
HijackThis Log for XP with bolenja, bolenjx?


This topic is locked
31 replies to this topic

#1 GRBrown
  • Members
  • 21 posts

Posted 14 January 2009 - 01:47 AM

Hi Everyone,

First of all let me extend my gratitude for any assistance, or for that matter any attempts at providing assistance, that those on this forum provide. It is most definitely appreciated in the extreme. Secondly, let me apologize in advance if I somehow misstep and don't follow the correct protocols for an initial post. The computer that is having difficulties is actually my Back of House Computer for a store that I own, and I just happened to have HijackThis with me, so I ran it, copied the log, and am now posting what I've got. If more information is needed just let me know and I will gladly provide it. So, without further ado, the problems I'm having:

Windows XP Computer
This is the Back of House computer for my store which Runs the AlohaQS Software (Basically a Cash Register Program) for my actual front cash register.
Definite Uglies on the Computer are Bolenja.exe and Bolenjx.exe... there may very well be others.
Some industrious employee got on the computer when it wasn't locked down and managed to mess things up pretty thoroughly.
In addition to the distinct Spyware items, there are also a number of misguided attempts to perhaps fix what they broke.
Record/Logs with names like Spy-Rid, spyguard.exe,

Also when the computer boots up into Windows XP it pops up an error message that reads the following:

C:\WINDOWS\shell.exe Windows cannot find C:\WINDOWS\shell.exe. Make sure you type the name correctly and then try again.

I close this window out and then I have access to my files and folders, but cannot access the Control Panel (it's not even listed) and periodically I get an error message that indicates that access to the Registry Editor (or regedit) has been disabled by the administrator. Or something to that effect.

Well those are the basics and here is the HiJackThis log for my computer as well as the startuplist. Any help would be great. Thanks again in advance. Sincerely G.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:52 PM, on 1/13/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\ctfmon.exe
C:\AlohaQS\bin\CTLSVR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper8.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\ssqqpqo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKLM\..\Run: [bolenjx] bolenjx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-21-2248645817-3289682256-113954702-1009\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: http://192.168.2.1
O15 - Trusted IP range: http://192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O20 - Winlogon Notify: ssqqpqo - C:\WINDOWS\SYSTEM32\ssqqpqo.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VHJvcGljYWwgU21vb3RoaWUgVHJvcGljYWwgUw\command.exe (file missing)
O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6390 bytes

And then here is the startuplist....

StartupList report, 1/13/2009, 11:13:56 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Alohboh\Desktop\HJackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\ctfmon.exe
C:\AlohaQS\bin\CTLSVR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
lsass = C:\WINDOWS\lsass.exe
bolenja = bolenja.exe
bolenjx = bolenjx.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\kus109.dat

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\shell.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\SS3DFO.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\APPHEL.dll - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3}
e404 helper - C:\Program Files\Helper\Helper8.dll - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
(no name) - C:\WINDOWS\system32\ssqqpqo.dll - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job
At2.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
ISP signup reminder 1.job
Norton AntiVirus - Scan my computer - Alohboh.job
PCA.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8204.5217939815

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\system32\multikz.exe||C:\Documents and Settings\Alohboh\Application Data\xvvid.nsf||C:\Documents and Settings\Alohboh\Application Data\xvvid.nsf|||n

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,334 bytes
Report generated in 0.062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Any thoughts? :thumbsup:
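The symptoms in the post above (the "cannot find C:\WINDOWS\shell.exe" error at boot, the missing Control Panel, regedit "disabled by the administrator") each line up with a specific line type in the HijackThis log: the F2 Shell= value, the O7 policy entries, the O4 Run entries that are bare filenames or core OS names outside system32, the O20 AppInit_DLLs value, and the O23 service with an unknown owner and a missing binary. The following script is an added example (not part of this thread and not a HijackThis or BleepingComputer tool) that parses HijackThis 2.x log lines and flags those patterns; the heuristic rules and the sample lines are assumptions constructed for the example, and a flagged line is a triage hint for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not from the thread).

Parses the section tag (R1, F2, O4, O7, O20, O23, ...) and applies a few
heuristics that map onto the symptoms reported in the first post. The
rules are this example's own assumptions, not HijackThis logic.
"""
import re
from dataclasses import dataclass

# On Windows XP these names are only legitimate under %SystemRoot%\system32.
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "csrss.exe"}

LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")

@dataclass
class Finding:
    tag: str
    reason: str
    line: str

def _run_target(body):
    # O4 bodies look like: HKLM\..\Run: [name] C:\path\prog.exe [args]
    m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", body)
    return (m.group("name"), m.group("target").strip()) if m else (None, body)

def triage_line(line):
    """Return a list of Finding objects for one log line (empty if benign)."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return []
    tag, body = m.group("tag"), m.group("body")
    findings = []
    if tag == "F2" and "Shell=" in body:
        # A healthy Shell= value is exactly "Explorer.exe"; anything chained
        # after it is started by winlogon alongside the desktop.
        parts = body.split("Shell=", 1)[1].split()
        if [p.lower() for p in parts] != ["explorer.exe"]:
            findings.append(Finding(tag, "extra program chained onto Shell=", line))
    elif tag == "O4":
        _name, target = _run_target(body)
        if target and "\\" not in target:
            # No path at all: resolved via PATH search order at logon.
            findings.append(Finding(tag, "Run entry is a bare filename with no path", line))
        elif target:
            basename = target.rsplit("\\", 1)[-1].split()[0].lower()
            if basename in SYSTEM32_ONLY and "\\system32\\" not in target.lower():
                findings.append(Finding(tag, "system binary name running outside system32", line))
    elif tag == "O7" and re.search(r"DisableRegedit\s*=\s*1", body):
        findings.append(Finding(tag, "registry editor disabled by policy", line))
    elif tag == "O20" and body.startswith("AppInit_DLLs:"):
        val = body.split(":", 1)[1].strip()
        if val and not val.lower().endswith(".dll"):
            findings.append(Finding(tag, "AppInit_DLLs loads a non-.dll file into every process", line))
    elif tag == "O23" and "Unknown owner" in body and "(file missing)" in body:
        findings.append(Finding(tag, "service from unknown vendor whose binary is missing", line))
    return findings

def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    out = []
    for ln in text.splitlines():
        out.extend(triage_line(ln))
    return out

# Constructed sample: a handful of lines modelled on the log in the first post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\EXAMPLE\command.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.tag:4} {f.reason}\n     {f.line}")
```

Run against the sample, the script flags six of the seven lines and leaves the SoundMAXPnP entry alone, because a fully qualified path to a vendor directory matches none of the rules. The same approach extends to the StartupList report further down (its "Shell=" and "AppInit_DLLs=" lines carry the same values in a slightly different layout), but the rules here are deliberately narrow: they confirm what the log already shows rather than replace a scanner.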



#2 fenzodahl512
  • Members
  • 6,738 posts

Posted 14 January 2009 - 05:03 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 GRBrown
  • Topic Starter
  • Members
  • 21 posts

Posted 14 January 2009 - 06:43 PM

Hey Fenzodahl,

Thank you very much for the guidance thus far. Here's where I am at regarding the directions you provided.

First, Malwarebytes would not install with a normal bootup. Each time I tried, it got cut off, often before the actual installation even began. Even changing the name of the executable file did not change this behavior (I tried this because it was required for getting HijackThis to run originally). So ultimately I rebooted into Safe Mode on Windows XP and I was finally able to install Malwarebytes; but as such Malwarebytes was run with Windows in Safe Mode (I'm just not sure if that affects the results).

Malwarebytes was run successfully, and I followed your procedures exactly. It seems most of the files it tagged were quarantined as opposed to deleted, but perhaps this is the norm. Upon reboot it did do an additional chkdsk scan and some other exciting stuff before loading Windows... which I assume was simply a part of the "deleting files that have to be deleted on reboot" process that Malwarebytes prompted me on.

Once the computer finished the "extra procedures" and fully booted into windows, I noticed that I still do not have a Control Panel Option.

I then installed and ran both RSIT and GMER, which installed without difficulty and ran fine with a normal Windows XP bootup.

The only other quirk is the following "Warning Message" popped up at various times (which was present before, and I assume is a portion of the Malware on the computer).

It said:

Windows Security Alert

Warning! Potential Spyware Operation! Your computer is making unauthorised copies of your system and Internet files. Run full scan now to prevent any unauthorised access to your files! Click YES to download Spyware Remover ...

It only allowed a Yes or No option, as the close (X) option was greyed out.

Well that gives you all the details of the procedures you outlined, so as you requested I will now post the logs from each of the steps you requested in their own sections.

Thanks again for all the help and I look forward to your next suggestions.

Sincerely,

GRBrown

#4 GRBrown
  • Topic Starter
  • Members
  • 21 posts

Posted 14 January 2009 - 06:45 PM

Here is the Malwarebytes Log:


Malwarebytes' Anti-Malware 1.32
Database version: 1653
Windows 5.1.2600 Service Pack 1

1/14/2009 5:16:16 PM
mbam-log-2009-01-14 (17-16-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 339339
Time elapsed: 34 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 126
Registry Values Infected: 10
Registry Data Items Infected: 8
Folders Infected: 8
Files Infected: 132

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\ddccc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ssqqpqo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xlibgfl254.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c58094f-50e6-44bb-b816-b1bf6a5aff3e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c58094f-50e6-44bb-b816-b1bf6a5aff3e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a397109a-f3bb-4b2e-87c8-d1371cd4ea05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a397109a-f3bb-4b2e-87c8-d1371cd4ea05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqqpqo (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06dbc41d-b12e-4133-876a-64e0c8fdd1d3} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{06dbc41d-b12e-4133-876a-64e0c8fdd1d3} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f10587e9-0e47-4cbe-84ae-7dd20b8684bb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f10587e9-0e47-4cbe-84ae-7dd20b8684bb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popupblocker.iegpb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popupblocker.iegpb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw.2 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0037f041-5ec7-46aa-be24-6b4e01215611} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{01181392-ea52-4aef-88fa-1cbcd8de6825} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{012c872d-6d66-499a-b69d-4a9c63690262} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07a25120-a92b-4baa-a514-eed6667d6d83} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07c02614-ef46-41a4-88c9-2a867848b31d} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{102c560b-d15c-4ba1-b163-7bb4acd26c34} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{12c7b02f-145d-46a4-b2e8-4255b601230a} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{13c1e692-405a-430c-9ac7-3c274369ff71} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{15e0b9d1-6869-4b44-b64d-f60a350e725c} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{165bc2ec-0b03-4bd6-9e60-6323427b01ed} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1690de52-5b60-42ca-9688-16b1a233094c} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{170b0977-27ea-426e-9b38-febab1724a1f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a8af5b9-87c4-454a-965f-8b1e00a51d93} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1b01b4f2-4cc1-4154-ab18-20a0bc553d24} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1bc793ee-2447-4034-858a-de65d6d2bec9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f5cf3c9-f384-4bce-b9a1-c5a00c6f2872} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{26ab4ac4-23d3-4004-b9d8-bff54166503c} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b68f0b9-3294-4e83-b026-d30894a6b062} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{354242fc-4dde-48fd-9960-8801b4cf5cf4} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{36d8eec8-86fe-41ab-917d-b1db221347fc} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{39038d48-70ac-4b19-beb8-88cad47f2deb} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4689349f-0b3a-4698-a404-2e81c9b05acc} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d56ddff-895a-438f-9b16-54618b3a47f7} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e30c4b0-1fb1-427d-90b3-be85c877b236} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4f3145e3-67de-4654-9eaf-d72133fe65e7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4fb926ad-73e7-4bf5-bbf1-58a8f3eeb289} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59da55f2-d42c-492e-8cee-897717d47877} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{605196d3-a6cc-43ac-8104-e8cdca25ef58} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{627fb506-61e4-4d02-bdaf-bfd38c75e43f} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{65b96902-f3e3-4391-a523-848f1d30b12b} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6fe6d492-28b1-4a8d-88e9-22e1e3530da0} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76e3de06-3f95-4b6e-91b4-710498e437f4} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89107b18-d3d4-46cb-8045-1af57b8c4535} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8c4e45a4-fdbc-4de0-8d1f-4ec38d4f3023} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ed41818-1cb1-4d9e-8a21-4f7edf9b59c3} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{957de9d3-6ca7-4e7e-aa1d-3d13eb7cf99b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a914b7cf-086d-4fe0-9108-3d72b97e5c2c} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a9e3320e-52a9-4cb1-892f-ae8088d68a8e} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa958db8-1102-4091-ac05-ecbc7b2e426d} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ad33aad5-f364-430f-8e2d-ce034150afdf} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae539347-f840-4c45-83d2-6e9225a3ec62} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae57830d-be33-4935-9d91-62f2eb0e8be3} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b6a908fa-6237-4791-ac61-8b6a28add9b6} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c7eb7da1-0b05-40d5-b73a-4b5ea77e7d67} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca27a95a-2b8c-478d-af5e-2e1761467eb4} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb32d487-2bdb-49ed-8b75-8ebfe6b0990b} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cc789624-c0d2-469b-a34b-fc32117194e9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cda873d3-a380-4b32-b4b7-a25d2e63cdba} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf612595-40eb-443d-9bc2-2165aba6352f} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dcd09900-b1db-4855-a41a-6245c1b2bcba} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2e7d7e7-ea40-4cc3-89fb-fc6c43c8ca77} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e3cd3689-b032-4d47-8d5f-d886628914a6} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4fb5b1d-83e5-4df3-892d-1a0e48f91e75} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e52bddde-b92c-4174-8247-21d9118fa036} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e5a292c6-2ce5-4702-b1fc-1f9d5f7f810d} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e691676d-381a-4fa2-8188-f8597aa5e789} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e6c3097f-1cf8-4563-8318-d25ccaaa1191} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e779dc78-51e9-4630-a8d4-c9ae3548c6c7} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e8e367a1-57d1-49cb-b1b0-192b95bd5e6a} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e9c36375-c7a5-45f7-8b78-ad56965903e7} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebeabc4b-ae96-45cf-b5c8-fef6364a6d41} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ef9aa426-50f9-4d27-94ba-8844a165ddd5} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f084f574-f1b6-4e2b-9338-b321082693fc} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f4d40fe2-8fef-45b0-8ddc-8fbd080e6a37} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f6185cf5-6a50-4be8-8f13-c4b8a13641f9} (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fecb6f44-0b53-43c3-b5e8-aa03ece60aa9} (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d2436533-33f9-495c-9cd9-daf21e67ffeb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ea7522f6-87cf-411e-8a55-19ee4344b676} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{80cc53df-d8b9-44b1-8c3c-20fac46265d0} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8d25bb2a-dd6e-4244-89ed-9fe0628e852a} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e28b42f8-56a7-4828-8a74-002f4177204d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0dca13e-41d3-5d2f-895d-3be6738708ec} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agents) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\webinst.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\InfeStop (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\pblock.DLL (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c8d6e0c (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddccc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Vundo) -> Data: xlibgfl254.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\SpyGuardPro (Rogue.SpyGuardPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\rkyseb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddccc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\cccdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cccdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssqqpqo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\kckryigt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tgiyrkck.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nktfpuil.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\liupftkn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\norbtymc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cmytbron.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ybokoqwl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lwqokoby.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\APPHEL.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xlibgfl254.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Helper\Helper8.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\webinst.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\wsusupd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\nvsvc1024.dll (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Desktop\From Program Files\3269.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Desktop\From Program Files\ucleaner_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Desktop\Temp probably spyware pulled from docnsettings alohaboh appdata\sysfixer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\.tt301.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\16power.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\3264.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\32look.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\32mon.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\32win.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\6464.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\64win.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\agent16.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\agentpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\agentsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\agentsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\agentwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\host32.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\hostagent.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\hostpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\hostsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\hostwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\lookhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\looksv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\mon32.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\monlook.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\monsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\powerhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\powerlook.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\powersv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\powerwin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\serverhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\serverpower.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\svsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\syn16.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\synsv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\synsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\sys64.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\sysagent.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\sysserver.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\syssyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\syswin.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\winhost.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\winserver.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\winsyn.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\winsys.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XYROPMB\3269[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XYROPMB\spoolsv[1].exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\CAH8IHTB (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\CAIFWPIV (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\I12RSBID\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\I12RSBID\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temporary Internet Files\Content.IE5\P80STL4W\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\spoolsv.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\TTC.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\MSN\niqyrezim4444.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\MSN\niqyrezim83122.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP238\A0770145.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0800289.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0800290.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}(2)\RP226(2)\snapshot(2)\MFEX-6020.DAT (Trojan.Fakealert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\hgghghe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iifghge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mkpiffi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qomkifg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rqrpolk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tuvstsq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vdqrnjiw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wlcq.dll (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\abc2\bmbrpl2.exe (Trojan.ZQuest) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\dhlp.sys (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS (Rootkit.Agents) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hel9\pozpwb23.exe (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\oc9\qopre83122.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.len (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\yazzsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Local Settings\Temp\wavvsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Media\temp.bat (Spyware.Delf) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bolenja.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\spoolvs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\users32.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wowfx.dll (Trojan.QHost) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\InfeStop.lnk (Rogue.InfeStopRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\Spy-Rid remover.lnk (Rogue.Spy-Rid) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\Microsoft\Internet Explorer\Quick Launch\Easy Spyware Cleaner.lnk (Rogue.EasySpywareCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\b122.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mgrs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Spyware Remover.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Casino.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Free Online Dating.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Program Files\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

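The Malwarebytes log above and the RSIT/HijackThis log in the next post show the same infection from two angles: core process names sitting in the wrong directory (C:\WINDOWS\lsass.exe, C:\Program Files\smss.exe), a two-letter transposition of a real one (spoolvs.exe), Run entries that name a bare executable instead of a full path (bolenja.exe), an AppInit_DLLs value pointing at a .dat file, a Winlogon Notify DLL under \WINDOWS\Media, and policy values that switch off Regedit and Task Manager. The script below is an added example written for this page; it is not part of the posted logs and is not code from Malwarebytes, HijackThis or RSIT. It runs those checks over a handful of lines copied from the two logs, and goes slightly beyond the thread in that the same path rules apply to both log formats, since both are path-centric. The reserved-name list, the edit-distance threshold of 2, and the choice of "Application Data" and "Local Settings\Temp" as the user-writable directories worth flagging are this example's own assumptions.

```python
"""Triage of persistence entries from the logs posted in this thread.

Added example, not part of the posted logs or of Malwarebytes/HijackThis/RSIT.
SAMPLE_LOG is copied from the user's output; rules and thresholds are assumptions.
"""
from __future__ import annotations

import re
from typing import Iterable

# Core XP processes that only run from %SystemRoot%\System32 (assumed list). The
# same name elsewhere (C:\WINDOWS\lsass.exe, C:\Program Files\smss.exe) is a masquerade.
RESERVED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "svchost.exe", "spoolsv.exe"}
WINDIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
# Drive-letter path ending in a loadable image; non-greedy so spaces in names survive.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|dat|sys|ocx)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short filenames, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _under(directory: str, root: str) -> bool:
    """True when directory is root itself or any subdirectory of it."""
    return directory == root or directory.startswith(root + "\\")


def _check_path(path: str) -> list[str]:
    """Findings for one image path, regardless of which log format it came from."""
    out = []
    directory, _, name = path.lower().rpartition("\\")
    if name in RESERVED:
        if directory != SYSTEM32:
            out.append(f"{name} outside System32 (masquerading as a core process): {path}")
    else:
        # spoolvs.exe vs spoolsv.exe is distance 2; the threshold is an assumption.
        near = [r for r in sorted(RESERVED) if _edit_distance(name, r) <= 2]
        if near:
            out.append(f"{name} is a near-miss of {near[0]} (typosquat): {path}")
    if _under(directory, WINDIR) and not _under(directory, SYSTEM32) and name != "explorer.exe":
        out.append(f"image under %SystemRoot% but not in System32: {path}")
    if r"\application data" in directory or r"\local settings\temp" in directory:
        out.append(f"image in a user-writable profile directory: {path}")
    return out


def triage_line(line: str) -> list[str]:
    """Return findings for one log line; an empty list means nothing stood out."""
    low = line.strip().lower()
    findings = []
    if low.startswith("o2 -") and "(no name)" in low:
        findings.append("BHO with no name: unlabeled DLL loaded into Internet Explorer")
    if low.startswith("o4 -") and not PATH_RE.search(line):
        findings.append("Run entry with unqualified image name (resolved via the search path)")
    if low.startswith("o7 -"):
        findings.append("policy lockout: Regedit/Task Manager disabled by policy value")
    if low.startswith("o20 - appinit_dlls:"):
        findings.append("AppInit_DLLs is set: DLL injected into every process that loads user32")
    for m in PATH_RE.finditer(line):
        findings.extend(_check_path(m.group(0)))
    return findings


def triage(lines: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious line to its findings; clean lines are dropped."""
    report = {}
    for raw in lines:
        hits = triage_line(raw)
        if hits:
            report[raw.strip()] = hits
    return report


# Lines copied from the Malwarebytes and RSIT/HijackThis output posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\bolenja.exe
C:\AlohaQS\bin\CTLSVR.EXE
O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE
C:\WINDOWS\SYSTEM32\spoolvs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alohboh\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(line, *("   -> " + h for h in hits), sep="\n")
```

Run as-is and it prints the nine flagged lines with a reason for each; the legitimate entries (smss.exe in System32, ctfmon.exe, and the CTLSVR.EXE service that belongs to the store's AlohaQS software) come through clean. It is a triage aid for reading a log like the ones in this thread, not a verdict: a line it does not flag has merely passed these few rules.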
#5 GRBrown (Topic Starter)
Posted 14 January 2009 - 06:46 PM

Here is the RSIT LOG.TXT file:


Logfile of random's system information tool 1.05 (written by random/random)
Run by Alohboh at 2009-01-14 17:28:01
Microsoft Windows XP Home Edition Service Pack 1
System drive C: has 65 GB (85%) free of 76 GB
Total RAM: 510 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:18 PM, on 1/14/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\bolenja.exe
C:\WINDOWS\bolenjx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AlohaQS\bin\CTLSVR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Alohboh\Desktop\RSIT.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\trend micro\Alohboh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKLM\..\Run: [bolenjx] bolenjx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: http://192.168.2.1
O15 - Trusted IP range: http://192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kus109.dat
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6142 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Alohboh.job
C:\WINDOWS\tasks\PCA.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06DBC41D-B12E-4133-876A-64E0C8FDD1D3}]
C:\WINDOWS\System32\APPHEL.dll [2002-08-29 84480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2003-09-17 844048]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - Norton Internet Security - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2004-10-28 103568]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2005-01-10 218736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2008-01-21 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe []
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [2008-01-21 221184]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe []
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe [2008-01-21 172032]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-01-21 1404928]
"bolenja"=C:\WINDOWS\bolenja.exe [2009-01-14 5120]
"bolenjx"=C:\WINDOWS\bolenjx.exe [2009-01-14 14336]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe [2002-08-29 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bolenja]
C:\WINDOWS\bolenja.exe [2009-01-14 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bolenjx]
C:\WINDOWS\bolenjx.exe [2009-01-14 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-03-23 58992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-01-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe [2008-01-21 218240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe [2008-01-21 100056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kus109.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csfdll]
C:\WINDOWS\Media\smartwarxyu.dll [2007-12-21 51712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINDOWS\system32\PCANotify.dll [2003-10-31 8704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoControlPanel"=1
"NoWindowsUpdate"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Alohboh\Application Data\printer.exe"="C:\Documents and Settings\Alohboh\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\System32\printer.exe"="C:\WINDOWS\System32\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\System32\spoolvs.exe"="C:\WINDOWS\System32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\system32\winav.exe"="%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe"="C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\pcant.exe"="C:\Documents and Settings\Alohboh\Application Data\pcant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe"="C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe"="C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\trant.exe"="C:\Documents and Settings\Alohboh\Application Data\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe"="C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Documents and Settings\Alohboh\Application Data\printer.exe"="C:\Documents and Settings\Alohboh\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\System32\printer.exe"="C:\WINDOWS\System32\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\System32\spoolvs.exe"="C:\WINDOWS\System32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Alohboh\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\system32\winav.exe"="%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe"="C:\Documents and Settings\Alohboh\Application Data\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\pcant.exe"="C:\Documents and Settings\Alohboh\Application Data\pcant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe"="C:\Documents and Settings\Alohboh\Application Data\sysfixer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe"="C:\Documents and Settings\Alohboh\Application Data\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\trant.exe"="C:\Documents and Settings\Alohboh\Application Data\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe"="C:\Documents and Settings\Alohboh\Application Data\avsyscare.exe:*:Enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2009-01-14 17:28:01 ----D---- C:\rsit
2009-01-14 17:28:01 ----D---- C:\Program Files\trend micro
2009-01-14 17:24:00 ----A---- C:\WINDOWS\System32\multikz.exe
2009-01-14 16:38:39 ----D---- C:\Documents and Settings\Alohboh\Application Data\Malwarebytes
2009-01-14 16:28:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-14 16:28:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-14 13:01:29 ----A---- C:\WINDOWS\bolenjx.exe
2009-01-07 15:45:22 ----A---- C:\WINDOWS\bolenja.exe
2009-01-07 14:00:42 ----D---- C:\WINDOWS\pss
2008-12-29 05:34:02 ----A---- C:\WINDOWS\System32\07aeaa72-.txt
2008-12-29 05:33:49 ----ASH---- C:\WINDOWS\System32\llkkj.ini

======List of files/folders modified in the last 3 months======

2009-01-14 17:28:01 ----RD---- C:\Program Files
2009-01-14 17:24:53 ----D---- C:\WINDOWS\Temp
2009-01-14 17:24:26 ----A---- C:\WINDOWS\ModemLog_BCM V.90 56K Modem.txt
2009-01-14 17:24:19 ----D---- C:\WINDOWS\Debug
2009-01-14 17:24:00 ----D---- C:\WINDOWS\SYSTEM32
2009-01-14 17:23:56 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-14 17:18:18 ----D---- C:\WINDOWS\System32\DRIVERS
2009-01-14 17:18:18 ----D---- C:\WINDOWS
2009-01-14 17:17:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\oc9
2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\hel9
2009-01-14 17:16:15 ----D---- C:\WINDOWS\System32\abc2
2009-01-14 17:16:14 ----D---- C:\Program Files\Helper
2009-01-14 16:31:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-14 16:27:25 ----D---- C:\WINDOWS\Prefetch
2009-01-14 13:03:25 ----D---- C:\AlohaQS
2009-01-12 10:18:09 ----A---- C:\WINDOWS\WIN.INI
2009-01-07 15:47:13 ----RASH---- C:\BOOT.INI
2009-01-07 15:47:13 ----A---- C:\WINDOWS\SYSTEM.INI
2009-01-07 15:35:31 ----RD---- C:\WINDOWS\Web
2009-01-07 15:35:00 ----A---- C:\WINDOWS\System32\bolenjcfa.txt
2009-01-05 14:36:05 ----D---- C:\WINDOWS\System32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AW_HOST;AW_HOST; C:\WINDOWS\system32\drivers\aw_host5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [2003-04-21 10901]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS []
R1 ShldDrv;Panda File Shield Driver; C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys [2007-05-23 38968]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-01-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-01-14 23219]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R2 ASCTRM;ASCTRM; C:\WINDOWS\System32\drivers\ASCTRM.sys [2004-06-23 8552]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-02-27 40480]
R2 hardlock;hardlock; \??\C:\WINDOWS\System32\drivers\hardlock.sys []
R2 Haspnt;Haspnt; \??\C:\WINDOWS\System32\drivers\Haspnt.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 PavProc;Panda Process Protection Driver; \??\C:\WINDOWS\System32\DRIVERS\PavProc.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\System32\drivers\symlcbrd.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-03-15 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-03-15 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-03-15 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-03-15 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-03-15 85972]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-03-15 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-03-15 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-03-15 98580]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-03-15 100597]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136]
R3 BCMModem;BCM V.90 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMDM.sys [2001-08-17 871388]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2005-10-21 49920]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2005-10-21 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2005-10-21 21568]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050615.008\NAVENG.Sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050615.008\NavEx15.Sys []
R3 SAVRT;SAVRT; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS []
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-11-18 591808]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2003-08-02 28160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2003-08-02 25216]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2003-08-02 53120]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2003-08-02 19328]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2002-08-29 37504]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\System32\drivers\bvrp_pci.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-17 138240]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-17 12672]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-17 12288]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-17 12032]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-17 12160]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-17 18688]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-17 29440]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-17 19456]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys [2001-08-17 44928]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-17 31104]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-17 23680]
S3 IntelC51;IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [2004-03-05 1233525]
S3 IntelC52;IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [2004-03-05 647929]
S3 IntelC53;IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [2004-03-05 60949]
S3 mohfilt;mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [2004-03-05 37048]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-08-28 891711]
S3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-04-05 11512]
S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-04-05 173208]
S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-04-05 36984]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050512.030\symidsco.sys []
S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-04-05 47192]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2001-08-17 25472]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2001-08-17 29056]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2001-08-17 27648]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2001-08-17 27648]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2002-08-29 4736]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2001-08-17 26112]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 27392]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-03-23 198256]
R2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2005-03-23 235120]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-03-23 165488]
R2 CtlSvr;CtlSvr; C:\AlohaQS\bin\CTLSVR.EXE [2002-02-24 1703936]
R2 ISSVC;ISSvc; C:\Program Files\Norton Internet Security\ISSVC.exe [2005-04-18 83584]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
R2 navapsvc;Norton AntiVirus Auto-Protect Service; C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe [2005-01-10 177264]
R2 PavPrSrv;Panda Process Protection Service; C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe [2007-06-14 63024]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-05-06 822424]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2002-08-29 250368]
S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2005-01-10 67184]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2003-10-31 106496]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-03-23 79472]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SAVScan;SAVScan; C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe [2005-03-07 198368]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2004-07-21 173160]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]

-----------------EOF-----------------

#6 GRBrown
  • Topic Starter
  • Members
  • 21 posts

Posted 14 January 2009 - 06:48 PM

Here is the RSIT INFO.TXT file:


info.txt logfile of random's system information tool 1.05 2009-01-14 17:28:28

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{685A56F8-75B6-44AD-B3DA-FB0A3266B47C}
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Broadcom Management Programs-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Business Contact Manager for Outlook 2003-->MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
CC_ccProxyExt-->MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
ccCommon-->MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
ccPxyCore-->MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support-->MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
DirectX 9 Hotfix - KB839643-->C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
HASP Device Driver-->C:\WINDOWS\System32\UNWISE.EXE C:\WINDOWS\System32\hdd32.log
HijackThis 2.0.2-->"C:\Documents and Settings\Alohboh\Desktop\HijackThis.exe" /uninstall
HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
Intel® 537EP V9x DF PCI Modem-->rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album-->MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins004.exe"
Microsoft .NET Framework 1.1 Hotfix (KB886903)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Small Business Edition 2003-->MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Modem Event Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSRedist-->MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Norton AntiSpam-->MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam-->MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus 2005-->MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security 2005 (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton Internet Security-->MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security-->MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security-->MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security-->MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security-->MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security-->MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security-->MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security-->MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton WMI Update-->MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update-->MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896426)-->"C:\WINDOWS\$NtUninstallKB896426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SPBBC-->MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec pcAnywhere-->MsiExec.exe /I{F05E8183-866A-11D3-97DF-0000F8D8F2E9}
Symantec Script Blocking Installer-->MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet-->MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Ultr@VNC Release 1.0.0 RC 18 - Win32-->"C:\Program Files\UltraVNC\unins000.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player Hotfix [See Q828026 for more information]-->C:\WINDOWS\$NtUninstallQ828026$\spuninst\spuninst.exe
Windows XP Hotfix - KB824105-->C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
Windows XP Hotfix - KB824141-->C:\WINDOWS\$NtUninstallKB824141$\spuninst\spuninst.exe
Windows XP Hotfix - KB833407-->C:\WINDOWS\$NtUninstallKB833407$\spuninst\spuninst.exe
Windows XP Hotfix - KB833987-->C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
Windows XP Hotfix - KB837001-->C:\WINDOWS\$NtUninstallKB837001$\spuninst\spuninst.exe
Windows XP Hotfix - KB839645-->C:\WINDOWS\$NtUninstallKB839645$\spuninst\spuninst.exe
Windows XP Hotfix - KB840315-->C:\WINDOWS\$NtUninstallKB840315$\spuninst\spuninst.exe
Windows XP Hotfix - KB840374-->C:\WINDOWS\$NtUninstallKB840374$\spuninst\spuninst.exe
Windows XP Hotfix - KB841356-->C:\WINDOWS\$NtUninstallKB841356$\spuninst\spuninst.exe
Windows XP Hotfix - KB841873-->C:\WINDOWS\$NtUninstallKB841873$\spuninst\spuninst.exe
Windows XP Hotfix - KB842773-->C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282-IE6SP1-20050127.163319$\spuninst\spuninst.exe
Windows XP Hotfix - KB871250-->C:\WINDOWS\$NtUninstallKB871250$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883939-->"C:\WINDOWS\$NtUninstallKB883939-IE6SP1-20050428.125228$\spuninst\spuninst.exe"
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891711-->C:\WINDOWS\$NtUninstallKB891711$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Hotfix - KB897715-->"C:\WINDOWS\$NtUninstallKB897715-OE6SP1-20050503.210336$\spuninst\spuninst.exe"

System event log

Computer Name: ALOHABOH
Event Code: 26
Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read".

Click on OK to terminate the program

Record Number: 825
Source Name: Application Popup
Time Written: 20081122200340.000000-300
Event Type: information
User:

Computer Name: ALOHABOH
Event Code: 26
Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read".

Click on OK to terminate the program

Record Number: 824
Source Name: Application Popup
Time Written: 20081122200229.000000-300
Event Type: information
User:

Computer Name: ALOHABOH
Event Code: 26
Message: Application popup: regsvr32.exe - Application Error : The instruction at "0x7474ca0c" referenced memory at "0x00851004". The memory could not be "read".

Click on OK to terminate the program

Record Number: 823
Source Name: Application Popup
Time Written: 20081122200119.000000-300
Event Type: information
User:

Computer Name: ALOHABOH
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 239 minutes.
NtpClient has no source of accurate time.

Record Number: 822
Source Name: W32Time
Time Written: 20081122181251.000000-300
Event Type: error
User:

Computer Name: ALOHABOH
Event Code: 17
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Record Number: 821
Source Name: W32Time
Time Written: 20081122181251.000000-300
Event Type: error
User:

Application event log

Computer Name: ALOHABOH
Event Code: 26
Message: Application starting

Record Number: 5
Source Name: ccEvtMgr
Time Written: 20080111070209.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ALOHABOH
Event Code: 1
Message: Application started

Record Number: 4
Source Name: ccSetMgr
Time Written: 20080111070209.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ALOHABOH
Event Code: 26
Message:
Record Number: 3
Source Name: ISService
Time Written: 20080111070209.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ALOHABOH
Event Code: 26
Message: Application starting

Record Number: 2
Source Name: ccSetMgr
Time Written: 20080111070209.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ALOHABOH
Event Code: 26
Message: Application starting

Record Number: 1
Source Name: ccProxy
Time Written: 20080111070209.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"IBERDIR"=C:\AlohaQS
"IBERROOT"=AlohaQS
"NUMBER_OF_PROCESSORS"=1
"NUMTERMS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\;C:\Program Files\Symantec\pcAnywhere\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0207
"ROBUST"=TRUE
"SERVER"=ALOHABOH
"TEMP"=%SystemRoot%\TEMP
"TERMSTR"=TERM
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------

#7 GRBrown
  • Topic Starter
  • Members
  • 21 posts

Posted 14 January 2009 - 06:49 PM

And Finally, here are the GMER scan results:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 17:45:31
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT 822E7F98 ZwConnectPort

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6AF16D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6AEFC2

Code rxnskyhv.dat ObOpenObjectByName

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ObOpenObjectByName 805556C9 6 Bytes JMP F87B8312 rxnskyhv.dat
? rxnskyhv.dat The system cannot find the file specified. !
.text ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[212] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00910429
.text C:\WINDOWS\system32\winlogon.exe[456] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00490429
.text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 004905D0
.text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00490526
.text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00490543
.text C:\WINDOWS\system32\services.exe[504] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00520429
.text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005205D0
.text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00520526
.text C:\WINDOWS\system32\services.exe[504] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00520543
.text C:\WINDOWS\system32\lsass.exe[516] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429
.text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0
.text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526
.text C:\WINDOWS\system32\lsass.exe[516] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543
.text C:\AlohaQS\bin\CTLSVR.EXE[600] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003A0429
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[660] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00890429
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003C0429
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 003C05D0
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 003C0526
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[712] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 003C0543
.text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429
.text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0
.text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526
.text C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe[880] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543
.text C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe[956] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00840429
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1344] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 003C0429
.text C:\WINDOWS\bolenja.exe[1352] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00370429
.text C:\WINDOWS\bolenjx.exe[1360] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00850429
.text C:\WINDOWS\System32\ctfmon.exe[1368] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429
.text C:\WINDOWS\System32\svchost.exe[1384] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429
.text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0
.text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526
.text C:\WINDOWS\System32\svchost.exe[1384] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543
.text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00560429
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005605D0
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00560526
.text C:\WINDOWS\System32\svchost.exe[1472] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00560543
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00500429
.text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005005D0
.text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00500526
.text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00500543
.text C:\WINDOWS\system32\spoolsv.exe[1736] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 007A0429
.text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 007A05D0
.text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 007A0526
.text C:\WINDOWS\system32\spoolsv.exe[1736] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 007A0543
.text C:\WINDOWS\Explorer.EXE[1868] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 007B0429
.text C:\WINDOWS\Explorer.EXE[1868] ntdll.dll!NtQueryDirectoryFile 77F5BD48 6 Bytes PUSH 131451AC; RET
.text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 007B05D0
.text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 007B0526
.text C:\WINDOWS\Explorer.EXE[1868] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 007B0543
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 003805D0
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 00380526
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1880] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 00380543
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1968] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005E0429
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005E05D0
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005E0526
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1984] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005E0543
.text C:\Documents and Settings\Alohboh\Desktop\gmer\gmer.exe[2012] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 005F0429
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 005F05D0
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!connect 71AB3E5D 5 Bytes JMP 005F0526
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2044] WS2_32.dll!WSAConnect 71ABF6AF 5 Bytes JMP 005F0543

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\System32\NETAPI32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!FreeLibraryAndExitThread] [0A93AB40] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0A93A920] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0A93A920] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0A93A9B0] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0A93A890] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] [0A93AB10] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [0A93AB40] C:\AlohaQS\bin\SHW32.dll
IAT C:\AlohaQS\bin\CTLSVR.EXE[600] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0A93A800] C:\AlohaQS\bin\SHW32.dll

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Software)

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Software)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Software)

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service system32\drivers\rxnskyhv.dat (*** hidden *** ) [BOOT] eljalihj <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
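
An added example, not part of the original post and not GMER's own code: a small Python parser for the GMER log format above. It pulls the hidden service, the kernel inline hook and the unreadable module out of the scan and shows that they all point at the same file, which is the check a responder does before trusting the scanner's "ROOTKIT" tag. The sample input is a constructed subset of the log quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER log quoted in the post above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT 822E7F98 ZwConnectPort

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6AF16D

Code rxnskyhv.dat ObOpenObjectByName

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ObOpenObjectByName 805556C9 6 Bytes JMP F87B8312 rxnskyhv.dat
? rxnskyhv.dat The system cannot find the file specified. !
.text ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00380429

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\winlogon.exe[456] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 00490429
.text C:\WINDOWS\system32\winlogon.exe[456] WS2_32.dll!send 71AB1AF4 5 Bytes JMP 004905D0
.text C:\WINDOWS\Explorer.EXE[1868] ntdll.dll!NtQueryDirectoryFile 77F5BD48 6 Bytes PUSH 131451AC; RET

---- Services - GMER 1.0.14 ----

Service system32\drivers\rxnskyhv.dat (*** hidden *** ) [BOOT] eljalihj <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
"""

# Section header: "---- <name> - GMER 1.0.14 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "SSDT <addr> <function>[ <owning module>]" (no module means GMER could not attribute it)
SSDT_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]+) (?P<func>\S+)(?: (?P<mod>.+))?$")
# "Code <module> <function>": kernel code hooked by the named module
CODE_RE = re.compile(r"^Code (?P<mod>\S+) (?P<func>\S+)$")
# "<section> <module>!<func> <addr> <n> Bytes <patch>[ <target module>]"
KERNEL_RE = re.compile(
    r"^(?P<sect>\S+) (?P<mod>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-F]+) "
    r"(?P<n>\d+) Bytes (?P<patch>.+?)(?: (?P<target>\S+\.(?:sys|dat|dll|exe)))?$"
)
# "? <module> <error text> !": GMER found the hook but could not read the module from disk
UNREADABLE_RE = re.compile(r"^\? (?P<mod>\S+) (?P<msg>.+?) !$")
# "<section> <process path>[<pid>] <module>!<func> <addr> <n> Bytes <patch>"
USER_RE = re.compile(
    r"^(?P<sect>\S+) (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes (?P<patch>.+)$"
)
# "Service <image> (*** hidden *** ) [<start type>] <service name> ..."
SERVICE_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)


def parse_gmer(text):
    """Walk the log section by section and collect the findings that matter for triage."""
    findings = {
        "ssdt": [], "code": [], "kernel_hooks": [], "unreadable": [],
        "user_hooks": defaultdict(list), "hidden_services": [],
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m["name"]
            continue
        if section == "System":
            if (m := SSDT_RE.match(line)):
                findings["ssdt"].append((m["func"], m["addr"], m["mod"]))
            elif (m := CODE_RE.match(line)):
                findings["code"].append((m["mod"], m["func"]))
        elif section == "Kernel code sections":
            if (m := UNREADABLE_RE.match(line)):
                findings["unreadable"].append((m["mod"], m["msg"]))
            elif (m := KERNEL_RE.match(line)):
                findings["kernel_hooks"].append(
                    (f"{m['mod']}!{m['func']}", m["patch"], m["target"]))
        elif section == "User code sections":
            # User-mode WS2_32/ntdll hooks appear in nearly every process here; security
            # products (the Symantec suite is running on this box) hook these too, so these
            # are recorded per process but not treated as proof of malware on their own.
            if (m := USER_RE.match(line)):
                findings["user_hooks"][f"{m['proc']}[{m['pid']}]"].append(
                    (f"{m['mod']}!{m['func']}", m["patch"]))
        elif section == "Services":
            if (m := SERVICE_RE.match(line)):
                findings["hidden_services"].append((m["name"], m["start"], m["image"]))
    return findings


def suspect_modules(findings):
    """Modules that both patch kernel code and are hidden or unreadable on disk.

    A legitimate driver that hooks the kernel is readable; a hidden boot-start service whose
    image also redirects ntoskrnl functions is the pattern a rootkit leaves behind.
    """
    hook_targets = {target for _, _, target in findings["kernel_hooks"] if target}
    hook_targets |= {mod for mod, _ in findings["code"]}
    hidden = {mod for mod, _ in findings["unreadable"]}
    hidden |= {image.rsplit("\\", 1)[-1] for _, _, image in findings["hidden_services"]}
    return hook_targets & hidden


def report(findings):
    """Human-readable triage lines, most severe first."""
    lines = []
    for name, start, image in findings["hidden_services"]:
        lines.append(f"HIDDEN SERVICE {name} [{start}] -> {image}")
    for mod, msg in findings["unreadable"]:
        lines.append(f"UNREADABLE MODULE {mod}: {msg}")
    for where, patch, target in findings["kernel_hooks"]:
        lines.append(f"KERNEL HOOK {where} {patch}" + (f" -> {target}" if target else ""))
    for func, addr, mod in findings["ssdt"]:
        lines.append(f"SSDT HOOK {func} @ {addr}" + (f" -> {mod}" if mod else ""))
    for proc, hooks in sorted(findings["user_hooks"].items()):
        lines.append(f"USER HOOKS {proc}: " + ", ".join(where for where, _ in hooks))
    return lines


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    print("\n".join(report(found)))
    print("suspect modules:", sorted(suspect_modules(found)))
```

On the log above the parser ties the hidden service eljalihj, the unreadable driver image and the ObOpenObjectByName hook to the single file rxnskyhv.dat, which is why a ComboFix run that removes that service entry is the right next step.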

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:27 AM

Posted 15 January 2009 - 03:32 AM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 GRBrown

GRBrown
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 16 January 2009 - 01:08 AM

Hey Wan,

I did as you instructed and ran Combo-Fix, however I did encounter a couple of hiccups along the way and unfortunately your instructions did not provide specific information about how to deal with the occurrences that arose. Here's what happened:

Ran the renamed Combo-Fix from the desktop.

It started fine, but then fairly quickly it told me that I did not have the "Windows Recovery Console" installed on my computer, and then asked me (with strong encouragements) whether I would like to download and install it now. Since I didn't have any specific feedback within your instructions I selected "No". Was this the correct thing to do, or should I have first downloaded and installed the Windows Recovery Console as Combo-Fix recommended?
*Please keep in mind, as a relative newb when it comes to these particular procedures for malware removal I feel like I'm on very uncertain ground. Therefore, because your instructions said to "close any open browsers" and that "Combofix will disconnect your machine from the Internet as soon as it starts" and "Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished", I took the more conservative/cautious approach and avoided deviating from what your instructions told me to do. As such I might recommend that in the future when you are giving instructions related to Combo-Fix that you specifically address this prompt about the Windows Recovery Console and what the person should do when prompted to download it... that will just give newbs greater confidence about the process. :thumbsup:

After answering "No" to the WRC download question Combo-Fix ran smoothly and went through its different stages just fine.

Then Combo-Fix said that it was now going to "reboot windows"! Well it sat, and sat, and sat, and sat, and after 30 minutes it still had not rebooted windows. So, not knowing any better, I went ahead and did a manual reboot.

Upon the reboot everything loaded up basically fine, so I relaunched Combo-Fix and ran it again (figuring it had stalled). Again I was prompted about the WRC download... I said No, and again it completed all its stages, and then once more it announced that Combo-Fix was going to "reboot windows", only this time it finished the message and said.. "DO NOT Manually reboot the computer". [It did not say this the first time]

In any event this time it rebooted after about only 2 or 3 minutes, created the log, and everything ended fine.

I copied the log, ran HijackThis again, copied those logs and here we are.

So, to summarize and clarify, the first time I ran Combo-Fix it got all the way to the rebooting stage, but never completed the process and never created a log. It only fully ran correctly and produced a log on the SECOND running of Combo-Fix and that is what I am posting below. Also, I ran HijackThis with the default settings, and I also ran the startuplist portion but both of the boxes next to the run button for that startuplog were left "unchecked" [in case that matters].

Oh, and after successfully running all of this when I would reboot the computer it would load up Windows fine, but it would run sluggishly... then after 3-5 minutes the desktop would sort of "refresh/reload" and then it would respond more quickly? Don't know if that means something or not.

My last little tidbit before posting the logs would only be a little suggestion for the future: Maybe include in your instructions specific guidance on whether or not to download and install the Windows Recovery Console when prompted. And, approximately how many stages there are so people don't panic when it takes a while. And finally, notify them that Combo-Fix will "reboot windows" part way through the process and let them know how long this should take. [And while we are on it, how long should it take for this to happen? Should I have waited longer than the 30 minutes? Just curious] Anyway, those are my suggestions that might make things clearer for me, or people like me, when working through these procedures. That's just my 2 cents.

Now let me state very clearly that I am extremely pleased and thankful for your assistance, I feel like we've made solid progress for which I am truly grateful. My comments above are only designed to be constructive feedback on how you can give greater guidance, and in turn greater confidence, when dealing with people who are pretty unfamiliar with this process and the programs involved.

Once more thank you very much for your time and assistance Wan, it is very much appreciated!!! :)

Now then, the logs are listed below in their own posts.

I look forward to your next suggestions.

Sincerely,
G

#10 GRBrown

GRBrown
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 16 January 2009 - 01:11 AM

Combo-Fix Log [Remember, this is the log from what was technically the second running of Combo-Fix]


ComboFix 09-01-13.04 - Alohboh 2009-01-15 21:32:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.510.303 [GMT -5:00]
Running from: c:\documents and settings\Alohboh\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ini.ini\
c:\windows\system32\gehmyyxb.ini
c:\windows\system32\kus109.dat
c:\windows\system32\llkkj.ini
.
---- Previous Run -------
.
c:\documents and settings\Alohboh\Application Data\YSTEM3~1
c:\documents and settings\Alohboh\Application Data\YSTEM3~1\d?dplay.exe
c:\documents and settings\Alohboh\ResErrors.log
c:\program files\Common Files\scurit~1
c:\program files\Common Files\scurit~1\dvdplay.ex_
c:\program files\Common Files\scurit~1\s?curity\
c:\program files\Helper
c:\program files\Helper\ifastseek.dll
c:\program files\ini.ini\
c:\temp\tn3
c:\windows\bolenja.exe
c:\windows\bolenjx.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\icroso~1.net
c:\windows\icroso~1.net\?icrosoft.NET\
c:\windows\IE4 Error Log.txt
c:\windows\kus109.dat
c:\windows\Media\F2233warxy11.dll
c:\windows\Media\smartwarxyu.dll
c:\windows\system32\abc2
c:\windows\system32\drivers\fad.sys
c:\windows\system32\ex1
c:\windows\SYSTEM32\fhkmp.ini
c:\windows\SYSTEM32\fhkmp.ini2
c:\windows\system32\idcfap.bmp
c:\windows\system32\ineWc01
c:\windows\system32\ineWc01\ineWc011065.exe
c:\windows\system32\kus109.dat
c:\windows\system32\multikz.exe
c:\windows\system32\oc9
c:\windows\SYSTEM32\stvwa.ini
c:\windows\SYSTEM32\stvwa.ini2
c:\windows\system32\users32.dat
c:\windows\system32\wtsisvcc32.exe
c:\windows\SYSTEM32\ybeeg.ini
c:\windows\SYSTEM32\ybeeg.ini2
c:\windows\SYSTEM32\yycdd.ini
c:\windows\SYSTEM32\yycdd.ini2
c:\windows\Web\default.htt
c:\windows\Web\DESKMOVR.HTT
c:\windows\Web\SAFEMODE.HTT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_DHLP


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-14 17:31 . 2009-01-14 17:31 250 --a------ c:\windows\gmer.ini
2009-01-14 17:28 . 2009-01-14 17:28 <DIR> d-------- C:\rsit
2009-01-14 17:28 . 2009-01-14 17:28 <DIR> d-------- c:\program files\trend micro
2009-01-14 16:38 . 2009-01-14 16:38 <DIR> d-------- c:\documents and settings\Alohboh\Application Data\Malwarebytes
2009-01-14 16:38 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-14 16:28 . 2009-01-14 16:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 16:28 . 2009-01-14 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 16:28 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 02:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-01-22 14:23 0 ----a-w c:\documents and settings\Alohboh\del.bat
2008-01-21 15:32 246 ----a-w c:\program files\Common Files\rycil844
2008-01-20 18:12 61 ----a-w c:\program files\ini.ini
2007-07-28 09:06 135 ----a-w c:\program files\Common Files\viloz.html
.
Files Infected - Patched
c:\program files\QuickTime\qttask.exe
c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
c:\progra~1\SYMNET~1\SNDMon.exe
c:\windows\System32\igfxtray.exe
c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe
c:\program files\Analog Devices\Core\smax4pnp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06DBC41D-B12E-4133-876A-64E0C8FDD1D3}]
2002-08-29 05:00 84480 --a------ c:\windows\System32\APPHEL.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-01-21 155648]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-21 221184]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2008-01-21 172032]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-01-21 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-03-23 14:34 58992 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-21 10:33 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2008-01-21 10:33 218240 c:\program files\Common Files\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2008-01-21 10:33 100056 c:\progra~1\SYMNET~1\sndmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntivirusOverride"=dword:00000001

R0 eljalihj;eljalihj;c:\windows\System32\drivers\rxnskyhv.dat --> c:\windows\System32\drivers\rxnskyhv.dat [?]
R1 ShldDrv;Panda File Shield Driver;c:\windows\SYSTEM32\DRIVERS\ShlDrv51.sys [2008-01-22 38968]
R4 PavProc;Panda Process Protection Driver;c:\windows\SYSTEM32\DRIVERS\PavProc.sys [2008-01-22 178872]
S0 sipuf;sipuf;c:\windows\System32\drivers\gviteepr.sys --> c:\windows\System32\drivers\gviteepr.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - CtlSvr
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - ISSVC
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - navapsvc
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PavPrSrv
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec Core LC
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - uploadmgr
*Deregistered* - w32time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\At1.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At2.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At3.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At4.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At5.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At6.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At7.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2009-01-15 c:\windows\Tasks\At8.job
- c:\b50\AlohaPoll.bat [2005-05-18 14:06]

2005-03-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 05:00]

2009-01-03 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Alohboh.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-01-10 11:20]

2009-01-16 c:\windows\Tasks\PCA.job
- c:\b50\StopStartpcA.bat [2005-05-20 15:37]

2009-01-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotKeysCmds - c:\windows\System32\hkcmd.exe
HKLM-Run-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-bolenja - bolenja.exe
MSConfigStartUp-bolenjx - bolenjx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: www.google.com
Trusted Zone: *.microsoft.com
TCP: {4C8379DF-D0D2-4C2E-999C-F03572DBA64A} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:38:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eljalihj]
"ImagePath"="system32\drivers\rxnskyhv.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(1100)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\alohaqs\BIN\CTLSVR.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\Panda Software\PavShld\PavPrSrv.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-15 21:42:25 - machine was rebooted [Alohboh]
ComboFix-quarantined-files.txt 2009-01-16 02:42:21

Pre-Run: 68,268,875,776 bytes free
Post-Run: 68,192,821,248 bytes free


#11 GRBrown

  • Topic Starter
  • Members
  • 21 posts

Posted 16 January 2009 - 01:13 AM

Here are the HijackThis Log AND the startuplist logs that were created after running Combo-Fix successfully the second time.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:57 PM, on 1/15/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AlohaQS\bin\CTLSVR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3} - C:\WINDOWS\System32\APPHEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: http://192.168.2.1
O15 - Trusted IP range: http://192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C8379DF-D0D2-4C2E-999C-F03572DBA64A}: NameServer = 192.168.0.1
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CtlSvr - Ibertech, Inc - C:\AlohaQS\bin\CTLSVR.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5788 bytes




StartupList report, 1/15/2009, 9:52:16 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Alohboh\Desktop\HJackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AlohaQS\bin\CTLSVR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alohboh\Desktop\HJackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\APPHEL.dll - {06DBC41D-B12E-4133-876A-64E0C8FDD1D3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job
At2.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
ISP signup reminder 1.job
Norton AntiVirus - Scan my computer - Alohboh.job
PCA.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8204.5217939815

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 4,702 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#12 fenzodahl512

  • Members
  • 6,738 posts

Posted 16 January 2009 - 01:40 AM

Hello... Delete your version of Combo-Fix and download a fresh one from below.. This time, please install the Recovery Console and please just say Yes to everything that ComboFix wants to do :thumbsup:

Link 1
Link 2
Link 3



As usual, run it and post the log here :)

Edited by fenzodahl512, 16 January 2009 - 01:41 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 GRBrown

  • Topic Starter
  • Members
  • 21 posts

Posted 16 January 2009 - 02:55 AM

Hey Wan,

Thanks for the feedback and the clarification! :thumbsup: I'll make sure to re-download and re-run Combo-Fix again, and select Yes for the Recovery Console download.

Just out of curiosity though, did the logs tell you much of anything?

Did the initial first running, and then the complete second running of Combo-Fix that I did earlier (and that was fully successful), achieve any desired results... even though I did not install the Console?

How about the most recent HijackThis Log? Any progress?

It does seem like the computer is running better.

Finally, are there any other steps that you can reasonably give me to do after re-running Combo-Fix? I ask only because it seems the timing of our schedules is a little off (your messages tend to post fairly late at night, btw 1 am and 5 am my time), and since the computer I'm working on is 30 minutes away at my store, it means that I really only get one swipe at it per day. So, if there are any other steps that you can reasonably speculate would be worth doing after the next Combo-Fix run (with the Console being installed of course), then that would be great. If however you really need to see the next Combo-Fix Log before you give any additional steps, that's cool too... I figured it was worth checking, just in case it might save us both some time. :) But it's all good. Thanks again for the great feedback.

G

P.S. I just recalled one other oddity during the first running of Combo-Fix. As Combo-Fix did its thing, deleting stuff or whatever, periodically Windows would open dialog boxes that announced programs were shutting down unexpectedly (looked like it was probably malware junk that was running in the background that Combo-Fix was attacking)... anyway, Windows of course prompted me to send error reports to Microsoft along the way. When these prompts were present it seemed that Combo-Fix paused until you answered the Windows request for error reporting. I of course selected Don't Send for each prompt to keep it from connecting to the internet. But that was another little tidbit in the process that was weird... it really seemed like Combo-Fix could not proceed until those prompts were answered. Just thought you should know. Thanks again Wan. Sincerely, G.

#14 fenzodahl512

  • Members
  • 6,738 posts

Posted 16 January 2009 - 03:59 AM

Just out of curiosity though, did the logs tell you much of anything?


Pretty much, everything that we need to know..

Did the initial first running, and then the complete second running of Combo-Fix that I did earlier (and that was fully successful), achieve any desired results... even though I did not install the Console?


I can see it delete some files.. But we need to install RC

How about the most recent HijackThis Log? Any progress?


I prefer to see other logs..

(your messages tend to post fairly late at night, btw 1 am and 5 am my time)


I'm from Malaysia.. My timeline is GMT +8.. When I type this msg, I just returned from my class

If however you really need to see the next Combo-Fix Log before you give any additional steps, that's cool too...


I will need to see it :thumbsup:

it really seemed like Combo-Fix could not proceed until those prompts were answered.


What prompt?.. Can you give me the details?.. Screenshot would be very nice :)


Waiting for latest ComboFix log :)



#15 GRBrown

  • Topic Starter
  • Members
  • 21 posts

Posted 16 January 2009 - 04:21 AM

Hey Wan,

That's cool, like I said it was worth checking to see if there might be some extra steps that I could go ahead and take. But I'll get you the new Combo-Fix log and then we can take it from there.

Interestingly I'm in Florida, so we are technically on almost opposite schedules. Fortunately I'm a bit of a night owl so I'm often up late (too late for my own good even). In fact I'm headed to bed after this post, and right now as I type this it is 4:20 am my time, and from the world clock it appears to be 5:20 pm in Malaysia. So when I get up in 7 hours, it will already be a little past midnight your time. Crazy. But heh, it's working my friend, and I truly appreciate you taking the time to help out. Well that's probably it for me right now. Have a nice evening, and I'll catch up with you, later today my time, and tomorrow your time. :thumbsup:

G



