Malware.Trace and Trojan.Vundo


  • This topic is locked
15 replies to this topic

#1 Hugh_DaMann

Hugh_DaMann

  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 31 January 2009 - 11:00 AM

I have been unsuccessful in trying to remove the malware in the title and would appreciate any help that is offered. I have run Malwarebytes several times and these two keep coming back. I tried running VundoFix and it did not find anything.

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:48 AM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINXP\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\WINXP\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232833369312
O20 - AppInit_DLLs: nwpidk.dll C:\WINXP\system32\guard32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe

--
End of file - 7424 bytes

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

1/31/2009 10:26:31 AM
mbam-log-2009-01-31 (10-26-31).txt

Scan type: Quick Scan
Objects scanned: 70097
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
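The two MBAM hits above are registry keys only, with no files detected, and they return after every removal; that points to a component still being loaded at boot that rewrites them. The HijackThis O20 line is the first place to look: the AppInit_DLLs value lists nwpidk.dll as a bare name next to COMODO's guard32.dll, and every DLL in that value is loaded into each process that maps user32.dll. The script below is an added example (not HijackThis code, and not a tool used in this thread) that scores the load-point lines of such a log. Its sample input is constructed: the O20 and O23 lines reproduce entries from the log above, while the unnamed BHO and its all-zero CLSID are placeholders. The allowlist, the directory test and the score weights are this example's assumptions.

```python
"""Triage of load points in a HijackThis-style log: O2 (BHO), O20 (AppInit_DLLs), O23 (services).

Added example for the thread above; it is not HijackThis code and not a tool anyone in the
thread used. SAMPLE_HJT is constructed: the O20 and O23 lines reproduce entries from the
posted log, the "(no name)" BHO and its all-zero CLSID are placeholders.
"""
import ntpath
import re

SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINXP\\system32\\khfExutr.dll
O20 - AppInit_DLLs: nwpidk.dll C:\\WINXP\\system32\\guard32.dll csmjnu.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# guard32.dll is COMODO's hook DLL; the RSIT log later in this thread shows it created in
# the same second as COMODO's data directory. A name-only allowlist is weak: confirm the
# on-disk file (Authenticode signature, hash) before trusting it. Assumption of this example.
APPINIT_ALLOW = {"guard32.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
APPINIT_PREFIX = "O20 - AppInit_DLLs:"


def looks_random(stem):
    """Weak heuristic for generated names: 6-8 letters, no digits, and either mixed case
    inside the stem or fewer than one vowel per four letters."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return mixed_case or vowel_ratio < 0.25


def in_system32(path):
    return ntpath.dirname(path).lower().endswith("\\system32")


def triage(log_text):
    """Return [(score, target, reasons)] sorted by score; higher means look at it sooner."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(APPINIT_PREFIX):
            # AppInit_DLLs is space- or comma-delimited. Every listed DLL is loaded into each
            # process that maps user32.dll; a bare name is resolved from the system directory.
            for entry in re.split(r"[ ,]+", line[len(APPINIT_PREFIX):].strip()):
                base = ntpath.basename(entry)
                if base.lower() in APPINIT_ALLOW:
                    continue
                reasons = ["AppInit_DLLs entry not on the allowlist"]
                if base == entry:
                    reasons.append("bare name, resolved from the system directory")
                if looks_random(ntpath.splitext(base)[0]):
                    reasons.append("random-looking name")
                findings.append((2 + len(reasons), entry, reasons))
            continue
        m = BHO_RE.match(line)
        if m:
            path, reasons = m.group("path"), []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if in_system32(path):
                reasons.append("BHO DLL lives in system32 rather than a product directory")
            if looks_random(ntpath.splitext(ntpath.basename(path))[0]):
                reasons.append("random-looking name")
            if reasons:
                findings.append((len(reasons), path, reasons))
            continue
        m = SVC_RE.match(line)
        if m and m.group("vendor") == "Unknown owner":
            # Weak signal: HijackThis prints "Unknown owner" when it finds no company name in
            # the binary's version info. The log above shows COMODO's own cmdAgent this way.
            findings.append((1, m.group("path"), ["no company name in service binary"]))
    findings.sort(key=lambda f: -f[0])
    return findings


if __name__ == "__main__":
    for score, target, reasons in triage(SAMPLE_HJT):
        print(score, target, "; ".join(reasons))
```

The scores are a reading order, not a verdict: cmdagent.exe appears only because of the "Unknown owner" signal, which the same log shows for a legitimate COMODO service, and anything the allowlist passes still has to be verified on disk rather than by name.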


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:23 PM

Posted 05 February 2009 - 11:36 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Hugh_DaMann

Hugh_DaMann
  • Topic Starter

  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 05 February 2009 - 11:08 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/5/2009 10:59:23 PM
mbam-log-2009-02-05 (22-59-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 374982
Time elapsed: 2 hour(s), 31 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Hugh_DaMann

Hugh_DaMann
  • Topic Starter

  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 05 February 2009 - 11:09 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by Joe at 2009-02-05 23:00:50
Microsoft Windows XP Professional Service Pack 2
System drive C: has 24 GB (21%) free of 114 GB
Total RAM: 511 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:57 PM, on 2/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINXP\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232833369312
O20 - AppInit_DLLs: nwpidk.dll C:\WINXP\system32\guard32.dll csmjnu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe

--
End of file - 7364 bytes

======Scheduled tasks folder======

C:\WINXP\tasks\AppleSoftwareUpdate.job
C:\WINXP\tasks\jtpepdht.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-10 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"diagent"=C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]
"UpdReg"=C:\WINXP\UpdReg.EXE [2000-05-11 90112]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-10-14 623992]
""= []
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-02 185872]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"BluetoothAuthenticationAgent"=C:\WINXP\system32\bthprops.cpl [2004-08-04 110592]
"HPDJ Taskbar Utility"=C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe [2005-07-07 176128]
"NvCplDaemon"=C:\WINXP\system32\NvCpl.dll [2003-10-06 5058560]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-10 136600]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-01-26 1797880]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"NvMediaCenter"=C:\WINXP\system32\NVMCTRAY.DLL [2003-10-06 49152]

C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe

C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="nwpidk.dll C:\WINXP\system32\guard32.dll csmjnu.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Robotics Academy\ROBOTC for Mindstorms\RobotC.exe"="C:\Program Files\Robotics Academy\ROBOTC for Mindstorms\RobotC.exe:*:Enabled:ROBOTC for Mindstorms"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Real\RealPlayer\realplayer.exe"="C:\Program Files\Real\RealPlayer\realplayer.exe:*:Enabled:realplayer"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:realplay"
"C:\Program Files\FlightGear\bin\win32\fgfs.exe"="C:\Program Files\FlightGear\bin\win32\fgfs.exe:*:Enabled:fgfs"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Sun\SDK\jdk\bin\java.exe"="C:\Sun\SDK\jdk\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Local Settings\Temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe"="C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Local Settings\Temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
shell\AutoRun\command - M:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-02-03 15:46:58 ----N---- C:\WINXP\system32\clickfile.exe
2009-01-31 11:41:53 ----D---- C:\rsit
2009-01-31 10:38:55 ----D---- C:\VundoFix Backups
2009-01-31 10:38:55 ----A---- C:\VundoFix.txt
2009-01-28 19:59:41 ----D---- C:\WINXP\ERDNT
2009-01-28 19:58:40 ----D---- C:\Program Files\ERUNT
2009-01-26 20:50:47 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2009-01-26 20:39:10 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\comodo
2009-01-26 20:39:10 ----A---- C:\WINXP\system32\guard32.dll
2009-01-26 20:39:07 ----D---- C:\Program Files\COMODO
2009-01-25 18:23:55 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Malwarebytes
2009-01-25 18:23:45 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-25 18:23:45 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\Malwarebytes
2009-01-25 18:18:54 ----D---- C:\Program Files\Trend Micro
2009-01-25 11:01:00 ----D---- C:\Program Files\a-squared Anti-Malware
2009-01-24 17:34:16 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Canon
2009-01-24 16:52:17 ----A---- C:\WINXP\system32\MRT.exe
2009-01-24 15:36:33 ----A---- C:\WINXP\system32\nwpidk.dll
2009-01-24 15:33:33 ----A---- C:\WINXP\system32\acksnkpf.dll
2009-01-23 15:35:49 ----SH---- C:\WINXP\system32\grwiabyh.ini
2009-01-22 15:33:41 ----SH---- C:\WINXP\system32\ewmpbykg.ini
2009-01-21 17:44:53 ----D---- C:\WINXP\system32\LogFiles
2009-01-21 17:42:51 ----D---- C:\WINXP\Minidump
2009-01-21 16:03:54 ----D---- C:\WINXP\qwkq
2009-01-21 16:03:54 ----D---- C:\Program Files\Common Files\qwkq
2009-01-21 15:43:43 ----D---- C:\Program Files\WebShow
2009-01-21 15:28:03 ----SH---- C:\WINXP\system32\aacminjs.ini
2009-01-20 15:31:51 ----A---- C:\WINXP\system32\geBuRJby.dll
2009-01-20 15:25:52 ----A---- C:\WINXP\system32\ddcDwxya.dll
2009-01-20 15:24:09 ----SH---- C:\WINXP\system32\njvgvvde.ini
2009-01-20 15:23:37 ----A---- C:\WINXP\system32\7b1e51ab-.txt
2009-01-20 15:17:26 ----A---- C:\WINXP\system32\khfExutr.dll
2009-01-10 13:22:54 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Download Manager
2009-01-09 17:06:27 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Helios
2009-01-09 17:06:13 ----D---- C:\Program Files\TextPad 5
2009-01-09 14:58:32 ----A---- C:\WINXP\system32\javaws.exe
2009-01-09 14:58:32 ----A---- C:\WINXP\system32\javaw.exe
2009-01-09 14:58:32 ----A---- C:\WINXP\system32\java.exe
2009-01-07 21:28:05 ----D---- C:\Python26
2009-01-03 11:08:06 ----D---- C:\Program Files\DB Maker
2009-01-01 10:34:35 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\ZoomBrowser EX
2009-01-01 10:30:04 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\ZoomBrowser
2009-01-01 10:25:51 ----RSD---- C:\WINXP\assembly
2009-01-01 10:22:50 ----D---- C:\WINXP\Microsoft.NET
2009-01-01 10:00:25 ----D---- C:\Program Files\Common Files\Canon
2009-01-01 09:51:55 ----A---- C:\WINXP\system32\nvudisp.exe
2009-01-01 09:51:54 ----D---- C:\WINXP\nview
2008-12-31 10:30:17 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-12-25 14:16:51 ----D---- C:\WINXP\system32\appmgmt
2008-12-25 11:49:04 ----D---- C:\WINXP\5D946D0D94374E15AC1FF9BCF0B32561.TMP
2008-12-25 11:45:51 ----D---- C:\Program Files\LeapFrog
2008-12-22 19:15:43 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\JoCar Consulting
2008-12-22 19:15:18 ----D---- C:\Program Files\BricxCC
2008-12-22 19:14:51 ----A---- C:\WINXP\GPInstall.exe
2008-12-22 19:12:09 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Help
2008-12-22 19:08:39 ----D---- C:\Program Files\PRO-BOT2000
2008-12-22 19:08:39 ----A---- C:\WINXP\system32\PHANTOM.DLL
2008-12-22 18:28:23 ----D---- C:\Program Files\Free iPod Video Converter
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZisn12.dll
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZipt12.dll
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZipr12.dll
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZipm12.exe
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZinw12.exe
2008-12-21 20:39:09 ----A---- C:\WINXP\system32\HPZidr12.dll
2008-12-21 20:35:10 ----A---- C:\WINXP\system32\hphmon05.exe
2008-12-21 20:35:09 ----A---- C:\WINXP\system32\hphped05.exe
2008-12-21 20:35:03 ----A---- C:\WINXP\system32\hpzcon09.dll
2008-12-21 20:35:02 ----A---- C:\WINXP\system32\hpzlnt09.dll
2008-12-21 20:35:02 ----A---- C:\WINXP\system32\hpzcoi09.dll
2008-12-19 15:08:25 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Amazon
2008-12-19 15:06:55 ----D---- C:\Program Files\Amazon
2008-12-12 09:26:39 ----A---- C:\WINXP\system32\wshirda.dll
2008-12-12 09:26:39 ----A---- C:\WINXP\system32\irmon.dll
2008-12-12 09:26:39 ----A---- C:\WINXP\system32\irftp.exe
2008-12-10 18:30:28 ----D---- C:\Program Files\Citrix
2008-12-10 17:58:38 ----D---- C:\WINXP\system32\Adobe
2008-12-07 12:34:18 ----A---- C:\WINXP\IsUninst.exe
2008-12-05 20:09:01 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 19:33:15 ----D---- C:\WINXP\system32\ReinstallBackups
2008-12-04 16:52:20 ----A---- C:\WINXP\system32\python26.dll
2008-12-03 19:02:11 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\flightgear.org
2008-12-03 19:00:04 ----D---- C:\Program Files\FlightGear
2008-12-02 21:55:34 ----A---- C:\WINXP\system32\rmoc3260.dll
2008-12-02 21:55:24 ----A---- C:\WINXP\system32\pndx5032.dll
2008-12-02 21:55:24 ----A---- C:\WINXP\system32\pndx5016.dll
2008-12-02 21:55:21 ----A---- C:\WINXP\system32\pncrt.dll
2008-12-02 21:55:09 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Real
2008-11-29 11:33:10 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\U3
2008-11-27 14:31:46 ----D---- C:\WINXP\Sun
2008-11-27 14:29:53 ----A---- C:\WINXP\system32\deploytk.dll
2008-11-27 14:28:48 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Sun

======List of files/folders modified in the last 3 months======

2009-02-05 22:59:42 ----D---- C:\Program Files\Mozilla Firefox
2009-02-05 20:02:56 ----D---- C:\WINXP\Prefetch
2009-02-05 19:21:25 ----D---- C:\WINXP\Temp
2009-02-05 19:19:57 ----A---- C:\WINXP\SchedLgU.Txt
2009-02-05 19:10:59 ----D---- C:\WINXP\system32
2009-02-03 19:09:29 ----RAD---- C:\Program Files
2009-02-03 19:09:29 ----D---- C:\WINXP\system32\drivers
2009-01-31 18:03:05 ----D---- C:\WINXP
2009-01-31 10:30:41 ----SHD---- C:\WINXP\Installer
2009-01-31 10:30:41 ----SHD---- C:\Config.Msi
2009-01-28 16:30:56 ----A---- C:\WINXP\system32\PerfStringBackup.INI
2009-01-28 16:29:56 ----RSHDC---- C:\WINXP\system32\dllcache
2009-01-28 16:29:45 ----D---- C:\WINXP\system32\CatRoot2
2009-01-26 20:54:59 ----D---- C:\Program Files\SpywareBlaster
2009-01-25 18:16:43 ----HD---- C:\WINXP\inf
2009-01-24 17:16:20 ----D---- C:\WINXP\Registration
2009-01-24 16:52:19 ----D---- C:\WINXP\Debug
2009-01-24 16:42:54 ----SD---- C:\WINXP\Downloaded Program Files
2009-01-21 16:03:54 ----AD---- C:\Program Files\Common Files
2009-01-20 15:17:52 ----SD---- C:\WINXP\Tasks
2009-01-13 15:04:42 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Move Networks
2009-01-09 14:58:29 ----D---- C:\Program Files\Java
2009-01-08 14:49:15 ----D---- C:\WINXP\WinSxS
2009-01-08 14:49:14 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-05 22:40:51 ----SD---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Microsoft
2009-01-01 10:31:26 ----D---- C:\Program Files\Canon
2009-01-01 10:12:17 ----D---- C:\WINXP\pchealth
2009-01-01 09:51:54 ----D---- C:\WINXP\Help
2008-12-31 10:39:25 ----D---- C:\Program Files\Adobe
2008-12-31 10:39:21 ----D---- C:\Program Files\Common Files\Adobe
2008-12-25 11:46:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-21 20:40:47 ----D---- C:\WINXP\system32\NtmsData
2008-12-21 20:39:09 ----D---- C:\Program Files\HP
2008-12-21 20:36:15 ----D---- C:\Program Files\Hewlett-Packard
2008-12-21 15:46:43 ----D---- C:\Documents and Settings\All Users.WINXP\Application Data\FLEXnet
2008-12-14 00:10:10 ----D---- C:\WINXP\security
2008-12-10 17:59:34 ----D---- C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Application Data\Adobe
2008-12-05 20:13:39 ----D---- C:\Program Files\QuickTime
2008-12-05 20:09:38 ----DC---- C:\WINXP\system32\DRVSTORE
2008-12-05 20:09:38 ----D---- C:\Program Files\iTunes
2008-12-05 20:09:11 ----D---- C:\Program Files\iPod
2008-12-05 20:09:10 ----D---- C:\Program Files\Common Files\Apple
2008-12-05 19:31:08 ----D---- C:\Program Files\Safari
2008-12-02 21:55:22 ----A---- C:\WINXP\system32\msvcp71.dll
2008-11-26 12:56:34 ----A---- C:\WINXP\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINXP\System32\DRIVERS\cmdguard.sys [2009-01-26 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINXP\System32\DRIVERS\cmdhlp.sys [2009-01-26 31504]
R1 intelppm;Intel Processor Driver; C:\WINXP\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINXP\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R2 mdmxsdk;mdmxsdk; C:\WINXP\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 PfModNT;PfModNT; \??\C:\WINXP\system32\PfModNT.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINXP\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DP;HSF_DP; C:\WINXP\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINXP\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINXP\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 nv;nv; C:\WINXP\system32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
R3 P16X;Creative SB Live! Series (WDM); C:\WINXP\system32\drivers\P16X.sys [2002-08-30 1293440]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINXP\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINXP\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINXP\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbstor;USB Mass Storage Driver; C:\WINXP\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINXP\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINXP\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S1 seneka;seneka; C:\WINXP\system32\drivers\senekactjlatve.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\WINXP\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINXP\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINXP\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINXP\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINXP\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINXP\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINXP\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 FANTOM;LEGO MINDSTORMS NXT Driver; C:\WINXP\system32\DRIVERS\fantom.sys [2007-05-30 39424]
S3 HidUsb;Microsoft HID Class Driver; C:\WINXP\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINXP\system32\DRIVERS\HPZid412.sys [2005-07-07 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINXP\system32\DRIVERS\HPZipr12.sys [2005-07-07 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINXP\system32\DRIVERS\HPZius12.sys [2005-10-22 21568]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINXP\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINXP\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINXP\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINXP\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 BthServ;Bluetooth Support Service; C:\WINXP\system32\svchost.exe [2004-08-04 14336]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-01-26 618232]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINXP\system32\CTsvcCDA.exe [1999-12-13 44032]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-10 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINXP\system32\nvsvc32.exe [2003-10-06 81920]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINXP\system32\MsPMSPSv.exe [2000-06-26 53520]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-08-31 654848]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINXP\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINXP\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINXP\system32\HPZipm12.exe [2004-03-18 65536]

-----------------EOF-----------------
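
The driver and service lists above are the part of this log worth reading most carefully: two entries, PfModNT (R2) and the seneka driver (S1), have empty brackets where every other line carries the binary's date and size. The following is an added example, not part of the original post and not RSIT's own code, that parses lines in the format shown above and flags such entries, rating a boot- or system-start driver that user-mode tooling could not date or size higher than the rest, because that is how a file-hiding rootkit driver looks in a log like this. It assumes the empty brackets mean RSIT recorded no date/size for the file; the five sample lines are copied from the list above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One entry per line, as RSIT prints its driver and service sections:
#   <R|S><start> <name>;<description>; <path> [<yyyy-mm-dd> <size>]
# Assumption: the brackets are empty when RSIT recorded no date/size for the binary.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]\s*$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample: five lines copied from the RSIT driver/service list above.
SAMPLE = r"""
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINXP\System32\DRIVERS\cmdguard.sys [2009-01-26 101776]
R2 PfModNT;PfModNT; \??\C:\WINXP\system32\PfModNT.sys []
R3 nv;nv; C:\WINXP\system32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
S1 seneka;seneka; C:\WINXP\system32\drivers\senekactjlatve.sys []
R2 BthServ;Bluetooth Support Service; C:\WINXP\system32\svchost.exe [2004-08-04 14336]
"""


@dataclass
class Entry:
    state: str            # R = running, S = stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    desc: str
    path: str
    date: Optional[str]   # None when RSIT printed empty brackets
    size: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; return None for lines in another format."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    meta = m.group("meta").split()
    return Entry(
        state=m.group("state"),
        start=int(m.group("start")),
        name=m.group("name"),
        desc=m.group("desc"),
        path=m.group("path"),
        date=meta[0] if meta else None,
        size=int(meta[1]) if len(meta) > 1 else None,
    )


def parse_section(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def flag_missing_binaries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, name, path) for every entry with no date/size.

    A boot- or system-start driver (start type 0 or 1) whose file could not be
    read from user mode is the stronger signal; for the other start types a
    stale registration left behind by an uninstalled product looks the same,
    so those are reported at medium severity for manual review.
    """
    findings = []
    for e in entries:
        if e.date is None:
            severity = "high" if e.start <= 1 else "medium"
            findings.append((severity, e.name, e.path))
    return findings


def report(text: str) -> List[str]:
    """Human-readable summary of the flagged entries in one RSIT section."""
    return [
        f"{sev}: {name} ({START_TYPES[e.start]} start) -> {e.path}"
        for e in parse_section(text)
        for sev, name, _ in flag_missing_binaries([e])
    ]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the full driver and service sections of a log rather than these five lines; the output on the sample is two findings, the seneka driver at high severity and PfModNT at medium.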

#5 Hugh_DaMann
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 05 February 2009 - 11:16 PM

info.txt logfile of random's system information tool 1.05 2009-01-31 11:42:04

======Uninstall list======

-->"C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINXP\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Acrobat 8.1.3 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000003}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player ActiveX-->C:\WINXP\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINXP\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Photoshop Elements 2.0-->C:\WINXP\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup-->MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player 11-->C:\WINXP\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINXP\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Bricx Command Center-->C:\WINXP\GPInstall.exe "/UNINST=C:\Program Files\BricxCC\UnInst.log" "/APPNAME=Bricx Command Center"
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon EOS 5D WIA Driver-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities CameraWindow-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities Digital Photo Professional 3.3-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities Original Data Security Tools-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities Picture Style Editor-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Picture Style Editor\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities WFT-E1/E2/E3 Utility-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
COMODO Internet Security-->C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe -u
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DB Maker-->C:\Program Files\DB Maker\uninstall.exe
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Free iPod Video Converter 1.34-->"C:\Program Files\Free iPod Video Converter\unins000.exe"
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINXP\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
LEGO MINDSTORMS Edu NXT - English Language Pack-->MsiExec.exe /X{1461AA33-AB75-4E27-A832-CA0328AD7FAA}
LEGO MINDSTORMS Edu NXT Software v1.1-->MsiExec.exe /X{32C7D34A-4ADF-46F1-9E75-A3E446A76D10}
LEGO MINDSTORMS NXT - English Language Pack-->MsiExec.exe /X{D2B8DB3C-E5F0-48CA-810E-87DFD5603DC2}
LEGO MINDSTORMS NXT Driver-->MsiExec.exe /I{99B66D96-5BB2-42DF-BF7C-432285A1E5A5}
LEGO MINDSTORMS NXT Edu Migration Package-->MsiExec.exe /X{E9AF380B-40FA-4D83-A5C7-A80D9BB8E566}
LEGO MINDSTORMS NXT Migration Package-->MsiExec.exe /X{6C1D47CC-682C-4673-8CA8-DEE659628599}
LEGO MINDSTORMS NXT Software v1.1-->MsiExec.exe /X{CDE4B478-F489-444D-900C-A9812569E6D2}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINXP\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003-->MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}
MobileMe Control Panel-->MsiExec.exe /I{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Display Driver-->C:\WINXP\system32\nvudisp.exe Uninstall C:\WINXP\system32\nvdisp.nvu,NVIDIA Display Driver
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PRO-BOT2000 (C:\Program Files\PRO-BOT2000\)-->C:\WINXP\ST5UNST.EXE -n "C:\Program Files\PRO-BOT2000\ST5UNST.000"
PRO-BOT2000-->C:\WINXP\ST5UNST.EXE -n "C:\Program Files\PRO-BOT2000\ST5UNST.LOG"
Python 2.6.1-->MsiExec.exe /I{9CC89170-000B-457D-91F1-53691F85B223}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ROBOTC for Mindstorms 1.43 - BETA 1-->MsiExec.exe /I{02CA8DB2-CB9A-4EC3-8A09-16207C7148BE}
Safari-->MsiExec.exe /I{582D2A53-F426-4C5E-A2E6-43C1AB36B907}
SanDisk TransferMate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{601C6E14-DF1E-4113-A8C8-F9DB90CB0D88}\Setup.exe" -l0x9
Security Update for Windows XP (KB923789)-->C:\WINXP\system32\MacroMed\Flash\genuinst.exe C:\WINXP\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB929123)-->"C:\WINXP\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINXP\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINXP\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINXP\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINXP\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINXP\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINXP\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINXP\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINXP\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINXP\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINXP\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINXP\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINXP\$NtUninstallKB953839$\spuninst\spuninst.exe"
Sound Blaster Live!-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\SETUP.EXE" -l0x9
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
Update for Windows XP (KB898461)-->"C:\WINXP\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINXP\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINXP\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINXP\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"

======Security center information======

FW: COMODO Firewall

System event log

Computer Name: JU-9FD65CF29BBF
Event Code: 7036
Message: The Application Management service entered the running state.

Record Number: 5125
Source Name: Service Control Manager
Time Written: 20081225141648.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 7035
Message: The Application Management service was successfully sent a start control.

Record Number: 5124
Source Name: Service Control Manager
Time Written: 20081225141648.000000-300
Event Type: information
User: JU-9FD65CF29BBF\Joe

Computer Name: JU-9FD65CF29BBF
Event Code: 7036
Message: The Windows Image Acquisition (WIA) service entered the running state.

Record Number: 5123
Source Name: Service Control Manager
Time Written: 20081225141422.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 7035
Message: The Windows Image Acquisition (WIA) service was successfully sent a start control.

Record Number: 5122
Source Name: Service Control Manager
Time Written: 20081225141422.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: JU-9FD65CF29BBF
Event Code: 7036
Message: The Windows Installer service entered the running state.

Record Number: 5121
Source Name: Service Control Manager
Time Written: 20081225141329.000000-300
Event Type: information
User:

Application event log

Computer Name: JU-9FD65CF29BBF
Event Code: 105
Message: The service was started.

Record Number: 1645
Source Name: Creative Service for CDROM Access
Time Written: 20090125105124.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 1
Message:
Record Number: 1644
Source Name: Bonjour Service
Time Written: 20090125105123.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x0001142e.

Record Number: 1643
Source Name: Application Error
Time Written: 20090124181101.000000-300
Event Type: error
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 0
Message:
Record Number: 1642
Source Name: iPod Service
Time Written: 20090124172235.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 105
Message: The service was started.

Record Number: 1641
Source Name: WMDM PMSP Service
Time Written: 20090124172210.000000-300
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\VXIPNP\WinNT\Bin;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VXIPNPPATH"=C:\VXIPNP\
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
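
The event-log extract above is the only timeline information in this post, and its Time Written values are in the WMI/DMTF form (yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes, so -300 is UTC-5). The following is an added example, not part of the original post and not RSIT's own code, that parses those records, converts the timestamps to UTC so they can be lined up against file-creation times reported by other tools, and pulls the faulting application and module out of the Application Error event 1000 record. The three records are copied from the log above; the field names are assumed to be exactly as printed there.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: three records copied from the info.txt Application event log above.
SAMPLE_LOG = """\
Computer Name: JU-9FD65CF29BBF
Event Code: 1
Message:
Record Number: 1644
Source Name: Bonjour Service
Time Written: 20090125105123.000000-300
Event Type: information
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x0001142e.

Record Number: 1643
Source Name: Application Error
Time Written: 20090124181101.000000-300
Event Type: error
User:

Computer Name: JU-9FD65CF29BBF
Event Code: 0
Message:
Record Number: 1642
Source Name: iPod Service
Time Written: 20090124172235.000000-300
Event Type: information
User:
"""

# Message text of Application Error event 1000 on Windows XP, as in the record above.
FAULT_RE = re.compile(
    r"Faulting application (\S+), version (\S+), "
    r"faulting module (\S+), version (\S+), fault address (0x[0-9A-Fa-f]+)"
)


def dmtf_to_utc(stamp: str) -> datetime:
    """Convert a DMTF/WMI datetime (yyyymmddHHMMSS.ffffff+UUU, UUU = offset in minutes) to aware UTC."""
    local = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    micros = int(stamp[15:21])
    offset = timedelta(minutes=int(stamp[21:]))
    return local.replace(microsecond=micros, tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split the RSIT event-log dump into records; a record starts at 'Computer Name:'."""
    records: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Computer Name:"):
            current = {}
            records.append(current)
        if current is None or ":" not in line:
            continue                      # blank separator lines, or text before the first record
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    for rec in records:
        rec["utc"] = dmtf_to_utc(str(rec["Time Written"]))
    return records


def crashes(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Extract application, module and fault address from Application Error 1000 records."""
    found = []
    for rec in records:
        if rec.get("Source Name") != "Application Error" or rec.get("Event Code") != "1000":
            continue
        m = FAULT_RE.search(str(rec.get("Message", "")))
        if m:
            found.append({
                "utc": rec["utc"],
                "app": m.group(1), "app_version": m.group(2),
                "module": m.group(3), "module_version": m.group(4),
                "address": m.group(5),
            })
    return found


def errors(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Error-type records in chronological (UTC) order."""
    return sorted((r for r in records if r.get("Event Type") == "error"), key=lambda r: r["utc"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for c in crashes(recs):
        print(f"{c['utc'].isoformat()} {c['app']} crashed in {c['module']} at {c['address']}")
```

The UTC conversion matters when correlating: the file-creation timestamps elsewhere in these logs are local time, so either side has to be normalised before comparing a crash time against when a DLL appeared in system32.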

#6 Hugh_DaMann
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 05 February 2009 - 11:18 PM

Computer reboots before completion of GMER. Have tried running it twice and got same result.

Is there something running that conflicts with it?

#7 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:10:23 PM

Posted 06 February 2009 - 03:43 AM

Hmm.. Let's do this....
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 Hugh_DaMann
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:23 AM

Posted 06 February 2009 - 05:30 PM

ComboFix 09-02-06.01 - Joe 2009-02-06 16:49:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.353 [GMT -5:00]
Running from: c:\documents and settings\Joe.JU-9FD65CF29BBF\Desktop\Combo-Fix.exe
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JOE~1.JU-\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Joe.JU-9FD65CF29BBF\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Joe.JU-9FD65CF29BBF\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\winxp\system32\aacminjs.ini
c:\winxp\system32\acksnkpf.dll
c:\winxp\system32\drivers\seneka.sys
c:\winxp\system32\drivers\senekactjlatve.sys
c:\winxp\system32\drivers\senekawxdqwmny.sys
c:\winxp\system32\ewmpbykg.ini
c:\winxp\system32\grwiabyh.ini
c:\winxp\system32\njvgvvde.ini
c:\winxp\system32\nwpidk.dll
c:\winxp\system32\senekaemqximbe.dat
c:\winxp\system32\senekagratykdi.dll
c:\winxp\system32\senekaiwexvkbl.dat
c:\winxp\system32\senekakmxbfxwn.dat
c:\winxp\system32\senekaqxjkvdno.dll
c:\winxp\system32\senekartlwbwex.dat
c:\winxp\system32\senekaswkkllus.dll
c:\winxp\system32\senekatymeuhxs.dll
c:\winxp\Tasks\jtpepdht.job
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-05 23:01 . 2009-02-05 23:10 250 --a------ c:\winxp\gmer.ini
2009-02-03 15:46 . 2009-02-03 15:46 45,568 --------- c:\winxp\system32\clickfile.exe
2009-01-31 11:41 . 2009-01-31 11:42 <DIR> d-------- C:\rsit
2009-01-31 10:38 . 2009-01-31 10:38 <DIR> d-------- C:\VundoFix Backups
2009-01-28 19:58 . 2009-01-28 19:58 <DIR> d-------- c:\program files\ERUNT
2009-01-28 16:29 . 2001-08-17 14:02 9,600 --a------ c:\winxp\system32\drivers\hidusb.sys
2009-01-28 16:29 . 2001-08-17 14:02 9,600 --a--c--- c:\winxp\system32\dllcache\hidusb.sys
2009-01-26 20:50 . 2009-01-26 20:50 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\TEMP
2009-01-26 20:39 . 2009-01-26 20:39 <DIR> d-------- c:\program files\COMODO
2009-01-26 20:39 . 2009-01-26 20:44 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\comodo
2009-01-26 20:39 . 2009-01-26 20:39 147,192 --a------ c:\winxp\system32\guard32.dll
2009-01-26 20:39 . 2009-01-26 20:39 101,776 --a------ c:\winxp\system32\drivers\cmdguard.sys
2009-01-26 20:39 . 2009-01-26 20:39 31,504 --a------ c:\winxp\system32\drivers\cmdhlp.sys
2009-01-25 18:23 . 2009-01-25 18:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:23 . 2009-01-25 18:23 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Malwarebytes
2009-01-25 18:23 . 2009-01-25 18:23 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-01-25 18:23 . 2009-01-14 16:11 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2009-01-25 18:23 . 2009-01-14 16:11 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2009-01-25 18:18 . 2009-01-25 18:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 11:01 . 2009-01-26 19:57 <DIR> d-------- c:\program files\a-squared Anti-Malware
2009-01-24 17:34 . 2009-01-24 17:34 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Canon
2009-01-21 22:58 . 2009-02-06 16:58 4 --a------ c:\winxp\yapgvgbw
2009-01-21 17:44 . 2009-01-21 17:44 <DIR> d-------- c:\winxp\system32\LogFiles
2009-01-21 16:05 . 2009-01-21 16:05 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\cs
2009-01-21 16:03 . 2009-01-21 16:03 <DIR> d-------- c:\winxp\qwkq
2009-01-21 16:03 . 2009-01-25 18:11 <DIR> d-------- c:\program files\Common Files\qwkq
2009-01-21 15:43 . 2009-01-25 18:41 <DIR> d-------- c:\program files\WebShow
2009-01-20 15:31 . 2009-01-20 15:31 48,640 --a------ c:\winxp\system32\geBuRJby.dll
2009-01-20 15:25 . 2009-01-20 15:25 48,640 --a------ c:\winxp\system32\ddcDwxya.dll
2009-01-20 15:22 . 2009-01-20 16:59 1,780 --a------ c:\winxp\cfhhmmxs
2009-01-20 15:17 . 2009-01-20 15:17 48,640 --a------ c:\winxp\system32\khfExutr.dll
2009-01-10 13:22 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Download Manager
2009-01-09 17:06 . 2009-01-09 17:06 <DIR> d-------- c:\program files\TextPad 5
2009-01-09 17:06 . 2009-01-09 17:06 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Helios
2009-01-07 21:28 . 2009-01-07 21:28 <DIR> d-------- C:\Python26
2009-01-06 21:50 . 2009-01-09 17:43 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"NvMediaCenter"="c:\winxp\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\winxp\UpdReg.EXE" [2000-05-11 90112]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-02 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HPDJ Taskbar Utility"="c:\winxp\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 176128]
"NvCplDaemon"="c:\winxp\system32\NvCpl.dll" [2003-10-06 5058560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-26 1797880]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\winxp\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2003-10-06 c:\winxp\system32\nwiz.exe]

c:\documents and settings\Joe.JU-9FD65CF29BBF\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-07 113664]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2008-09-06 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\winxp\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Robotics Academy\\ROBOTC for Mindstorms\\RobotC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\winxp\system32\drivers\cmdguard.sys [2009-01-26 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\winxp\system32\drivers\cmdhlp.sys [2009-01-26 31504]
S0 aylnlfdx;aylnlfdx;c:\winxp\system32\drivers\phqghume.sys --> c:\winxp\system32\drivers\phqghume.sys [?]
S0 cfhhmmxs;cfhhmmxs;c:\winxp\system32\drivers\jmtwldsp.sys --> c:\winxp\system32\drivers\jmtwldsp.sys [?]
S0 yapgvgbw;yapgvgbw;c:\winxp\system32\drivers\udqiabbq.sys []
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\winxp\system32\drivers\fantom.sys [2007-05-30 39424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\winxp\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Mozilla\Firefox\Profiles\lbc0h4r4.default\
FF - plugin: c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Mozilla\Firefox\Profiles\lbc0h4r4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsaix.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 17:12:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winxp\system32\drivers\udqiabbq.sys 25088 bytes executable
c:\docume~1\JOE~1.JU-\LOCALS~1\Temp\Acrobat Distiller 8\00000820\dirlock.tmp 0 bytes
c:\docume~1\JOE~1.JU-\LOCALS~1\Temp\Acrobat Distiller 8\00000820\Temp.msg 164 bytes
c:\winxp\system32\mucltui.dll 268648 bytes executable
c:\winxp\system32\mucltui.dll.mui 27496 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\winxp\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\winxp\system32\nvsvc32.exe
c:\winxp\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\winxp\system32\rundll32.exe
c:\winxp\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************

.
Completion time: 2009-02-06 17:21:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 22:21:37

Pre-Run: 25,610,932,224 bytes free
Post-Run: 25,605,844,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINXP
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

194 --- E O F --- 2009-01-01 14:52:00

Edited by Hugh_DaMann, 06 February 2009 - 05:32 PM.


#9 fenzodahl512
  • Members
  • 6,738 posts

Posted 07 February 2009 - 01:15 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
aylnlfdx
cfhhmmxs
yapgvgbw

Rootkit::
c:\winxp\system32\drivers\phqghume.sys
c:\winxp\system32\drivers\jmtwldsp.sys
c:\winxp\system32\drivers\udqiabbq.sys

File::
c:\winxp\yapgvgbw
c:\winxp\system32\geBuRJby.dll
c:\winxp\system32\ddcDwxya.dll
c:\winxp\cfhhmmxs
c:\winxp\system32\khfExutr.dll
c:\winxp\system32\drivers\phqghume.sys
c:\winxp\system32\drivers\jmtwldsp.sys
c:\winxp\system32\drivers\udqiabbq.sys

Folder::
c:\winxp\qwkq
c:\program files\Common Files\qwkq
c:\program files\WebShow

DirLook::
c:\winxp\system32\LogFiles
c:\documents and settings\Joe.JU-9FD65CF29BBF\cs

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#10 Hugh_DaMann
  • Topic Starter
  • Members
  • 10 posts

Posted 07 February 2009 - 11:24 AM

It's looking better...

ComboFix 09-02-06.01 - Joe 2009-02-07 10:18:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.279 [GMT -5:00]
Running from: C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\CFScript.txt
FW: COMODO Firewall *enabled*
* Created a new restore point

FILE ::
c:\winxp\cfhhmmxs
c:\winxp\system32\ddcDwxya.dll
c:\winxp\system32\drivers\jmtwldsp.sys
c:\winxp\system32\drivers\phqghume.sys
c:\winxp\system32\drivers\udqiabbq.sys
c:\winxp\system32\geBuRJby.dll
c:\winxp\system32\khfExutr.dll
c:\winxp\yapgvgbw
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22, on 2009-02-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINXP\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232833369312
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe

--
End of file - 7465 bytes

#11 fenzodahl512
  • Members
  • 6,738 posts

Posted 08 February 2009 - 12:24 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Run ComboFix once again (double-click it)

Post these logs in your next reply..

1. ESET Online Scanner
2. ComboFix (fresh scan)
3. How's the computer now?



#12 Hugh_DaMann
  • Topic Starter
  • Members
  • 10 posts

Posted 08 February 2009 - 05:55 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3836 (20090207)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=2a1c0a4279c5f94d970249c88b2a4de7
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-08 09:53:06
# local_time=2009-02-08 04:53:06 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1004670
# found=31
# scan_time=11075
C:\Documents and Settings\becca usoff\Application Data\Mozilla\Firefox\Profiles\default.epw\Cache\B750ACA1d01 Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\Application Data\Mozilla\Firefox\Profiles\default.epw\Cache\B750ACA1d01 »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\Application Data\Mozilla\Firefox\Profiles\default.epw\Cache\B750ACA1d01 »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.exe »WISE »bolae9in3l.exe a variant of Win32/Adware.F1Organizer application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.zip »ZIP »apc.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.zip »ZIP »apc.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.zip »ZIP »apc.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\becca usoff\My Documents\Adobe\stuf\apc.zip »ZIP »apc.exe »WISE »bolae9in3l.exe a variant of Win32/Adware.F1Organizer application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\Cathy\Local Settings\Temp\temp.cab a variant of Win32/Adware.Websearch application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\Cathy\Local Settings\Temp\temp.cab »CAB »toolbar.dll a variant of Win32/Adware.Websearch application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\Joe\Local Settings\Temp\temp.cab a variant of Win32/Adware.Websearch application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Joe.JU-9FD65CF29BBF\Desktop\Joe\Local Settings\Temp\temp.cab »CAB »toolbar.dll a variant of Win32/Adware.Websearch application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\plugins\npsaix.dll Win32/Adware.180Solutions application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP176\A0007827.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP176\A0007827.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP176\A0007827.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007943.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007943.exe »WISE »msbb.exe Win32/Adware.180Solutions application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007943.exe »WISE »aaaP026.exe Win32/Igetnet.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007943.exe »WISE »bolae9in3l.exe a variant of Win32/Adware.F1Organizer application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007944.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007944.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007945.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{0AFBEF27-5648-484C-B1E2-5DC77F8163F4}\RP178\A0007946.dll Win32/Adware.180Solutions application (unable to clean - deleted) 00000000000000000000000000000000


ComboFix 09-02-06.01 - Joe 2009-02-08 17:32:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.203 [GMT -5:00]
Running from: c:\documents and settings\Joe.JU-9FD65CF29BBF\Desktop\Combo-Fix.exe
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Common Files\qwkq
c:\program files\Common Files\qwkq\qwkqa.lck
c:\program files\Common Files\qwkq\qwkqd\class-barrel
c:\program files\Common Files\qwkq\qwkqh
c:\program files\Common Files\qwkq\qwkql.lck
c:\program files\Common Files\qwkq\qwkqm.lck
c:\program files\WebShow
c:\winxp\cfhhmmxs
c:\winxp\qwkq
c:\winxp\qwkq\qwkq.dat
c:\winxp\qwkq\wu
c:\winxp\system32\ddcDwxya.dll
c:\winxp\system32\geBuRJby.dll
c:\winxp\system32\khfExutr.dll
c:\winxp\yapgvgbw

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFHHMMXS
-------\Legacy_YAPGVGBW
-------\Service_aylnlfdx
-------\Service_cfhhmmxs
-------\Service_yapgvgbw


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 17:31 . 2009-02-08 17:31 <DIR> d-------- C:\32788R22FWJFW
2009-02-08 13:47 . 2009-02-08 16:53 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-06 17:15 . 2008-10-16 14:06 268,648 --a------ c:\winxp\system32\mucltui.dll
2009-02-06 17:15 . 2008-10-16 14:06 27,496 --a------ c:\winxp\system32\mucltui.dll.mui
2009-02-05 23:01 . 2009-02-05 23:10 250 --a------ c:\winxp\gmer.ini
2009-02-03 15:46 . 2009-02-03 15:46 45,568 --------- c:\winxp\system32\clickfile.exe
2009-01-31 11:41 . 2009-01-31 11:42 <DIR> d-------- C:\rsit
2009-01-31 10:38 . 2009-01-31 10:38 <DIR> d-------- C:\VundoFix Backups
2009-01-28 19:58 . 2009-01-28 19:58 <DIR> d-------- c:\program files\ERUNT
2009-01-28 16:29 . 2001-08-17 14:02 9,600 --a------ c:\winxp\system32\drivers\hidusb.sys
2009-01-26 20:50 . 2009-01-26 20:50 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\TEMP
2009-01-26 20:39 . 2009-01-26 20:39 <DIR> d-------- c:\program files\COMODO
2009-01-26 20:39 . 2009-01-26 20:44 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\comodo
2009-01-26 20:39 . 2009-01-26 20:39 147,192 --a------ c:\winxp\system32\guard32.dll
2009-01-26 20:39 . 2009-01-26 20:39 101,776 --a------ c:\winxp\system32\drivers\cmdguard.sys
2009-01-26 20:39 . 2009-01-26 20:39 31,504 --a------ c:\winxp\system32\drivers\cmdhlp.sys
2009-01-25 18:23 . 2009-01-25 18:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:23 . 2009-01-25 18:23 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Malwarebytes
2009-01-25 18:23 . 2009-01-25 18:23 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-01-25 18:23 . 2009-01-14 16:11 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2009-01-25 18:23 . 2009-01-14 16:11 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2009-01-25 18:18 . 2009-01-25 18:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 11:01 . 2009-01-26 19:57 <DIR> d-------- c:\program files\a-squared Anti-Malware
2009-01-24 17:34 . 2009-01-24 17:34 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Canon
2009-01-21 17:44 . 2009-01-21 17:44 <DIR> d-------- c:\winxp\system32\LogFiles
2009-01-21 16:05 . 2009-01-21 16:05 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\cs
2009-01-10 13:22 . 2009-01-10 13:31 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Download Manager
2009-01-09 17:06 . 2009-01-09 17:06 <DIR> d-------- c:\program files\TextPad 5
2009-01-09 17:06 . 2009-01-09 17:06 <DIR> d-------- c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Helios

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 16:38 --------- d-----w c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\ZoomBrowser EX
2009-02-08 15:40 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\ZoomBrowser
2009-01-27 01:54 --------- d-----w c:\program files\SpywareBlaster
2009-01-22 20:09 --------- d-----w c:\program files\FlightGear
2009-01-13 20:04 --------- d-----w c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Move Networks
2009-01-09 19:58 --------- d-----w c:\program files\Java
2009-01-03 16:08 --------- d-----w c:\program files\DB Maker
2009-01-01 15:31 --------- d-----w c:\program files\Canon
2009-01-01 15:00 --------- d-----w c:\program files\Common Files\Canon
2008-12-31 15:39 --------- d-----w c:\program files\Common Files\Adobe
2008-12-31 15:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-25 16:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-25 16:45 --------- d-----w c:\program files\LeapFrog
2008-12-23 00:15 --------- d-----w c:\program files\BricxCC
2008-12-23 00:15 --------- d-----w c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\JoCar Consulting
2008-12-23 00:14 796,672 ----a-w c:\winxp\GPInstall.exe
2008-12-23 00:12 --------- d-----w c:\program files\PRO-BOT2000
2008-12-22 23:28 --------- d-----w c:\program files\Free iPod Video Converter
2008-12-22 01:39 --------- d-----w c:\program files\HP
2008-12-22 01:36 --------- d-----w c:\program files\Hewlett-Packard
2008-12-21 20:46 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\FLEXnet
2008-12-19 20:08 --------- d-----w c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Amazon
2008-12-19 20:06 --------- d-----w c:\program files\Amazon
2008-12-10 23:30 --------- d-----w c:\program files\Citrix
2008-12-04 21:52 2,131,968 ----a-w c:\winxp\system32\python26.dll
2008-12-03 02:55 499,712 ----a-w c:\winxp\system32\msvcp71.dll
2008-11-10 10:43 410,984 ----a-w c:\winxp\system32\deploytk.dll
2007-07-03 15:47 626,688 ----a-w c:\program files\Common Files\sapconsaccess.dll
2007-07-03 15:47 40,960 ----a-w c:\program files\Common Files\DigitalSignature.ocx
2007-07-03 15:47 3,100,672 ----a-w c:\program files\Common Files\sapxlhelper.dll
2007-07-03 15:47 192,512 ----a-w c:\program files\Common Files\sapconsr3.dll
2007-07-03 15:47 1,129,984 ----a-w c:\program files\Common Files\SAPActiveXL.xlt
2007-07-03 15:47 1,124,864 ----a-w c:\program files\Common Files\SAPActiveXL_nosig.xlt
2004-12-10 02:49 82,032 ----a-w c:\documents and settings\becca usoff\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-06_17.20.06.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\winxp\ERDNT\AutoBackup\2-7-2009\ERDNT.EXE
+ 2009-02-07 15:11:02 5,226,496 ----a-w c:\winxp\ERDNT\AutoBackup\2-7-2009\Users\00000001\NTUSER.DAT
+ 2009-02-07 15:11:03 270,336 ----a-w c:\winxp\ERDNT\AutoBackup\2-7-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-06\ERDNT.EXE
+ 2009-02-06 22:13:47 5,218,304 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-06\Users\00000001\NTUSER.DAT
+ 2009-02-06 22:13:49 270,336 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-06\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-07\ERDNT.EXE
+ 2009-02-07 15:28:10 5,234,688 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-07\Users\00000001\NTUSER.DAT
+ 2009-02-07 15:28:10 270,336 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-07\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-08\ERDNT.EXE
+ 2009-02-08 14:30:12 5,234,688 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-08\Users\00000001\NTUSER.DAT
+ 2009-02-08 14:30:13 270,336 ----a-w c:\winxp\ERDNT\AutoBackup\2009-02-08\Users\00000002\UsrClass.dat
+ 2007-07-27 19:49:02 196,683 ----a-w c:\winxp\system32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w c:\winxp\system32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w c:\winxp\system32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w c:\winxp\system32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w c:\winxp\system32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w c:\winxp\system32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w c:\winxp\system32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w c:\winxp\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 15:11:34 258,352 ----a-w c:\winxp\system32\unicows.dll
+ 2009-02-08 14:30:27 16,384 ----atw c:\winxp\temp\Perflib_Perfdata_220.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"NvMediaCenter"="c:\winxp\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\winxp\UpdReg.EXE" [2000-05-11 90112]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-02 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HPDJ Taskbar Utility"="c:\winxp\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-07 176128]
"NvCplDaemon"="c:\winxp\system32\NvCpl.dll" [2003-10-06 5058560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-26 1797880]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\winxp\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2003-10-06 c:\winxp\system32\nwiz.exe]

c:\documents and settings\Joe.JU-9FD65CF29BBF\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-07 113664]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2008-09-06 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\winxp\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Robotics Academy\\ROBOTC for Mindstorms\\RobotC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\winxp\system32\drivers\cmdguard.sys [2009-01-26 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\winxp\system32\drivers\cmdhlp.sys [2009-01-26 31504]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\winxp\system32\drivers\fantom.sys [2007-05-30 39424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\winxp\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Mozilla\Firefox\Profiles\lbc0h4r4.default\
FF - plugin: c:\documents and settings\Joe.JU-9FD65CF29BBF\Application Data\Mozilla\Firefox\Profiles\lbc0h4r4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 17:38:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-08 17:48:36
ComboFix-quarantined-files.txt 2009-02-08 22:48:33
ComboFix2.txt 2009-02-06 22:21:46

Pre-Run: 25,699,119,104 bytes free
Post-Run: 25,695,379,456 bytes free

209 --- E O F --- 2009-01-01 14:52:00
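An added triage example, not part of the thread and not ComboFix's own code: the log above shows the footprint this infection left (three 8-letter mixed-case DLL names in system32 under "Previous Run", randomly named Legacy_/Service_ keys under Drivers/Services, AntiVirusOverride set to 1 under Security Center, and an AutoRun command on a removable drive). The script below runs simple heuristics over lines copied from that log; the naming rules are this example's assumptions (a triage aid, not a detection signature), and deploytk.dll (Java) is included as a legitimate 8-letter name that must not be flagged.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted above,
# plus deploytk.dll (Java) as a legitimate 8-letter name that must not be flagged.
SAMPLE_LOG = r"""
c:\winxp\system32\ddcDwxya.dll
c:\winxp\system32\geBuRJby.dll
c:\winxp\system32\khfExutr.dll
2009-01-26 20:39 . 2009-01-26 20:39 147,192 --a------ c:\winxp\system32\guard32.dll
2008-11-10 10:43 410,984 ----a-w c:\winxp\system32\deploytk.dll
-------\Legacy_CFHHMMXS
-------\Service_aylnlfdx
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\winxp\system32\drivers\cmdguard.sys [2009-01-26 101776]
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
"""

# A DLL directly under system32; the stem is captured for the naming check.
DLL_RE = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.dll\b", re.IGNORECASE)
# ComboFix prints service/legacy keys it removed as "-------\Legacy_NAME" / "-------\Service_NAME".
SVC_RE = re.compile(r"^-------\\(?:Legacy|Service)_([A-Za-z0-9]+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)


def looks_vundo_dll(stem):
    """Heuristic (this example's assumption, not a signature): exactly 8 letters,
    no digits, with capitals scattered after the first character, as in
    ddcDwxya / geBuRJby / khfExutr. All-lowercase names such as deploytk pass."""
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem[1:])
            and any(c.islower() for c in stem))


def looks_random_service(name):
    """Heuristic: 8 letters in a single case and no digits (cfhhmmxs, YAPGVGBW)."""
    return len(name) == 8 and name.isalpha() and (name.islower() or name.isupper())


def triage(log_text):
    """Return (severity, reason, line) findings for one ComboFix log."""
    findings = []
    current_key = ""          # most recent [HKEY_...] header in the REGEDIT4 section
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_DWORD_RE.match(line)
        if m and current_key.endswith("security center"):
            # AntiVirusOverride=1 silences the XP Security Center "no antivirus" alert.
            # A user or AV installer can set it, but malware does too; ask the poster.
            if m.group(1).lower() == "antivirusoverride" and int(m.group(2), 16) == 1:
                findings.append(("high", "Security Center AntiVirusOverride is set", line))
            continue
        m = AUTORUN_RE.search(line)
        if m and "mountpoints2" in current_key:
            # AutoRun on a removable drive is a reinfection path even when the
            # launcher itself (here a U3 USB stick) is legitimate.
            findings.append(("info", "AutoRun command on removable drive: " + m.group(1), line))
            continue
        m = SVC_RE.match(line)
        if m and looks_random_service(m.group(1)):
            findings.append(("high", "randomly named service/legacy key: " + m.group(1), line))
            continue
        for stem in DLL_RE.findall(line):
            if looks_vundo_dll(stem):
                findings.append(("high", "Vundo-style DLL name in system32: " + stem + ".dll", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Running it prints seven findings: the three DLL names, the two service keys, the AntiVirusOverride value and the AutoRun entry, while guard32.dll and deploytk.dll stay quiet. The `-------\` service lines are what ComboFix prints for keys it has already removed, so those two hits are confirmation of cleanup rather than live entries; the DLL paths under "Previous Run" likewise describe the earlier run. Treat every hit as something to verify against the next log, not as a verdict.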

#13 Hugh_DaMann

  • Topic Starter
  • Members
  • 10 posts

Posted 08 February 2009 - 05:59 PM

Thank you again for all of your assistance. It is greatly appreciated. The computer appears to be running much better now.

I see that I now have a ton of updates to run. I have held off on running them until we were through, but I will go back and do those as soon as we are through.

#14 fenzodahl512

  • Members
  • 6,738 posts

Posted 08 February 2009 - 10:28 PM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 Hugh_DaMann

  • Topic Starter
  • Members
  • 10 posts

Posted 08 February 2009 - 11:23 PM

I ran OTCleanIt and everything appears to be working fine.
At the outset of this, I was seeing Firefox windows appearing with addresses of a variety of companies, most of which I had never heard of before. I tried several things to remove whatever malware was present but it kept reappearing. This is no longer occurring and everything appears to be cleaned up.

Thanks fenzodahl512.
You da Man. :thumbup2:



