Trojan - Vundo, possibly more


This topic is locked
14 replies to this topic

#1 MBA_Ty (Members, 7 posts)

Posted 04 December 2008 - 02:38 PM

Yep, I downloaded a nice little DJ program off PB which had a bunch of nasties when I ran the installer. I had the red 'x', the random file names popping up in my tray as "corrupt, plz use chkdsk utility." Also, it redirects me to random sites, I get random ad popups, and I am denied access to certain sites (including this one) unless I go behind a proxy, which I am currently doing. Here are my RSIT output logs, with 'log' first and 'info' second. Thanks guys. (PS: I always check out my files before I dl them, this one had no issues reported on the bay, so I was surprised to say the least)

Logfile of random's system information tool 1.04 (written by random/random)
Run by Ty at 2008-12-04 14:19:10
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 4 GB (16%) free of 27 GB
Total RAM: 1006 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:15 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ty\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.umflint.edu:8080
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:\WINDOWS\system32\mafopiwo.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\telopezo.dll",s
O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\tusihivi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\telopezo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\telopezo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\fiyamepe.dll c:\windows\system32\tusihivi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tusihivi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tusihivi.dll

--
End of file - 4701 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
C:\WINDOWS\tasks\qlrumtmj.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d09e7b0-b55b-4e18-a1dd-5d85924e3194}]
C:\WINDOWS\system32\mafopiwo.dll [2008-09-04 64053]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-10-05 5759816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-13 169984]
"rirawapola"=C:\WINDOWS\system32\telopezo.dll [2008-09-04 64053]
"CPM313e2b3d"=c:\windows\system32\tusihivi.dll [2008-12-04 94261]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\320d18a1]
C:\WINDOWS\system32\xmfmbljm.dll [2008-12-02 70656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM313e2b3d]
c:\windows\system32\tusihivi.dll [2008-12-04 94261]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTEMON.EXE]
/h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe [2006-05-22 694272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
c:\acer\epm\epm-dm.exe [2005-06-10 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
C:\Acer\ePM\ePM.exe [2005-03-15 2893824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Windows\System32\Check.exe [2005-03-23 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2004-02-11 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hsekihumevixi]
C:\WINDOWS\Kmasirumecahal.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2004-02-11 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2006-07-07 600896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-07-07 576320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd]
C:\DOCUME~1\Ty\LOCALS~1\Temp\csrssc.exe [2008-12-03 21505]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\Pando.exe /Minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rirawapola]
C:\WINDOWS\system32\telopezo.dll [2008-09-04 64053]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2008-10-05 160592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\d92635c8-b86e-4dca-aa86-f7af214c85bd.exe [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svschost.exe]
C:\WINDOWS\system32\svschost.exe -check []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-20 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-20 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-02-17 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uyotuhe]
C:\WINDOWS\efizuyocadi.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xsjfn83jkemfofght]
C:\DOCUME~1\Ty\LOCALS~1\Temp\winlogin.exe [2008-11-29 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RSDLUpdater.exe.lnk]
C:\WINDOWS\WINDOWS\RSDLUP~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3
"MDM"=2
"iPod Service"=3
"IDriverT"=3
"GoogleDesktopManager-061008-081103"=3
"avg8wd"=2
"avg8emc"=2
"Ati HotKey Poller"=2
"Apple Mobile Device"=2
"anbmService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\fiyamepe.dll c:\windows\system32\tusihivi.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-11 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tusihivi.dll [2008-12-04 94261]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tusihivi.dll [2008-12-04 94261]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\geBtQjIY
"notification packages"=scecli
C:\WINDOWS\system32\fiyamepe.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Pando Networks\Pando\Pando.exe"="C:\Program Files\Pando Networks\Pando\Pando.exe:*:Enabled:pando"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Motorola\Software Update\msu.exe"="C:\Program Files\Motorola\Software Update\msu.exe:*:Enabled:msu"
"C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"="C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome"
"C:\Program Files\Motorola\RSD Lite\SDL.exe"="C:\Program Files\Motorola\RSD Lite\SDL.exe:*:Enabled:SDL"
"C:\WINDOWS\System32\NOTEPAD.EXE"="C:\WINDOWS\System32\NOTEPAD.EXE:*:Disabled:Notepad"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Explorer"
"C:\WINDOWS\System32\logonui.exe"="C:\WINDOWS\System32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\System32\WINLOGON.EXE"="C:\WINDOWS\System32\WINLOGON.EXE:*:Enabled:winlogon"
"C:\WINDOWS\System32\rundll32.exe"="C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2008-12-04 14:19:10 ----D---- C:\rsit
2008-12-04 12:52:49 ----SH---- C:\WINDOWS\system32\olurodot.ini
2008-12-03 18:13:34 ----SH---- C:\WINDOWS\system32\etanakoy.ini
2008-12-03 17:07:26 ----A---- C:\WINDOWS\system32\~.exe
2008-12-03 02:54:37 ----D---- C:\!KillBox
2008-12-03 02:43:39 ----D---- C:\Program Files\Trend Micro
2008-12-03 02:33:19 ----HD---- C:\$AVG8.VAULT$
2008-12-03 02:26:41 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-03 02:26:25 ----D---- C:\Program Files\AVG
2008-12-03 02:26:25 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-03 02:23:35 ----A---- C:\WINDOWS\system32\.tmp
2008-12-02 20:42:16 ----ASH---- C:\WINDOWS\system32\mjlbmfmx.ini
2008-12-02 20:10:27 ----SH---- C:\WINDOWS\system32\mjlbmfmx.ini2
2008-12-02 20:05:27 ----SH---- C:\WINDOWS\system32\mjlbmfmx.tmp
2008-12-02 20:02:18 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 20:01:01 ----A---- C:\WINDOWS\unuwiqin.dll
2008-12-02 19:58:12 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-02 19:58:12 ----D---- C:\Documents and Settings\Ty\Application Data\SUPERAntiSpyware.com
2008-12-02 19:57:50 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-02 19:54:40 ----A---- C:\WINDOWS\system32\xmfmbljm.dll
2008-12-02 19:51:45 ----N---- C:\WINDOWS\system32\ixfikfmj.dll
2008-12-02 19:51:45 ----N---- C:\WINDOWS\system32\itxsbj.dll
2008-11-29 15:45:23 ----A---- C:\WINDOWS\erapafiq.dll
2008-11-29 15:28:39 ----D---- C:\WINDOWS\Minidump
2008-11-29 15:25:36 ----A---- C:\WINDOWS\system32\392edcdf-.txt
2008-11-29 15:25:01 ----ASH---- C:\WINDOWS\system32\YIjQtBeg.ini2
2008-11-29 15:25:01 ----ASH---- C:\WINDOWS\system32\YIjQtBeg.ini
2008-11-29 15:24:04 ----A---- C:\ruldmeb.exe
2008-11-29 15:23:32 ----RSHD---- C:\RECYCLER
2008-11-29 15:22:36 ----A---- C:\ptbbw.exe
2008-11-29 15:21:44 ----A---- C:\arjdhgx.exe
2008-11-29 15:20:42 ----A---- C:\Documents and Settings\All Users\Application Data\winlogon.exe
2008-11-29 15:20:16 ----A---- C:\WINDOWS\system32\gs73gfidgf.dll
2008-11-29 15:20:08 ----D---- C:\Program Files\Microsoft Common
2008-11-29 15:19:19 ----A---- C:\khrwa.exe
2008-11-29 15:17:12 ----A---- C:\iiduqaah.exe
2008-11-29 15:16:11 ----A---- C:\WINDOWS\system32\ssqPjkLe.dll
2008-11-17 14:50:03 ----HD---- C:\WINDOWS\$NtUninstallWdf01005$
2008-11-12 15:59:58 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 15:59:53 ----HD---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 15:59:35 ----HD---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 1 months======

2008-12-04 14:05:02 ----A---- C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt
2008-12-04 14:03:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-04 13:46:08 ----RASH---- C:\BOOT.INI
2008-12-04 13:46:08 ----A---- C:\WINDOWS\win.ini
2008-12-04 13:46:08 ----A---- C:\WINDOWS\system.ini
2008-12-04 12:52:48 ----ASH---- C:\WINDOWS\system32\tusihivi.dll
2008-12-04 12:52:46 ----ASH---- C:\WINDOWS\system32\viveveno.dll
2008-12-04 12:52:46 ----ASH---- C:\WINDOWS\system32\todorulo.dll
2008-12-03 18:13:30 ----ASH---- C:\WINDOWS\system32\yokanate.dll
2008-12-03 17:13:16 ----ASH---- C:\WINDOWS\system32\petemowa.dll
2008-12-03 15:37:16 ----A---- C:\WINDOWS\DUMP82a8.tmp
2008-12-03 03:49:16 ----A---- C:\WINDOWS\DUMP9153.tmp
2008-12-03 01:25:24 ----A---- C:\WINDOWS\DUMP3950.tmp
2008-12-03 01:06:12 ----A---- C:\WINDOWS\system32\eRLog.ini
2008-11-29 16:45:26 ----A---- C:\WINDOWS\DUMP6d7e.tmp
2008-11-29 15:59:40 ----A---- C:\WINDOWS\DUMP394f.tmp
2008-11-29 15:54:50 ----A---- C:\WINDOWS\DUMP3963.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-03 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SMBHC;Microsoft SM Bus Host Controller Driver; C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 6784]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
R2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-10 11043]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 osaio;osaio; C:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 10594]
R2 osanbm;osanbm; C:\WINDOWS\system32\drivers\osanbm.sys [2004-06-01 4054]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-09-27 44032]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-30 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-30 274688]
R3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2007-08-17 18816]
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-11 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-11 199552]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-02-11 681469]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2005-11-27 6144]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMBBATT;Microsoft Smart Battery Driver; C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 16000]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-20 184768]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-08-20 3210496]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-11 682624]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2003-05-23 175360]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 int15.sys;int15.sys; \??\C:\Program Files\acer\eRecovery\int15.sys []
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2004-05-26 67584]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 anbmService;Notebook Manager Service; C:\Acer\eManager\anbmServ.exe [2004-08-16 1287168]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-05-15 376832]
S4 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
S4 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-12-04 14:19:17

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eManager for Notebook-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer ePowerManagement-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer GridVista-->C:\WINDOWS\UnInst32.exe GridV.UNI
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant AC-Link Audio-->CIAunwdm.exe
dBpowerAMP Mp4 Codec-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DVD43 v3.9.0-->"C:\Program Files\dvd43\unins000.exe"
FrostWire 4.17.0-->C:\Program Files\FrostWire\Uninstall.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Firefox-->MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Handbrake-->MsiExec.exe /I{223879E4-BE04-4E3A-9F8B-303152E3AF55}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:WINDOWS$NtUninstallKB952287$spuninstspuninst.exe"
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:WINDOWSsystem32ialmrem.dll,UninstallW2KIGfx PCIVEN_8086&DEV_3582
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Medieval CUE Splitter-->MsiExec.exe /I{E9A5B341-167D-4042-8854-46F671F94049}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:WINDOWS$NtUninstallMSCompPackV1$spuninstspuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:WINDOWS$NtServicePackUninstallIDNMitigationAPIs$spuninstspuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:WINDOWS$NtUninstallWdf01005$spuninstspuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:WINDOWS$NtServicePackUninstallNLSDownlevelMapping$spuninstspuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:WINDOWS$NtUninstallWudf01000$spuninstspuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}
Motorola Software Update-->MsiExec.exe /I{9396EFA9-05C0-4DCF-ABE8-FB5B2A397450}
Mozilla Firefox (3.0.4)-->C:Program FilesMozilla Firefoxuninstallhelper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NTI Backup NOW! 3-->C:PROGRA~1COMMON~1INSTAL~1Driver7INTEL3~1IDriver.exe /M{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} /l1033 BUNText
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:Program FilesCommon FilesRealUpdate_OBr1puninst.exe RealNetworks|RealPlayer|6.0
RSDLite 4.1-->C:Program FilesMotorolaRSD LiteUninstall.exe
Samsung USB Driver (MCCI 4.16)-->C:Program FilesCommon FilesInstallShieldDriver8Intel 32IDriver.exe /M{1485ABFA-12D7-4107-9148-54EE30CDBA67}
Security Task Manager 1.7-->C:Program FilesSecurity Task ManagerUninstal.exe "C:Documents and SettingsAll UsersStart MenuProgramsSecurity Task Manager"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:WINDOWSie7updatesKB928090-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:WINDOWSie7updatesKB929969spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:WINDOWSie7updatesKB931768-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:WINDOWSie7updatesKB933566-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:WINDOWSie7updatesKB937143-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:WINDOWSie7updatesKB938127-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:WINDOWSie7updatesKB939653-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:WINDOWSie7updatesKB942615-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:WINDOWSie7updatesKB944533-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:WINDOWSie7updatesKB950759-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:WINDOWSie7updatesKB953838-IE7spuninstspuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:WINDOWSie7updatesKB956390-IE7spuninstspuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:WINDOWS$NtUninstallKB917734_WMP10$spuninstspuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:WINDOWS$NtUninstallKB936782_WMP11$spuninstspuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:WINDOWS$NtUninstallKB954154_WM11$spuninstspuninst.exe"
Security Update for Windows XP (KB938464)-->"C:WINDOWS$NtUninstallKB938464$spuninstspuninst.exe"
Security Update for Windows XP (KB941569)-->"C:WINDOWS$NtUninstallKB941569$spuninstspuninst.exe"
Security Update for Windows XP (KB946648)-->"C:WINDOWS$NtUninstallKB946648$spuninstspuninst.exe"
Security Update for Windows XP (KB950760)-->"C:WINDOWS$NtUninstallKB950760$spuninstspuninst.exe"
Security Update for Windows XP (KB950762)-->"C:WINDOWS$NtUninstallKB950762$spuninstspuninst.exe"
Security Update for Windows XP (KB950974)-->"C:WINDOWS$NtUninstallKB950974$spuninstspuninst.exe"
Security Update for Windows XP (KB951066)-->"C:WINDOWS$NtUninstallKB951066$spuninstspuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:WINDOWS$NtUninstallKB951376-v2$spuninstspuninst.exe"
Security Update for Windows XP (KB951698)-->"C:WINDOWS$NtUninstallKB951698$spuninstspuninst.exe"
Security Update for Windows XP (KB951748)-->"C:WINDOWS$NtUninstallKB951748$spuninstspuninst.exe"
Security Update for Windows XP (KB952954)-->"C:WINDOWS$NtUninstallKB952954$spuninstspuninst.exe"
Security Update for Windows XP (KB953839)-->"C:WINDOWS$NtUninstallKB953839$spuninstspuninst.exe"
Security Update for Windows XP (KB954211)-->"C:WINDOWS$NtUninstallKB954211$spuninstspuninst.exe"
Security Update for Windows XP (KB954459)-->"C:WINDOWS$NtUninstallKB954459$spuninstspuninst.exe"
Security Update for Windows XP (KB955069)-->"C:WINDOWS$NtUninstallKB955069$spuninstspuninst.exe"
Security Update for Windows XP (KB956391)-->"C:WINDOWS$NtUninstallKB956391$spuninstspuninst.exe"
Security Update for Windows XP (KB956803)-->"C:WINDOWS$NtUninstallKB956803$spuninstspuninst.exe"
Security Update for Windows XP (KB956841)-->"C:WINDOWS$NtUninstallKB956841$spuninstspuninst.exe"
Security Update for Windows XP (KB957095)-->"C:WINDOWS$NtUninstallKB957095$spuninstspuninst.exe"
Security Update for Windows XP (KB957097)-->"C:WINDOWS$NtUninstallKB957097$spuninstspuninst.exe"
Security Update for Windows XP (KB958644)-->"C:WINDOWS$NtUninstallKB958644$spuninstspuninst.exe"
Sid Meier's Civilization 4-->RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime110Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}setup.exe" -l0x9 -removeonly
SoftV92 Data Fax Modem with SmartCP-->C:Program FilesCONEXANTCNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_00641025HXFSETUP.EXE -U -Iqta00645.inf
SopCast 3.0.1-->C:Program FilesSopCastuninst.exe
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:Program FilesSynapticsSynTPSynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers.-->C:PROGRA~1COMMON~1INSTAL~1Driver7INTEL3~1IDriver.exe /M{23C7348E-131C-4BFF-9763-2C804D6B87AE}
TUGZip 3.5-->"C:Program FilesTUGZipunins000.exe"
TVAnts 1.0-->C:PROGRA~1TVANTSUNWISE.EXE C:PROGRA~1TVANTSINSTALL.LOG
Update for Windows XP (KB951072-v2)-->"C:WINDOWS$NtUninstallKB951072-v2$spuninstspuninst.exe"
Update for Windows XP (KB951978)-->"C:WINDOWS$NtUninstallKB951978$spuninstspuninst.exe"
VideoLAN VLC media player 0.8.6f-->C:Program FilesVideoLANVLCuninstall.exe
Windows Media Format 11 runtime-->"C:Program FilesWindows Media Playerwmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:WINDOWS$NtUninstallWMFDist11$spuninstspuninst.exe"
Windows Media Player 11-->"C:Program FilesWindows Media PlayerSetup_wm.exe" /Uninstall
Windows Media Player 11-->"C:WINDOWS$NtUninstallwmp11$spuninstspuninst.exe"

=====HijackThis Backups=====

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM..Run: [Hsekihumevixi] rundll32.exe "C:WINDOWSKmasirumecahal.dll",e
O4 - HKLM..Run: [epm-dm] c:acerepmepm-dm.exe
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [svschost.exe] C:WINDOWSsystem32svschost.exe -check
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM..Run: [Uyotuhe] rundll32.exe "C:WINDOWSefizuyocadi.dll",e
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:WINDOWSsystem32funugipi.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s
O4 - HKUSS-1-5-19..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User 'NETWORK SERVICE')
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s
O4 - HKUSS-1-5-20..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-19..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User 'LOCAL SERVICE')
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:WINDOWSsystem32funugipi.dll (file missing)
O4 - HKLM..Run: [320d18a1] rundll32.exe "C:WINDOWSsystem32yokanate.dll",b
O4 - HKLM..Run: [CPM313e2b3d] Rundll32.exe "c:windowssystem32kuwotevi.dll",a
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s
O4 - HKUSS-1-5-19..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User '?')
O4 - HKUSS-1-5-20..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32wurajobi.dll",s (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3OFFICE11EXCEL.EXE/3000
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:windowssystem32kuwotevi.dll
O4 - HKLM..Run: [CPM313e2b3d] Rundll32.exe "C:WINDOWSsystem32kuwotevi.dll",a
O20 - AppInit_DLLs: C:PROGRA~1GoogleGOOGLE~3GOEC62~1.DLL itxsbj.dll avgrsstx.dll c:windowssystem32kuwotevi.dll C:WINDOWSsystem32fiyamepe.dll c:windowssystem32tusihivi.dll
O4 - HKLM..Run: [rirawapola] Rundll32.exe "C:WINDOWSsystem32telopezo.dll",s
O4 - HKLM..Run: [CPM313e2b3d] Rundll32.exe "c:windowssystem32tusihivi.dll",a
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-21-4176711928-3286990816-867413009-1005..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKLM..Run: [CPM313e2b3d] Rundll32.exe "c:windowssystem32tusihivi.dll",a
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:WINDOWSsystem32mafopiwo.dll

======Security center information======

AV: AVG Anti-Virus Free (outdated)

======Environment variables======

"ComSpec"=%SystemRoot%system32cmd.exe
"Path"=%SystemRoot%system32;%SystemRoot%;%SystemRoot%System32Wbem;C:Program FilesQuickTimeQTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%TEMP
"TMP"=%SystemRoot%TEMP
"CLASSPATH"=.;C:Program FilesJavajre1.6.0_07libextQTJava.zip
"QTJAVA"=C:Program FilesJavajre1.6.0_07libextQTJava.zip

-----------------EOF-----------------
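
The "HijackThis Backups" section of the log above shows the persistence pattern this infection leaves behind: Run values that start rundll32.exe against a DLL in system32 and call a one-letter export (rirawapola, CPM313e2b3d, 320d18a1), the same DLL listed under AppInit_DLLs, and the same DLL registered again as an SSODL / SharedTaskScheduler shell hook. The following Python script is an added example, not part of this thread and not HijackThis code: it applies those checks to HijackThis-style entries and cross-references the DLLs across mechanisms. The sample entries are copied from the log posted later in this thread, where the path separators are intact; the rule labels and the "two or more mechanisms" threshold are my own choices.

```python
"""Triage HijackThis-style log entries for the rundll32 / AppInit / shell-hook
persistence pattern seen in this thread. Added example; not from the thread."""
import re
from typing import Dict, Iterator, List, Tuple

# Sample entries copied from the HijackThis log posted later in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:\WINDOWS\system32\fahapera.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\kozodobe.dll",b
O4 - HKLM\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s
O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\nogorike.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\nogorike.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll
"""

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")                 # "O4 - <body>"
DLL_PATH = re.compile(r"[a-z]:\\[^\"]+?\.dll", re.IGNORECASE)  # first drive-letter path ending in .dll
# rundll32[.exe] "<dll>",<export>   (quotes optional, path may contain spaces)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every 'Oxx - ...' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged DLL (lower-cased path) to the autostart mechanisms it uses."""
    findings: Dict[str, List[str]] = {}

    def hit(path: str, reason: str) -> None:
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:  # the same mechanism seen twice (HKLM + HKUS) counts once
            reasons.append(reason)

    for section, body in parse_entries(log_text):
        if section == "O4":
            # Run value that hands a DLL to rundll32 and calls a one-letter export
            m = RUNDLL.search(body)
            if m and len(m.group(2)) == 1:
                hit(m.group(1), f"O4 Run: rundll32 export '{m.group(2)}'")
        elif section == "O2" and "(no name)" in body:
            for path in DLL_PATH.findall(body):
                hit(path, "O2 BHO with no name")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # everything after the prefix is a space-separated DLL list
            for path in body.split(":", 1)[1].split():
                hit(path, "O20 AppInit_DLLs")
        elif section in ("O21", "O22"):
            label = "O21 SSODL" if section == "O21" else "O22 SharedTaskScheduler"
            for path in DLL_PATH.findall(body):
                hit(path, label)
    return findings


def cross_referenced(findings: Dict[str, List[str]], minimum: int = 2) -> Dict[str, List[str]]:
    """DLLs wired into at least `minimum` distinct autostart mechanisms."""
    return {path: reasons for path, reasons in findings.items() if len(reasons) >= minimum}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result.items():
        print(f"{path}: {', '.join(reasons)}")
    print("wired into several mechanisms:", list(cross_referenced(result)))
```

The cross-reference is the useful part: a single odd Run value can be a false positive, but one DLL that is started by rundll32, injected through AppInit_DLLs and hooked into Explorer via SSODL and SharedTaskScheduler has no legitimate reason to be in all four places. Point `triage()` at a full HijackThis log to apply the same rules to every entry.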

#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 December 2008 - 11:22 AM

Hi MBA_Ty,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case Azureus, LimeWire, BitTorrent, eMule). These programs allow users to share files between them, as the name suggests. In today's world, cybercrime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

Note: The logs are all missing the \ separator and are not readable. Let's try this:
  • When the first log opens, go to the Format menu and make sure Word Wrap is unchecked.
  • Go to Edit -> Select All, then Edit -> Copy.
  • Then log into this thread by using Add Reply and paste the reply.
  • Open Notepad (Start > All Programs > Accessories > Notepad). Copy and paste the text in the code box into Notepad.

    @ECHO OFF
    attrib -h -r -s C:\WINDOWS\tasks\qlrumtmj.job
    del C:\WINDOWS\tasks\qlrumtmj.job
    del remove.bat
    • Select Save in: Desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click Save and close the Notepad.
    • Double-click remove.bat on the desktop.
  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4 
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    "Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image



    Click Yes to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please copy/paste in your next reply:
  • The log of MBAM.
  • The Combofix log.
  • Any comment or feedback about how it went.
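
The regfix.reg in the instructions above is a REGEDIT4 file, and in that format a hex(7) value is REG_MULTI_SZ data written as ANSI bytes: 6d,73,76,31,5f,30,00,00 is the string "msv1_0" followed by the double NUL that closes the list, and 73,63,65,63,6C,69,00,00 is "scecli". Importing it therefore resets the LSA Authentication Packages and Notification Packages lists to those single entries and discards anything that had been appended to them. The following Python script is an added example, not part of the post: it decodes such values, checks them against the entries the fix restores, and reports anything else. The "infected" input is constructed here, and EXAMPLE_extra_package is a placeholder name, not an indicator from this thread.

```python
"""Decode the REG_MULTI_SZ values in a REGEDIT4 fix and compare the LSA package
lists against the entries the fix restores. Added example; not from the thread."""
import re
from typing import Dict, List

# The regfix.reg posted in this thread. In REGEDIT4 format the hex(7) bytes are
# ANSI characters: each string is NUL-terminated and a second NUL closes the list.
REGFIX_CLEAN = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
"""

# What the fix restores; any further entry in these lists needs an explanation.
EXPECTED_LSA = {
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli"],
}

VALUE_LINE = re.compile(r'^"([^"]+)"=(hex\(7\):[0-9A-Fa-f, ]*)$')


def decode_multi_sz(hex_field: str) -> List[str]:
    """'hex(7):6d,73,...' -> ['msv1_0'] (ANSI bytes, NUL-separated, double-NUL end)."""
    body = hex_field.split(":", 1)[1]
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return [s for s in data.decode("latin-1").split("\x00") if s]


def encode_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_multi_sz; used below to construct a sample infected value."""
    data = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def lsa_multi_sz_values(reg_text: str) -> Dict[str, List[str]]:
    """Return {value name: strings} for every hex(7) value under the LSA key."""
    # .reg files may continue a long hex value on the next line after a trailing backslash
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    current_key, found = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key.endswith("\\control\\lsa"):
            m = VALUE_LINE.match(line)
            if m:
                found[m.group(1)] = decode_multi_sz(m.group(2))
    return found


def audit_lsa_packages(reg_text: str) -> Dict[str, List[str]]:
    """Entries in the file's LSA package lists that are not among the expected ones."""
    values = lsa_multi_sz_values(reg_text)
    unexpected: Dict[str, List[str]] = {}
    for name, expected in EXPECTED_LSA.items():
        known = {e.lower() for e in expected}
        extra = [s for s in values.get(name, []) if s.lower() not in known]
        if extra:
            unexpected[name] = extra
    return unexpected


# Constructed sample: the same key with one additional notification package.
# "EXAMPLE_extra_package" is a placeholder, not an indicator from this thread.
REGFIX_WITH_EXTRA = REGFIX_CLEAN.replace(
    '"Notification Packages"=hex(7):73,63,65,63,6C,69,00,00',
    '"Notification Packages"=' + encode_multi_sz(["scecli", "EXAMPLE_extra_package"]),
)

if __name__ == "__main__":
    print("clean   :", lsa_multi_sz_values(REGFIX_CLEAN), audit_lsa_packages(REGFIX_CLEAN))
    print("infected:", lsa_multi_sz_values(REGFIX_WITH_EXTRA), audit_lsa_packages(REGFIX_WITH_EXTRA))
```

The same decoder works on an export of the live key (File > Export in Regedit, saved in the REGEDIT4 format), which is how you would confirm, before and after importing the fix, what LSA actually loads at boot; a DLL name in either list that is not msv1_0 or scecli is what the fix is there to remove.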


#3 MBA_Ty

MBA_Ty
  • Topic Starter

  • Members
  • 7 posts

Posted 05 December 2008 - 03:16 PM

Thanks for the prompt reply. I don't know what the issue was with the slashes in the previous post, but it is fixed now. Anyway, I downloaded the 2 .exe files as specified (combofix, mbam_setup) and attempted to run them. The programs will begin to run, and will show in the 'processes' tray in the Task Manager, but nothing happens.


Logfile of random's system information tool 1.04 (written by random/random)
Run by Ty at 2008-12-05 14:59:56
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 4 GB (16%) free of 27 GB
Total RAM: 1006 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:57 PM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ty\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.umflint.edu:8080
O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:\WINDOWS\system32\fahapera.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\kozodobe.dll",b
O4 - HKLM\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s
O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\nogorike.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\nogorike.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4954 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d09e7b0-b55b-4e18-a1dd-5d85924e3194}]
C:\WINDOWS\system32\fahapera.dll [2008-09-05 63732]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-10-05 5759816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-13 169984]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"320d18a1"=C:\WINDOWS\system32\kozodobe.dll [2008-12-05 88867]
"rirawapola"=C:\WINDOWS\system32\ruwiraje.dll [2008-09-05 63732]
"CPM313e2b3d"=c:\windows\system32\nogorike.dll [2008-12-05 93322]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\320d18a1]
C:\WINDOWS\system32\xmfmbljm.dll [2008-12-02 70656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM313e2b3d]
c:\windows\system32\tusihivi.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTEMON.EXE]
/h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe [2006-05-22 694272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
c:\acer\epm\epm-dm.exe [2005-06-10 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
C:\Acer\ePM\ePM.exe [2005-03-15 2893824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Windows\System32\Check.exe [2005-03-23 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2004-02-11 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hsekihumevixi]
C:\WINDOWS\Kmasirumecahal.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2004-02-11 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2006-07-07 600896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
C:\Program Files\Microsoft IntelliType Pro\itype.exe [2006-07-07 576320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd]
C:\DOCUME~1\Ty\LOCALS~1\Temp\csrssc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\Pando.exe /Minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rirawapola]
C:\WINDOWS\system32\telopezo.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2008-10-05 160592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\d92635c8-b86e-4dca-aa86-f7af214c85bd.exe [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svschost.exe]
C:\WINDOWS\system32\svschost.exe -check []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-20 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-20 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-02-17 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uyotuhe]
C:\WINDOWS\efizuyocadi.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xsjfn83jkemfofght]
C:\DOCUME~1\Ty\LOCALS~1\Temp\winlogin.exe [2008-11-29 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RSDLUpdater.exe.lnk]
C:\WINDOWS\WINDOWS\RSDLUP~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3
"MDM"=2
"iPod Service"=3
"IDriverT"=3
"GoogleDesktopManager-061008-081103"=3
"avg8wd"=2
"avg8emc"=2
"Ati HotKey Poller"=2
"Apple Mobile Device"=2
"anbmService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\nogorike.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-11 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll [2008-12-05 93322]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll [2008-12-05 93322]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\kakekuze.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Pando Networks\Pando\Pando.exe"="C:\Program Files\Pando Networks\Pando\Pando.exe:*:Enabled:pando"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Motorola\Software Update\msu.exe"="C:\Program Files\Motorola\Software Update\msu.exe:*:Enabled:msu"
"C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"="C:\Documents and Settings\Ty\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome"
"C:\Program Files\Motorola\RSD Lite\SDL.exe"="C:\Program Files\Motorola\RSD Lite\SDL.exe:*:Enabled:SDL"
"C:\WINDOWS\System32\NOTEPAD.EXE"="C:\WINDOWS\System32\NOTEPAD.EXE:*:Disabled:Notepad"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Explorer"
"C:\WINDOWS\System32\logonui.exe"="C:\WINDOWS\System32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\System32\WINLOGON.EXE"="C:\WINDOWS\System32\WINLOGON.EXE:*:Enabled:winlogon"
"C:\WINDOWS\System32\rundll32.exe"="C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2008-12-05 00:53:01 ----SH---- C:\WINDOWS\system32\ebodozok.ini
2008-12-04 14:19:10 ----D---- C:\rsit
2008-12-04 12:52:49 ----SH---- C:\WINDOWS\system32\olurodot.ini
2008-12-03 18:13:34 ----SH---- C:\WINDOWS\system32\etanakoy.ini
2008-12-03 17:07:26 ----A---- C:\WINDOWS\system32\~.exe
2008-12-03 02:54:37 ----D---- C:\!KillBox
2008-12-03 02:43:39 ----D---- C:\Program Files\Trend Micro
2008-12-03 02:33:19 ----HD---- C:\$AVG8.VAULT$
2008-12-03 02:26:41 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-03 02:26:25 ----D---- C:\Program Files\AVG
2008-12-03 02:26:25 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-03 02:23:35 ----A---- C:\WINDOWS\system32\.tmp
2008-12-02 20:42:16 ----ASH---- C:\WINDOWS\system32\mjlbmfmx.ini
2008-12-02 20:10:27 ----SH---- C:\WINDOWS\system32\mjlbmfmx.ini2
2008-12-02 20:05:27 ----SH---- C:\WINDOWS\system32\mjlbmfmx.tmp
2008-12-02 20:02:18 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-02 20:01:01 ----A---- C:\WINDOWS\unuwiqin.dll
2008-12-02 19:58:12 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-02 19:58:12 ----D---- C:\Documents and Settings\Ty\Application Data\SUPERAntiSpyware.com
2008-12-02 19:57:50 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-02 19:54:40 ----A---- C:\WINDOWS\system32\xmfmbljm.dll
2008-12-02 19:51:45 ----N---- C:\WINDOWS\system32\ixfikfmj.dll
2008-12-02 19:51:45 ----N---- C:\WINDOWS\system32\itxsbj.dll
2008-11-29 15:45:23 ----A---- C:\WINDOWS\erapafiq.dll
2008-11-29 15:28:39 ----D---- C:\WINDOWS\Minidump
2008-11-29 15:25:36 ----A---- C:\WINDOWS\system32\392edcdf-.txt
2008-11-29 15:25:01 ----ASH---- C:\WINDOWS\system32\YIjQtBeg.ini2
2008-11-29 15:25:01 ----ASH---- C:\WINDOWS\system32\YIjQtBeg.ini
2008-11-29 15:24:04 ----A---- C:\ruldmeb.exe
2008-11-29 15:23:32 ----RSHD---- C:\RECYCLER
2008-11-29 15:22:36 ----A---- C:\ptbbw.exe
2008-11-29 15:21:44 ----A---- C:\arjdhgx.exe
2008-11-29 15:20:42 ----A---- C:\Documents and Settings\All Users\Application Data\winlogon.exe
2008-11-29 15:20:16 ----A---- C:\WINDOWS\system32\gs73gfidgf.dll
2008-11-29 15:20:08 ----D---- C:\Program Files\Microsoft Common
2008-11-29 15:19:19 ----A---- C:\khrwa.exe
2008-11-29 15:17:12 ----A---- C:\iiduqaah.exe
2008-11-29 15:16:11 ----A---- C:\WINDOWS\system32\ssqPjkLe.dll
2008-11-17 14:50:03 ----HD---- C:\WINDOWS\$NtUninstallWdf01005$
2008-11-12 15:59:58 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 15:59:53 ----HD---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 15:59:35 ----HD---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 1 months======

2008-12-05 14:06:36 ----ASH---- C:\WINDOWS\system32\sizehawi.dll
2008-12-05 14:06:36 ----ASH---- C:\WINDOWS\system32\nogorike.dll
2008-12-05 14:06:00 ----A---- C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt
2008-12-05 03:39:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 00:53:00 ----ASH---- C:\WINDOWS\system32\zadimeve.dll
2008-12-05 00:53:00 ----ASH---- C:\WINDOWS\system32\kozodobe.dll
2008-12-04 13:46:08 ----RASH---- C:\BOOT.INI
2008-12-04 13:46:08 ----A---- C:\WINDOWS\win.ini
2008-12-04 13:46:08 ----A---- C:\WINDOWS\system.ini
2008-12-04 12:52:46 ----ASH---- C:\WINDOWS\system32\viveveno.dll
2008-12-04 12:52:46 ----ASH---- C:\WINDOWS\system32\todorulo.dll
2008-12-03 18:13:30 ----ASH---- C:\WINDOWS\system32\yokanate.dll
2008-12-03 17:13:16 ----ASH---- C:\WINDOWS\system32\petemowa.dll
2008-12-03 15:37:16 ----A---- C:\WINDOWS\DUMP82a8.tmp
2008-12-03 03:49:16 ----A---- C:\WINDOWS\DUMP9153.tmp
2008-12-03 01:25:24 ----A---- C:\WINDOWS\DUMP3950.tmp
2008-12-03 01:06:12 ----A---- C:\WINDOWS\system32\eRLog.ini
2008-11-29 16:45:26 ----A---- C:\WINDOWS\DUMP6d7e.tmp
2008-11-29 15:59:40 ----A---- C:\WINDOWS\DUMP394f.tmp
2008-11-29 15:54:50 ----A---- C:\WINDOWS\DUMP3963.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-03 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SMBHC;Microsoft SM Bus Host Controller Driver; C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 6784]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
R2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-10 11043]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 osaio;osaio; C:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 10594]
R2 osanbm;osanbm; C:\WINDOWS\system32\drivers\osanbm.sys [2004-06-01 4054]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-09-27 44032]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-30 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-30 274688]
R3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2007-08-17 18816]
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-11 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-11 199552]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-02-11 681469]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2005-11-27 6144]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMBBATT;Microsoft Smart Battery Driver; C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 16000]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-20 184768]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-08-20 3210496]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-11 682624]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2003-05-23 175360]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 int15.sys;int15.sys; \??\C:\Program Files\acer\eRecovery\int15.sys []
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2004-05-26 67584]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 anbmService;Notebook Manager Service; C:\Acer\eManager\anbmServ.exe [2004-08-16 1287168]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-05-15 376832]
S4 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
S4 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
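The log above carries several persistence indicators worth pulling out mechanically rather than by eye: startup entries whose file names imitate Windows binaries (csrssc.exe, svschost.exe, winlogin.exe), entries that run from the user's Temp directory, an AppInit_DLLs value that injects two DLLs into every process that maps user32.dll, and a second LSA notification package beside the default scecli, which gets loaded into lsass.exe. The following Python script is an added example, not part of the thread or of RSIT, that parses lines in the RSIT log format shown here and flags those conditions. The sample excerpt is constructed from that format (the `winlogon` startup entry is invented to exercise the "system name outside the Windows directories" check), and the list of system binary names and the edit-distance threshold are the author's assumptions.

```python
"""Triage persistence entries in an RSIT-style log (added example, not RSIT code)."""
import re

# Constructed sample in the RSIT log format used in this thread, not a real capture
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2004-02-11 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd]
C:\DOCUME~1\Ty\LOCALS~1\Temp\csrssc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svschost.exe]
C:\WINDOWS\system32\svschost.exe -check []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xsjfn83jkemfofght]
C:\DOCUME~1\Ty\LOCALS~1\Temp\winlogin.exe [2008-11-29 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
C:\Documents and Settings\All Users\Application Data\winlogon.exe [2008-11-29 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\nogorike.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\kakekuze.dll
"""

# One startupreg block: the key header line, then "<path> [<args>] [<date size>]"
ENTRY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"
    r"(?P<name>[^\]]+)\]\r?\n"
    r"(?P<path>.*?\.(?:exe|dll|cpl|scr))[^\[\n]*\[(?P<meta>[^\]]*)\]",
    re.IGNORECASE | re.MULTILINE,
)
APPINIT_RE = re.compile(r'"AppInit_DLLs"="([^"]*)"', re.IGNORECASE)
# First package is on the "=" line; RSIT prints further packages on following lines
LSA_RE = re.compile(r'"notification packages"=(.*(?:\n[^\n\[].+)*)', re.IGNORECASE)

# Assumed list of XP system binaries that malware commonly imitates by name
SYSTEM_NAMES = ("csrss.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                "services.exe", "smss.exe", "explorer.exe", "rundll32.exe")
SYSTEM_DIRS = ("c:\\windows\\",)      # where those names legitimately live on XP
LSA_BASELINE = {"scecli"}             # the only package on a default XP workstation


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the system binary a filename imitates (distance exactly 1), else None."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for sysname in SYSTEM_NAMES:
        if levenshtein(name, sysname) == 1:
            return sysname
    return None


def triage(log_text):
    """Return a list of (entry, path, reasons) that deserve a closer look."""
    findings = []
    for m in ENTRY_RE.finditer(log_text):
        path, meta = m["path"].strip(), m["meta"].strip()
        low = path.lower()
        filename = low.rsplit("\\", 1)[-1]
        reasons = []
        target = lookalike(filename)
        if target:
            reasons.append(f"file name imitates {target}")
        if "\\temp\\" in low:
            reasons.append("runs from a temp directory")
        if filename in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside the Windows directories")
        if reasons and not meta:
            # RSIT prints [] when it cannot stat the file; legitimate entries with
            # arguments get [] too, so this is only added to other findings
            reasons.append("no file date/size recorded")
        if reasons:
            findings.append((m["name"], path, reasons))

    m = APPINIT_RE.search(log_text)
    for dll in (m.group(1).split() if m else []):
        findings.append(("AppInit_DLLs", dll,
                         ["loaded into every process that maps user32.dll"]))

    m = LSA_RE.search(log_text)
    for pkg in (m.group(1).splitlines() if m else []):
        pkg = pkg.strip()
        if pkg and pkg.lower() not in LSA_BASELINE:
            findings.append(("Lsa\\Notification Packages", pkg,
                             ["non-default package loaded into lsass.exe"]))
    return findings


if __name__ == "__main__":
    for entry, path, reasons in triage(SAMPLE_LOG):
        print(f"{entry}: {path}\n    - " + "\n    - ".join(reasons))
```

The edit-distance threshold is deliberately strict (exactly one insertion, deletion or substitution) because short names such as smss.exe collide with harmless ones at distance two; widen it only with an allowlist. Names like nogorike.dll or kakekuze.dll are not caught by any name heuristic, which is why the AppInit_DLLs and LSA checks key on the location rather than the name.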

#4 Farbar (Just Curious; Security Developer, 21,707 posts, The Netherlands)

Posted 05 December 2008 - 03:21 PM

Is this the only computer you have?

#5 MBA_Ty (Topic Starter; Members, 7 posts)

Posted 05 December 2008 - 03:37 PM

> Is this the only computer you have?

Yes it is.

#6 Farbar (Just Curious; Security Developer, 21,707 posts, The Netherlands)

Posted 05 December 2008 - 03:46 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
  • Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
  • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {0d09e7b0-b55b-4e18-a1dd-5d85924e3194} - C:\WINDOWS\system32\fahapera.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\kozodobe.dll",b
    O4 - HKLM\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s
    O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\nogorike.dll",a
    O4 - HKUS\S-1-5-20\..\Run: [rirawapola] Rundll32.exe "C:\WINDOWS\system32\ruwiraje.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\nogorike.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogorike.dll


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Locate regfix.reg on the desktop and double-click on it and confirm.

  • Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • After SDFix has rebooted and finished with a log, try to install MBAM once more and proceed with it as instructed. You don't have to run Combofix now. First finish these steps and post the logs.

  • Please run RSIT, set the list of Files/Folders created to 2 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).
Please copy/paste in your next reply:
  • The SDFix log.
  • The log of MBAM.
  • The RSIT log.
  • Any comment or feedback about how it went.


#7 MBA_Ty (Topic Starter; Members, 7 posts)

Posted 05 December 2008 - 04:35 PM

Oh boy. We go deeper into the wormhole. Safe mode WILL NOT load. The last file listed is agp440.sys, then no further files are loaded, the computer appears to be attempting to load more files, then Blue Screen of Death (BSOD).

#8 Farbar (Just Curious; Security Developer, 21,707 posts, The Netherlands)

Posted 05 December 2008 - 04:57 PM

Yes, the computer is heavily infected. But no panic. Do this one and then proceed with the steps in Safe Mode:

To repair Safe Mode.
  • Please download SafeBootKeyRepair.exe by sUBs to your desktop from here: http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe.
  • Close all programs/windows so that you have nothing open and are at your Desktop.
  • Double-click the SafeBootKeyRepair.exe file.
  • When finished, it shall produce a log for you.
  • Copy and paste the entire contents of C:\SafeBoot_Repair.txt in your next reply.
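Safe Mode failing right after a driver name and blue-screening is the typical symptom of a damaged or deleted HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key, which the repair tool above rebuilds. The script below is an added example, not part of the thread or of the repair tool: it parses a .reg export of that key, of the kind the poster reports after the repair, and checks the Minimal profile against the subkey list from the Windows XP export in this thread, reporting entries that are missing and entries that are not expected there (malware that wants to survive Safe Mode adds its own service to this key). The baseline excludes the {GUID} device-class subkeys to keep the list short; the sample export and the `exampleSvc` name are constructed.

```python
"""Check a SafeBoot .reg export against the XP Minimal baseline (added example)."""
import re

# Expected SafeBoot\Minimal subkeys (services, driver groups and drivers) as they
# appear in the post-repair XP export in this thread; {GUID} entries are not listed
MINIMAL_BASELINE = {
    "AppMgmt", "Base", "Boot Bus Extender", "Boot file system", "CryptSvc",
    "DcomLaunch", "dmadmin", "dmboot.sys", "dmio.sys", "dmload.sys", "dmserver",
    "EventLog", "File system", "Filter", "HelpSvc", "Netlogon",
    "PCI Configuration", "PlugPlay", "PNP Filter", "Primary disk", "RpcSs",
    "SCSI Class", "sermouse.sys", "sr.sys", "SRService", "System Bus Extender",
    "vds", "vga.sys", "vgasave.sys", "WinMgmt",
}

# One exported subkey: the "[HKEY_...\safeboot\<profile>\<sub>]" line and its default value
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot'
    r'\\(?P<profile>minimal|network)\\(?P<sub>[^\]]+)\]\r?\n@="(?P<kind>[^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)


def parse_safeboot(reg_text):
    """Map each SafeBoot profile to {subkey: default value} from a .reg export."""
    profiles = {"minimal": {}, "network": {}}
    for m in KEY_RE.finditer(reg_text):
        profiles[m["profile"].lower()][m["sub"]] = m["kind"]
    return profiles


def check_minimal(reg_text):
    """Return (missing, unexpected) subkeys of the Minimal profile, case-insensitively."""
    present = parse_safeboot(reg_text)["minimal"]
    baseline_ci = {k.lower() for k in MINIMAL_BASELINE}
    present_ci = {k.lower() for k in present}
    missing = sorted(k for k in MINIMAL_BASELINE if k.lower() not in present_ci)
    # Device-class {GUID} subkeys are legitimate and not in the short baseline, so skip them
    unexpected = sorted(k for k in present
                        if k.lower() not in baseline_ci and not k.startswith("{"))
    return missing, unexpected


# Constructed sample export: most Minimal entries gone, plus one subkey that does not
# belong there (exampleSvc is a placeholder name, not a real service)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\exampleSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"
"""

if __name__ == "__main__":
    missing, unexpected = check_minimal(SAMPLE_REG)
    print("missing:", ", ".join(missing) or "none")
    print("unexpected:", ", ".join(unexpected) or "none")
```

A real export written by regedit on XP is UTF-16 with CRLF line endings, so read it with `open(path, encoding="utf-16")` before passing the text to `check_minimal`. A missing entry is repaired by restoring the subkey with its default value; an unexpected one names a service or driver that will still load in Safe Mode and should be looked up before the next reboot.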


#9 MBA_Ty (Topic Starter; Members, 7 posts)

Posted 05 December 2008 - 06:04 PM

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

Edited by MBA_Ty, 05 December 2008 - 07:02 PM.
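Added example, not part of the thread or of RSIT/HijackThis: a small Python parser for the .reg-style SafeBoot dump format shown in the log above. It lists the subkeys that carry no `@` class value (as the `{1a3e09be-...}` entry under Network does in the log), which is a quick triage check when reading such a dump; the input is a constructed excerpt in the same format, not the full log.

```python
"""Added example: parse a .reg-style SafeBoot dump and flag bare subkeys."""
import re

# Constructed sample in the same format as the pasted log; not the full log.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
"""

# Key header: ...\safeboot\<profile>[\<subkey>]; the subkey is absent for the profile root.
KEY_RE = re.compile(r"^\[.*\\safeboot\\(Minimal|Network)(?:\\(.+))?\]$", re.I)
VALUE_RE = re.compile(r'^@="(.*)"$')

def parse_safeboot(dump):
    """Return {(profile, subkey): class}, class being the '@' string or None."""
    entries, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = KEY_RE.match(line)
            # Any other key (or a profile root) ends the current entry.
            current = (key.group(1), key.group(2)) if key and key.group(2) else None
            if current:
                entries.setdefault(current, None)
            continue
        val = VALUE_RE.match(line)
        if val and current:
            entries[current] = val.group(1)
    return entries

def unclassified(entries):
    """Subkeys with no '@' value; every other entry in the log names a class."""
    return sorted(f"{p}\\{s}" for (p, s), cls in entries.items() if cls is None)

if __name__ == "__main__":
    for e in unclassified(parse_safeboot(SAMPLE_DUMP)):
        print("no class value:", e)
```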


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:32 PM

Posted 05 December 2008 - 06:38 PM

The log is again distorted. Could you please try to get to Safe Mode once more. If you couldn't, post a new log please.

#11 MBA_Ty

MBA_Ty
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:32 AM

Posted 05 December 2008 - 07:05 PM

The log is again distorted. Could you please try to get to Safe Mode once more. If you couldn't, post a new log please.



Sorry about that. I think the particular proxy I was behind was causing the issue with modifying what I posted. I will attempt to restart in safe mode and resume where we were before this and post the results.

#12 MBA_Ty

MBA_Ty
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:32 AM

Posted 05 December 2008 - 07:22 PM

I attempted to restart the computer in safe mode and I got the same result: BSOD.


Also, if you look above, I have corrected the problem with the logfile.

Edited by MBA_Ty, 05 December 2008 - 07:23 PM.


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:32 PM

Posted 05 December 2008 - 08:34 PM

  • Your log shows that you have used MSConfig to disable some startup items. But one of the items needs to run.

    Please click on start, then run, and type msconfig and then press enter. When the window opens click on the Startup tab and make sure there is a checkmark in the box next to ePowerManagement. It is under Command, pointing to: C:\Acer\ePM\ePM.exe. If it asks to reboot, select not to reboot.

  • You have also used HJT to remove some items. One of them is related to AVG and needs to be restored.
    Open HijackThis, and click on "View the list of Backups".
    Place a check mark next to the following:

    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

    Click Restore, then click Yes

  • If you cannot find the following files, make sure that you can view all hidden and system files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Please click this link--> virustotal
    • Click the browse button and navigate to the files listed below in bold, then click Send File. You will only be able to have one file scanned at a time.

      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\userinit.exe
    • If the file has been analyzed before, click the Reanalyse file now button.
    • Wait until the file is analyzed. Please post back the results of the scan in your next post.
  • Perform step #3 from post #6 with HijackThis in normal mode.

  • Download gmer.zip and save to your desktop.
    alternate download site 1
    alternate download site 2
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on "Settings", then check the first five settings:
      *System Protection and Tracing
      *Processes
      *Save created processes to the log
      *Drivers
      *Save loaded drivers to the log
    • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.
    Important! Please do not select the "Show all" checkbox during the scan.

  • Try once more the Safe Mode and note down the error/stop message you get.

  • Please run RSIT, set the list of Files/Folders created to 3 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:32 PM

Posted 11 December 2008 - 02:13 AM

It's been 5 days without a reply; it seems there is no interest in the topic any more. I'll wait another day before closing it.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:32 PM

Posted 12 December 2008 - 08:51 AM

This thread will now be closed due to lack of feedback.

If you need this topic reopened, please send me a PM within a couple of days and I will reopen it for you. Include the address of this thread in your request.

Otherwise start a new topic.
