
Unknown Malware, many pop-ups, won't access Kaspersky


  • This topic is locked
31 replies to this topic

#1 js74


Posted 22 December 2008 - 10:42 AM

My PC has recently become infected with some pretty nasty things. I have tried on my own and with the help of some anti-virus and anti-malware applications to get rid of them, but to no avail. My PC crashes a lot at start-up of both regular Windows and Safe-Mode Windows. When it does get started, I always get this error:

Error loading C:\WINDOWS\system32\vagiwara.dll. The specified module could not be found.

Although I have removed a bunch of malware, I am still getting all of the fake anti-malware offers popping up when on the Internet.

Windows Defender, Ad-Aware, and Spybot can’t connect to get updates.

When I use the Autoruns program the following keys keep reappearing in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key: BgMonitor, bofakidibe, Power2GoExpress, and prunnet. The .exe and .dll files associated with these keys have been deleted. I have tried repeatedly to turn off and then delete these keys (in Autoruns and regedit), but after a reboot they are always back and checked.

I have tried to go to the Kaspersky site by manually typing in the address, but I always get the “this page cannot be displayed” screen. When I try to access it through a Google or Yahoo search I always have some other advertisement site pop up instead. I know the site is working because I can get to it on my laptop. The only way I think I am able to contact you is by my employer-owned laptop. I really appreciate any help you can give me; this thing is really giving me fits!

Here are the logs:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2008-12-22 09:25:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 58 GB (39%) free of 147 GB
Total RAM: 446 MB (50% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\xbssfzcn.job
C:\WINDOWS\tasks\zddfgqfy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"CPM97f4074d"=c:\windows\system32\tigahifa.dll [2008-12-03 93749]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=NA []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"prunnet"=C:\WINDOWS\system32\prunnet.exe []
"bofakidibe"=C:\WINDOWS\system32\vagiwara.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2008-11-13 2356088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe [2006-05-22 694272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe [2005-03-08 1695744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-03-16 295606]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Acrobat\ADOBEC~1.EXE [2007-05-10 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.FamilyRoom^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutorunsDisabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\tigahifa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-15 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqNDVmj]
urqNDVmj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tigahifa.dll [2008-12-03 93749]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tigahifa.dll [2008-12-03 93749]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{89FF7118-66BD-4506-A11E-30F7A60110EC}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1159911348\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1159911348\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Enabled:abc"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"J:\LimeWire\LimeWire.exe"="J:\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\QuickTime\QTTask.exe"="C:\Program Files\QuickTime\QTTask.exe:*:Enabled:QTTask"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\Digital Media Reader\readericon45G.exe"="C:\Program Files\Digital Media Reader\readericon45G.exe:*:Enabled:readericon45G"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"="C:\Program Files\McAfee.com\Agent\mcupdate.exe:*:Enabled:McUpdate"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:Ad-Aware"
"C:\Program Files\Lavasoft\Ad-Aware\lsupdatemanager.exe"="C:\Program Files\Lavasoft\Ad-Aware\lsupdatemanager.exe:*:Enabled:Software update"
"C:\Program Files\Windows Defender\MSASCui.exe"="C:\Program Files\Windows Defender\MSASCui.exe:*:Enabled:Windows Defender"
"C:\Program Files\sz8021\8021_6.exe"="C:\Program Files\sz8021\8021_6.exe:*:Enabled: FA Multiplication Division"
"C:\Program Files\Kazaa\kazaa.exe"="C:\Program Files\Kazaa\kazaa.exe:*:Disabled:Kazaa"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Disabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{935b3331-5323-11db-8b52-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2008-12-22 09:25:27 ----D---- C:\Program Files\trend micro
2008-12-22 09:25:26 ----D---- C:\rsit
2008-12-21 20:01:50 ----D---- C:\Program Files\Lavasoft
2008-12-21 20:01:49 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-21 14:20:33 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-21 13:57:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-19 22:23:21 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-12-19 22:19:29 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-19 21:54:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-19 21:43:39 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 22:26:35 ----D---- C:\Program Files\Avira
2008-12-18 22:26:35 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-12-18 22:18:50 ----SHD---- C:\WINDOWS\CSC
2008-12-17 23:42:35 ----D---- C:\Program Files\CCleaner
2008-12-04 15:58:53 ----SH---- C:\WINDOWS\system32\ifufubaj.ini
2008-12-01 22:04:03 ----SH---- C:\WINDOWS\system32\onmmbqyg.ini
2008-12-01 22:00:58 ----ASH---- C:\WINDOWS\system32\XHRrCfhk.ini2
2008-12-01 22:00:58 ----ASH---- C:\WINDOWS\system32\XHRrCfhk.ini
2008-12-01 20:29:49 ----A---- C:\WINDOWS\system32\wertyu.dll
2008-12-01 20:29:33 ----A---- C:\WINDOWS\system32\getwn32.dll
2008-12-01 20:29:33 ----A---- C:\WINDOWS\system32\av.exe
2008-12-01 20:26:01 ----SH---- C:\WINDOWS\system32\cjeyvnby.ini
2008-12-01 20:22:50 ----ASH---- C:\WINDOWS\system32\AHNTstwa.ini2
2008-12-01 20:22:50 ----ASH---- C:\WINDOWS\system32\AHNTstwa.ini
2008-11-30 22:26:05 ----D---- C:\Program Files\Windows Defender
2008-11-30 15:49:37 ----A---- C:\WINDOWS\system32\g69.exe
2008-11-30 15:20:32 ----SH---- C:\WINDOWS\system32\ttottjpw.ini
2008-11-30 15:12:11 ----A---- C:\WINDOWS\system32\9fe4f0af-.txt
2008-11-30 15:10:33 ----ASH---- C:\WINDOWS\system32\jPXayccf.ini2
2008-11-30 15:10:32 ----ASH---- C:\WINDOWS\system32\jPXayccf.ini
2008-11-30 15:05:46 ----D---- C:\WINDOWS\system32\vi
2008-11-30 15:05:46 ----D---- C:\WINDOWS\system32\op8
2008-11-30 15:05:41 ----D---- C:\WINDOWS\system32\giv
2008-11-30 15:05:39 ----D---- C:\WINDOWS\system32\IN
2008-11-30 15:05:39 ----D---- C:\WINDOWS\system32\gi3
2008-11-30 15:05:37 ----D---- C:\WINDOWS\system32\TEC

======List of files/folders modified in the last 1 months======

2008-12-22 09:25:27 ----D---- C:\Program Files
2008-12-22 08:58:05 ----SD---- C:\WINDOWS\Tasks
2008-12-22 08:44:06 ----D---- C:\WINDOWS\Temp
2008-12-22 01:36:44 ----A---- C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt
2008-12-22 01:35:39 ----D---- C:\WINDOWS
2008-12-22 01:35:21 ----D---- C:\WINDOWS\Registration
2008-12-21 23:14:00 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-21 22:21:39 ----D---- C:\WINDOWS\Prefetch
2008-12-21 20:02:54 ----SHD---- C:\WINDOWS\Installer
2008-12-21 20:01:50 ----D---- C:\WINDOWS\system32\drivers
2008-12-21 20:01:50 ----D---- C:\WINDOWS\system32
2008-12-21 13:54:14 ----D---- C:\Program Files\LimeWire
2008-12-21 13:33:09 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-21 13:33:08 ----D---- C:\WINDOWS\Debug
2008-12-21 13:33:04 ----D---- C:\WINDOWS\Minidump
2008-12-21 11:18:59 ----D---- C:\Program Files\WildTangent
2008-12-21 11:18:55 ----D---- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-12-21 11:15:56 ----D---- C:\Program Files\Gateway Games
2008-12-21 11:15:28 ----D---- C:\Program Files\Common Files\Apple
2008-12-21 11:13:54 ----D---- C:\WINDOWS\system32\Restore
2008-12-21 11:00:01 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-19 22:19:29 ----D---- C:\Program Files\Common Files
2008-12-19 06:05:04 ----D---- C:\Program Files\Replay Music 2
2008-12-17 18:50:36 ----A---- C:\WINDOWS\win.ini
2008-12-03 15:53:17 ----ASH---- C:\WINDOWS\system32\jabufufi.dll
2008-12-03 15:53:16 ----ASH---- C:\WINDOWS\system32\rugahojo.dll
2008-12-03 15:53:16 ----ASH---- C:\WINDOWS\system32\kivagoyu.dll
2008-12-03 03:49:03 ----ASH---- C:\WINDOWS\system32\tigahifa.dll
2008-12-03 03:49:03 ----ASH---- C:\WINDOWS\system32\nuwuzeku.dll
2008-12-02 15:50:15 ----ASH---- C:\WINDOWS\system32\jehofoku.dll
2008-12-02 15:50:13 ----ASH---- C:\WINDOWS\system32\godidusa.dll
2008-12-01 21:56:59 ----ASH---- C:\WINDOWS\system32\bekehutu.dll
2008-11-30 22:26:12 ----HD---- C:\WINDOWS\inf
2008-11-30 22:26:06 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-30 21:24:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-30 21:24:31 ----D---- C:\Program Files\Internet Explorer
2008-11-30 16:12:31 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-30 16:11:51 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-11-30 16:09:54 ----D---- C:\Program Files\Common Files\Real
2008-11-30 16:09:50 ----D---- C:\Program Files\Real
2008-11-30 16:06:53 ----D---- C:\Program Files\Yahoo!
2008-11-30 16:01:19 ----RSD---- C:\WINDOWS\Fonts
2008-11-30 15:06:07 ----D---- C:\Temp
2008-11-25 10:30:35 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-25 10:30:34 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2005-03-08 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2005-03-08 24960]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2005-03-08 291456]
R1 DVDVRRdr_xp;DVDVRRdr_xp; C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 141184]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2005-03-08 117760]
R1 UDFReadr;UDFReadr; C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 202496]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
S1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
S1 Cinemsup;Cinemsup; C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 6656]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-09-09 30988]
S1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-15 1477632]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
S3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2005-03-08 24064]
S3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2007-03-10 18816]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-07-18 990592]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2006-07-18 256128]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
S3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-12-22 71496]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2005-03-08 23808]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2007-03-10 47360]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-07-18 728192]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-12-22 34184]
S4 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-12-22 170408]
S4 mferkdk;McAfee Inc.; C:\WINDOWS\system32\drivers\mferkdk.sys [2006-12-22 32008]
S4 mfesmfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfesmfk.sys [2006-12-22 37480]
S4 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-03-02 109608]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-15 405504]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-01-26 520192]
S2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
S2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
S2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-02-26 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-23 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-23 70144]
S3 Emproxy;McAfee E-mail Proxy; C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe [2007-01-12 341584]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-02-25 654848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-02-19 79360]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 McAfee HackerWatch Service;McAfee HackerWatch Service; C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe [2007-02-13 540776]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S4 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
S4 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-24 2458128]
S4 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-01-16 362064]
S4 McRedirector;McAfee Redirector Service; c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe [2007-03-08 256096]
S4 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2006-12-22 144960]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-01-25 643664]
S4 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-03-09 841256]
S4 MskService;McAfee SpamKiller Server; C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe [2005-07-12 963072]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
S4 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-10-03 172032]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2008-12-22 09:25:32

======Uninstall list======

-->c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /appid=MSK /uninstall=1 /interact=1 /script_proactive=0 /start="c:\PROGRA~1\mcafee.com\agent\uninst\mskremui.dll::uninstall.htm"
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
-->MsiExec.exe /I{26792CA7-D87A-4DBE-896B-C2F66B344511}
-->MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1Click DVD Copy 5.1.1.5-->"C:\Program Files\LG Software Innovations\1Click DVD Copy 5\unins000.exe"
ABC (remove only)-->C:\Program Files\ABC\Uninstall.exe
AC-3 ACM Codec-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AC3ACM.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional-->msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Bridge 1.0-->MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Premiere Pro 2.0-->msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Apple Mobile Device Support-->MsiExec.exe /I{AA9768AA-FF0B-4C66-A085-31E934F77841}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Auto Gordian Knot 2.45-->C:\Program Files\AutoGK\uninst.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\setup.exe /REMOVE
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
BigFix-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Data Doctor Recovery NTFS 3.0.1.5-->C:\Program Files\Data Doctor Recovery NTFS\Uninstall.exe
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
DVD X Copy Platinum 5.0.0-->"C:\Program Files\DVDXCopyInternational\Platinum\uninstall.exe"
DVD43 v3.9.0-->"C:\Program Files\dvd43\unins000.exe"
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java DB 10.3.1.4-->MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Development Kit 6 Update 5-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160050}
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard-->C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mp3 To Wave Converter PLUS 2.08-->C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
MPEG AVI DVD Cutter 1-->C:\WINDOWS\cadkasdeinst01e.exe "C:\Program Files\MPEG AVI DVD Cutter 1\"
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
REALTEK GbE & FE Ethernet PCI NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Replay Music 2.51-->C:\WINDOWS\iun6002.exe "C:\Program Files\Replay Music 2\irunin.ini"
Rhapsody Player Engine-->MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Roxio Easy Media Creator 7-->MsiExec.exe /I{A99C6296-A311-4D6C-9602-53B4241921D5}
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Sesame Street Elmo's Art Workshop-->C:\CWONDERS\ELMOSAW\CWRUN.EXE ElmosArtWorkshop UninstallExe
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDBRYCM5K.inf
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spybot - Search & Destroy-->"K:\Spybot - Search & Destroy\unins000.exe"
Total Video Converter 3.11-->"C:\Program Files\Total Video Converter\unins000.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Essentials Media Codec Pack 1.0-->C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 11.2-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
XviD MPEG4 Video Codec (remove only)-->"C:\WINDOWS\system32\xvid-uninstall.exe"

======Security center information======

AV: Avira AntiVir PersonalEdition (outdated)
AV: McAfee VirusScan (disabled) (outdated)
FW: McAfee Personal Firewall (disabled)

System event log

Computer Name: FAMILYROOM
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.

Record Number: 2119
Source Name: Service Control Manager
Time Written: 20081201221644.000000-360
Event Type: information
User:

Computer Name: FAMILYROOM
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

Record Number: 2118
Source Name: Service Control Manager
Time Written: 20081201221644.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: FAMILYROOM
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=370...threatid=132419

Scan ID: {49F8423D-F8A9-488C-8943-1A6E20078192}

User: FAMILYROOM\Owner

Name: Trojan:Win32/Vundo.gen!AE

ID: 132419

Severity: Severe

Category: Trojan

Path Found: clsid:HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};regkey:HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};file:C:\WINDOWS\system32\urqNDVmj.dll

Alert Type: Spyware or other potentially unwanted software

Detection Type: Generic

Record Number: 2117
Source Name: WinDefend
Time Written: 20081201221641.000000-360
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=370...threatid=132419

Scan ID: {C9C72C52-1AC7-4425-BB3F-5F0CCFA35650}

User: FAMILYROOM\Owner

Name: Trojan:Win32/Vundo.gen!AE

ID: 132419

Severity: Severe

Category: Trojan

Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};file:C:\WINDOWS\system32\urqNDVmj.dll

Alert Type: Spyware or other potentially unwanted software

Detection Type: Generic

Record Number: 2116
Source Name: WinDefend
Time Written: 20081201221640.000000-360
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 3006
Message: Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=370...threatid=132419

Scan ID: {10AAAAB6-A216-4325-8A38-BD32132E0DBC}

User: FAMILYROOM\Owner

Name: Trojan:Win32/Vundo.gen!AE

ID: 132419

Severity: Severe

Category: Trojan

Path:

Alert Type: Spyware or other potentially unwanted software

Action: Remove

Error Code: 0x80508022

Error description: To finish removing spyware and other potentially unwanted software, restart the computer.

Record Number: 2115
Source Name: WinDefend
Time Written: 20081201221636.000000-360
Event Type: error
User:

Application event log

Computer Name: FAMILYROOM
Event Code: 5000
Message: McShield service started.

Engine version : 5100.0194

DAT version : 5035.0000



Number of signatures in EXTRA.DAT : None

Names of threats that EXTRA.DAT can detect : None

Record Number: 5
Source Name: McLogEvent
Time Written: 20081204190451.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: FAMILYROOM
Event Code: 0
Message:
Record Number: 4
Source Name: McAfee SiteAdvisor Service
Time Written: 20081204190443.000000-360
Event Type: information
User:

Computer Name: FAMILYROOM
Event Code: 0
Message:
Record Number: 3
Source Name: McAfee HackerWatch Service
Time Written: 20081204190443.000000-360
Event Type: information
User:

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 2
Source Name: Bonjour Service
Time Written: 20081204190440.000000-360
Event Type: information
User:

Computer Name: FAMILYROOM
Event Code: 105
Message: The service was started.

Record Number: 1
Source Name: ATI Smart
Time Written: 20081204190438.000000-360
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Roxio Shared\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------
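The event-log section of the RSIT log above carries the concrete detection evidence: the WinDefend 3004 and 3006 records name Trojan:Win32/Vundo.gen!AE, the CLSID and DLL it registered, and error 0x80508022, which means Defender could not finish removal until the machine reboots. The Python script below, added here as an example and not part of js74's post or of the RSIT tool, parses records in that layout and pulls those facts out. The field names and record boundaries are assumed from the log as shown; the sample input is constructed from the records above, with long messages abbreviated.

```python
"""Triage helper for the RSIT event-log dump posted above (added example, not part
of the post or of the RSIT tool).  It splits the 'Computer Name: ... User:' records
RSIT writes, keeps the WinDefend ones and reports what was detected, which files and
registry keys were named, and whether removal is still waiting on a reboot."""
import re

# Constructed sample in the RSIT layout: a Service Control Manager record plus the
# two kinds of WinDefend record from the post (abbreviated; values as in the log).
SAMPLE_LOG = """\
Computer Name: FAMILYROOM
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.
Record Number: 2119
Source Name: Service Control Manager
User:

Computer Name: FAMILYROOM
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. ...
http://go.microsoft.com/fwlink/?linkid=370...threatid=132419
User: FAMILYROOM\\Owner
Name: Trojan:Win32/Vundo.gen!AE
Severity: Severe
Path Found: clsid:HKLM\\Software\\Classes\\CLSID\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C};file:C:\\WINDOWS\\system32\\urqNDVmj.dll
Record Number: 2117
Source Name: WinDefend
User:

Computer Name: FAMILYROOM
Event Code: 3006
Message: Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.
Name: Trojan:Win32/Vundo.gen!AE
Path:
Action: Remove
Error Code: 0x80508022
Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
Record Number: 2115
Source Name: WinDefend
User:
"""

# A field line is 'Key: value' with a one-to-three-word key starting with a capital;
# that skips the URL and sentence fragments RSIT prints inside the message body.
_FIELD = re.compile(r"^([A-Z][A-Za-z]*(?: [A-Za-z]+){0,2}):\s?(.*)$")
WD_DETECTED, WD_ACTION_FAILED = "3004", "3006"  # WinDefend event codes seen in the post
RESTART_REQUIRED = "0x80508022"  # Defender: the removal completes only after a reboot


def parse_events(text):
    """One dict per record (a record starts at 'Computer Name:').  A repeated key,
    e.g. the alert's own 'User:' plus the empty trailer, keeps its first non-empty value."""
    events, rec = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Computer Name" and rec:
            events.append(rec)
            rec = {}
        if not rec.get(key):
            rec[key] = value
    if rec:
        events.append(rec)
    return events


def split_artifacts(path_found):
    """'clsid:HKLM\\...;file:C:\\...' -> [('clsid', 'HKLM\\...'), ('file', 'C:\\...')]."""
    parts = [p.strip() for p in path_found.split(";") if p.strip()]
    return [(p.partition(":")[0].lower(), p.partition(":")[2]) for p in parts]


def triage(events):
    """Keep the WinDefend records and annotate each with what a helper needs to know."""
    findings = []
    for ev in events:
        if ev.get("Source Name") != "WinDefend":
            continue
        code, err = ev.get("Event Code", ""), ev.get("Error Code", "").lower()
        restart = code == WD_ACTION_FAILED and err == RESTART_REQUIRED
        if code == WD_DETECTED:
            note = "real-time protection caught a change made by this threat"
        elif code == WD_ACTION_FAILED:
            note = "removal needs a reboot to finish" if restart else f"action failed: {err or 'unknown error'}"
        else:
            note = f"unhandled WinDefend event {code}"
        findings.append({"record": int(ev.get("Record Number", "0")), "code": code,
                         "threat": ev.get("Name", ""), "severity": ev.get("Severity", ""),
                         "artifacts": split_artifacts(ev.get("Path Found", "")),
                         "pending_restart": restart, "note": note})
    return findings


def checklist(findings):
    """Unique (kind, location) pairs named by any detection: the clean-up list."""
    return sorted({a for f in findings for a in f["artifacts"]})


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_LOG))
    print(*found, *checklist(found), sep="\n")
```

Run it as-is against the constructed sample, or paste the whole System/Application log section of an RSIT log into `SAMPLE_LOG`; the clean-up list it returns is the set of files and registry keys the detections name, which is what a helper cross-checks against the HijackThis or ComboFix output later in the thread.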

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 31 December 2008 - 01:55 AM

Hello js74,


Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 31 December 2008 - 10:17 AM

I haven't turned on the computer since I posted the HijackThis post, so I don't think it would have changed. I really appreciate your help and look forward to your information.

Thanks

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 31 December 2008 - 01:12 PM

Hello,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 01 January 2009 - 01:19 PM

Ok, I am mostly working from my laptop because the infected PC is such a pain to even get started up. I currently have the network cable disconnected from the infected PC. I downloaded ComboFix to my flash drive from the BleepingComputer site, and then I finally got the infected PC started up in safe mode. I tried to open ComboFix from the flash drive; the hourglass popped up for a few seconds, then it went away and nothing else happened. No prompt, nothing. In the Windows Task Manager, under the Processes tab, ComboFix.exe is shown and it is using 0 of the CPU. Since that didn’t work, I copied ComboFix over to the desktop and tried to open it, with the same effect. Also, I tried downloading ComboFix from the other sites, with the same effect. Am I doing something wrong?

#6 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 01 January 2009 - 03:08 PM

Since I have nothing else to do today, I was able to get my PC to open up in non-safe mode. I tried to get ComboFix to work, with the same effect. I even connected the network cable; still no luck. I tried to type in the addresses you gave me for the downloads and I get the “the page cannot be displayed” screen on each of them. I tried to access the BleepingComputer.com forum, same thing. Finally, I tried to type in the address from my forum topic; it will not load up either. I can access my Yahoo email and some other stuff, but not anything to do with ComboFix or BleepingComputer.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 01 January 2009 - 03:22 PM

Looks like you've been trying for sure... this stuff is just nasty. :) Did you try to rename ComboFix? If not, please do and see if that works. :thumbsup:

tea

#8 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 01 January 2009 - 05:58 PM

I renamed it, copied it over to the desktop, and opened it. It started to do its thing. I got the warning on this attachment when I believe it was backing up the registry. Please advise.

Thanks!

Attached Files



#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 02 January 2009 - 06:37 PM

Hi,

If it will let you run it anyway, then let it run. We can manually back the registry up very easily, like this:

Click Start->Run, enter regedit and click OK. With the cursor on 'My Computer' in regedit, right-click and select Export. Save the file as saved.reg and then exit from regedit.

Let me know! :thumbsup:

tea

#10 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 02 January 2009 - 11:29 PM

I ran ComboFix and let it install the Windows Recovery Console as it suggested. ComboFix restarted the PC, and ComboFix restarted saying “Preparing Log Report. Do not run any programs until ComboFix has finished.” It worked for a little while, then in the blue window it said: “FINDSTR: Cannot open temp01”. Then, after a little while longer, a window popped up. The window has “Windows - No Disk” in the header and “Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c” with the red circle with the “X” in the middle of it in its main body. It gives me the options of Cancel, Try Again, or Continue. I’m not sure what to do now, as it appears ComboFix has stalled out and I don’t yet have a log.

Thanks!

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 02 January 2009 - 11:48 PM

Hi,

Close it out if it hasn't finished yet, then reboot if it hasn't already. When you log back on, open the ComboFix folder and see if there's a .txt file in there. That should be the log I need to see, so please copy and paste it here. :thumbsup:

tea

#12 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 03 January 2009 - 12:19 AM

Here is the log. Thanks for your continued help!

ComboFix 08-12-31.01 - Owner 2009-01-02 21:46:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.104 [GMT -6:00]
Running from: c:\documents and settings\Owner.FamilyRoom\Desktop\thundercat.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jennifer\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\system32\AdCache
c:\windows\system32\AHNTstwa.ini
c:\windows\system32\AHNTstwa.ini2
c:\windows\system32\av.exe
c:\windows\system32\bekehutu.dll
c:\windows\system32\cache329
c:\windows\system32\cjeyvnby.ini
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\eybcbuql.ini
c:\windows\system32\getwn32.dll
c:\windows\system32\gi3
c:\windows\system32\giv
c:\windows\system32\giv\TNK53C0.exe
c:\windows\system32\godidusa.dll
c:\windows\system32\ifufubaj.ini
c:\windows\system32\IN
c:\windows\system32\jehofoku.dll
c:\windows\system32\jPXayccf.ini
c:\windows\system32\jPXayccf.ini2
c:\windows\system32\kivagoyu.dll
c:\windows\system32\lisabavo.dll
c:\windows\system32\lmllm.ini
c:\windows\system32\mavehoya.dll
c:\windows\system32\msnav32.ax
c:\windows\system32\nuwuzeku.dll
c:\windows\system32\oiulkqqh.ini
c:\windows\system32\onmmbqyg.ini
c:\windows\system32\op8
c:\windows\system32\ourmlufe.ini
c:\windows\system32\rntqburm.ini
c:\windows\system32\rqtss.bak1
c:\windows\system32\rqtss.bak2
c:\windows\system32\rqtss.ini
c:\windows\system32\rqtss.ini2
c:\windows\system32\rqtss.tmp
c:\windows\system32\rugahojo.dll
c:\windows\system32\somipeso.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TEC
c:\windows\system32\ttottjpw.ini
c:\windows\system32\vi
c:\windows\system32\wertyu.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\XHRrCfhk.ini
c:\windows\system32\XHRrCfhk.ini2
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\xbssfzcn.job
c:\windows\Tasks\zddfgqfy.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-22 09:25 . 2008-12-22 09:25 <DIR> d-------- C:\rsit
2008-12-22 09:25 . 2008-12-22 09:25 <DIR> d-------- c:\program files\trend micro
2008-12-21 20:01 . 2008-12-21 20:01 <DIR> d-------- c:\program files\Lavasoft
2008-12-21 20:01 . 2008-12-21 20:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-20 22:41 . 2008-12-20 22:41 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-19 22:19 . 2008-12-19 22:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 21:54 . 2008-12-19 22:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-19 21:43 . 2008-12-21 23:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 22:26 . 2008-12-18 22:26 <DIR> d-------- c:\program files\Avira
2008-12-18 22:26 . 2008-12-18 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-17 23:42 . 2008-12-17 23:42 <DIR> d-------- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 19:54 --------- d-----w c:\program files\LimeWire
2008-12-21 17:18 --------- d-----w c:\program files\WildTangent
2008-12-21 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-21 17:15 --------- d-----w c:\program files\Gateway Games
2008-12-21 17:15 --------- d-----w c:\program files\Common Files\Apple
2008-12-19 12:05 --------- d-----w c:\program files\Replay Music 2
2008-12-07 15:16 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-01 04:26 --------- d-----w c:\program files\Windows Defender
2008-11-30 22:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-30 22:09 --------- d-----w c:\program files\Real
2008-11-30 22:09 --------- d-----w c:\program files\Common Files\Real
2008-11-30 22:06 --------- d-----w c:\program files\Yahoo!
2008-11-30 21:58 --------- d-----w c:\documents and settings\Jennifer\Application Data\AdobeUM
2008-11-30 21:12 374 ----a-w c:\documents and settings\Jennifer\Application Data\internaldb6334.dat
2008-11-30 21:11 18,432 ----a-w c:\documents and settings\Jennifer\Application Data\internaldb41.dat
2008-11-30 21:09 555 ----a-w c:\documents and settings\Jennifer\Application Data\internaldb8467.dat
2008-11-21 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-21 02:17 --------- d-----w c:\program files\LG Electronics
2008-11-21 01:26 --------- d-----w c:\documents and settings\Madison\Application Data\LimeWire
2008-11-21 01:05 --------- d-----w c:\documents and settings\Madison\Application Data\Roxio
2008-11-20 22:23 --------- d-----w c:\documents and settings\Jennifer\Application Data\LimeWire
2008-11-15 04:38 --------- d-----w c:\documents and settings\Owner.FamilyRoom\Application Data\LimeWire
2007-03-10 17:08 87,608 -c--a-w c:\documents and settings\Owner.FamilyRoom\Application Data\ezpinst.exe
2007-03-10 17:08 47,360 -c--a-w c:\documents and settings\Owner.FamilyRoom\Application Data\pcouffin.sys
2007-02-25 17:59 6 -c--a-w c:\program files\Beizhu.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-10-03 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\tigahifa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"mixer"= APTRRNTm.dll
"wave"= APTRRNTm.dll
"vidc.dvsd"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\windows\system32\gplgcwuh.exe c:\windows\system32\gplgcwuh.exe:changelist\0c:\windows\system32\hhvtipsd.exe c:\windows\system32\hhvtipsd.exe:changelist\0c:\windows\system32\sdubamzt.exe c:\windows\system32\sdubamzt.exe:changelist\0c:\windows\system32\fvrzfpcb.exe c:\windows\system32\fvrzfpcb.exe:changelist\0autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.FamilyRoom^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Owner.FamilyRoom\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-13 21:59 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 12:26 694272 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a--c--- 2005-03-08 19:13 1695744 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcupdate.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\lsupdatemanager.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\sz8021\\8021_6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{935b3331-5323-11db-8b52-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 11:32]

2008-12-18 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 11:32]

2009-01-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-bofakidibe - c:\windows\system32\vagiwara.dll
HKLM-Run-CPM97f4074d - c:\windows\system32\tigahifa.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
ShellExecuteHooks-{89FF7118-66BD-4506-A11E-30F7A60110EC} - (no file)
Notify-urqNDVmj - urqNDVmj.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5216
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 21:59:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*NULL*Version]
@Security="Inherited"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*u |·*NULL*]
@Security=(SE_DACL_PRESENT SE_SACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL @SACL)
@Owner=Administrator
@SACL=
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.22.0.0"
"DeviceInstanceIds"=multi:"d:\\i386\\apps\\app32421\\driver\\2kxp_inf\\cx_31138.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\
 € À]
@Security=(SE_DACL_PRESENT SE_SACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL @SACL)
@Owner=Administrator
@SACL=
"DisplayName"="????\01"
"DeviceDesc"="????\01"
"ProviderName"="?\11???\11\08"
"MFG"="?"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\11??\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"d:\\i386\\apps\\app32749\\smbus\\smbusati.inf\00"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*NULL*Version]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-3822432871-2916185198-988597572-1006
@Allowed: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-01-02 23:13:22 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-03 05:13:15

Pre-Run: 60,356,857,856 bytes free
Post-Run: 61,414,912,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

382 --- E O F --- 2009-01-03 05:12:46

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 03 January 2009 - 12:22 AM

Hi there,

You're welcome. :thumbsup: Could I see a new HijackThis log as well please? How is it running now?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 js74

js74
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:59 AM

Posted 03 January 2009 - 01:03 AM

It seems to be working much better! I am currently installing some Windows updates that seemed to have been blocked by the malware for a while. So, should this thing still work well when one of my other family members is signed in? Here is the HijackThis log. If you need anything else, let me know. Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:47 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
K:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T5216
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: c:\windows\system32\tigahifa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6771 bytes
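A first-pass triage of lines in this HijackThis format, added here as an example; it is not part of the thread and not HijackThis or ComboFix code. The log sample is constructed (a few lines in the same shape as the log above), and the rules (a non-empty AppInit_DLLs value, "(no file)" orphans, Run values with no command or with a DLL target, services with an unknown owner) are the reviewer's own reading of the entries discussed in this thread.

```python
import re

# Constructed sample (a few lines, not the log above) in the shape HijackThis
# v2.0.2 writes, covering the entry kinds that matter in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKCU\\..\\Run: [Power2GoExpress] NA
O4 - HKCU\\..\\Run: [bofakidibe] C:\\WINDOWS\\system32\\vagiwara.dll
O20 - AppInit_DLLs: c:\\windows\\system32\\tigahifa.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")  # "O4 - ..." report lines
RUN_RE = re.compile(r"^HK[^:]*\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # O4 Run entries

def parse_hjt(text):
    """Return (section, body) for every R*/O* entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Flag the entry shapes a helper checks first when reading a HJT log."""
    findings = []
    def flag(section, target, severity, reason):
        findings.append({"section": section, "target": target,
                         "severity": severity, "reason": reason})
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            target = body.split(":", 1)[1].strip()
            if target:  # an empty AppInit_DLLs value is the normal state
                flag(section, target, "high",
                     "AppInit_DLLs is loaded into every process that maps user32.dll")
        elif body.endswith("(no file)"):
            flag(section, body, "low",
                 "orphaned registration: the registered object has no file on disk")
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and m.group(2) == "NA":
                flag(section, m.group(1), "medium",
                     "Run value with no command: leftover of a removed program or loader")
            elif m and re.search(r"\.dll\b", m.group(2), re.I):
                flag(section, m.group(1), "high",
                     "Run value loads a DLL; once deleted it gives 'Error loading <dll>' at logon")
        elif section == "O23" and " - Unknown owner - " in body:
            flag(section, body, "info",
                 "service binary has no recognised publisher: check its signature by hand")
    return findings
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the five findings for the sample; the "info" entry for the ATI service is a prompt to verify, not a verdict, since the same line appears in a clean log.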

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:59 AM

Posted 03 January 2009 - 01:35 AM

Hello,

If you clean this from an admin account, which I know you have, it will work when others sign in to their respective accounts. :thumbsup: I'm glad it's better, and you're welcome. :)

One more scanner, then we'll see what might be left. You had a nasty rootkit!

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea



