Antivirus Xp 2008 And Joke-bluescreen.c Infection! Please Help!


This topic is locked
5 replies to this topic

#1 borkedPC

Posted 27 July 2008 - 02:12 PM

Hello all, and thanks in advance for any much needed help you provide :D I will gladly give a small gift card for newegg.com to the first expert who helps me get rid of this once and for all :thumbsup: Sound good? Well, don't be too excited as it cannot be done, this crap won't leave my PC!!!

Ok, so my computer has been infected bad by "Antivirus XP 2008" which I guess includes "Joke-bluescreen.c"... Here's what I've done so far:

1) deleted sisinternals from the registry and Antivirus XP 2008 from the programs directory.
2) booted into safe mode and ran Combofix (is it normal to get an error message when Combofix starts doing its thing that says "boot partition cannot be enumerated correctly"?)
3) it rebooted me, and I made it go back into safe mode where it finished up.
4) then from safe mode I ran Malwarebytes Anti-Malware (it has been updated as of 7/26/2008)
5) then for the heck of it I ran Combofix again and saved the log.
6) then I rebooted into normal mode and ran DSS and saved the log.

... all seemed ok except for my desktop background still was hijacked, until I rebooted into normal mode again and the darn friggin Antivirus XP 2008 started running again... It was reborn from somewhere, but where?

Instead of pasting the other huge ginormous logs on this thread, I thought it would be nicer if I uploaded them as txt files to my site and linked them here (let me know if you would rather I paste them in). But I will paste in the DSS log.

Combofix log
Malwarebytes log

Thanks again for your time -
Here's the DSS log:

Deckard's System Scanner v20071014.68
Run by username on 2008-07-27 11:36:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as username.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:02, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\rengvyza\tuxmvwvi.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\umonit.exe
C:\windows\system32\RunDLL32.exe
C:\windows\system32\lphc9wuj0el0c.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\xkpcxife.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\slpservice.exe
C:\windows\system32\slpmonx.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\windows\system32\SearchIndexer.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\rhccwuj0el0c\rhccwuj0el0c.exe
C:\windows\system32\pphc9wuj0el0c.exe
C:\Documents and Settings\username\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DONBER~1.EXE
C:\windows\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: iebho Class - {296AE49F-E195-4835-895C-91788B938DF8} - C:\WINDOWS\ieiebho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O3 - Toolbar: 1Click ImageExtractor - {5DE4E98D-DE09-4BC3-8A70-A6D9A24F4EC9} - C:\WINDOWS\1cie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lphc9wuj0el0c] C:\windows\system32\lphc9wuj0el0c.exe
O4 - HKLM\..\Run: [SMrhccwuj0el0c] C:\Program Files\rhccwuj0el0c\rhccwuj0el0c.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [procinfo] C:\windows\system32\xkpcxife.exe
O4 - HKCU\..\Run: [InfoCfgCmd] C:\windows\system32\fixgzepi.exe
O4 - HKCU\..\Run: [DscAdmCfg] C:\windows\system32\fixgzepi.exe
O4 - HKCU\..\Run: [MsgHlpSh] C:\windows\system32\zodezkli.exe
O4 - HKCU\..\Run: [sysgenen] C:\windows\system32\utwngtqf.exe
O4 - HKLM\..\Policies\Explorer\Run: [XuAAxKNjiZ] C:\Documents and Settings\All Users\Application Data\rengvyza\tuxmvwvi.exe
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\windows\system32\shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\system32\shdocvw.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175203407359
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O18 - Protocol: bw+0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {ACA1B0FC-344B-419E-94E5-188FA43F674E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SmartSrvSet - {1811DC30-A2D9-8547-8BDD-08CD967C124D} - C:\Program Files\rticvu\SmartSrvSet.dll
O23 - Service: McAfee Application Installer Cleanup (0015371217098178) (0015371217098178mcinstcleanup) - Unknown owner - C:\DOCUME~1\DONBER~1\LOCALS~1\Temp\001537~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\system32\slpservice.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 22060 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 11:36:30 94208 --a------ C:\windows\system32\pphc9wuj0el0c.exe
2008-07-27 11:36:30 0 d-------- C:\Documents and Settings\username\Application Data\rhccwuj0el0c
2008-07-27 11:36:23 0 d-------- C:\Program Files\rhccwuj0el0c
2008-07-27 11:33:24 60928 --a------ C:\windows\system32\blphc9wuj0el0c.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-27 11:33:23 86016 --a------ C:\windows\system32\utwngtqf.exe
2008-07-27 11:33:23 110080 --a------ C:\windows\system32\lphc9wuj0el0c.exe
2008-07-26 13:03:49 77824 --a------ C:\windows\system32\zodezkli.exe
2008-07-26 12:28:29 77824 --a------ C:\windows\system32\fixgzepi.exe
2008-07-26 11:45:49 110080 --a------ C:\windows\system32\sbetyjax.exe
2008-07-26 11:37:24 77824 --a------ C:\windows\system32\xkpcxife.exe
2008-07-25 18:22:49 77824 --a------ C:\windows\system32\tcdaxgbu.exe
2008-07-25 15:35:20 68096 --a------ C:\windows\zip.exe
2008-07-25 15:35:20 49152 --a------ C:\windows\VFind.exe
2008-07-25 15:35:20 212480 --a------ C:\windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-25 15:35:20 136704 --a------ C:\windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-25 15:35:20 161792 --a------ C:\windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-25 15:35:20 98816 --a------ C:\windows\sed.exe
2008-07-25 15:35:20 80412 --a------ C:\windows\grep.exe
2008-07-25 15:35:20 89504 --a------ C:\windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-24 13:31:49 1888 --a------ C:\windows\system32\tmp.reg
2008-07-24 11:35:46 0 d-------- C:\Program Files\rticvu
2008-07-24 10:45:26 0 d-------- C:\Program Files\Trend Micro
2008-07-24 09:37:22 0 d-------- C:\Documents and Settings\username\Application Data\Malwarebytes
2008-07-24 09:37:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 09:37:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 09:11:59 77824 --a------ C:\windows\system32\nujqlapc.exe
2008-07-24 08:27:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-24 08:27:07 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-24 08:27:07 0 d-------- C:\Documents and Settings\username\Application Data\SUPERAntiSpyware.com
2008-07-24 08:25:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 16:48:34 0 d-------- C:\Documents and Settings\All Users\Application Data\rengvyza
2008-07-14 14:31:34 0 d-------- C:\Documents and Settings\username\Application Data\CameraWindowDC
2008-07-14 14:31:33 0 d-------- C:\Documents and Settings\username\Application Data\CANON INC
2008-07-14 14:30:21 1743 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-07-14 14:25:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-14 14:09:38 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-09 13:37:45 0 d-------- C:\tmp
2008-07-09 11:10:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-09 11:08:06 0 d-------- C:\Program Files\McAfee.com
2008-07-09 11:08:03 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-09 11:07:57 0 d-------- C:\Program Files\McAfee
2008-07-09 11:03:11 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-08 13:16:38 0 d-------- C:\Documents and Settings\Administrator.DONSDESKTOP\Application Data\Macromedia


-- Find3M Report ---------------------------------------------------------------

2008-07-27 11:36:10 0 d-------- C:\Documents and Settings\username\Application Data\WTablet
2008-07-27 11:26:33 0 d-------- C:\Program Files\Common Files
2008-07-24 11:33:01 0 d-------- C:\Program Files\Motorola Phone Tools
2008-07-24 11:32:02 0 d-------- C:\Program Files\Full Tilt Poker
2008-07-24 10:55:03 0 d-------- C:\Program Files\PokerStars.NET
2008-07-23 19:19:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-22 18:29:59 0 d-------- C:\Documents and Settings\username\Application Data\ZoomBrowser EX
2008-07-17 17:15:37 1682 --ahs---- C:\windows\system32\KGyGaAvL.sys
2008-07-14 14:27:04 0 d-------- C:\Program Files\QuickTime
2008-07-14 14:10:26 0 d-------- C:\Program Files\Canon
2008-07-14 14:00:00 0 d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-07-09 12:14:22 0 d-------- C:\Documents and Settings\username\Application Data\U3
2008-07-06 08:37:19 0 d-------- C:\Documents and Settings\username\Application Data\Smilebox
2008-06-17 10:05:07 0 d-------- C:\Documents and Settings\username\Application Data\EPSON
2008-05-29 10:12:36 0 d-------- C:\Documents and Settings\username\Application Data\Windows Search


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 09:07]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/16/2005 05:33]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [01/05/2004 08:59]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 09:07 C:\WINDOWS\system32\nvmctray.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 15:32 C:\WINDOWS\KHALMNPR.Exe]
"lphc9wuj0el0c"="C:\windows\system32\lphc9wuj0el0c.exe" [07/27/2008 11:33]
"SMrhccwuj0el0c"="C:\Program Files\rhccwuj0el0c\rhccwuj0el0c.exe" [07/25/2008 03:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [04/13/2008 17:12]
"procinfo"="C:\windows\system32\xkpcxife.exe" [07/26/2008 11:37]
"InfoCfgCmd"="C:\windows\system32\fixgzepi.exe" [07/26/2008 12:39]
"DscAdmCfg"="C:\windows\system32\fixgzepi.exe" [07/26/2008 12:39]
"MsgHlpSh"="C:\windows\system32\zodezkli.exe" [07/26/2008 13:03]
"sysgenen"="C:\windows\system32\utwngtqf.exe" [07/27/2008 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"XuAAxKNjiZ"=C:\Documents and Settings\All Users\Application Data\rengvyza\tuxmvwvi.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/25/2008 05:56 303616]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SmartSrvSet"= {1811DC30-A2D9-8547-8BDD-08CD967C124D} - C:\Program Files\rticvu\SmartSrvSet.dll [07/24/2008 11:35 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\windows\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^1-Click Answers.lnk]
backup=C:\WINDOWS\pss\1-Click Answers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F1U201.401.lnk]
backup=C:\WINDOWS\pss\F1U201.401.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^username^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^username^Start Menu^Programs^Startup^Iomega Product Registration.lnk]
backup=C:\WINDOWS\pss\Iomega Product Registration.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkMntMsg]
C:\windows\system32\nujqlapc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PictureMate]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB002" /M "PictureMate"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6700DMon]
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProcApi]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCAutoLiveUpdate]
C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystemTray]
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTDCPL]
RTDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
"C:\Documents and Settings\username\Application Data\Smilebox\SmileboxTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SrvApi]
C:\windows\system32\tcdaxgbu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b8286a-55b8-11dc-a26f-001422355fb2}]
AutoRun\command- M:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-27 11:37:25 ------------


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:30 AM

Posted 28 July 2008 - 12:51 AM

WARNING!
Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.



Hello, my name is fenzodahl512 and welcome to BC.. You really shouldn't run ComboFix on your own.. It is a powerful tool that if misused can render your computer unbootable..



Please do the following...


Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




NEXT


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\windows\system32\pphc9wuj0el0c.exe
    C:\Documents and Settings\username\Application Data\rhccwuj0el0c
    C:\Program Files\rhccwuj0el0c
    C:\windows\system32\blphc9wuj0el0c.scr
    C:\windows\system32\utwngtqf.exe
    C:\windows\system32\lphc9wuj0el0c.exe
    C:\windows\system32\zodezkli.exe
    C:\windows\system32\fixgzepi.exe
    C:\windows\system32\sbetyjax.exe
    C:\windows\system32\xkpcxife.exe
    C:\windows\system32\tcdaxgbu.exe
    C:\Program Files\rticvu
    C:\windows\system32\nujqlapc.exe
    C:\Documents and Settings\All Users\Application Data\rengvyza
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc9wuj0el0c
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMrhccwuj0el0c
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\procinfo
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\InfoCfgCmd
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DscAdmCfg
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MsgHlpSh
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysgenen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\XuAAxKNjiZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SmartSrvSet
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkMntMsg
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SrvApi
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please post the following logs in your next reply..

1. OTMoveIt2
2. Malwarebytes'
3. A fresh DSS log (after Malwarebytes' step)


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
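The scan in the first post and the OTMoveIt2 list above both come down to the same question: which of the autostart entries (the Run keys, Policies\Explorer\Run, ShellServiceObjectDelayLoad, msconfig's startupreg) belong to the rogue software? As an added example, not code from the thread or from DSS, OTMoveIt2 or any other tool named here, the Python script below parses a dump in the log's layout and scores each entry with a few defender-side heuristics: file names that look machine-generated, binaries written within days of the scan, launches from Application Data, and policy values such as NoDispBackgroundPage that hide settings pages (the hijacked desktop background the original poster described). The sample log is constructed from lines in the posted scan and the scan date is taken from its footer; the assumption that the bracketed date is the file's last-write time, and the score weights, are mine.

```python
"""Triage autostart entries from a DSS/ComboFix-style registry dump.

A score is a review aid, not a verdict: confirm signature, hash and
vendor before removing anything.
"""
import re
from datetime import date

# Constructed sample in the same layout as the posted scan, trimmed to a few
# keys; the lines themselves are taken from the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [04/13/2008 17:12]
"procinfo"="C:\windows\system32\xkpcxife.exe" [07/26/2008 11:37]
"sysgenen"="C:\windows\system32\utwngtqf.exe" [07/27/2008 11:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"XuAAxKNjiZ"=C:\Documents and Settings\All Users\Application Data\rengvyza\tuxmvwvi.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SmartSrvSet"= {1811DC30-A2D9-8547-8BDD-08CD967C124D} - C:\Program Files\rticvu\SmartSrvSet.dll [07/24/2008 11:35 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SrvApi]
C:\windows\system32\tcdaxgbu.exe
"""
SCAN_DATE = date(2008, 7, 27)  # from the log footer: "finished at 2008-07-27 ..."

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[]+?\.(?:exe|dll|scr)', re.IGNORECASE)
STAMP_RE = re.compile(r"\[(\d{2})/(\d{2})/(\d{4}) \d{2}:\d{2}(?: \d+)?\]")
# Policy values that hide Display Properties pages or disable admin tools.
UI_LOCKDOWN_POLICIES = {"NoDispBackgroundPage", "NoDispScrSavPage",
                        "DisableRegistryTools", "DisableTaskMgr", "NoDispCPL"}


def looks_generated(stem):
    """8+ lowercase letters with a run of 3+ consonants, e.g. xkpcxife, utwngtqf."""
    return (len(stem) >= 8 and stem.isalpha() and stem.islower()
            and re.search(r"[^aeiou]{3}", stem) is not None)


def parse_entries(text):
    """Turn '[key]' headers and the value lines beneath them into dicts."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
        else:  # bare path under msconfig\startupreg: name is the last key component
            name, data = key.rsplit("\\", 1)[-1], line
        sm = STAMP_RE.search(data)  # mm/dd/yyyy; assumed to be the file's last-write time
        stamp = date(int(sm.group(3)), int(sm.group(1)), int(sm.group(2))) if sm else None
        pm = PATH_RE.search(data)
        entries.append({"key": key, "name": name, "data": data,
                        "path": pm.group(0) if pm else None, "stamp": stamp})
    return entries


def score_entry(entry, scan_date=SCAN_DATE, recent_days=7):
    """Sum the weights of every heuristic that fires; return (score, reasons)."""
    hits, name, path = [], entry["name"], entry["path"]
    if name in UI_LOCKDOWN_POLICIES and (entry["data"].split() or ["0"])[0] != "0":
        hits.append((2, "policy hides a settings page or disables a tool"))
    if "policies\\explorer\\run" in entry["key"].lower():
        hits.append((1, "Policies\\Explorer\\Run is rarely used by legitimate software"))
    if path:
        parent, base = path.rsplit("\\", 1)
        stem = base.rsplit(".", 1)[0]
        if "\\application data\\" in path.lower():
            hits.append((2, "launches from an Application Data folder"))
        if looks_generated(stem):
            hits.append((1, "file name looks machine-generated"))
        if parent.lower().endswith("\\system32") and name.lower().rsplit(".", 1)[0] != stem.lower():
            hits.append((1, "system32 binary whose value name does not match it"))
        if entry["stamp"] and (scan_date - entry["stamp"]).days <= recent_days:
            hits.append((2, "file written within %d days of the scan" % recent_days))
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(text, scan_date=SCAN_DATE, threshold=2):
    """Entries scoring at or above the threshold, highest score first."""
    flagged = []
    for e in parse_entries(text):
        score, reasons = score_entry(e, scan_date)
        if score >= threshold:
            flagged.append({"name": e["name"], "target": e["path"] or e["data"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%d  %-22s %s\n    %s" % (f["score"], f["name"], f["target"],
                                        "; ".join(f["reasons"])))
```

On the sample, all seven entries the script flags (procinfo, sysgenen, the two NoDisp policies, XuAAxKNjiZ, SmartSrvSet, SrvApi) appear in the OTMoveIt2 list above, while ctfmon.exe and the SUPERAntiSpyware hook score zero. SmartSrvSet.dll is flagged on recency alone, which is exactly the kind of candidate to verify rather than delete outright, and terse legitimate file names will sometimes trip the consonant-run check; read the output as a review queue.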


#3 borkedPC

borkedPC
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 July 2008 - 01:04 PM

OK, so between the time that I posted and the time you posted, I ran more scans with Malwarebytes and others, including AVG and yes... again ComboFix :)

I also had manually deleted some of the viruses in the system32 folder that your MoveIt suggestion named... not really knowing exactly what they were, just knowing that they were new to the system32 folder and they must be BAD :)

Attached below are the new logs after following your directions exactly.

Thanks again for your time :thumbsup: :)

Attached Files



#4 borkedPC

borkedPC
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 July 2008 - 02:01 PM

I forgot to mention that the computer is acting 100% better, and I hope it is clean for good.

The only evidence of a virus is that now whenever I make a change in msconfig and press apply, it comes back with an access denied message:

"An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."

Any ideas on that one? I didn't change any services, just crap in the startup tab, and I am an administrator on my computer...

Cheers -
- borkedPC

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:30 AM

Posted 28 July 2008 - 05:30 PM

> I forgot to mention that the computer is acting 100% better, and I hope it is clean for good.
>
> The only evidence of a virus is that now whenever I make a change in msconfig and press apply, it comes back with an access denied message:
>
> "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."
>
> Any ideas on that one? I didn't change any services, just crap in the startup tab, and I am an administrator on my computer...
>
> Cheers -
> - borkedPC



Ah.. that is out of my expertise.. Try this and then, report back to me.. By the way, your log looks clean to my eyes..


Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:30 AM

Posted 06 August 2008 - 08:36 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





