Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown malware/virus


  • This topic is locked This topic is locked
16 replies to this topic

#1 Eternalgravity

Eternalgravity

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 10 October 2008 - 08:25 PM

Windows XP home edition
Service Pack 2/IE7 updates (having trouble updating to SP3 or updating at all from microsoft)
It's a private computer, so no networking.

One minute I'm browsing the net, suddenly all my windows closed, my computer turned off, restarted, and my antivirus/spyware programs were popping up warnings. Even though they were warning me, there was no accessing the programs or information on what virus/spyware was causing the problem.

Tried going to my Task Manager, but it's unselectable. CtrlAltDlt gets a pop up stating 'Task Manager has been disabled by your administrator'.

With winpatrol I had two exe disabled on the StartUp Program list, stupid me didn't think to write the names down. One I think was Braskspa.exe and another was Jona/Johnas-something. I figured they would just appear disabled like the other programs. Not so. (When HJT was ran, they didn't pop up on the log that I could see)

In winpatrol's running programs section I have zgrqpgpw.exe popping up at every startup. Googled, came up with no info. I keep killing task so my comp moves faster.
Besides the admin/task manager issues I am redirected to 'related' search sites when opening links from google or using search sites..
There was also the matter where I'd get a disconnected message..while the computer indicated it was still online.

I followed the rec'd actions in 'Preparation' guide, except for the Adaware. I was having problems getting it to finish downloading all the definitions (same with the Windows Updates, though still no luck with them). I finally managed to get it to do so after running the other programs and removing any nasties they found.
Adaware still is acting funny, not running like it should. So I'm not sure what its deal is.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:47 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Application Data\tkrihmxm\zgrqpgpw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel.com/query.htm?lang=EN...src=&other=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Policies\Explorer\Run: [cZ2K8fNPPi] C:\Documents and Settings\All Users\Application Data\tkrihmxm\zgrqpgpw.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - AppInit_DLLs:
O21 - SSODL: ShMntWeb - {44BF99A1-D96E-D1A8-165F-093B09B4FCA3} - C:\Program Files\vdicmyc\ShMntWeb.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE

--
End of file - 7193 bytes

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 15 October 2008 - 01:03 PM

Hi Eternalgravity,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Note 1. Please refrain from making any changes to your system from now on as it might prolong handling your log and make the job for both of us more difficult.
  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

      Note 1:The logs will be created in this folder: C:\rsit

      Note 2:The tool takes not more than one minute to scan the system.
  • Tell me if you have run any other tool.

  • Tell me about the current condition of your computer.


#3 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 15 October 2008 - 09:48 PM

I've run Hijack this (obviously), AVG, Spybot, Adaware, CWshredder (I think that was the name), and have Winpatrol watching things. All are newest versions and updated. I have the latest patches for Windows as well.

Besides what I wrote in my first post, I am now having errors with SDhelper.dll that close my internet explorer. And going to clean out my recycle bin, it came up with the question do I want to delete 'WINDOWS". Nothing is appearing in the recycle bin..and needless to say I didn't clean my recycle bin.

Log.txt
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-10-15 22:42:57
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 9 GB (18%) free of 52 GB
Total RAM: 254 MB (12% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:56 PM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BillP Studios\WinPatrol\bak\WinPatrol.exe
C:\Program Files\Belkin\F5D8051v2\BelkinWCUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel.com/query.htm?lang=EN...src=&other=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [cZ2K8fNPPi] C:\Documents and Settings\All Users\Application Data\tkrihmxm\zgrqpgpw.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - AppInit_DLLs:
O21 - SSODL: ShMntWeb - {44BF99A1-D96E-D1A8-165F-093B09B4FCA3} - C:\Program Files\vdicmyc\ShMntWeb.dll (file missing)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE

--
End of file - 7192 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A8FB8EB3-183B-4598-924D-86F0E5E37085} - PeoplePal Toolbar - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll [2006-01-24 220672]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"=C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe []
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [2008-06-27 579584]
"AVG7_EMC"=C:\Program Files\Grisoft\AVG Free\avgemc.exe [2008-02-04 406528]
"LTMSG"=LTMSG.exe 7 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe -atboottime []
"Bart Station"=C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe [2006-03-21 20480]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"cZ2K8fNPPi"=C:\Documents and Settings\All Users\Application Data\tkrihmxm\zgrqpgpw.exe [2008-10-08 73728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Belkin Wireless Networking Utility.lnk - C:\Program Files\Belkin\F5D8051v2\BelkinWCUI.exe
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-05-15 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
ShMntWeb - {44BF99A1-D96E-D1A8-165F-093B09B4FCA3} - C:\Program Files\vdicmyc\ShMntWeb.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll [2006-08-23 5906432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgemc.exe"="C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.bat - edit -
.cmd - edit -
.inf - open -
.ini - open - notepad.exe %1
.js - edit - C:\WINDOWS\system32\Notepad.exe %1
.reg - edit -
.txt - open - notepad.exe %1
.vbs - edit - C:\WINDOWS\system32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2008-10-15 22:42:57 ----D---- C:\rsit
2008-10-15 04:04:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 04:04:06 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 04:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 04:03:48 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 04:03:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-15 04:00:28 ----HDC---- C:\WINDOWS\$NtUninstallKB923689$
2008-10-14 17:11:34 ----D---- C:\Program Files\Belkin
2008-10-14 17:11:05 ----D---- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-10-12 03:49:06 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP10$
2008-10-09 13:34:39 ----D---- C:\Program Files\Trend Micro
2008-10-09 03:12:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-09 03:12:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-10-09 03:12:08 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-10-09 03:12:01 ----HDC---- C:\WINDOWS\$NtUninstallKB923723$
2008-10-09 03:11:52 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-10-09 03:11:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-10-09 03:11:30 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-10-09 03:09:35 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-10-09 03:09:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-09 03:09:16 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-10-09 03:09:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-10-09 03:08:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
2008-10-09 03:08:33 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-10-09 03:08:26 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2008-10-09 03:08:10 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2008-10-08 23:03:18 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-10-08 21:43:59 ----D---- C:\WINDOWS\system32\PreInstall
2008-10-08 21:43:55 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-10-08 19:57:44 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-08 19:57:44 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-08 19:57:34 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-08 19:57:33 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-08 19:57:33 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-08 19:57:32 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-10-08 13:50:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 01:29:29 ----D---- C:\Documents and Settings\All Users\Application Data\tkrihmxm
2008-10-08 01:29:27 ----A---- C:\WINDOWS\system32\brastk.exe
2008-10-08 01:29:01 ----D---- C:\Program Files\vdicmyc
2008-10-08 01:27:30 ----A---- C:\WINDOWS\system32\jonahspa.exe

======List of files/folders modified in the last 1 months======

2008-10-15 22:42:46 ----D---- C:\Documents and Settings\Owner\Application Data\Free Download Manager
2008-10-15 22:42:41 ----D---- C:\WINDOWS\Prefetch
2008-10-15 20:52:23 ----D---- C:\Program Files\Any Video Converter
2008-10-15 20:52:22 ----D---- C:\Documents and Settings\Owner\Application Data\Any Video Converter
2008-10-15 20:51:46 ----AD---- C:\WINDOWS
2008-10-15 20:51:04 ----D---- C:\Program Files\Shattered Light
2008-10-15 20:48:15 ----D---- C:\Program Files\Winamp
2008-10-15 20:48:08 ----AD---- C:\Program Files
2008-10-15 20:47:40 ----SHD---- C:\Config.Msi
2008-10-15 20:47:12 ----D---- C:\WINDOWS\system32
2008-10-15 20:47:12 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-15 20:46:47 ----SHD---- C:\WINDOWS\Installer
2008-10-15 20:42:44 ----D---- C:\WINDOWS\Temp
2008-10-15 20:42:34 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2008-10-15 20:34:42 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-15 04:04:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-15 04:04:17 ----D---- C:\WINDOWS\inf
2008-10-15 04:04:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-15 04:04:15 ----D---- C:\WINDOWS\system32\drivers
2008-10-15 04:04:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-15 04:04:09 ----A---- C:\WINDOWS\imsins.BAK
2008-10-14 17:24:05 ----RHD---- C:\$VAULT$.AVG
2008-10-14 17:11:31 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-14 00:30:14 ----A---- C:\WINDOWS\Ulead32.ini
2008-10-11 13:32:25 ----D---- C:\WINDOWS\Debug
2008-10-10 20:33:10 ----D---- C:\Documents and Settings\Owner\Application Data\AVG7
2008-10-09 08:55:43 ----SHD---- C:\RECYCLER
2008-10-09 08:53:22 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-09 03:12:10 ----D---- C:\Program Files\Messenger
2008-10-09 03:08:34 ----D---- C:\WINDOWS\WinSxS
2008-10-08 19:59:18 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-08 19:58:25 ----D---- C:\WINDOWS\Help
2008-10-08 19:38:23 ----D---- C:\Program Files\Internet Explorer
2008-10-08 19:36:22 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 16:39:01 ----AC---- C:\WINDOWS\wininit.ini
2008-10-08 15:50:56 ----D---- C:\Documents and Settings
2008-10-08 14:00:37 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-08 13:52:52 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-08 13:51:58 ----D---- C:\Program Files\Lavasoft
2008-10-08 13:50:20 ----D---- C:\Program Files\Common Files
2008-10-07 15:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-05 13:35:42 ----AC---- C:\WINDOWS\WORDPAD.INI
2008-09-20 13:28:24 ----A---- C:\WINDOWS\cdPlayer.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2005-09-22 82380]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-02-04 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2006-10-31 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-03-24 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-02-04 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2006-10-31 4960]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2005-05-05 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MRVW245;Belkin N1 Wireless USB Network Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\MRVW245.sys [2007-09-27 461952]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-09 13780]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S2 CoachCap;Concord EyeQ Duo 2000 USB Video Capture V1.00; C:\WINDOWS\system32\drivers\CoachCap.sys [2002-03-03 93068]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-07-15 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-07-15 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-07-15 21744]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-09 188032]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-08 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [2008-02-04 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [2006-10-31 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [2008-02-04 406528]
R2 TabletService;TabletService; C:\WINDOWS\System32\Tablet.exe [2005-01-10 729088]
R2 TmpUpSrv;AntiVir Update Temp; C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE [2005-10-19 45096]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2004-09-29 69632]

-----------------EOF-----------------


Info.txt
info.txt logfile of random's system information tool 1.04 2008-10-15 22:44:11

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\uninst.exe -fC:\Maxis\SimPark\DeIsL1.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AVG Free Edition-->C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Belkin N1 Wireless USB Adapter Setup-->C:\Program Files\InstallShield Installation Information\{39A409D2-F7DF-4D52-B7F9-5E397A92B130}\setup.exe -runfromtemp -l0x0009 -removeonly
Concord EyeQ Duo 2000 Digital Camera-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{64DB6124-C6FE-11D6-88BF-009027BD5EBD}
Concord EyeQ Duo 2000 Memory Browser TWAIN Driver V1.00-->C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\coachMB.inf
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Ease Audio Converter 3.70-->"C:\Documents and Settings\Owner\Desktop\EaseAudioConverter\unins000.exe"
Express Burn Uninstall-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Free Download Manager 2.5-->"C:\Program Files\Free Download Manager\unins000.exe"
Game Ski (remove only)-->"C:\Program Files\Game Ski\uninst.exe"
GIF Construction Set Professional-->C:\WINDOWS\ALCHUNIN.EXE C:\Program Files\Alchemy Mindworks\GIF Construction Set Professional\INSTALLD.TXT
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hover-->c:\Windows\Desktop\unins000.exe
hp center-->C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
hp deskjet 3320 series (Remove only)-->C:\Program Files\hp deskjet 3320 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB/DeskJet 3320/ -vproduct=3320 -huninstall
hp deskjet 656c series (Remove only)-->C:\Program Files\hp deskjet 656c series\hpfiui.exe -c -vdivid=HPF -vpnum=89 -vinstport=USB002 -vproduct=656c -huninstall
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
hp learning adventure-->c:\program files\HPSelect\Frontend\uninstall.exe
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{5469D537-9B44-4c78-BF2D-5F9807564F74}\setup\hpzscr01.exe" -datfile hposcr05.dat
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iPhoto Plus 4-->C:\WINDOWS\uninst.exe -f"C:\Program Files\iPhoto Plus 4\DeIsL2.isu"
J2SE Development Kit 5.0 Update 4-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150040}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jigsaw Puzzle Lite (remove only)-->"C:\Program Files\KraiSoft\Jigsaw Puzzle Lite\uninstall.exe"
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Creative Writer 2-->C:\Program Files\Microsoft Kids\Common Files\Setup\setup.exe /L MsCrWrU.lst /W MsCrWrU.stf
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
MS Access 97 SP2-->C:\Program Files\Microsoft Office\setup\setup.exe
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
nik Color Efex Pro 2.0 GE-->C:\WINDOWS\unvise32.exe C:\Program Files\nik Color Efex Pro 2.0 GE\uninstal.log
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
Painter-->C:\PROGRA~1\Painter\UNWISE.EXE C:\PROGRA~1\Painter\INSTALL.LOG
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
PeoplePC Online-->C:\WINDOWS\system32\PPCOUNIN.EXE
PeoplePC:PeoplePal Toolbar 6.3-->C:\DOCUME~1\Owner\LOCALS~1\Temp\ppaluninst.exe
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken Financial Center-->C:\PROGRA~1\QUICKE~1\rem\UNWISE.EXE /s C:\PROGRA~1\QUICKE~1\rem\INSTALL.LOG
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealFlight G2 Simulator-->E:\CPanel.exe REALFLIGHT2
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RealRace Simulator-->C:\Program Files\Common Files\KnifeEdge\cpanel.exe REALRACE
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Serif DrawPlus 3.0-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp30\DrawPlus_uninst.isu"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SWF to MP3 Converter 2.3 build 149-->C:\Documents and Settings\Owner\Desktop\SWF2MP3\uninst.exe
Tablet-->C:\Program Files\Tablet\Remove.exe /u
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Video mp3 Extractor 1.2-->"C:\Program Files\Video mp3 Extractor\unins000.exe"
ViviCam 2700/2200 series-->C:\WINDOWS\twain_32\mdsc2\uninstal.EXE C:\WINDOWS\twain_32\mdsc2\INSTALL.LOG
Web Publishing Wizard-->RunDll32 syssetup.dll,SetupInfObjectInstallAction webp_uninstall 4 webpost.inf
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinPatrol-->C:\WINDOWS\uninst.exe -f"C:\Program Files\BillP Studios\WinPatrol\DeIsL2.isu" -cC:\PROGRA~1\BILLPS~1\WINPAT~1\_ISREG32.DLL
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Zoo Tycoon Expanded-->"C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove

======Hosts File======

127.0.0.1 download.kazaa.com
127.0.0.1 www.download.kazaa.com
127.0.0.1 cl.kazaa.com
127.0.0.1 www.cl.kazaa.com
127.0.0.1 crl.thawte.com
127.0.0.1 www.crl.thawte.com
127.0.0.1 crl.thawte.com
127.0.0.1 www.crl.thawte.com
127.0.0.1 cl.kazaa.com
127.0.0.1 www.cl.kazaa.com

======Security center information======

AV: AVG 7.5.524

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 16 October 2008 - 12:56 AM

Thanks for the feedback.
  • Turn off Windows automatic updates as it might lead to unexpected results at this stage. We will be going to update Windows later on when we cleanded the infection:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck both Resident "SD Helper" and Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    This will only take a few seconds.

  • Go to start > Run copy/paste: The following lines one by one in the run box and click OK after each line.

    sc stop TmpUpSrv
    sc delete TmpUpSrv


  • We are going to repair broken file associations.
    • Download Deckard's Association File Tool daft.exe and save it to your desktop.
    • Double click on it and click Run.
    • Click on the Scan button.
    • The faulty file associations will appear in red beside a checkbox. Just place a checkmark (tick) in the boxes in question.
    • Click the Fix button.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Policies\Explorer\Run: [cZ2K8fNPPi] C:\Documents and Settings\All Users\Application Data\tkrihmxm\zgrqpgpw.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O20 - AppInit_DLLs:
    O21 - SSODL: ShMntWeb - {44BF99A1-D96E-D1A8-165F-093B09B4FCA3} - C:\Program Files\vdicmyc\ShMntWeb.dll (file missing)
    O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_VWUPSRV.EXE


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log after running it and removing what it finds, or removing files after reboot.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please run RSIT, set the list of Files/Folders created to 2 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).
Please copy/paste in your next reply:
  • The log of MBAM.
  • The RSIT log.


#5 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 16 October 2008 - 10:11 AM

Everything went smoothly. But when I was running Malwarebytes AVG caught two viruses (jonahspa.exe and brastk.exe, ones I mentioned in my first post). I moved them to the vault. Will that effect anything?

Malwarebytes log:
Malwarebytes' Anti-Malware 1.28
Database version: 1275
Windows 5.1.2600 Service Pack 2

10/16/2008 10:54:41 AM
mbam-log-2008-10-16 (10-54-41).txt

Scan type: Quick Scan
Objects scanned: 60408
Time elapsed: 18 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\dpcupdater.dpcupdater (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpcupdater.dpcupdater.1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RSIT log.txt:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-10-16 11:06:55
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 9 GB (18%) free of 52 GB
Total RAM: 254 MB (21% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:16 AM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D8051v2\BelkinWCUI.exe
C:\Program Files\PeoplePC\ISP6300\Browser\Bartshel.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\PeoplePC\ISP6300\Browser\PPShared.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel.com/query.htm?lang=EN...src=&other=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5468 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"=C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe []
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [2008-06-27 579584]
"AVG7_EMC"=C:\Program Files\Grisoft\AVG Free\avgemc.exe [2008-02-04 406528]
"LTMSG"=LTMSG.exe 7 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe -atboottime []
"Bart Station"=C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe [2006-03-21 20480]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Belkin Wireless Networking Utility.lnk - C:\Program Files\Belkin\F5D8051v2\BelkinWCUI.exe
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-05-15 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll [2006-08-23 5906432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgemc.exe"="C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.js - edit - C:\WINDOWS\system32\Notepad.exe %1

======List of files/folders created in the last 2 months======

2008-10-16 10:33:53 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-16 10:33:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 10:33:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 22:42:57 ----D---- C:\rsit
2008-10-15 04:04:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 04:04:06 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 04:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 04:03:48 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 04:03:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-15 04:00:28 ----HDC---- C:\WINDOWS\$NtUninstallKB923689$
2008-10-14 17:11:34 ----D---- C:\Program Files\Belkin
2008-10-14 17:11:05 ----D---- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-10-12 03:49:06 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP10$
2008-10-09 13:34:39 ----D---- C:\Program Files\Trend Micro
2008-10-09 03:12:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-09 03:12:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-10-09 03:12:08 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-10-09 03:12:01 ----HDC---- C:\WINDOWS\$NtUninstallKB923723$
2008-10-09 03:11:52 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-10-09 03:11:43 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-10-09 03:11:30 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-10-09 03:09:35 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-10-09 03:09:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-09 03:09:16 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-10-09 03:09:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-10-09 03:08:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
2008-10-09 03:08:33 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-10-09 03:08:26 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2008-10-09 03:08:10 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2008-10-08 23:03:18 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-10-08 21:43:59 ----D---- C:\WINDOWS\system32\PreInstall
2008-10-08 21:43:55 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-10-08 19:57:44 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-08 19:57:44 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-08 19:57:34 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-08 19:57:33 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-08 19:57:33 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-08 19:57:32 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-10-08 13:50:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 01:29:29 ----D---- C:\Documents and Settings\All Users\Application Data\tkrihmxm
2008-10-08 01:29:01 ----D---- C:\Program Files\vdicmyc

======List of files/folders modified in the last 2 months======

2008-10-16 11:06:58 ----D---- C:\WINDOWS\Prefetch
2008-10-16 11:02:45 ----D---- C:\WINDOWS\system32
2008-10-16 11:02:45 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-16 10:59:07 ----D---- C:\WINDOWS\Temp
2008-10-16 10:58:57 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2008-10-16 10:55:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-16 10:55:10 ----D---- C:\Documents and Settings\Owner\Application Data\Free Download Manager
2008-10-16 10:41:30 ----RHD---- C:\$VAULT$.AVG
2008-10-16 10:33:46 ----D---- C:\WINDOWS\system32\drivers
2008-10-16 10:33:44 ----AD---- C:\Program Files
2008-10-16 10:29:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-15 20:52:23 ----D---- C:\Program Files\Any Video Converter
2008-10-15 20:52:22 ----D---- C:\Documents and Settings\Owner\Application Data\Any Video Converter
2008-10-15 20:51:46 ----AD---- C:\WINDOWS
2008-10-15 20:51:04 ----D---- C:\Program Files\Shattered Light
2008-10-15 20:51:01 ----D---- C:\WINDOWS\Fonts
2008-10-15 20:49:18 ----D---- C:\Program Files\Hewlett-Packard
2008-10-15 20:48:15 ----D---- C:\Program Files\Winamp
2008-10-15 20:47:42 ----SHD---- C:\WINDOWS\Installer
2008-10-15 20:47:40 ----SHD---- C:\Config.Msi
2008-10-15 20:34:42 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-15 04:04:17 ----D---- C:\WINDOWS\inf
2008-10-15 04:04:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-15 04:04:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-15 04:04:09 ----A---- C:\WINDOWS\imsins.BAK
2008-10-14 17:11:31 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-14 00:30:14 ----A---- C:\WINDOWS\Ulead32.ini
2008-10-11 13:32:25 ----D---- C:\WINDOWS\Debug
2008-10-10 20:33:10 ----D---- C:\Documents and Settings\Owner\Application Data\AVG7
2008-10-09 08:55:43 ----SHD---- C:\RECYCLER
2008-10-09 08:53:22 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-09 03:12:10 ----D---- C:\Program Files\Messenger
2008-10-09 03:08:34 ----D---- C:\WINDOWS\WinSxS
2008-10-08 19:59:18 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-08 19:58:25 ----D---- C:\WINDOWS\Help
2008-10-08 19:38:23 ----D---- C:\Program Files\Internet Explorer
2008-10-08 19:36:22 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 16:39:01 ----AC---- C:\WINDOWS\wininit.ini
2008-10-08 15:50:56 ----D---- C:\Documents and Settings
2008-10-08 14:00:37 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-08 13:52:52 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-08 13:51:58 ----D---- C:\Program Files\Lavasoft
2008-10-08 13:50:20 ----D---- C:\Program Files\Common Files
2008-10-07 15:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-05 13:35:42 ----AC---- C:\WINDOWS\WORDPAD.INI
2008-09-20 13:28:24 ----A---- C:\WINDOWS\cdPlayer.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2005-09-22 82380]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-02-04 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2006-10-31 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-03-24 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-02-04 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2006-10-31 4960]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2005-05-05 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MRVW245;Belkin N1 Wireless USB Network Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\MRVW245.sys [2007-09-27 461952]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-09 13780]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S2 CoachCap;Concord EyeQ Duo 2000 USB Video Capture V1.00; C:\WINDOWS\system32\drivers\CoachCap.sys [2002-03-03 93068]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-07-15 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-07-15 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-07-15 21744]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-09 188032]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-08 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [2008-02-04 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [2006-10-31 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [2008-02-04 406528]
R2 TabletService;TabletService; C:\WINDOWS\System32\Tablet.exe [2005-01-10 729088]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2004-09-29 69632]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 16 October 2008 - 12:34 PM

Everything went smoothly. But when I was running Malwarebytes AVG caught two viruses (jonahspa.exe and brastk.exe, ones I mentioned in my first post). I moved them to the vault. Will that effect anything?


Not at all, we would have removed them anyway.
  • Your AVG antivirus is outdated. Is is very important to have your computer protected by up to date Antivirus. To upgrade your antivirus version visit this site:
    http://free.grisoft.com/ww.homepage.
    • Download the setup file of the new version but do not install it yet.
    • Go to Add/Remove Programs and uninstall/remove AVG 7.
    • Reboot.
    • Install the new version. Update it and run a full/complete scan. Let it remove/quarantine what it finds.
    • Please paste and copy the content of its scan log to your reply.
  • Please make sure that you can view all system and hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the folder(s) in bold:

    C:\Documents and Settings\All Users\Application Data\tkrihmxm
    C:\Program Files\vdicmyc

  • There seems still one broken entry left (js) perhaps becaus the infection was still active. Please run DAFT once more to fix it.

  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully.

    You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Instruction to install Recovery Console :

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it's originally named, next to ComboFix.exe.


    Posted Image


    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

      Posted Image
    • When the tool is finished, it will produce a report for you.
    Please copy and paste the content of C:\ComboFix.txt for further review.

  • Please copy and paste a fresh Hijackthis log to your reply.


#7 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 16 October 2008 - 05:46 PM

Heh, I expected to hit a dead end earlier. Finally did.
I couldn't find where to copy/paste the log for AVG.
I deleted the two folders fine.
DAFT didn't show the broken registry, just said everything was fine.

And I have a question, should I burn any files (non-windows) I want to keep onto disks? Before doing Combofix. I was reluctant to do so with the pesky viruses.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 16 October 2008 - 06:33 PM

  • The AVG log should be under History menu > scan result. But you have run the scan and it suffices, no need for the log.

  • Running ComboFix is a double check not an absolute needed one. It checks a few things like rootkits hidden files, some registry changes, system files, etc. If you had still the pesky viruses, running ComboFix was almost inevitable as I have not come across a stronger and at the same time safer tool like Combofix. However, as I said your system looks clean and I wanted to have a second opinion from a top scanner as it always might find something hidden or overlooked. If you feel you don't need that extra check it is up to you. Please let me know your decision as I would like to recommend you a few preventive measures before we round off. If you wanted to run it you don't need any burning, if it did I had suggested it as I don't risk putting your system in danger.


#9 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 16 October 2008 - 06:55 PM

I think I'll pass on the combofix for now. If something else seems to be off I'll make another thread about it, and will definetly do combofix the next round. I've never had luck with backup disks..so if something went wrong....I don't have the finances to buy a new comp.

Fire away with the preventive measures. After this, I'm up for any extra measures to keep out of this situation again.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 16 October 2008 - 07:10 PM

Windows XP home edition
Service Pack 2/IE7 updates (having trouble updating to SP3 or updating at all from microsoft)


One of the security measures is being able to update Microsoft Windows, Internet explorer & Microsoft Office. Lets try now to update Windows to SP3.

Could you try it now?

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 16 October 2008 - 07:27 PM

I guess you might be downloading the update now. Tell me if you have a Windows installation CD. Not that we need it, just in case.

I am a few minutes more online then going to sleep.

Edited by farbar, 16 October 2008 - 07:36 PM.


#12 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 16 October 2008 - 09:31 PM

SP3 downloaded.
I don't have a Windows Installation CD.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 17 October 2008 - 02:05 AM

Have you installed it or not yet?

#14 Eternalgravity

Eternalgravity
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 17 October 2008 - 11:07 AM

SP3 is installed.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:31 AM

Posted 17 October 2008 - 11:36 AM

Well done. :thumbsup:

Remove RSIT and its folder C:\rsit. Remove any tool we have used from your desktop. You may keep ATF Cleaner. It is up to you to enable TeaTimer or let it disable.

In order to reduce the possible infection in the future, you may follow the following steps:
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.
  • Change the folder options to default if it was needed to change in order to show the hidden files and folders during the fixes we made.

  • Sometimes the Privacy, Security and other settings are altered by the malware. Check and if needed reset them to default:
    • Open Internet explorer > Tools menu > Internet options.
    • Under privacy tab press default.
    • Under security tab press default.
    • Under General tab press Delete... then Delete All Check Also delete files and settings stored by Add-ons click Yes.
  • Your log looks clean. But your computer is still very much susceptible in particular to hacking and intrusion from outside. I strongly advise you to install a firewall before surfing. The windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer Windows firewall is no more effective. You find more information on firewalls below.
    Click for more information on:Understanding and Using Firewalls

    There are several good free programs available like:
    Sunbelt-Kerio
    Comodo Firewall Pro
    Online Armor Free edition

    Note: If you decide to install Comodo, while installing uncheck the option related to Ask Toolbar.

  • Install Javacoolsİ SpywareBlaster -
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. What you need is updating it once in 2-3 weeks and enabling the restriction. You can find more information and a download link here.

Let me know you have read this so that I can close the thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users