White X In Red Circle


  • This topic is locked
6 replies to this topic

#1 PopSmith

PopSmith

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:05 AM

Posted 26 July 2008 - 01:14 AM

My friend's computer got the white X in a red circle. The infection that does a popup every few seconds saying "You have been infected".

I ran ComboFix and it seemed to get rid of it but I want to be sure it's gone.

Deckard's System Scanner v20071014.68
Run by Irvine on 2008-07-26 00:05:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-07-26 06:05:38 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-07-26 05:54:36 UTC - RP3 - ComboFix created restore point
2: 2008-07-26 05:50:26 UTC - RP2 - ComboFix created restore point
1: 2008-07-26 05:35:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-26 00:06:33
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\WinPatrol\WinPatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Irvine\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe


--
End of file - 4566 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S4 HP Status Server - c:\windows\system32\spool\drivers\w32x86\3\hpboid.exe <Not Verified; Hewlett-Packard Company; HP Status Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0200&REV_0900\4&44996B3&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0200&REV_0900\4&44996B3&0&0102
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_81D0104D&REV_03\4&2FA23535&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_81D0104D&REV_03\4&2FA23535&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 14:02:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-25 23:54:25 0 d-------- C:\C@mboF1x
2008-07-25 23:50:56 0 d-------- C:\cmdcons
2008-07-25 23:50:07 68096 --a------ C:\WINDOWS\zip.exe
2008-07-25 23:50:07 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-25 23:50:07 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-25 23:50:07 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-25 23:50:07 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-25 23:50:07 98816 --a------ C:\WINDOWS\sed.exe
2008-07-25 23:50:07 80412 --a------ C:\WINDOWS\grep.exe
2008-07-25 23:50:07 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 23:33:27 0 d-------- C:\Combo-Fix


-- Find3M Report ---------------------------------------------------------------

2008-07-25 23:56:12 0 d-------- C:\Program Files\Common Files
2008-06-07 23:14:03 1848 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-07 20:47:40 0 d-------- C:\Program Files\Lavasoft
2008-06-07 20:47:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 16:09:56 0 d-------- C:\Program Files\Diablo II
2008-05-26 16:09:24 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-24 13:34:51 13204 --a------ C:\WINDOWS\upezybap.sys
2008-05-24 13:34:51 17343 --a------ C:\WINDOWS\ufih.exe
2008-05-24 13:34:51 14054 --a------ C:\WINDOWS\ucunosog.scr
2008-05-24 13:34:51 14310 --a------ C:\Program Files\Common Files\quwubojyb.vbs
2008-05-24 13:34:51 14657 --a------ C:\Documents and Settings\Irvine\Application Data\udoheb.dll
2008-05-24 13:34:50 11170 --a------ C:\WINDOWS\system32\jutabazoju.bat
2008-05-24 13:34:50 19871 --a------ C:\WINDOWS\qetulicut.exe
2008-05-24 13:34:50 13752 --a------ C:\Program Files\Common Files\eguxebymym.dat
2008-05-24 02:11:18 17321 --a------ C:\WINDOWS\ylufuryqo.bin
2008-05-24 02:11:18 11910 --a------ C:\WINDOWS\ycixuhahy.bat
2008-05-24 02:11:18 11698 --a------ C:\WINDOWS\unahoqezaj.com
2008-05-24 02:11:18 13936 --a------ C:\WINDOWS\ruwenofew.scr
2008-05-24 02:11:18 13416 --a------ C:\WINDOWS\ibawihaz.bin
2008-05-24 02:11:18 12643 --a------ C:\WINDOWS\dozug.vbs
2008-05-24 02:11:18 14389 --a------ C:\Program Files\Common Files\uzatiwyqy.dll
2008-05-24 02:11:18 15089 --a------ C:\Program Files\Common Files\mase.reg
2008-05-24 02:11:18 18063 --a------ C:\Program Files\Common Files\ecin.pif
2008-05-24 02:11:18 16127 --a------ C:\Documents and Settings\Irvine\Application Data\ymoze.vbs
2008-05-24 02:11:18 14879 --a------ C:\Documents and Settings\Irvine\Application Data\razozyx.bin
2008-05-24 02:11:18 15191 --a------ C:\Documents and Settings\Irvine\Application Data\osyqove.sys
2008-05-24 02:11:18 13110 --a------ C:\Documents and Settings\Irvine\Application Data\jytutanohu._sy
2008-05-24 02:11:18 18400 --a------ C:\Documents and Settings\Irvine\Application Data\ebivugehej.dl
2008-05-24 01:58:44 15329 --a------ C:\WINDOWS\yhopegazo.bat
2008-05-24 01:58:44 19613 --a------ C:\WINDOWS\urykilidi.sys
2008-05-24 01:58:44 13476 --a------ C:\WINDOWS\system32\ivin.reg
2008-05-24 01:58:44 13084 --a------ C:\WINDOWS\system32\axecamaz.vbs
2008-05-24 01:58:44 19839 --a------ C:\WINDOWS\civihuxi.pif
2008-05-24 01:58:44 10465 --a------ C:\Program Files\Common Files\wonigo.dl
2008-05-24 01:58:44 19447 --a------ C:\Program Files\Common Files\ucupewava.dl
2008-05-24 01:58:44 11131 --a------ C:\Program Files\Common Files\lugyxavevy.bat
2008-05-24 01:58:44 14112 --a------ C:\Documents and Settings\Irvine\Application Data\qikyzeriri.dl
2008-05-24 01:58:44 14957 --a------ C:\Documents and Settings\Irvine\Application Data\lilam.vbs
2008-05-24 01:50:52 18132 --a------ C:\WINDOWS\ilyru.dll
2008-05-24 01:50:52 13006 --a------ C:\WINDOWS\gulavuhumo.vbs
2008-05-24 01:50:52 17573 --a------ C:\WINDOWS\abidoturot.dat
2008-05-24 01:50:52 13340 --a------ C:\Program Files\Common Files\ucuf.pif
2008-05-24 01:50:52 11127 --a------ C:\Program Files\Common Files\obeqilalyv.reg
2008-05-24 01:50:52 13558 --a------ C:\Program Files\Common Files\kadafedu.com
2008-05-24 01:50:52 17915 --a------ C:\Program Files\Common Files\cyqesimyd.vbs
2008-05-24 01:50:52 19131 --a------ C:\Program Files\Common Files\bowisaze.dl
2008-05-24 01:50:52 18002 --a------ C:\Program Files\Common Files\ajuxur.reg
2008-05-24 01:50:52 18207 --a------ C:\Documents and Settings\Irvine\Application Data\towudaqon.ban
2008-05-24 01:50:52 10151 --a------ C:\Documents and Settings\Irvine\Application Data\gecodozaq.reg
2008-05-24 01:50:52 17265 --a------ C:\Documents and Settings\Irvine\Application Data\corofuzi.exe
2008-05-24 01:50:36 12454 --a------ C:\WINDOWS\system32\obajoqam.reg
2008-05-24 01:50:36 11136 --a------ C:\WINDOWS\dybivubi.pif
2008-05-24 01:50:36 17823 --a------ C:\Program Files\Common Files\opuc.inf
2008-05-24 01:50:36 19126 --a------ C:\Documents and Settings\Irvine\Application Data\yjuvulyr._dl
2008-05-24 01:50:36 18431 --a------ C:\Documents and Settings\Irvine\Application Data\setekidiji._sy
2008-05-24 01:50:36 12356 --a------ C:\Documents and Settings\Irvine\Application Data\ewalyr.dat
2008-05-24 01:50:36 12473 --a------ C:\Documents and Settings\Irvine\Application Data\ejyzyji.inf
2008-05-24 01:50:36 14382 --a------ C:\Documents and Settings\Irvine\Application Data\conyje.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [04/29/2005 01:56 PM]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [02/20/2004 02:12 PM]
"WinPatrol"="C:\Program Files\WinPatrol\winpatrol.exe" [03/26/2007 04:16 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/09/2005 03:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 05/20/2005 05:42 PM 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-26 00:07:15 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.86GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 510.42 MiB / 253.45 MiB
Pagefile Memory (total/avail): 1243.24 MiB / 1030.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.87 MiB

C: is Fixed (NTFS) - 87.14 GiB total, 59.84 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)

\\.\PHYSICALDRIVE1 - MemoryStick or MemoryStickPro Device

\\.\PHYSICALDRIVE0 - TOSHIBA MK1031GAS - 93.16 GiB - 2 partitions
\PARTITION0 - Unknown - 6.01 GiB
\PARTITION1 (bootable) - Installable File System - 87.14 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Irvine\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SIRIRVINE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Irvine
LOGONSERVER=\\SIRIRVINE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\Wireless\Bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Irvine\LOCALS~1\Temp
TMP=C:\DOCUME~1\Irvine\LOCALS~1\Temp
USERDOMAIN=SIRIRVINE
USERNAME=Irvine
USERPROFILE=C:\Documents and Settings\Irvine
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Irvine (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Anapod Explorer (remove only) --> "C:\Program Files\Red Chair Software\Anapod Explorer\uninst.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Energy Skate Park --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet.colorado.edu/sims/energy-skate-park/energy-skate-park.jnlp"
Heroes of Might and Magic III Complete --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes 3 Complete\Heroes of Might and Magic III Complete.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
High Definition Audio Driver Package - KB835221 -->
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
MapleStory --> MsiExec.exe /I{4D854B04-562A-4F18-A61B-1397DC01D915}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
Norton Security Scan --> MsiExec.exe /I{48B82226-75E3-4E90-92CC-D30F79EA6380}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Orcad Family Release 9.2 Lite Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OrcadLite\Uninst_R92Lite.isu"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Radio Waves --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet.colorado.edu/sims/radio-waves/radio-waves.jnlp"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Setting Utility Series --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59452470-A902-477F-9338-9B88101681BD}\Setup.exe" -l0x9 UNINSTALL
Signal Circuit --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet.colorado.edu/sims/signal-circuit/signal-circuit.jnlp"
Sony USB Mouse --> Pmuninst.exe MouseSuite98
Sony Utilities DLL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Travoltage --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet.colorado.edu/sims/travoltage/travoltage.jnlp"
VAIO Event Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VLC\uninstall.exe
Windows Driver Package - Sony Corporation (SPI) HIDCLASS (08/20/2002 7.0.3.820) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\sonypi_0E9DEB6BB4A0D1CBD0FF2C91DF1515D6B339F160\sonypi.inf
WinPatrol --> MsiExec.exe /X{8E0D233D-8B06-47A1-BA22-3A767CCD69E3}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2034 / Error
Event Submitted/Written: 07/19/2008 01:20:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application xpsecuritycenter.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [xpsecuritycenter.exe!ws!]

Event Record #/Type2010 / Warning
Event Submitted/Written: 07/13/2008 11:23:28 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type2006 / Error
Event Submitted/Written: 07/13/2008 10:10:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application xpsecuritycenter.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [xpsecuritycenter.exe!ws!]

Event Record #/Type2005 / Error
Event Submitted/Written: 07/13/2008 05:56:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application xpsecuritycenter.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [xpsecuritycenter.exe!ws!]

Event Record #/Type1964 / Error
Event Submitted/Written: 07/05/2008 00:43:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application xpsecuritycenter.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [xpsecuritycenter.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13664 / Error
Event Submitted/Written: 07/25/2008 11:58:36 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep

Event Record #/Type13610 / Warning
Event Submitted/Written: 07/25/2008 00:58:10 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13609 / Warning
Event Submitted/Written: 07/25/2008 00:26:47 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13606 / Warning
Event Submitted/Written: 07/24/2008 11:52:47 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13266 / Warning
Event Submitted/Written: 07/07/2008 11:19:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-26 00:07:15 ------------


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:05 PM

Posted 26 July 2008 - 07:14 AM

Hello PopSmith

Welcome to BleepingComputer :thumbsup:
========================
The first thing I will need you to do is to Download ONE of these anti-virus programs and install it.
These are free.
AVG free 8.0
Note this is free antispyware protection and Antivirus protection.
or
Antivir
=================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\upezybap.sys
    C:\WINDOWS\ufih.exe
    C:\WINDOWS\ucunosog.scr
    C:\Program Files\Common Files\quwubojyb.vbs
    C:\Documents and Settings\Irvine\Application Data\udoheb.dll
    C:\WINDOWS\system32\jutabazoju.bat
    C:\WINDOWS\qetulicut.exe
    C:\Program Files\Common Files\eguxebymym.dat
    C:\WINDOWS\ylufuryqo.bin
    C:\WINDOWS\ycixuhahy.bat
    C:\WINDOWS\unahoqezaj.com
    C:\WINDOWS\ruwenofew.scr
    C:\WINDOWS\ibawihaz.bin
    C:\WINDOWS\dozug.vbs
    C:\Program Files\Common Files\uzatiwyqy.dll
    C:\Program Files\Common Files\mase.reg
    C:\Program Files\Common Files\ecin.pif
    C:\Documents and Settings\Irvine\Application Data\ymoze.vbs
    C:\Documents and Settings\Irvine\Application Data\razozyx.bin
    C:\Documents and Settings\Irvine\Application Data\osyqove.sys
    C:\Documents and Settings\Irvine\Application Data\jytutanohu._sy
    C:\Documents and Settings\Irvine\Application Data\ebivugehej.dl
    C:\WINDOWS\yhopegazo.bat
    C:\WINDOWS\urykilidi.sys
    C:\WINDOWS\system32\ivin.reg
    C:\WINDOWS\system32\axecamaz.vbs
    C:\WINDOWS\civihuxi.pif
    C:\Program Files\Common Files\wonigo.dl
    C:\Program Files\Common Files\ucupewava.dl
    C:\Program Files\Common Files\lugyxavevy.bat
    C:\Documents and Settings\Irvine\Application Data\qikyzeriri.dl
    C:\Documents and Settings\Irvine\Application Data\lilam.vbs
    C:\WINDOWS\ilyru.dll
    C:\WINDOWS\gulavuhumo.vbs
    C:\WINDOWS\abidoturot.dat
    C:\Program Files\Common Files\ucuf.pif
    C:\Program Files\Common Files\obeqilalyv.reg
    C:\Program Files\Common Files\kadafedu.com
    C:\Program Files\Common Files\cyqesimyd.vbs
    C:\Program Files\Common Files\bowisaze.dl
    C:\Program Files\Common Files\ajuxur.reg
    C:\Documents and Settings\Irvine\Application Data\towudaqon.ban
    C:\Documents and Settings\Irvine\Application Data\gecodozaq.reg
    C:\Documents and Settings\Irvine\Application Data\corofuzi.exe
    C:\WINDOWS\system32\obajoqam.reg
    C:\WINDOWS\dybivubi.pif
    C:\Program Files\Common Files\opuc.inf
    C:\Documents and Settings\Irvine\Application Data\yjuvulyr._dl
    C:\Documents and Settings\Irvine\Application Data\setekidiji._sy
    C:\Documents and Settings\Irvine\Application Data\ewalyr.dat
    C:\Documents and Settings\Irvine\Application Data\ejyzyji.inf
    C:\Documents and Settings\Irvine\Application Data\conyje.bat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================
Post that log and a new DSS log please in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
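What to check once that MovedFiles log comes back. The example below is added here and is not part of this thread or of OTMoveIt2: it reconciles the list of files the tool was asked to move (a few entries from the list above) against the log the tool writes, and reports anything asked for that has no "moved successfully." line, anything moved that was not on the list, and any DLL the tool could not load in order to unregister it (the "LoadLibrary failed for ..." / "NOT unregistered." pair), since the move removes the file but says nothing about registry entries that still point at it. The log text is a constructed sample in the tool's output format; reconcile(), parse_log() and the other names are this example's own.

```python
import re
from datetime import datetime

# A few entries from the OTMoveIt2 move list in this thread.
REQUESTED = [
    r"C:\WINDOWS\qetulicut.exe",
    r"C:\Program Files\Common Files\eguxebymym.dat",
    r"C:\Program Files\Common Files\uzatiwyqy.dll",
    r"C:\Documents and Settings\Irvine\Application Data\ymoze.vbs",
    r"C:\WINDOWS\ilyru.dll",
    r"C:\Documents and Settings\Irvine\Application Data\conyje.bat",
]

# Constructed sample log in the format OTMoveIt2 writes to C:\_OTMoveIt\MovedFiles.
# conyje.bat deliberately has no confirmation line, and notonlist.tmp is deliberately
# moved without being on REQUESTED, so both mismatch cases show up in the result.
SAMPLE_LOG = r"""
C:\WINDOWS\qetulicut.exe moved successfully.
C:\Program Files\Common Files\eguxebymym.dat moved successfully.
LoadLibrary failed for C:\Program Files\Common Files\uzatiwyqy.dll
C:\Program Files\Common Files\uzatiwyqy.dll NOT unregistered.
C:\Program Files\Common Files\uzatiwyqy.dll moved successfully.
C:\Documents and Settings\Irvine\Application Data\ymoze.vbs moved successfully.
LoadLibrary failed for C:\WINDOWS\ilyru.dll
C:\WINDOWS\ilyru.dll NOT unregistered.
C:\WINDOWS\ilyru.dll moved successfully.
C:\WINDOWS\notonlist.tmp moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07262008_101500
"""

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_UNREGISTERED = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
LOG_STAMP = re.compile(r"log created on (?P<stamp>\d{8}_\d{6})$")


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased and trimmed."""
    return path.strip().lower()


def parse_log(text):
    """Return (moved paths, paths the tool could not unregister, log timestamp or None)."""
    moved, not_unregistered, stamp = set(), set(), None
    for line in text.splitlines():
        line = line.strip()
        m = MOVED.match(line)
        if m:
            moved.add(norm(m["path"]))
            continue
        m = NOT_UNREGISTERED.match(line)
        if m:
            not_unregistered.add(norm(m["path"]))
            continue
        m = LOG_STAMP.search(line)
        if m:
            # The log file name is mmddyyyy_hhmmss; the trailer line repeats that stamp.
            stamp = datetime.strptime(m["stamp"], "%m%d%Y_%H%M%S")
    return moved, not_unregistered, stamp


def reconcile(requested, log_text):
    """Compare what the tool was asked to move with what its log confirms."""
    moved, not_unregistered, stamp = parse_log(log_text)
    wanted = {norm(p) for p in requested}
    return {
        # Asked for, but no "moved successfully." line: still on disk, locked, or mistyped.
        "missing": sorted(wanted - moved),
        # Confirmed moved, but never on the list handed to the tool.
        "extra": sorted(moved - wanted),
        # File is gone, but the tool could not load it to unregister it, so any
        # CLSID/BHO registration that pointed at it is still in the registry.
        "dll_not_unregistered": sorted(not_unregistered & moved),
        "log_time": stamp,
    }


if __name__ == "__main__":
    for key, value in reconcile(REQUESTED, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Anything in "missing" means the file is either still present or the path in the list was wrong, and every path in "dll_not_unregistered" is worth searching for in the registry before calling the machine clean.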

#3 PopSmith (Topic Starter)

Posted 27 July 2008 - 10:35 PM

Thank you for the reply kahdah!

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Irvine on 2008-07-27 21:28:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-27 21:30:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\WinPatrol\WinPatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Irvine\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe


--
End of file - 5167 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 21:24:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 21:23:48 0 d-------- C:\Program Files\AVG
2008-07-27 21:23:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 23:54:25 0 d-------- C:\C@mboF1x
2008-07-25 23:50:56 0 d-------- C:\cmdcons
2008-07-25 23:50:07 68096 --a------ C:\WINDOWS\zip.exe
2008-07-25 23:50:07 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-25 23:50:07 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-25 23:50:07 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-25 23:50:07 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-25 23:50:07 98816 --a------ C:\WINDOWS\sed.exe
2008-07-25 23:50:07 80412 --a------ C:\WINDOWS\grep.exe
2008-07-25 23:50:07 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 23:33:27 0 d-------- C:\Combo-Fix


-- Find3M Report ---------------------------------------------------------------

2008-07-27 21:27:48 0 d-------- C:\Program Files\Common Files
2008-06-07 23:14:03 1848 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-07 20:47:40 0 d-------- C:\Program Files\Lavasoft
2008-06-07 20:47:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 16:09:24 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [04/29/2005 01:56 PM]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [02/20/2004 02:12 PM]
"WinPatrol"="C:\Program Files\WinPatrol\winpatrol.exe" [03/26/2007 04:16 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/09/2005 03:56 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/27/2008 09:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 05/20/2005 05:42 PM 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86



-- End of Deckard's System Scanner: finished at 2008-07-27 21:30:37 ------------

OTMoveIt2 Log:
C:\WINDOWS\upezybap.sys moved successfully.
C:\WINDOWS\ufih.exe moved successfully.
C:\WINDOWS\ucunosog.scr moved successfully.
C:\Program Files\Common Files\quwubojyb.vbs moved successfully.
LoadLibrary failed for C:\Documents and Settings\Irvine\Application Data\udoheb.dll
C:\Documents and Settings\Irvine\Application Data\udoheb.dll NOT unregistered.
C:\Documents and Settings\Irvine\Application Data\udoheb.dll moved successfully.
C:\WINDOWS\system32\jutabazoju.bat moved successfully.
C:\WINDOWS\qetulicut.exe moved successfully.
C:\Program Files\Common Files\eguxebymym.dat moved successfully.
C:\WINDOWS\ylufuryqo.bin moved successfully.
C:\WINDOWS\ycixuhahy.bat moved successfully.
C:\WINDOWS\unahoqezaj.com moved successfully.
C:\WINDOWS\ruwenofew.scr moved successfully.
C:\WINDOWS\ibawihaz.bin moved successfully.
C:\WINDOWS\dozug.vbs moved successfully.
LoadLibrary failed for C:\Program Files\Common Files\uzatiwyqy.dll
C:\Program Files\Common Files\uzatiwyqy.dll NOT unregistered.
C:\Program Files\Common Files\uzatiwyqy.dll moved successfully.
C:\Program Files\Common Files\mase.reg moved successfully.
C:\Program Files\Common Files\ecin.pif moved successfully.
C:\Documents and Settings\Irvine\Application Data\ymoze.vbs moved successfully.
C:\Documents and Settings\Irvine\Application Data\razozyx.bin moved successfully.
C:\Documents and Settings\Irvine\Application Data\osyqove.sys moved successfully.
C:\Documents and Settings\Irvine\Application Data\jytutanohu._sy moved successfully.
C:\Documents and Settings\Irvine\Application Data\ebivugehej.dl moved successfully.
C:\WINDOWS\yhopegazo.bat moved successfully.
C:\WINDOWS\urykilidi.sys moved successfully.
C:\WINDOWS\system32\ivin.reg moved successfully.
C:\WINDOWS\system32\axecamaz.vbs moved successfully.
C:\WINDOWS\civihuxi.pif moved successfully.
C:\Program Files\Common Files\wonigo.dl moved successfully.
C:\Program Files\Common Files\ucupewava.dl moved successfully.
C:\Program Files\Common Files\lugyxavevy.bat moved successfully.
C:\Documents and Settings\Irvine\Application Data\qikyzeriri.dl moved successfully.
C:\Documents and Settings\Irvine\Application Data\lilam.vbs moved successfully.
LoadLibrary failed for C:\WINDOWS\ilyru.dll
C:\WINDOWS\ilyru.dll NOT unregistered.
C:\WINDOWS\ilyru.dll moved successfully.
C:\WINDOWS\gulavuhumo.vbs moved successfully.
C:\WINDOWS\abidoturot.dat moved successfully.
C:\Program Files\Common Files\ucuf.pif moved successfully.
C:\Program Files\Common Files\obeqilalyv.reg moved successfully.
C:\Program Files\Common Files\kadafedu.com moved successfully.
C:\Program Files\Common Files\cyqesimyd.vbs moved successfully.
C:\Program Files\Common Files\bowisaze.dl moved successfully.
C:\Program Files\Common Files\ajuxur.reg moved successfully.
C:\Documents and Settings\Irvine\Application Data\towudaqon.ban moved successfully.
C:\Documents and Settings\Irvine\Application Data\gecodozaq.reg moved successfully.
C:\Documents and Settings\Irvine\Application Data\corofuzi.exe moved successfully.
C:\WINDOWS\system32\obajoqam.reg moved successfully.
C:\WINDOWS\dybivubi.pif moved successfully.
C:\Program Files\Common Files\opuc.inf moved successfully.
C:\Documents and Settings\Irvine\Application Data\yjuvulyr._dl moved successfully.
C:\Documents and Settings\Irvine\Application Data\setekidiji._sy moved successfully.
C:\Documents and Settings\Irvine\Application Data\ewalyr.dat moved successfully.
C:\Documents and Settings\Irvine\Application Data\ejyzyji.inf moved successfully.
C:\Documents and Settings\Irvine\Application Data\conyje.bat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07272008_212738
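The HijackThis-clone section of that DSS log is the part worth reading line by line. The script below is an added example, not part of this thread or of DSS/HijackThis: it parses lines of that format into (section, body) records and flags the three things a reviewer checks first, entries whose file is missing, any AppInit_DLLs value (O20), and O4 autoruns or O23 services whose binary lives outside %SystemRoot% and %ProgramFiles%. The sample lines are copied from the clean log above except the O4 entry named [example], which is constructed so that the untrusted-path check has something to report; TRUSTED_ROOTS, triage() and the other names are this example's own.

```python
import re

# Constructed excerpt of a HijackThis-style log. Every line except the O4 entry named
# [example] is copied from the clean DSS log in this thread; that one is made up so the
# untrusted-path check has something to report.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Irvine\Application Data\example.vbs
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
"""

LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^,"]+')

# Where an autorun or service binary is expected to live on this XP box. HijackThis
# prints %ProgramFiles% both long and in 8.3 form (PROGRA~1), so list both.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def first_path(command):
    """First drive-letter path in a command line, or None when only a bare name (resolved via PATH) is given."""
    m = DRIVE_PATH.search(command)
    return m.group(0).strip() if m else None


def parse(text):
    """Split a HijackThis-style log into (section, body) pairs; other lines are ignored."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            records.append((m["section"], m["body"]))
    return records


def triage(text):
    """Return (section, kind, detail) findings that deserve a second look, in log order."""
    findings = []
    for section, body in parse(text):
        if "(file missing)" in body:
            # The registry still references a file that is no longer on disk.
            findings.append((section, "file-missing", body))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # On XP every DLL named here is loaded into every process that loads user32.dll,
            # so each one must be traceable to software you expect (here AVG's avgrsstx.dll).
            findings.append((section, "appinit-dlls", body.split(":", 1)[1].strip()))
        if section == "O4":
            m = RUN.match(body)
            if m:
                path = first_path(m["cmd"])
                if path is None or not path.lower().startswith(TRUSTED_ROOTS):
                    findings.append((section, "untrusted-path",
                                     f"{m['hive']} {m['key']} [{m['name']}] -> {path}"))
        if section == "O23":
            m = SERVICE.match(body)
            if m and not m["path"].lower().startswith(TRUSTED_ROOTS):
                findings.append((section, "untrusted-path", f"service {m['name']} -> {m['path']}"))
    return findings


if __name__ == "__main__":
    for section, kind, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {kind:15} {detail}")
```

The trusted-root list is deliberately narrow: on a real machine add any other drive or install directory that is legitimately in use, and treat an autorun that starts from a user profile directory (as the constructed [example] entry does) as the first thing to look at.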

#4 kahdah (Security Colleague)

Posted 28 July 2008 - 04:08 AM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#5 PopSmith (Topic Starter)

Posted 01 August 2008 - 11:56 PM

Oddly enough I installed, updated and ran MBAM as instructed and it didn't find anything. :thumbsup:

Here is the log that it gave me though:

Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 2

10:50:04 PM 8/1/2008
mbam-log-8-1-2008 (22-50-04).txt

Scan type: Quick Scan
Objects scanned: 38659
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 kahdah (Security Colleague)

Posted 02 August 2008 - 05:44 AM

No problem, I was just running it to catch any leftovers.

Please do the following:
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 kahdah (Security Colleague)

Posted 16 August 2008 - 08:28 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



