Need Help With Clean Up Of Trojan.win32.monderc.gen And Trojan.vundo


6 replies to this topic

#1 j_mcnulty

  • Members
  • 4 posts

Posted 02 August 2008 - 06:08 AM

I think I may still have some malware slowing me down after having tried to disinfect for various infections. A few days ago, my trial version of Kaspersky 9 gave me a pop-up indicating that I was infected with trojan.win32.monderc.gen. I tried to disinfect, but after rebooting, it was still there. Since then, I've tried various things based on some logs that I've read in your forums. It seems that I can't get rid of something called trojan.vundo and variants of that.

Today, I...
1) cleaned up all cookies and history on both my IE and Firefox browsers,
2) downloaded and ran both 'Superantispyware' and 'MalwareBytes' AntiMalware', and
3) ran 'ComboFix'.

Things seem to be running OK now, but I thought the same thing yesterday, and this morning I was back to square one with everything running slowly. I just downloaded and ran Hijackthis (DSS) as per your site's instructions before posting.

Can you please have a look at either my hijackthis log or my ComboFix log?

Thanks in advance for your help.



#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 August 2008 - 06:16 AM

Welcome to BC! Post both logs and I'll take a look for you. :thumbsup:

#3 j_mcnulty

  • Topic Starter
  • Members
  • 4 posts

Posted 02 August 2008 - 06:52 AM

Here is my ComboFix log:

ComboFix 08-07-29.1 - A 2008-08-02 16:40:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.988 [GMT -12:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\inst.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AybHgfii.ini
C:\WINDOWS\system32\AybHgfii.ini2
C:\WINDOWS\system32\cnicesls.ini
C:\WINDOWS\system32\dihoukyc.ini
C:\WINDOWS\system32\iifgHbyA.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nsvcltbb.ini
C:\WINDOWS\system32\ojcbynsj.ini
C:\WINDOWS\system32\omoetkch.ini
C:\WINDOWS\system32\scuitsxe.ini
C:\WINDOWS\system32\scuitsxe.ini2
C:\WINDOWS\system32\scuitsxe.tmp
C:\WINDOWS\system32\tvvjotlf.ini2
C:\WINDOWS\system32\tvvjotlf.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-07-31 19:51 . 2008-07-31 19:51 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-07-31 19:51 . 2008-07-31 19:51 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-31 19:51 . 2008-07-31 19:51 <DIR> d----c--- C:\Documents and Settings\A\Application Data\SUPERAntiSpyware.com
2008-07-30 18:29 . 2008-07-30 18:29 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Malwarebytes
2008-07-30 18:28 . 2008-07-23 20:09 17,144 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 18:26 . 2008-07-30 18:26 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 18:26 . 2008-07-23 20:09 38,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 18:25 . 2008-07-30 18:29 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 22:34 . 2008-08-02 16:46 3,243,552 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-27 22:34 . 2008-08-02 16:46 417,824 --ahsc--- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-27 22:34 . 2008-08-02 16:46 28,516 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-27 22:34 . 2008-08-02 16:46 2,508 --ahsc--- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-27 19:11 . 2008-07-27 22:48 96,559 --a--c--- C:\WINDOWS\system32\drivers\klin.dat
2008-07-27 19:11 . 2008-07-27 22:48 87,855 --a--c--- C:\WINDOWS\system32\drivers\klick.dat
2008-07-27 11:53 . 2008-07-27 11:53 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-07-27 11:53 . 2008-07-27 11:53 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-07-24 17:56 . 2008-07-30 17:48 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmpDFC42.FOT
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmpD8F42.FOT
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmp8CD42.FOT
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmp85052.FOT
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmp5E052.FOT
2008-07-22 13:28 . 2008-07-22 13:28 1,409 --a--c--- C:\WINDOWS\system32\tmp0C152.FOT
2008-07-22 09:52 . 2008-07-22 09:52 <DIR> d----c--- C:\Program Files\Common Files\ResearchSoft
2008-07-22 09:50 . 2008-07-24 17:56 <DIR> d----c--- C:\Program Files\EndNote X2
2008-07-22 09:50 . 2008-07-24 17:56 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmpE17C2.FOT
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmpC1AC2.FOT
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmp8DAC2.FOT
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmp4D8C2.FOT
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmp366C2.FOT
2008-07-09 09:06 . 2008-07-09 09:06 1,409 --a--c--- C:\WINDOWS\system32\tmp089C2.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmpBB707.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmpAA207.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmp76807.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmp6E507.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmp65307.FOT
2008-07-09 08:58 . 2008-07-09 08:58 1,409 --a--c--- C:\WINDOWS\system32\tmp1C607.FOT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 04:32 --------- dc----w C:\Program Files\MSN Messenger
2008-08-03 03:53 --------- dc----w C:\Program Files\DAEMON Tools
2008-08-03 03:27 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-03 03:27 --------- dc----w C:\Documents and Settings\A\Application Data\Skype
2008-08-02 07:22 --------- dc----w C:\Documents and Settings\A\Application Data\skypePM
2008-07-28 10:27 --------- dc----w C:\Program Files\Kaspersky Lab
2008-07-28 10:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-28 07:52 112,144 -c--a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-28 07:10 --------- dc----w C:\Documents and Settings\A\Application Data\uTorrent
2008-07-28 01:26 --------- dc----w C:\Documents and Settings\A\Application Data\Yahoo!
2008-07-22 22:02 --------- dc----w C:\Documents and Settings\A\Application Data\EndNote
2008-07-22 21:52 --------- dc----w C:\Program Files\Common Files\Risxtd
2008-07-15 09:43 --------- dc----w C:\Documents and Settings\A\Application Data\Vso
2008-06-30 06:50 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-30 06:48 --------- dc----w C:\Program Files\Disney Interactive
2008-06-15 11:40 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-15 11:34 --------- dc----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-15 11:32 --------- dc----w C:\Program Files\Yahoo!
2008-06-15 00:18 --------- dc----w C:\Program Files\Vimicro
2008-06-15 00:18 --------- dc----w C:\Program Files\Common Files\InstallShield
2008-06-10 07:15 --------- dc----w C:\Program Files\Skype
2008-06-10 07:15 --------- dc----w C:\Program Files\Common Files\Skype
2008-06-10 07:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-06 06:56 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-25 08:17 47,360 -c--a-w C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-02-06 06:57 5,713 -c--a-w C:\Program Files\install.log
2007-10-18 08:07 35,968 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2004-12-01 03:20 137,216 -c--a-r C:\Program Files\fmod.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 11:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 10:38 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-26 03:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-26 03:17 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-26 03:17 118784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-03-03 03:39 6144]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 16:50 155648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 03:46 172032]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 10:05 135168]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 08:43 274432]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 02:57 133016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-06-23 11:13 61440]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-10-13 09:35 61952 C:\WINDOWS\system32\hdashcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"msnsc"="C:\WINDOWS\system32\msnsc.exe" [2006-01-14 14:49 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 11:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-26 10:00:57 113664]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 21:53:14 200704]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 07:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 SetupSys;Conexant Setup API;C:\WINDOWS\system32\drivers\SetupSys.sys [2001-01-09 09:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee0e886-f07d-11dc-af9e-0013d3109c25}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a571122-9af8-11db-b8b3-0013d3109c25}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ryl1j1kag0at8v448pumjohxrf5l7gkup1sq6yy9w3ssv072n52at8v448p.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936b7896-550e-11dc-9c50-0013d3109c25}]
\shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2008-07-12 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 11:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-78f1cbd4 - C:\WINDOWS\system32\fltojvvt.dll
HKLM-Run-BM7bc2f848 - C:\WINDOWS\system32\hhgcbtnd.dll
Notify-fcccbxvv - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://hotmail.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyOverride = local
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: &Search
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: Open in new background tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6cb60bab759b4841a427d91421fe8d67
O8 -: Open in new foreground tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6cb60bab759b4841a427d91421fe8d67
O8 -: ส่&งออกไปยัง Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O16 -: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} - hxxp://www.myipq.com/hosting/cibrowser/cibrowser_1_1_1_119.cab
C:\WINDOWS\Downloaded Program Files\cibrowser11.inf
C:\WINDOWS\system32\cibrowser11.ocx

O16 -: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} - hxxp://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V29.cab
C:\WINDOWS\Downloaded Program Files\CongnamulMap4Asp.inf

O16 -: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} - hxxp://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab
C:\WINDOWS\Downloaded Program Files\CongnamulMap.inf


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:47:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-08-02 16:51:30 - machine was rebooted [A]
ComboFix-quarantined-files.txt 2008-08-03 04:51:23

Pre-Run: 9,692,360,704 bytes free
Post-Run: 14,574,456,832 bytes free


#4 j_mcnulty

  • Topic Starter
  • Members
  • 4 posts

Posted 02 August 2008 - 06:55 AM

Here are my main.txt and extra.txt from DSS (HijackThis). Thanks a lot for your help!

Main.txt

Deckard's System Scanner v20071014.68
Run by A on 2008-08-02 17:38:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-08-03 05:38:37 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-08-03 04:38:43 UTC - RP3 - ComboFix created restore point
2: 2008-08-03 04:36:52 UTC - RP2 - after running superantispyware and MBAM and cleaning cookies, etc. (before comboFix)
1: 2008-08-03 04:35:09 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as A.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:22, on 02/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\True\hi-speed Navigator\hi-speed Navigator.exe
C:\Documents and Settings\A\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\A.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! ?u???C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! ?u???C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?6cb60bab759b4841a427d91421fe8d67
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?6cb60bab759b4841a427d91421fe8d67
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cib...r_1_1_1_119.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V29.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8C34C9A-56F9-4F4A-AE6F-55EF2C655225}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 10972 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SetupSys (Conexant Setup API) - c:\windows\system32\drivers\setupsys.sys <Not Verified; Conexant; Diagnostic Interface>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
R3 ZSMC303 (VIMICRO USB PC Camera (ZC0301PLH)) - c:\windows\system32\drivers\usbvm303.sys <Not Verified; Vimicro Corporation; >

S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 16:42:00 246 --a----c- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-12 10:08:00 428 --a----c- C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 17:40:10 0 d------c- C:\Program Files\Trend Micro
2008-07-31 19:51:53 0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-31 19:51:41 0 d------c- C:\Program Files\SUPERAntiSpyware
2008-07-31 19:51:41 0 d------c- C:\Documents and Settings\A\Application Data\SUPERAntiSpyware.com
2008-07-31 19:49:53 0 d------c- C:\cmdcons
2008-07-31 19:46:54 68096 --a----c- C:\WINDOWS\zip.exe
2008-07-31 19:46:54 49152 --a----c- C:\WINDOWS\VFind.exe
2008-07-31 19:46:54 212480 --a----c- C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-31 19:46:54 136704 --a----c- C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-31 19:46:54 161792 --a----c- C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-31 19:46:54 98816 --a----c- C:\WINDOWS\sed.exe
2008-07-31 19:46:54 80412 --a----c- C:\WINDOWS\grep.exe
2008-07-31 19:46:54 89504 --a----c- C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 18:29:46 0 d------c- C:\Documents and Settings\A\Application Data\Malwarebytes
2008-07-30 18:26:11 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 18:25:32 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 22:34:41 417824 --ahs--c- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-27 22:34:41 3243552 --ahs--c- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-27 19:11:20 96559 --a----c- C:\WINDOWS\system32\drivers\klin.dat
2008-07-27 19:11:20 87855 --a----c- C:\WINDOWS\system32\drivers\klick.dat
2008-07-27 17:25:15 6291456 --a------ C:\Documents and Settings\A\ntuser.dat
2008-07-24 17:56:41 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 09:52:50 0 d------c- C:\Program Files\Common Files\ResearchSoft
2008-07-22 09:50:35 0 d------c- C:\Program Files\EndNote X2
2008-07-22 09:50:14 0 d------c- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers


-- Find3M Report ---------------------------------------------------------------

2008-08-02 16:53:37 0 d------c- C:\Documents and Settings\A\Application Data\Skype
2008-08-02 16:50:26 142701 --a----c- C:\logfile
2008-08-02 16:49:30 0 d------c- C:\Documents and Settings\A\Application Data\skypePM
2008-08-02 16:42:01 0 d------c- C:\Program Files\Common Files
2008-08-02 16:32:45 0 d------c- C:\Program Files\MSN Messenger
2008-08-02 15:53:51 0 d------c- C:\Program Files\DAEMON Tools
2008-08-02 11:38:59 664 --a----c- C:\Documents and Settings\A\Application Data\vso_ts_preview.xml
2008-07-27 22:27:51 0 d------c- C:\Program Files\Kaspersky Lab
2008-07-27 19:10:39 0 d------c- C:\Documents and Settings\A\Application Data\uTorrent
2008-07-27 13:26:49 0 d------c- C:\Documents and Settings\A\Application Data\Yahoo!
2008-07-22 10:02:12 0 d------c- C:\Documents and Settings\A\Application Data\EndNote
2008-07-22 09:52:56 0 d------c- C:\Program Files\Common Files\Risxtd
2008-07-14 21:43:00 0 d------c- C:\Documents and Settings\A\Application Data\Vso
2008-06-29 18:50:22 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-06-29 18:48:05 0 d------c- C:\Program Files\Disney Interactive
2008-06-18 18:25:12 0 d------c- C:\Documents and Settings\A\Application Data\Google
2008-06-15 10:26:51 304 --a----c- C:\WINDOWS\EReg515.dat
2008-06-14 23:34:33 0 d------c- C:\Documents and Settings\A\Application Data\Adobe
2008-06-14 23:32:30 0 d------c- C:\Program Files\Yahoo!
2008-06-14 12:18:10 0 d------c- C:\Program Files\Vimicro
2008-06-14 12:18:10 0 d------c- C:\Program Files\Common Files\InstallShield
2008-06-09 19:18:55 56 --ah---c- C:\WINDOWS\system32\ezsidmv.dat
2008-06-09 19:15:27 0 d------c- C:\Program Files\Skype
2008-06-09 19:15:24 0 d------c- C:\Program Files\Common Files\Skype
2008-06-05 18:56:59 43520 --a----c- C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-24 20:17:06 34 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.log
2008-05-24 20:17:03 47360 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-24 20:17:03 1144 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.inf
2008-05-24 20:17:03 7887 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [26/02/2006 03:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [26/02/2006 03:17]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [26/02/2006 03:17]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [13/10/2005 09:35 C:\WINDOWS\system32\hdashcut.exe]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [03/03/2006 03:39]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [08/07/2001 16:50]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04/03/2004 03:46]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [27/02/2004 10:05]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 15:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [16/09/2005 08:43]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [16/02/2005 23:11]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 02:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [23/06/2005 11:13]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [25/04/2008 18:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 11:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [15/10/2007 10:38]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/05/2008 15:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 17:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"msnsc"=C:\WINDOWS\system32\msnsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee0e886-f07d-11dc-af9e-0013d3109c25}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a571122-9af8-11db-b8b3-0013d3109c25}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ryl1j1kag0at8v448pumjohxrf5l7gkup1sq6yy9w3ssv072n52at8v448p.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936b7896-550e-11dc-9c50-0013d3109c25}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs




-- End of Deckard's System Scanner: finished at 2008-08-02 17:41:03 ------------




extra.txt



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1527.36 MiB / 1021.02 MiB
Pagefile Memory (total/avail): 2133.04 MiB / 1812.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.73 MiB

C: is Fixed (NTFS) - 40 GiB total, 13.53 GiB free.
D: is Fixed (NTFS) - 34.52 GiB total, 14.31 GiB free.
E: is CDROM (No Media)
F: is Fixed (NTFS) - 149.04 GiB total, 44.09 GiB free.
G: is CDROM (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is CDROM (No Media)
M: is CDROM (No Media)
N: is Removable (No Media)
O: is Removable (No Media)

\\.\PHYSICALDRIVE1 - ST3160815AS - 149.05 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 149.04 GiB - F:

\\.\PHYSICALDRIVE0 - ST380013AS - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 40 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 34.52 GiB - D:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Kaspersky Internet Security v8.0.0.357 (Kaspersky Lab) Disabled
AV: Kaspersky Internet Security v8.0.0.357 (Kaspersky Lab) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\A\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WIN06V4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\A
LOGONSERVER=\\WIN06V4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\A\LOCALS~1\Temp
TMP=C:\DOCUME~1\A\LOCALS~1\Temp
USERDOMAIN=WIN06V4
USERNAME=A
USERPROFILE=C:\Documents and Settings\A
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

A (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 2.30 Beta 16 --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\7-zip.inf,SevenZip.Uninstall
ACDSee 7.0 --> MsiExec.exe /I{ECE0113B-23D0-4DD8-89E6-D2F026CABF03}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Agere Systems PCI Soft Modem --> agrsmdel
Britannica CD 2000 Deluxe Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Britannica\BCD\bcd2000mm.isu"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Cinderella's Dollhouse --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\DISNEY~1\DeIsL1.isu
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ConvertXtoDVD 3.0.0.1 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
Disney's Mickey Mouse Kindergarten --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Disney Interactive\Mickey Mouse Kindergarten\DeIsL1.isu" -c"C:\Program Files\Disney Interactive\Mickey Mouse Kindergarten\Saved Games\Uninst.dll
Disney's Winnie the Pooh Spelling --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCE73230-EE4D-11D5-B233-0050DACD394D}\setup.exe" -l0x9 Uninstall
Empire Earth II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF315348-721C-40B8-BAE2-58C6C7D935A2}\setup.exe" -l0x9 -removeonly
EndNote X2 --> MsiExec.exe /I{002B1E90-3241-4D45-8831-E89020F8E7E6}
EQ5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electric Quilt Company\EQ5\Uninst.isu"
EQ5 Embroidery --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2EAA62E6-89C6-409F-9758-8296187CAA25}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
FinePixViewer Ver.3.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{24ED4D80-8294-11D5-96CD-0040266301AD} /l1033
Flickr Uploadr 2.5.0.15 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hewlett-Packard Multimedia Keyboard/Mouse Solution --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FCD50C2E-7DB3-4C18-8D73-6E24CEBD4021}
hi-speed Navigator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A34E57B-CE24-4A7F-AD20-4C8B62029D5E}\setup.exe" -l0x9 -removeonly
HP Deskjet 3740 --> msiexec /x{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Connections Drivers --> Prounstl.exe
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
JumpStart Advanced Kindergarten --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\UNKinder2002.exe
K-Lite Codec Pack 3.2.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Internet Security 2009 --> MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
Kaspersky Internet Security 2009 --> MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_b40bcc\Setup.exe /APR-REMOVE
LucasArts' Rogue Squadron --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LucasArts\ROGUE\DeIsL1.isu"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}
Microsoft Office XP English User Interface Pack --> MsiExec.exe /I{901E0409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional พร้อมด้วย FrontPage --> MsiExec.exe /I{9028041E-6000-11D3-8CFE-0050048383C9}
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> rundll32.exe setupapi,InstallHinfSection DefaultUnInstall 132 C:\WINDOWS\Inf\msn75.inf
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4B408BD5-310E-4B02-90AC-71BEE6E2ED0E}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
Phonics Quest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FB63359-E6C4-4965-81BD-164E2FA52F22}\setup.exe" -l0x9 Phonics Quest
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Princess Magical Dress-Up --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3554902-AB4A-11D5-AA2E-0008C760B784}\setup.exe" Princess Magical Dress-Up
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
PSpell.exe custom database --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{e61013bb-cfd0-459c-9d67-082894eab154}.sdb"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{1707BF02-0F5C-4A6C-8F17-053BB73E443F}
The Rosetta Stone --> C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.log
Thief - Deadly Shadows --> C:\Program Files\Thief - Deadly Shadows\Uninst.exe /pid:{B5E0195A-A38A-46B2-A770-9F2362834E2B} /asd
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
True Crime - Streets of LA --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1A1FE271-EA21-40E5-90FC-51A8EFBC0A30}
Vimicro USB PC Camera (ZC0301PLH) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\Setup.exe" -l0x9
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! คuจใฆC --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1715 / Error
Event Submitted/Written: 08/02/2008 03:07:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application hi-speed Navigator.exe, version 3.1.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1705 / Error
Event Submitted/Written: 08/02/2008 11:26:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application avp.exe, version 8.0.0.357, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [avp.exe!ws!]

Event Record #/Type1694 / Error
Event Submitted/Written: 07/31/2008 07:37:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.4669, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1676 / Error
Event Submitted/Written: 07/29/2008 07:26:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hpwucli.exe, version 4.0.3.1, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [hpwucli.exe!ws!]

Event Record #/Type1675 / Error
Event Submitted/Written: 07/28/2008 11:47:57 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2064 / Error
Event Submitted/Written: 08/02/2008 04:56:29 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0013D3109C25 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type2063 / Warning
Event Submitted/Written: 08/02/2008 04:56:24 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013D3109C25. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2003 / Error
Event Submitted/Written: 08/02/2008 03:27:12 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%2

Event Record #/Type2001 / Error
Event Submitted/Written: 08/02/2008 03:26:36 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.

Event Record #/Type1991 / Error
Event Submitted/Written: 08/02/2008 02:37:59 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0013D3109C25 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-08-02 17:41:03 ------------

#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 August 2008 - 11:18 AM

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\msnsc.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

#6 j_mcnulty

j_mcnulty
  • Topic Starter

  • Members
  • 4 posts

Posted 02 August 2008 - 10:26 PM

D-trojanator,

I'm j_mcnulty and you were helping me yesterday with the disinfection of some potential malware. You had a look at my hijackthis and Combofix logs, and then you suggested that I download Suspicious File Packer to pack C:\WINDOWS\system32\msnsc.exe. I did so, and now I've posted the CAB file to the location that you requested.

I really appreciate all of your help.

#7 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 August 2008 - 01:26 AM

Hi and thanks for uploading that file.

I scanned it through various antivirus engines and one came back to me with:
Trojan-Dropper.Win32.Delf.FZ <-- so we need to remove it.. :thumbsup:

Open hijackthis, click 'config' (bottom right). Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\msnsc.exe

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.
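As an added example (not from this thread, from DSS or from HijackThis), here is a small Python triage script over the "Registry Dump" section of a Deckard's System Scanner log. It parses Run/RunOnce values and MountPoints2 AutoRun commands and flags the two patterns visible in the log posted above: a Run value living in system32 for which DSS recorded no file information (the msnsc.exe entry David asked to have removed), and a removable-drive AutoRun command that launches a script host. The log-format rules and the flag heuristics are my assumptions; the sample log is constructed from lines in this thread.

```python
"""Heuristic triage of the 'Registry Dump' section of a DSS log.

Added example for this thread; not part of DSS, HijackThis or any post.
The parsing rules below are assumptions about the DSS text format.
"""
import re

# Constructed sample: lines taken from the Registry Dump posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [26/02/2006 03:17]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [25/04/2008 18:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 11:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"msnsc"=C:\WINDOWS\system32\msnsc.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee0e886-f07d-11dc-af9e-0013d3109c25}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a571122-9af8-11db-b8b3-0013d3109c25}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ryl1j1kag0at8v448pumjohxrf5l7gkup1sq6yy9w3ssv072n52at8v448p.vbs
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')           # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')    # "name"=data
AUTORUN_RE = re.compile(r'^AutoRun\\command-\s*(?P<cmd>.+)$')  # mountpoints2
# DSS appends "[dd/mm/yyyy hh:mm]" when it could read the target file.
FILEINFO_RE = re.compile(r'\[\d{2}/\d{2}/\d{4} \d{2}:\d{2}')
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_registry_dump(text):
    """Return a list of {key, kind, name, data} dicts, one per value line."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append({"key": key, "kind": "autorun",
                            "name": "AutoRun\\command", "data": m.group("cmd")})
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "kind": "run",
                            "name": m.group("name"), "data": m.group("data")})
    return entries


def triage(entries):
    """Apply two heuristics (assumptions, not DSS rules) and return findings."""
    findings = []
    for e in entries:
        data_l = e["data"].lower()
        if e["kind"] == "autorun":
            # A removable-drive AutoRun that hands a .vbs to wscript/cscript
            # is the classic autorun-worm pattern; a vendor launcher is not.
            if any(h in data_l for h in SCRIPT_HOSTS):
                findings.append({**e, "reason": "drive AutoRun launches a script host"})
        elif "\\currentversion\\run" in e["key"].lower():
            # A Run value in system32 that DSS could not stat stands out
            # among system entries that all carry file dates.
            if "\\windows\\system32\\" in data_l and not FILEINFO_RE.search(e["data"]):
                findings.append({**e, "reason": "system32 Run value with no file info"})
    return findings


def triage_log(text):
    """Convenience wrapper: parse then triage a whole Registry Dump."""
    return triage(parse_registry_dump(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['reason']}: {f['name']} -> {f['data']}  ({f['key']})")
```

Run against a real DSS log by replacing SAMPLE_LOG with the file contents; entries it flags are candidates for review, not a verdict, which is why the helper still had the file scanned before asking for its removal.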



