Multiple Trojans


  • This topic is locked
6 replies to this topic

#1 shabam jenkins

Posted 07 August 2008 - 10:50 PM

Usually when I boot into XP, AVG finds several things it considers viruses every time I start up Windows. I tend to get pop-ups and sometimes I have to close explorer.exe through Ctrl+Alt+Del to get sites to show in Firefox. I've no idea what to do anymore. If this doesn't work I'm simply reformatting. Any help with my predicament is greatly appreciated!

Deckard's System Scanner v20071014.68
Run by Koori on 2008-08-07 23:36:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; access is denied.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Koori.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:10 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\JMRaidSetup.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Koori.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {0861cc12-b312-496f-b8e2-2ff641f0b8c5} - (no file)
O2 - BHO: (no name) - {17242CAD-D06C-4A04-B3BA-5A10217C3D52} - C:\WINDOWS\system32\ppeaohoq.dll
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - (no file)
O2 - BHO: {0384ef27-5dd7-6099-2614-74a3d735664f} - {f466537d-3a47-4162-9906-7dd572fe4830} - C:\WINDOWS\system32\bdbkyk.dll
O2 - BHO: (no name) - {F8F3BF31-ECD1-4FF0-A2EC-B2F363A55799} - C:\WINDOWS\system32\ssqrrOIB.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [700c16da] rundll32.exe "C:\WINDOWS\system32\vmyeorqo.dll",b
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: iiffCTLc - iiffCTLc.dll (file missing)
O20 - Winlogon Notify: urqqopo - urqqopo.dll (file missing)
O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9367 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MaVctrl - c:\windows\system32\drivers\mavc2k.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>

S2 npkcrypt - d:\games\maplestory\npkcrypt.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 maa950c - c:\windows\system32\drivers\maa950c.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 maa950m - c:\windows\system32\drivers\maa950m.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 maa950u - c:\windows\system32\drivers\maa950u.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 npkcusb - d:\games\maplestory\npkcusb.sys (file missing)
S3 ser2pl (USB Filter Driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 23:12:21 0 d-------- C:\WINDOWS\CSC
2008-08-07 22:04:18 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-07 21:53:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-08-07 21:49:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-07 21:49:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-07 21:49:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-07 21:49:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-07 21:49:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-07 21:49:16 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-08-07 21:49:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-07 21:49:16 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-08-07 21:49:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-07 21:49:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-08-07 21:49:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-07 21:49:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-07 21:49:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-07 21:49:15 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-07 21:40:04 0 d-------- C:\Program Files\CCleaner
2008-08-07 21:38:11 0 d-------- C:\Program Files\Trend Micro
2008-08-07 20:22:19 2112 --a------ C:\WINDOWS\system32\vmhomemv.exe
2008-08-07 20:19:14 95808 --a------ C:\WINDOWS\system32\vmyeorqo.dll
2008-08-07 20:16:17 113216 --a------ C:\WINDOWS\system32\bdbkyk.dll
2008-08-07 20:16:16 113216 --a------ C:\WINDOWS\system32\dsuciidp.dll
2008-08-07 20:13:46 105024 --a------ C:\WINDOWS\system32\mbxnbycg.dll
2008-08-06 20:16:31 111168 --a------ C:\WINDOWS\system32\dlzamr.dll
2008-08-06 20:16:21 111168 --a------ C:\WINDOWS\system32\ioccssuw.dll
2008-08-06 20:13:19 2112 --a------ C:\WINDOWS\system32\xydltwnt.exe
2008-08-05 17:19:49 113216 --a------ C:\WINDOWS\system32\hgvelv.dll
2008-08-05 17:19:47 113216 --a------ C:\WINDOWS\system32\puvisiyd.dll
2008-08-05 17:16:58 2112 --a------ C:\WINDOWS\system32\snyayxva.exe
2008-08-05 17:04:17 118848 --a------ C:\WINDOWS\system32\ppeaohoq.dll
2008-08-05 17:02:01 105536 --a------ C:\WINDOWS\system32\eoatpebq.dll
2008-08-02 17:22:32 118336 --a------ C:\WINDOWS\system32\nnxsxp.dll
2008-08-02 17:22:30 118336 --a------ C:\WINDOWS\system32\ijgwtraw.dll
2008-08-02 17:20:13 96832 --a------ C:\WINDOWS\system32\jfmtbkrr.dll
2008-08-02 17:17:13 118848 --a------ C:\WINDOWS\system32\naqumywl.dll
2008-08-02 17:14:13 105024 --a------ C:\WINDOWS\system32\emcwharx.dll
2008-08-01 17:21:44 118848 --a------ C:\WINDOWS\system32\qbqgutgj.dll
2008-08-01 17:18:45 117824 --a------ C:\WINDOWS\system32\hfswplov.dll
2008-07-31 17:49:53 118848 --a------ C:\WINDOWS\system32\rexmswum.dll
2008-07-31 17:49:34 118848 --a------ C:\WINDOWS\system32\fjhmqews.dll
2008-07-31 17:15:01 118848 --a------ C:\WINDOWS\system32\jxguhwgo.dll
2008-07-29 22:29:21 118848 --a------ C:\WINDOWS\system32\yolvqgtf.dll
2008-07-29 22:26:15 118848 --a------ C:\WINDOWS\system32\tuinvmji.dll
2008-07-28 22:28:31 118848 --a------ C:\WINDOWS\system32\qxhurfxo.dll
2008-07-28 16:37:47 118848 --a------ C:\WINDOWS\system32\tiyhslej.dll
2008-07-28 16:37:30 118848 --a------ C:\WINDOWS\system32\jscobxws.dll
2008-07-28 16:37:13 118848 --a------ C:\WINDOWS\system32\toryiwap.dll
2008-07-28 16:36:55 118848 --a------ C:\WINDOWS\system32\dqdoegfd.dll
2008-07-25 22:00:12 967 --a------ C:\WINDOWS\ScUnin.pif
2008-07-25 22:00:12 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-07-25 22:00:12 34366 --a------ C:\WINDOWS\scunin.dat
2008-07-17 23:16:55 118848 --a------ C:\WINDOWS\system32\rffhpimv.dll
2008-07-08 07:53:53 0 d-------- C:\Program Files\MSBuild
2008-07-08 07:53:01 0 d-------- C:\Program Files\Microsoft.NET
2008-07-08 07:50:49 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-07-08 07:50:09 0 d-------- C:\WINDOWS\SHELLNEW
2008-07-08 07:49:12 0 dr-h----- C:\MSOCache


-- Find3M Report ---------------------------------------------------------------

2008-08-07 23:37:06 870805 --ahs---- C:\WINDOWS\system32\BIOrrqss.ini2
2008-08-07 21:25:46 0 d-------- C:\Program Files\FlashGet
2008-08-07 21:16:44 0 d-------- C:\Documents and Settings\Koori\Application Data\uTorrent
2008-08-07 08:00:02 0 d-------- C:\Documents and Settings\Koori\Application Data\AVG7
2008-07-31 20:42:28 0 d-------- C:\Program Files\Macromedia
2008-07-31 20:42:28 0 d-------- C:\Documents and Settings\Koori\Application Data\Macromedia
2008-07-31 20:42:19 0 d-------- C:\Program Files\Common Files\Macromedia
2008-07-10 20:01:19 0 d-------- C:\Program Files\SlySoft
2008-07-10 19:56:51 0 d-------- C:\Documents and Settings\Koori\Application Data\LimeWire
2008-07-08 07:54:07 0 d-------- C:\Program Files\Microsoft Works
2008-07-08 07:53:29 0 d-------- C:\Program Files\Common Files
2008-07-07 22:15:23 0 d-------- C:\Documents and Settings\Koori\Application Data\Mozilla
2008-07-06 18:08:42 200 --a------ C:\WINDOWS\QCPC80UI.dat
2008-07-02 23:33:29 39581 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-02 23:32:15 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-07-02 23:32:15 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-07-02 23:32:15 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-07-02 23:28:26 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-02 23:28:26 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0861cc12-b312-496f-b8e2-2ff641f0b8c5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17242CAD-D06C-4A04-B3BA-5A10217C3D52}]
08/05/2008 05:04 PM 118848 --a------ C:\WINDOWS\system32\ppeaohoq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3401DB32-7F00-4EC7-A890-A75F64973843}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f466537d-3a47-4162-9906-7dd572fe4830}]
08/07/2008 08:16 PM 113216 --a------ C:\WINDOWS\system32\bdbkyk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8F3BF31-ECD1-4FF0-A2EC-B2F363A55799}]
05/05/2008 11:36 AM 280064 --a------ C:\WINDOWS\system32\ssqrrOIB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="C:\WINDOWS\System32\JMRaidSetup.exe" [11/16/2006 09:05 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [09/25/2006 12:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [06/27/2008 10:38 PM]
"RTHDCPL"="RTHDCPL.EXE" [11/14/2006 05:21 AM C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\ALCMTR.EXE]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [04/10/2002 07:44 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"700c16da"="C:\WINDOWS\system32\vmyeorqo.dll" [08/07/2008 08:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 06:48 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [03/01/2006 07:43 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 06:16 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 11:00 AM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [07/21/2008 08:15 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" []

C:\Documents and Settings\Koori\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [12/27/2007 11:03:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffCTLc]
iiffCTLc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqopo]
urqqopo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 12/06/2005 10:16 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32]
winwil32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqrrOIB


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9ec892a-fea7-11db-88b5-001a4d401260}]
AutoRun\command- F:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2008-08-07 23:38:41 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
CPU 1: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 3582.42 MiB / 2948.75 MiB
Pagefile Memory (total/avail): 4418.45 MiB / 3886.42 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.77 MiB

C: is Fixed (NTFS) - 22.03 GiB total, 9.72 GiB free.
D: is Fixed (NTFS) - 186.3 GiB total, 152.75 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Fixed (NTFS) - 698.64 GiB total, 500.95 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600JS-22NCB1 - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 22.03 GiB - C:
\PARTITION1 - Unknown - 121.82 GiB
\PARTITION2 - Extended Partition - 5.2 GiB

\\.\PHYSICALDRIVE1 - SATA WDC WD20 SCSI Disk Device - 186.31 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 186.3 GiB - D:

\\.\PHYSICALDRIVE2 - Seagate FreeAgent Pro USB Device - 698.64 GiB - 1 partition
\PARTITION0 - Installable File System - 698.64 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.526 v7.5.526 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"D:\\Games\\rise.exe"="D:\\Games\\rise.exe:*:Enabled:Rise of Nations"
"D:\\Games\\Rise of Nations\\rise.exe"="D:\\Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"D:\\Games\\COD 2\\CoD2MP_s.exe"="D:\\Games\\COD 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"D:\\iTunes.exe"="D:\\iTunes.exe:*:Enabled:iTunes"
"D:\\Games\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="D:\\Games\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\WINDOWS\\system32\\lxczcoms.exe"="C:\\WINDOWS\\system32\\lxczcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Games\\gunz\\Gunz.exe"="D:\\Games\\gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\ijji\\ENGLISH\\u_gbound.exe"="C:\\ijji\\ENGLISH\\u_gbound.exe:*:Enabled:<ijji Downloader>"
"D:\\Games\\Maplestory\\MapleStory.exe"="D:\\Games\\Maplestory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\mobile PhoneTools\\mPhonetools.exe"="C:\\Program Files\\mobile PhoneTools\\mPhonetools.exe:*:Enabled:mobile Phone Software"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitPim\\bitpim.exe"="C:\\Program Files\\BitPim\\bitpim.exe:*:Enabled:View and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones."
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Koori\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KORY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Koori
LOGONSERVER=\\KORY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Koori\LOCALS~1\Temp
TMP=C:\DOCUME~1\Koori\LOCALS~1\Temp
USERDOMAIN=KORY
USERNAME=Koori
USERPROFILE=C:\Documents and Settings\Koori
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Koori (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\S3\P4M266\P4M266.isu"
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{763E8D6C-0098-4FF4-801A-3F311D2D9D80}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{685755F8-C74B-4613-8137-C90AF458228D}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
AVIVO Codecs --> MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
BitPim 1.0.4 --> "C:\Program Files\BitPim\unins000.exe"
Call of Duty® 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
FlashGet(JetCar) --> C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Guild Wars --> "D:\Games\Guild Wars\Gw.exe" -uninstall
Gunbound Revolution --> "D:\Games\Gunbound\ENGLISH\Gunbound Revolution\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ijji --> C:\ijji\ENGLISH\ijjiUninstall.exe
ijji FireFox Launcher 1.0 --> C:\Documents and Settings\Koori\Application Data\IJJIGame\uninst.exe
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kyocera High-Speed Wireless Modem (Driver Removal) --> C:\WINDOWS\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\KWCXCOMM&0C88&FE43
Lexmark 1200 Series --> C:\Program Files\Lexmark 1200 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
Linksys EasyLink Advisor 1.6 (0032) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B0-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Motorola Driver Installation --> MsiExec.exe /I{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 7 Demo --> MsiExec.exe /I{1B779CC7-5F25-29B3-5150-AF44A6201033}
ObjectDock --> C:\PROGRA~1\Stardock\OBJECT~2\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~2\INSTALL.LOG
QCP Converter --> C:\Program Files\QCP Converter\uninstall.exe
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Royale Remixed Theme --> MsiExec.exe /I{993A94A9-DCE3-4774-B35D-D8C74FC1E0BE}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
SUPER © Version 2007.bld.23 (July 4, 2007) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Verizon Online DSL --> C:\Program Files\Common Files\SupportSoft\Verizon\vzuninstall.exe /starthidden
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WindowBlinds --> C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3718 / Error
Event Submitted/Written: 08/07/2008 10:18:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssqrroib.dll, version 0.0.0.0, fault address 0x00062ed3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type3717 / Error
Event Submitted/Written: 08/07/2008 10:00:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssqrroib.dll, version 0.0.0.0, fault address 0x00062ed3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type3716 / Error
Event Submitted/Written: 08/07/2008 10:00:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssqrroib.dll, version 0.0.0.0, fault address 0x00062ed3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type3715 / Error
Event Submitted/Written: 08/07/2008 10:00:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssqrroib.dll, version 0.0.0.0, fault address 0x00062ed3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type3701 / Error
Event Submitted/Written: 08/01/2008 11:48:48 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-08-02 03:48:48,093 KORY [000228:000428] ERROR 000 AVG7.CC.plugins.CPluginManager plugin {491A562C-1E72-4BD9-B454-299127582DA5} action 335 running failed: The specified module could not be found. (126)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18815 / Warning
Event Submitted/Written: 08/07/2008 11:37:43 PM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk2\D during a paging operation.

Event Record #/Type18813 / Error
Event Submitted/Written: 08/07/2008 11:35:20 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18812 / Error
Event Submitted/Written: 08/07/2008 11:35:18 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18811 / Error
Event Submitted/Written: 08/07/2008 11:35:16 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18810 / Error
Event Submitted/Written: 08/07/2008 11:35:14 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-08-07 23:38:41 ------------


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 08 August 2008 - 03:53 PM

Hi

Your main infection is a very bad Vundo trojan infection ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky;
click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 shabam jenkins

shabam jenkins
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:27 PM

Posted 09 August 2008 - 08:02 PM

I will list the logs in the order that you requested me to do.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 02:57:19
Records in database: 1071079
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 133842
Threat name: 7
Infected objects: 47
Suspicious objects: 0
Duration of the scan: 01:34:52


File name / Threat name / Threats count
C:\WINDOWS\system32\ssqrrOIB.dll//PE_Patch/C:\WINDOWS\system32\ssqrrOIB.dll//PE_Patch Infected: Trojan.Win32.Monder.gen 3
C:\WINDOWS\system32\rftiyqiu.dll/C:\WINDOWS\system32\rftiyqiu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.afhr 12
C:\WINDOWS\system32\tblayciq.dll/C:\WINDOWS\system32\tblayciq.dll Infected: Trojan.Win32.Monder.dxx 11
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\0OWPQ3XC\kb671231[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.afhr 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\B9L1IF5V\kb456456[1] Infected: Trojan.Win32.Monder.dxx 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\DOGFYV2D\css4[1] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\DOGFYV2D\kriv[2] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\W3EH82U8\2oxu[1].dll Infected: not-a-virus:AdWare.Win32.BHO.cgs 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\W3EH82U8\3x0gj[1].dll Infected: not-a-virus:AdWare.Win32.BHO.cbd 1
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\WGUSL6MU\wc5c0[1].dll Infected: Trojan.Win32.Monder.awh 1
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
C:\WINDOWS\system32\dqdoegfd.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\dvfuvbhj.dll Infected: Trojan.Win32.Monder.dxx 1
C:\WINDOWS\system32\hpdahdtq.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\jscobxws.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\qxhurfxo.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\rftiyqiu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.afhr 1
C:\WINDOWS\system32\ssqrrOIB.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\svsypvjp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.afhr 1
C:\WINDOWS\system32\tblayciq.dll Infected: Trojan.Win32.Monder.dxx 1
C:\WINDOWS\system32\tiyhslej.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\toryiwap.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\tuinvmji.dll Infected: Trojan.Win32.Monder.awh 1
C:\WINDOWS\system32\yolvqgtf.dll Infected: Trojan.Win32.Monder.awh 1

The selected area was scanned.







Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

8:38:37 PM 8/9/2008
mbam-log-8-9-2008 (20-38-37).txt

Scan type: Quick Scan
Objects scanned: 58087
Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 21
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ssqrrOIB.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tblayciq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rftiyqiu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2f437f94-a2ef-472e-9de3-7309eb8b4507} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2f437f94-a2ef-472e-9de3-7309eb8b4507} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8f3bf31-ecd1-4ff0-a2ec-b2f363a55799} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f8f3bf31-ecd1-4ff0-a2ec-b2f363a55799} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17242cad-d06c-4a04-b3ba-5a10217c3d52} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17242cad-d06c-4a04-b3ba-5a10217c3d52} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3401DB32-7F00-4EC7-A890-A75F64973843} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2376fb3-3d0d-414d-83aa-3ad6ad6b111f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwil32 (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\700c16da (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm733f2546 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3401DB32-7F00-4EC7-A890-A75F64973843} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d2376fb3-3d0d-414d-83aa-3ad6ad6b111f} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqrroib -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqrroib -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bcxeqa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqrrOIB.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\BIOrrqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BIOrrqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvfuvbhj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jhbvufvd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tblayciq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qicyalbt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rftiyqiu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ppeaohoq.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\fjhmqews.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dqdoegfd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\naqumywl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbqgutgj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qxhurfxo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soafnx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svsypvjp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tihodgqk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tiyhslej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\toryiwap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuinvmji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jscobxws.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jxguhwgo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yolvqgtf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ieyjewdi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rexmswum.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rffhpimv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\0OWPQ3XC\kb671231[2] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\0OWPQ3XC\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\B9L1IF5V\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\DOGFYV2D\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\DOGFYV2D\kriv[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\W3EH82U8\2oxu[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\W3EH82U8\3x0gj[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\Content.IE5\WGUSL6MU\wc5c0[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winwil32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drvkusr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM733f2546.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM733f2546.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koori\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe (Trojan.Agent) -> Quarantined and deleted successfully.





ComboFix 08-08-09.03 - Koori 2008-08-09 20:54:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2883 [GMT -4:00]
Running from: C:\Documents and Settings\Koori\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Koori\Application Data\macromedia\Flash Player\#SharedObjects\WMYAFKXY\interclick.com
C:\Documents and Settings\Koori\Application Data\macromedia\Flash Player\#SharedObjects\WMYAFKXY\interclick.com\ud.sol
C:\Documents and Settings\Koori\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Koori\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\bcqdemcj.ini
C:\WINDOWS\system32\bdmewuno.ini
C:\WINDOWS\system32\copvvslp.ini
C:\WINDOWS\system32\efcycofu.ini
C:\WINDOWS\system32\eghkemvo.ini
C:\WINDOWS\system32\eiugrupl.ini
C:\WINDOWS\system32\evfluvdx.ini
C:\WINDOWS\system32\fbcdhkim.ini
C:\WINDOWS\system32\fieodarm.ini
C:\WINDOWS\system32\flbpxdfv.ini
C:\WINDOWS\system32\gpbnqhql.ini
C:\WINDOWS\system32\gqmnlhsb.ini
C:\WINDOWS\system32\hpdahdtq.dll
C:\WINDOWS\system32\hqbcukpm.ini
C:\WINDOWS\system32\impylimo.ini
C:\WINDOWS\system32\iribtjcu.ini
C:\WINDOWS\system32\iwswoged.ini
C:\WINDOWS\system32\jeyompvr.ini
C:\WINDOWS\system32\jnggjbqs.ini
C:\WINDOWS\system32\jrwtnmbv.ini
C:\WINDOWS\system32\khtsniqf.ini
C:\WINDOWS\system32\kxcusjfs.ini
C:\WINDOWS\system32\kyikjmdh.ini
C:\WINDOWS\system32\lrjimmbh.ini
C:\WINDOWS\system32\mpjkmcob.ini
C:\WINDOWS\system32\mrapadxp.ini
C:\WINDOWS\system32\nfqirchk.ini
C:\WINDOWS\system32\oqroeymv.ini
C:\WINDOWS\system32\pyxyvnjs.ini
C:\WINDOWS\system32\qeevrgcm.ini
C:\WINDOWS\system32\rmsxrapi.ini
C:\WINDOWS\system32\rrkbtmfj.ini
C:\WINDOWS\system32\ujplkuib.ini
C:\WINDOWS\system32\uqfgkqny.ini
C:\WINDOWS\system32\usrmhjeb.ini
C:\WINDOWS\system32\uxaweoxn.ini
C:\WINDOWS\system32\vyoorwhm.ini
C:\WINDOWS\system32\wctqdiui.ini
C:\WINDOWS\system32\wetdfraw.ini
C:\WINDOWS\system32\wjtqkyie.ini
C:\WINDOWS\system32\xpgipnvr.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 20:12 . 2008-08-09 20:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 20:12 . 2008-08-09 20:12 <DIR> d-------- C:\Documents and Settings\Koori\Application Data\Malwarebytes
2008-08-09 20:12 . 2008-08-09 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 20:12 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 20:12 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 23:31 . 2008-08-07 23:31 <DIR> d-------- C:\Deckard
2008-08-07 21:49 . 2007-09-22 01:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-07 21:49 . 2008-08-07 22:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-07 21:40 . 2008-08-07 21:40 <DIR> d-------- C:\Program Files\CCleaner
2008-08-07 21:38 . 2008-08-07 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 21:35 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-07-25 22:00 . 2008-07-25 22:00 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-07-25 22:00 . 2008-07-25 22:00 34,366 --a------ C:\WINDOWS\scunin.dat
2008-07-25 22:00 . 2008-07-25 22:00 967 --a------ C:\WINDOWS\ScUnin.pif
2008-07-21 08:11 . 2008-07-21 08:11 24,392 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-18 07:14 . 2008-07-18 07:14 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 12:00 --------- d-----w C:\Documents and Settings\Koori\Application Data\AVG7
2008-08-09 01:40 --------- d-----w C:\Documents and Settings\Koori\Application Data\uTorrent
2008-08-08 01:25 --------- d-----w C:\Program Files\FlashGet
2008-08-01 00:42 --------- d-----w C:\Program Files\Macromedia
2008-08-01 00:42 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-07-11 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-11 00:01 --------- d-----w C:\Program Files\SlySoft
2008-07-10 23:56 --------- d-----w C:\Documents and Settings\Koori\Application Data\LimeWire
2008-07-08 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-08 11:54 --------- d-----w C:\Program Files\Microsoft Works
2008-07-08 11:53 --------- d-----w C:\Program Files\MSBuild
2008-07-08 11:53 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-08 11:50 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-03 03:32 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-07-03 03:32 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-07-03 03:32 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2008-07-03 03:28 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-03 03:28 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-06-26 11:06 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2007-11-02 02:11 92,064 ----a-w C:\Documents and Settings\Koori\mqdmmdm.sys
2007-11-02 02:11 9,232 ----a-w C:\Documents and Settings\Koori\mqdmmdfl.sys
2007-11-02 02:11 79,328 ----a-w C:\Documents and Settings\Koori\mqdmserd.sys
2007-11-02 02:11 66,656 ----a-w C:\Documents and Settings\Koori\mqdmbus.sys
2007-11-02 02:11 6,208 ----a-w C:\Documents and Settings\Koori\mqdmcmnt.sys
2007-11-02 02:11 5,936 ----a-w C:\Documents and Settings\Koori\mqdmwhnt.sys
2007-11-02 02:11 4,048 ----a-w C:\Documents and Settings\Koori\mqdmcr.sys
2007-11-02 02:11 25,600 ----a-w C:\Documents and Settings\Koori\usbsermptxp.sys
2007-11-02 02:11 22,768 ----a-w C:\Documents and Settings\Koori\usbsermpt.sys
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43 90112]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-07-21 08:15 89024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="C:\WINDOWS\System32\JMRaidSetup.exe" [2006-11-16 21:05 1953792]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 12:12 90112]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-27 22:38 580096]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 19:44 679936]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 05:21 16270848 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:47 219136]

C:\Documents and Settings\Koori\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-12-27 23:03:35 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 22:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"D:\\Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"D:\\Games\\COD 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"D:\\Games\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitPim\\bitpim.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 11:11]
S3 maa950c;maa950c;C:\WINDOWS\system32\Drivers\maa950c.sys [2005-06-16 18:11]
S3 maa950m;maa950m;C:\WINDOWS\system32\Drivers\maa950m.sys [2005-06-16 18:13]
S3 maa950u;maa950u;C:\WINDOWS\system32\Drivers\maa950u.sys [2007-01-18 11:03]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
Notify-iiffCTLc - iiffCTLc.dll
Notify-urqqopo - urqqopo.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Koori\Application Data\Mozilla\Firefox\Profiles\2ejn6ghh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npActiveGS.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 20:57:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-09 20:59:10
ComboFix-quarantined-files.txt 2008-08-10 00:58:08

Pre-Run: 10,289,827,840 bytes free
Post-Run: 10,743,017,472 bytes free

202 --- E O F --- 2008-07-08 23:54:57

#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 10 August 2008 - 03:23 PM

Hi

Excellent :thumbsup:

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

How's the computer running now? It should be OK ...

Please run & post a new KASPERSKY ONLINE SCANNER 7 REPORT

& a new Hijackthis log ... just as a final check :)

Then I'll give you a couple of small things to do to finish off with ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 shabam jenkins

shabam jenkins
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 11 August 2008 - 06:52 PM

My pc is running much better! I was about to give up and reformat, but that would have been a major pain. Thanks so much for the help!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 05:21:22
Records in database: 1081144
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 118335
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:29:26


File name / Threat name / Threats count
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hpdahdtq.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{5C46F126-5D6E-4972-B021-DC833E554E0A}\RP2\A0000046.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:43 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\JMRaidSetup.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\Games\Deus Ex\System\SystemFiles.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8474 bytes
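The HijackThis log above is what steamwiz reads before calling the machine clean. As an added example (not a BleepingComputer, Trend Micro or HijackThis tool), here is a small Python script that parses lines in that "Oxx - ..." format and flags the entries a helper usually looks up first. The sample lines are a subset copied from the log above; the flag heuristics are my own, and a flag means "verify this", not "malicious" (the unnamed O2 entry here is Spybot's SDHelper, and the bare RTHDCPL.EXE is the Realtek audio panel).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One HijackThis entry line: section code, " - ", then the body.
# e.g. "O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE" -> code "O4", body "HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry Run entry: "<hive>: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    code: str                                   # HijackThis section, e.g. "O4", "O23"
    body: str                                   # everything after "Oxx - "
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per recognised 'Rn - ...' / 'On - ...' line; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Review heuristics (my own, not HijackThis's): a flag means 'look this up', not 'malicious'."""
    flags: List[str] = []
    if "(file missing)" in e.body:
        # Dangling reference: harmless clutter, or the leftover of a payload that was already removed.
        flags.append("target file missing")
    if "(no name)" in e.body:
        # BHOs/buttons without a display name can only be identified by CLSID or file path.
        flags.append("unnamed component")
    if e.code == "O23" and "Unknown owner" in e.body:
        # No company string in the binary's version info: check the file before trusting the service.
        flags.append("service without vendor name")
    if e.code == "O4":
        m = O4_RUN_RE.match(e.body)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            # A bare file name (no drive letter, no %var%) is located through the PATH search order,
            # so a same-named file earlier on PATH would run instead of the intended one.
            if not re.match(r"^[A-Za-z]:\\", cmd) and not cmd.startswith("%"):
                flags.append("bare filename resolved via PATH search")
    return flags


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach flags to every entry and return only those that need a human look."""
    flagged: List[Entry] = []
    for e in entries:
        e.flags = flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each HijackThis section contributed (a quick sanity check on the parse)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


# Sample input: a subset of the HijackThis log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\party poker\PartyPoker\RunApp.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(entries))
    for e in triage(entries):
        print(f"{e.code}: {', '.join(e.flags)} -> {e.body}")
```

To run it over a saved log, read the file into a string and pass it to `parse_hjt`; the "Running processes" block, the Kaspersky report and the ComboFix sections are in other formats and are simply skipped by the line regex.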

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 12 August 2008 - 08:40 AM

Hi

Your hijackthis log is clean :thumbsup:

We'll now uninstall Combofix, which will delete the C:\QooBox\Quarantine files found by KASPERSKY and also remove the infected restore point found by KASPERSKY... leaving the KASPERSKY scan clean as well :)

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Before you leave the site ...

Please Have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:27 AM

Posted 12 September 2008 - 05:13 PM

As this thread is resolved, :thumbsup: it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
