\
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\squeal\LOCALS~1\Temp
TMP=C:\DOCUME~1\squeal\LOCALS~1\Temp
USERDOMAIN=SID
USERNAME=squeal
USERPROFILE=C:\Documents and Settings\squeal
windir=C:\WINDOWS
XPRESSDIR=C:\xpressmp


-- User Profiles ---------------------------------------------------------------

squeal (admin)
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE /a C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat Connect Add-in --> C:\Documents and Settings\squeal\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin6x5\connectaddin6x5.exe -uninstall
Adobe Digital Editions --> C:\Documents and Settings\squeal\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions2x0\digitaleditions2x0.exe -uninstall
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Spyware Remover --> MsiExec.exe /X{D8755BAB-6316-4EB6-80A0-4FB875642756}
Alarm Clock v1.0 --> "C:\Program Files\Alarm Clock\unins000.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitTorrent 4.22.4 --> "C:\Program Files\BitTorrent\uninstall.exe"
Bonjour Core for Windows --> MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Broadcom 440x 10/100 Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 3.0 --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Click to Convert / PDF Toolbox --> C:\PROGRA~1\CLICKT~1\UNWISE.EXE C:\PROGRA~1\CLICKT~1\INSTALL.LOG
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Digital Guitar Tuner 2.3 --> "C:\Program Files\Digital Guitar Tuner 2.3\unins000.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Express Rip --> C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
Flickr Uploadr 2.5.0.15 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Forex trade Calculator 1.10 --> "C:\Program Files\FxCalc\unins000.exe"
GCalc 3 --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://gcalc.net/jar/gcalc3.jnlp"
GCH Guitar academy --> C:\Program Files\GCH Guitar academy\uninstall.exe
Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Goombah Partner COM Server --> MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
Grand Theft Auto --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rockstar Games\Grand Theft Auto\Uninst.isu"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\squeal\Desktop\HijackThis.exe" /uninstall
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Last.fm 1.1.0.0 --> "C:\Program Files\Last.fm\unins000.exe"
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
McAfee Host Intrusion Prevention --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FEF2C100-2CA4-4A6A-A535-07B46117B323}\setup.exe" -l0x9 /confirm -removeonly
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
MediaMonkey 3.0 --> "C:\Program Files\MediaMonkey\unins000.exe"
MetaProducts Offline Explorer --> C:\Program Files\Offline Explorer\OE.exe /UnInstall
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Notebook Hardware Control 2.0 Pre-Release-04 --> C:\Program Files\Notebook Hardware Control\uninst.exe
PDF Toolbox 6.0 --> "C:\Program Files\PDF Toolbox\unins000.exe"
PHP 5.2.1 --> MsiExec.exe /I{EF812FEC-6B0C-4B1C-8C4F-C88FEB415EFE}
PitchPerfect Uninstall --> C:\Program Files\NCH Swift Sound\PitchPerfect\uninst.exe
Power Indiabulls --> MsiExec.exe /I{BB941ED6-B441-49B7-92FE-D35940FC5762}
Power Tab Editor 1.7 --> MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Real Alternative 1.60 --> "C:\Program Files\Real Alternative\unins000.exe"
Ruckus Player --> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SequoiaView --> C:\Program Files\SequoiaView\Uninstal.exe
Serv-U 6.3 --> "C:\Program Files\RhinoSoft.com\Serv-U\unins000.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
The GIMP 2.2.13 --> "C:\Program Files\GIMP-2.0\unins000.exe"
Timershot Powertoy for Windows XP --> MsiExec.exe /I{A743BBCC-3438-4BB3-8397-6C9D9AC125A6}
Twelve Keys --> C:\Program Files\NCH Swift Sound\TwelveKeys\uninst.exe
USB PC Camera (SN9C103) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADAA6F7-991F-4CE9-B5CE-FCF3D81F7C7D}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Viewpoint Toolbar --> C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe /u /k /url "http://www.viewpoint.com/pub/uninstallcompleted.html"
Wall Street Journal Online News Alerts (remove only) --> C:\Program Files\Wall Street Journal Online News Alerts\Uninstall.exe
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.4 --> "C:\Program Files\WinSCP\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type23412 / Error
Event Submitted/Written: 04/30/2008 01:00:31 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\opnmJDVp.dll is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5269.(from SID IP 127.0.0.1 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type23411 / Error
Event Submitted/Written: 04/29/2008 10:28:41 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\opnmJDVp.dll is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5269.(from SID IP 127.0.0.1 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type23410 / Error
Event Submitted/Written: 04/29/2008 09:56:33 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\opnmJDVp.dll is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5269.(from SID IP 127.0.0.1 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type23409 / Error
Event Submitted/Written: 04/29/2008 07:27:58 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\opnmJDVp.dll is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5269.(from SID IP 127.0.0.1 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type23408 / Error
Event Submitted/Written: 04/29/2008 07:25:36 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\opnmJDVp.dll is infected with the Vundo Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5269.(from SID IP 127.0.0.1 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type46992 / Warning
Event Submitted/Written: 04/30/2008 02:28:18 AM / 04/30/2008 02:28:19 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type46984 / Warning
Event Submitted/Written: 04/30/2008 02:00:24 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type46970 / Warning
Event Submitted/Written: 04/29/2008 03:36:49 PM / 04/29/2008 03:36:53 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "IWMSWindow"

Event Record #/Type46960 / Error
Event Submitted/Written: 04/29/2008 09:48:59 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 128.61.53.46 on the
Network Card with network address 00114367103D.

Event Record #/Type46959 / Warning
Event Submitted/Written: 04/29/2008 09:48:59 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00114367103D. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-04-30 02:48:56 ------------

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:09:52 AM

Posted 30 April 2008 - 09:26 AM

Hello Sid and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you .

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users