
Help Self Generating VUNDO from ragezone.com


  • This topic is locked
8 replies to this topic

#1 Zanthiel

Zanthiel

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:51 AM

Posted 11 February 2009 - 01:57 AM

Help with a self-generating Vundo virus I got from forum.ragezone.com while looking for information on MMORPGs.

I cleaned it literally over 10 times, in normal Windows and in Safe Mode.

I ran the latest updates of Malwarebytes and S&D and the latest HijackThis files.

Thank you in advance!



Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 2

2/10/2009 10:52:25 PM
mbam-log-2009-02-10 (22-52-25).txt

Scan type: Quick Scan
Objects scanned: 50974
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f2afbc7-8874-4e5d-901e-596aecebc366} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qtxrflkc (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f2afbc7-8874-4e5d-901e-596aecebc366} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\qhiotpq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:33 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HIJACKTHIS\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Admin\tqisc.exe \s,
O2 - BHO: (no name) - {0F2AFBC7-8874-4E5D-901E-596AECEBC366} - c:\windows\system32\qhiotpq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: qtxrflkc - C:\WINDOWS\SYSTEM32\qhiotpq.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4432 bytes
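
As an added example (not code from this thread or from HijackThis): a small Python triage script that reads HijackThis-style log lines and flags the persistence entries visible in logs like the one above, namely the F2 UserInit hijack, the unnamed O2 BHO, the O20 Winlogon Notify DLL, and a core-binary name such as services.exe running from anywhere other than system32. The sample log is constructed from entries of the kind this thread's logs contain; the heuristics and function names are assumptions, not a vendor signature.

```python
"""Triage a HijackThis v2 log for persistence entries typical of a Vundo
infection: F2 UserInit hijack, unnamed O2 BHO, O20 Winlogon Notify DLL,
O4 Run entries, and core-binary names running outside system32.

Added example, not code from this thread or from HijackThis.  The sample log
is constructed; the heuristics are analyst assumptions, not a vendor signature.
"""
import re
from collections import Counter

SYSTEM32 = r"c:\windows\system32"
LEGIT_USERINIT = SYSTEM32 + r"\userinit.exe"
# Core NT binaries live only in system32; the same file name anywhere else
# (e.g. C:\WINDOWS\services.exe) is a masquerade.
CORE_BINARIES = {"services.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "svchost.exe"}
_PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)

# Constructed sample: a few 'Running processes' lines plus HijackThis entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Admin\tqisc.exe \s,
O2 - BHO: (no name) - {0F2AFBC7-8874-4E5D-901E-596AECEBC366} - c:\windows\system32\qhiotpq.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [ntoayldz.exe] C:\WINDOWS\ntoayldz.exe (User 'SYSTEM')
O20 - Winlogon Notify: qtxrflkc - C:\WINDOWS\SYSTEM32\qhiotpq.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def extract_paths(text):
    """Lower-cased drive-letter paths ending in .exe/.dll found in a log line."""
    return [m.group(1).lower() for m in _PATH_RE.finditer(text)]


def masquerades(path):
    """True when a core NT binary name sits anywhere other than system32."""
    name = path.rsplit("\\", 1)[-1]
    return name in CORE_BINARIES and not path.startswith(SYSTEM32 + "\\")


def userinit_extras(line):
    """Executables chained onto UserInit besides the real userinit.exe."""
    value = line.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != LEGIT_USERINIT]


def triage(log_text):
    """Return findings as dicts with severity, reason and the offending line."""
    findings = []

    def flag(severity, reason, line):
        findings.append({"severity": severity, "reason": reason, "line": line})

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if re.match(r"[a-z]:\\", line, re.IGNORECASE):   # 'Running processes' entry
            if masquerades(line.lower()):
                flag("high", "running process masquerades as a core binary", line)
        elif kind == "F2" and "UserInit=" in line:
            for extra in userinit_extras(line):
                flag("high", f"extra executable chained onto UserInit: {extra}", line)
        elif kind == "O2" and "(no name)" in line:
            flag("medium", "BHO registered without a name", line)
        elif kind == "O4":
            for path in extract_paths(line):
                if masquerades(path):
                    flag("high", f"Run entry launches {path} (core name outside system32)", line)
            if "(User 'SYSTEM')" in line or "(User 'Default user')" in line:
                flag("medium", "Run entry under the SYSTEM/Default user profile", line)
        elif kind == "O20" and "Winlogon Notify" in line:
            # HijackThis hides the Windows defaults, so anything listed here is
            # third-party; a random-named DLL in system32 is the Vundo pattern.
            flag("high", "non-default Winlogon Notify package", line)
    return findings


def process_counts(log_text):
    """Occurrences of each path under 'Running processes'; dozens of identical
    cmd.exe / services.exe entries are the self-respawning behaviour."""
    counts, in_section = Counter(), False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Running processes"):
            in_section = True
        elif in_section and not line:
            break
        elif in_section:
            counts[line.lower()] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}")
```

Feed it a real log (the whole file, header lines included) and the process counter alone makes a respawning storm like the one in this thread obvious.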


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 11 February 2009 - 03:28 AM

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. RSIT log.txt
2. RSIT info.txt
3. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Zanthiel

Zanthiel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:51 AM

Posted 11 February 2009 - 01:27 PM

fenzodahl512,

I woke up, did what you requested and downloaded all the required programs. When I got to gmer.exe, my computer went crazy and locked up and would not run gmer.exe to get its log. I logged on to another computer to post the required documents you wanted.

So I posted the log.txt and info.txt from RSIT; sorry, this is the best I can do. I'll keep trying to get it, but the computer continues to execute cmd.exe commands that bog down the computer.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Admin at 2009-02-11 09:48:36
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 46 GB (69%) free of 67 GB
Total RAM: 511 MB (22% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:39 AM, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\Admin\Desktop\RSIT.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe
C:\Program Files\HIJACKTHIS\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Admin\tqisc.exe \s,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntoayldz.exe] C:\WINDOWS\ntoayldz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntoayldz.exe] C:\WINDOWS\ntoayldz.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9475 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMCTray.dll [2006-10-22 86016]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-08-17 110592]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"itype"=c:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2005-12-04 461584]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-10-30 136600]
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 176128]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 69632]
"hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-22 97792]
"services"=C:\WINDOWS\services.exe [2009-02-11 55809]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 32256]
"Aim6"= []
"PowerBar"= []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\mlJAsPjh

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fmrxzpwi.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\isiyjlee.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winav20.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\zvfthryx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\fmrxzpwi.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\isiyjlee.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winav20.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\zvfthryx.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{909f3aa1-96df-11dc-b4f7-806d6172696f}]
shell\AutoRun\command - F:\setup.exe


======List of files/folders created in the last 3 months======

2009-02-11 09:28:02 ----D---- C:\rsit
2009-02-11 09:08:29 ----A---- C:\WINDOWS\system32\4.tmp
2009-02-11 09:08:29 ----A---- C:\WINDOWS\system32\3.tmp
2009-02-11 07:46:56 ----A---- C:\WINDOWS\system32\75.tmp
2009-02-11 07:00:26 ----A---- C:\WINDOWS\system32\5F.tmp
2009-02-11 06:34:30 ----A---- C:\WINDOWS\ntoayldz.exe
2009-02-11 06:31:50 ----A---- C:\WINDOWS\system32\4D.tmp
2009-02-11 06:31:45 ----A---- C:\WINDOWS\services.exe
2009-02-11 06:31:44 ----A---- C:\WINDOWS\file.bat
2009-02-11 06:31:37 ----A---- C:\WINDOWS\system32\48.tmp
2009-02-10 21:33:59 ----D---- C:\Program Files\HIJACKTHIS
2009-02-10 21:33:09 ----A---- C:\WINDOWS\system32\24.tmp
2009-02-10 21:33:08 ----A---- C:\WINDOWS\system32\23.tmp
2009-02-10 21:17:45 ----A---- C:\WINDOWS\system32\1F.tmp
2009-02-10 21:17:44 ----A---- C:\WINDOWS\system32\1E.tmp
2009-02-10 17:18:43 ----A---- C:\WINDOWS\wininit.ini
2009-02-10 15:12:48 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-10 15:12:48 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 15:01:42 ----A---- C:\WINDOWS\system32\15F.tmp
2009-02-10 15:01:41 ----A---- C:\WINDOWS\system32\15E.tmp
2009-02-10 14:11:28 ----D---- C:\WINDOWS\Minidump
2009-02-10 12:03:16 ----D---- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2009-02-10 12:03:11 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-10 12:03:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-10 11:35:55 ----D---- C:\WINDOWS\pss
2009-02-10 11:34:49 ----A---- C:\WINDOWS\system32\182.tmp
2009-02-10 11:34:49 ----A---- C:\WINDOWS\system32\181.tmp
2009-02-10 11:32:15 ----A---- C:\WINDOWS\system32\17A.tmp
2009-02-10 11:32:14 ----A---- C:\WINDOWS\system32\179.tmp
2009-02-10 11:32:10 ----D---- C:\Program Files\system
2009-02-10 11:29:24 ----A---- C:\WINDOWS\system32\hgwghd.dll
2009-02-10 11:29:22 ----A---- C:\WINDOWS\system32\kooopymf.dll
2009-02-10 11:29:20 ----A---- C:\WINDOWS\system32\0f703ead-.txt
2009-02-10 11:28:37 ----A---- C:\WINDOWS\system32\mlJAsPjh.dll.vir
2009-02-10 11:02:04 ----D---- C:\Program Files\Common Files\INCA Shared
2009-02-10 08:58:04 ----D---- C:\Program Files\Lineage II
2009-02-10 08:57:32 ----D---- C:\Documents and Settings\Admin\Application Data\InstallShield
2009-02-02 22:02:04 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2009-02-02 21:55:15 ----D---- C:\Program Files\Firaxis Games
2009-01-17 14:48:37 ----D---- C:\Documents and Settings\Admin\Application Data\U3
2008-12-11 22:10:12 ----D---- C:\Documents and Settings\Admin\Application Data\HPAppData
2008-12-10 20:16:52 ----D---- C:\Documents and Settings\Admin\Application Data\HP
2008-12-10 20:16:19 ----D---- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-12-10 20:13:19 ----D---- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-12-10 20:13:19 ----D---- C:\Documents and Settings\All Users\Application Data\HP
2008-12-10 20:13:01 ----D---- C:\Program Files\Hewlett-Packard
2008-12-10 20:12:57 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2008-12-10 20:12:44 ----D---- C:\Program Files\Common Files\HP
2008-12-10 20:12:07 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-12-10 20:11:58 ----RA---- C:\WINDOWS\system32\hpzids01.dll
2008-12-10 20:11:57 ----A---- C:\WINDOWS\system32\hpzll5mu.dll
2008-12-10 20:11:06 ----RA---- C:\WINDOWS\system32\hppldcoi.dll
2008-12-10 20:11:06 ----RA---- C:\WINDOWS\system32\hpowiax7.dll
2008-12-10 20:11:06 ----RA---- C:\WINDOWS\system32\hpovst15.dll
2008-12-10 20:11:06 ----RA---- C:\WINDOWS\system32\hpotscl6.dll
2008-12-10 20:11:06 ----RA---- C:\WINDOWS\system32\difxapi.dll
2008-12-10 20:09:43 ----D---- C:\Program Files\HP
2008-12-10 20:05:57 ----A---- C:\WINDOWS\lexstat.ini
2008-12-10 14:09:47 ----D---- C:\LXKZ11
2008-12-01 20:33:17 ----D---- C:\Documents and Settings\Admin\Application Data\MGForex
2008-11-17 20:33:40 ----D---- C:\Program Files\Audacity
2008-11-17 17:54:14 ----D---- C:\Program Files\QuickTime
2008-11-17 17:54:05 ----D---- C:\Program Files\Xilisoft
2008-11-17 14:33:00 ----D---- C:\Documents and Settings\Admin\Application Data\Arctic
2008-11-17 14:32:58 ----D---- C:\Program Files\Arctic
2008-11-17 13:32:42 ----D---- C:\Documents and Settings\Admin\Application Data\vlc
2008-11-17 13:31:53 ----D---- C:\Documents and Settings\Admin\Application Data\dvdcss
2008-11-17 13:29:30 ----D---- C:\Program Files\VideoLAN
2008-11-14 03:05:03 ----D---- C:\Documents and Settings\Admin\Application Data\DivX
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\vxblock.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxwave.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxsfs.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxmas.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxinsi64.exe
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxinsa64.exe
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxhpinst.exe
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxdrv.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxcpyi64.exe
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxcpya64.exe
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\pxafs.dll
2008-11-14 03:00:26 ----A---- C:\WINDOWS\system32\px.dll
2008-11-14 03:00:14 ----D---- C:\Program Files\DivX
2008-11-14 02:53:46 ----D---- C:\Program Files\Xvid
2008-11-14 02:53:46 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2008-11-14 02:53:46 ----A---- C:\WINDOWS\system32\xvidcore.dll
2008-11-13 02:30:53 ----D---- C:\Documents and Settings\Admin\Application Data\Ahead
2008-11-13 01:51:15 ----D---- C:\Ripped DVD
2008-11-13 01:50:46 ----A---- C:\WINDOWS\system32\WNASPI32.DLL
2008-11-13 01:44:10 ----D---- C:\Documents and Settings\Admin\Application Data\CyberLink
2008-11-13 01:42:26 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-11-13 01:42:23 ----D---- C:\Program Files\CyberLink
2008-11-13 01:42:15 ----D---- C:\Program Files\CyberLink DVD Solution
2008-11-13 01:32:58 ----RA---- C:\WINDOWS\system32\picn20.dll
2008-11-13 01:32:56 ----RA---- C:\WINDOWS\system32\ImagXpr5.dll
2008-11-13 01:32:56 ----RA---- C:\WINDOWS\system32\imagx5.dll
2008-11-13 01:32:56 ----RA---- C:\WINDOWS\system32\imagr5.dll
2008-11-13 01:32:53 ----RA---- C:\WINDOWS\system32\NeroCheck.exe
2008-11-13 01:32:53 ----D---- C:\Program Files\Common Files\Ahead
2008-11-13 01:32:49 ----D---- C:\Program Files\Ahead

======List of files/folders modified in the last 3 months======

2009-02-11 09:44:16 ----AD---- C:\WINDOWS\Temp
2009-02-11 09:42:56 ----D---- C:\WINDOWS
2009-02-11 09:41:52 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-11 09:17:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-11 09:15:10 ----D---- C:\Program Files\Mozilla Firefox
2009-02-11 09:08:59 ----D---- C:\WINDOWS\system32
2009-02-11 08:35:41 ----D---- C:\WINDOWS\Prefetch
2009-02-11 06:34:32 ----D---- C:\WINDOWS\system32\drivers
2009-02-10 22:39:16 ----SHD---- C:\System Volume Information
2009-02-10 22:39:16 ----D---- C:\WINDOWS\system32\Restore
2009-02-10 22:38:21 ----SD---- C:\WINDOWS\Tasks
2009-02-10 22:30:01 ----RD---- C:\Program Files
2009-02-10 22:29:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-10 22:10:28 ----SHD---- C:\RECYCLER
2009-02-10 20:23:17 ----D---- C:\Program Files\Microsoft IntelliPoint
2009-02-10 16:56:37 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-02-10 15:00:48 ----HD---- C:\WINDOWS\inf
2009-02-10 11:17:00 ----D---- C:\WINDOWS\Registration
2009-02-10 11:02:04 ----D---- C:\Program Files\Common Files
2009-02-10 08:58:03 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-02 21:59:31 ----SHD---- C:\WINDOWS\Installer
2009-02-02 21:54:54 ----D---- C:\Program Files\Common Files\InstallShield
2009-01-16 22:38:18 ----D---- C:\WINDOWS\SoftwareDistribution
2009-01-14 23:27:06 ----D---- C:\WINDOWS\Help
2008-12-21 22:10:44 ----SD---- C:\Documents and Settings\Admin\Application Data\Microsoft
2008-12-15 10:44:20 ----D---- C:\Documents and Settings\Admin\Application Data\Adobe
2008-12-12 10:37:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-10 20:16:01 ----A---- C:\WINDOWS\win.ini
2008-12-10 20:14:03 ----D---- C:\WINDOWS\WinSxS
2008-12-10 20:13:08 ----D---- C:\WINDOWS\twain_32
2008-12-10 20:10:12 ----DC---- C:\WINDOWS\system32\DRVSTORE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2007-09-17 16512]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-08-19 3644800]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 Passthru;Service; C:\WINDOWS\system32\DRIVERS\ndisio.sys [2009-02-10 53248]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-12-01 21760]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-04 74496]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 ethvgreg;ethvgreg; C:\WINDOWS\system32\drivers\ethvgreg.sys [2009-02-11 137632]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 seneka;seneka; C:\WINDOWS\system32\drivers\senekakyarwipx.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys []
S3 dump_wmimmc;dump_wmimmc; \??\C:\Program Files\Lineage II\system\GameGuard\dump_wmimmc.sys []
S3 E1000;Intel® PRO/1000 Adapter Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2003-08-13 125952]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 npkcrypt;npkcrypt; \??\C:\Program Files\Lineage II\system\npkcrypt.sys []
S3 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-03 168432]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 31232]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-30 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 290816]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 31232]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 180290]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 31232]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 31232]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 31232]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45132]

-----------------EOF-----------------

Edited by Zanthiel, 11 February 2009 - 04:37 PM.


#4 Zanthiel


Posted 11 February 2009 - 04:38 PM

Here is the info.txt

info.txt logfile of random's system information tool 1.05 2009-02-11 09:28:13

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Ahead Nero Burning ROM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
AIM 6-->C:\Program Files\AIM6\uninst.exe
Arctic Torrent 1.2.3-->"C:\Program Files\Arctic\unins000.exe"
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Civilization III-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2157961D-0507-44A8-BCF2-1EE2D439E8DF}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\HijackThis.exe" /uninstall
HP Customer Participation Program 10.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3-->C:\Program Files\HP\Digital Imaging\{D77D43B5-ED55-426b-B67B-E21F804F6102}\setup\hpzscr01.exe -datfile hposcr27.dat -onestop
HP Imaging Device Functions 10.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential 2.5-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
HP Solution Center 10.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{11B83AD3-7A46-4C2E-A568-9505981D4C6F}
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Khmer Unicode 1.2.5-->C:\Program Files\Khmer Unicode 1.2\Uninstal.exe
Khmer Unicode Keyboard (NIDA 1.0)-->MsiExec.exe /I{C5C0DE57-0BB6-4B40-8FDC-BC7FA8EE087A}
Lexmark 3100 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
Lineage II-->C:\Program Files\InstallShield Installation Information\{430B1017-1B12-420C-8F27-05D0EC2995E0}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSUlvc06 Lossless Video Codec 0.6.0 (Remove Only)-->RunDLL32.exe advpack.dll,LaunchINFSection msulvc06.INF, DefaultUnInstall
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OCR Software by I.R.I.S. 10.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VLC media player 0.9.6-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Xilisoft DVD Ripper Ultimate-->C:\Program Files\Xilisoft\DVD Ripper Ultimate 5\Uninstall.exe
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

=====HijackThis Backups=====

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O2 - BHO: (no name) - {0F2AFBC7-8874-4E5D-901E-596AECEBC366} - c:\windows\system32\pkwopmq.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O20 - Winlogon Notify: qtxrflkc - C:\WINDOWS\SYSTEM32\pkwopmq.dll
O20 - AppInit_DLLs: hgwghd.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Admin\pkknelh.exe \s
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O20 - Winlogon Notify: qtxrflkc - C:\WINDOWS\SYSTEM32\pkwopmq.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O2 - BHO: (no name) - {0F2AFBC7-8874-4E5D-901E-596AECEBC366} - c:\windows\system32\pkwopmq.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Admin\vfb.exe \s

======Hosts File======

192.168.2.3 L2authd.lineage2.com

System event log

Computer Name: ZION
Event Code: 7035
Message: The Background Intelligent Transfer Service service was successfully sent a start control.

Record Number: 18735
Source Name: Service Control Manager
Time Written: 20090112220625.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ZION
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 18734
Source Name: Service Control Manager
Time Written: 20090112220302.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 18733
Source Name: Service Control Manager
Time Written: 20090112220257.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 18732
Source Name: Service Control Manager
Time Written: 20090112220257.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 7035
Message: The Application Layer Gateway Service service was successfully sent a start control.

Record Number: 18731
Source Name: Service Control Manager
Time Written: 20090112220257.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: ZION
Event Code: 100
Message: wuauclt (1644) The database engine 5.01.2600.2180 started.

Record Number: 520
Source Name: ESENT
Time Written: 20081114025107.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 519
Source Name: SecurityCenter
Time Written: 20081114025022.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 0
Message:
Record Number: 518
Source Name: Viewpoint Manager Service
Time Written: 20081114025022.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 0
Message:
Record Number: 517
Source Name: gusvc
Time Written: 20081114025022.000000-480
Event Type: information
User:

Computer Name: ZION
Event Code: 1000
Message: Faulting application dvdx.exe, version 2.10.0.240, faulting module dvdx.exe, version 2.10.0.240, fault address 0x001c194b.

Record Number: 516
Source Name: Application Error
Time Written: 20081114024829.000000-480
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0303
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#5 fenzodahl512


Posted 11 February 2009 - 10:18 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[two screenshots of the rename step omitted]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 Zanthiel


Posted 12 February 2009 - 12:13 AM

It was intense getting ComboFix up and running; it managed to download the Recovery Console. The computer was forced to restart and wouldn't let it finish the process, but slowly ComboFix was deleting file after file whenever it was able to run, and lo and behold the computer became stable enough to produce the log.

Thank you so much, I feel so relieved now.

ComboFix 09-02-11.02 - Admin 2009-02-11 20:43:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.288 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\services.exe
c:\windows\system32\9.tmp
c:\windows\system32\C.tmp
c:\windows\system32\E.tmp
.
---- Previous Run -------
.
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\system\smss.exe.assembly
c:\windows\services.exe
c:\windows\system32\_pkwopmq.dll
c:\windows\system32\9.tmp
c:\windows\system32\C.tmp
c:\windows\system32\drivers\senekakyarwipx.sys
c:\windows\system32\drivers\UACwbnripmp.sys
c:\windows\system32\E.tmp
c:\windows\system32\hgwghd.dll
c:\windows\system32\kooopymf.dll
c:\windows\system32\senekaapydoulh.dat
c:\windows\system32\senekadqpqmoij.dat
c:\windows\system32\senekasnqvvrvk.dll
c:\windows\system32\senekathkdpamt.dll
c:\windows\system32\senekawqomlhlt.dll
c:\windows\system32\UACbgrqhcty.log
c:\windows\system32\UACbqpabuxn.dat
c:\windows\system32\UACfkkkjtxh.log
c:\windows\system32\UACkppbomya.dll
c:\windows\system32\UACoyfvmevf.dll
c:\windows\system32\UACruxdkbyu.dll
c:\windows\system32\UACwghylkse.dll
c:\windows\system32\UACwpbnjqgm.log

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SENEKA
-------\Legacy_LOGICAL_DISK_MANAGER_(NDIS)
-------\Legacy_NFR.SYS
-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-11 20:39 . 2009-02-11 20:39 11,264 --ah----- c:\documents and settings\Admin\utk.exe
2009-02-11 20:33 . 2009-02-11 20:33 162,980 --a------ c:\windows\system32\14.tmp
2009-02-11 20:33 . 2009-02-11 20:33 31,744 --ah----- c:\documents and settings\Admin\ssle.exe
2009-02-11 20:33 . 2009-02-11 20:33 25,601 --a------ c:\windows\system32\15.tmp
2009-02-11 20:33 . 2009-02-11 20:33 128 --a------ c:\windows\system32\2.tmp
2009-02-11 20:14 . 2009-02-11 20:14 162,980 --a------ c:\windows\system32\11.tmp
2009-02-11 20:14 . 2009-02-11 20:14 31,744 --ah----- c:\documents and settings\Admin\wfmyvke.exe
2009-02-11 20:14 . 2009-02-11 20:14 25,601 --a------ c:\windows\system32\13.tmp
2009-02-11 20:14 . 2009-02-11 20:14 128 --a------ c:\windows\system32\F.tmp
2009-02-11 20:12 . 2009-02-11 20:12 25,601 --a------ c:\windows\system32\12.tmp
2009-02-11 20:12 . 2009-02-11 20:12 3,584 --a------ c:\windows\hdletoil.exe
2009-02-11 20:10 . 2009-02-11 20:10 128 --a------ c:\windows\system32\D.tmp
2009-02-11 17:44 . 2009-02-11 17:45 25,601 --a------ c:\windows\system32\10.tmp
2009-02-11 17:44 . 2009-02-11 17:44 3,584 --a------ c:\windows\fprurxsr.exe
2009-02-11 17:42 . 2009-02-11 17:42 128 --a------ c:\windows\system32\B.tmp
2009-02-11 10:16 . 2009-02-11 10:16 60,253 --a------ c:\windows\system32\A.tmp
2009-02-11 10:11 . 2009-02-11 10:11 22,813 --a------ c:\windows\system32\8.tmp
2009-02-11 10:11 . 2009-02-11 10:11 132 --a------ c:\windows\system32\7.tmp
2009-02-11 10:08 . 2009-02-11 10:08 19,933 --a------ c:\windows\system32\6.tmp
2009-02-11 10:08 . 2009-02-11 10:08 132 --a------ c:\windows\system32\5.tmp
2009-02-11 09:41 . 2008-04-17 21:13 831,488 --a------ c:\documents and settings\Admin\gmer.exe
2009-02-11 09:28 . 2009-02-11 09:48 <DIR> d-------- C:\rsit
2009-02-11 09:08 . 2009-02-11 09:08 175,453 --a------ c:\windows\system32\4.tmp
2009-02-11 09:08 . 2009-02-11 09:08 132 --a------ c:\windows\system32\3.tmp
2009-02-11 07:46 . 2009-02-11 07:46 0 --a------ c:\windows\system32\75.tmp
2009-02-11 07:00 . 2009-02-11 07:00 0 --a------ c:\windows\system32\5F.tmp
2009-02-11 06:34 . 2009-02-11 20:12 137,632 --a------ c:\windows\system32\drivers\ethvgreg.sys
2009-02-11 06:34 . 2009-02-11 06:34 3,584 --a------ c:\windows\ntoayldz.exe
2009-02-11 06:32 . 2009-02-11 06:32 5,004 --a------ c:\windows\system32\uacinit.dll
2009-02-11 06:31 . 2009-02-11 06:34 162,980 --a------ c:\windows\system32\4D.tmp
2009-02-11 06:31 . 2009-02-11 06:31 128 --a------ c:\windows\system32\48.tmp
2009-02-11 05:13 . 2009-02-11 05:13 33,920 --a------ c:\windows\system32\drivers\zvfthryx.sys
2009-02-10 22:23 . 2009-02-10 22:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-10 21:33 . 2009-02-10 21:33 162,816 --a------ c:\windows\system32\24.tmp
2009-02-10 21:33 . 2009-02-10 21:33 88 --a------ c:\windows\system32\23.tmp
2009-02-10 21:17 . 2009-02-10 21:17 162,816 --a------ c:\windows\system32\1F.tmp
2009-02-10 21:17 . 2009-02-10 21:17 88 --a------ c:\windows\system32\1E.tmp
2009-02-10 17:18 . 2009-02-10 18:10 155 --a------ c:\windows\wininit.ini
2009-02-10 15:12 . 2009-02-10 15:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-10 15:12 . 2009-02-10 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 15:01 . 2009-02-10 15:01 162,816 --a------ c:\windows\system32\15F.tmp
2009-02-10 15:01 . 2009-02-10 15:01 88 --a------ c:\windows\system32\15E.tmp
2009-02-10 15:00 . 2009-02-11 20:39 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-10 15:00 . 2009-02-11 20:39 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-10 12:03 . 2009-02-10 12:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 12:03 . 2009-02-10 12:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 12:03 . 2009-02-10 12:03 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-02-10 12:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 12:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-10 11:34 . 2009-02-10 11:34 0 --a------ c:\windows\system32\182.tmp
2009-02-10 11:34 . 2009-02-10 11:34 0 --a------ c:\windows\system32\181.tmp
2009-02-10 11:32 . 2009-02-11 20:37 <DIR> d-------- c:\program files\system
2009-02-10 11:32 . 2009-02-10 11:34 131,905 --a------ c:\windows\system32\17A.tmp
2009-02-10 11:32 . 2009-02-10 11:32 128 --a------ c:\windows\system32\179.tmp
2009-02-10 11:28 . 2009-02-10 11:28 301,568 --a------ c:\windows\system32\mlJAsPjh.dll.vir
2009-02-10 11:28 . 2009-02-10 13:14 1,104 --a------ c:\windows\fygwoeyb
2009-02-10 11:02 . 2009-02-10 11:02 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-02-10 09:36 . 2008-04-10 11:52 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-10 09:36 . 2008-04-10 11:52 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-10 08:58 . 2009-02-10 10:24 <DIR> d-------- c:\program files\Lineage II
2009-02-10 08:57 . 2009-02-10 08:57 <DIR> d-------- c:\documents and settings\Admin\Application Data\InstallShield
2009-02-02 22:02 . 2009-02-02 22:02 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2009-02-02 21:55 . 2009-02-02 21:55 <DIR> d-------- c:\program files\Firaxis Games
2009-01-17 14:48 . 2009-01-17 14:48 <DIR> d-------- c:\documents and settings\Admin\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 04:23 --------- d-----w c:\program files\Microsoft IntelliPoint
2009-02-11 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-10 19:20 --------- d-----w c:\documents and settings\Admin\Application Data\HPAppData
2009-02-10 16:58 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 02:08 --------- d-----w c:\documents and settings\Admin\Application Data\dvdcss
2009-02-03 05:54 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-14 20:33 23,704 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-04 04:00 31232 f6445cba4533ab0aba385aa1a9045587 c:\windows\system32\svchost.exe
2004-08-04 04:00 31232 cb9f4c65a9f13e58e7cadc1858520cb3 c:\windows\system32\dllcache\svchost.exe

2007-11-19 22:56 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\system32\winlogon.exe

2004-08-04 04:00 1049088 35f8fdd7d0155a8a359177fec95acee0 c:\windows\explorer.exe
2004-08-04 04:00 1049088 4573ee36de24af39f14e81f3ca769032 c:\windows\system32\dllcache\explorer.exe

2004-08-04 04:00 32256 950facb6ad14100f8fdc35e2275c66fe c:\windows\system32\ctfmon.exe
2004-08-04 04:00 32256 f13e3b8b8c4e2c869c7baf8156d2f3c2 c:\windows\system32\dllcache\ctfmon.exe

2004-08-04 04:00 74752 1fcab75a36c5b95ba25c7fa41e15ad0b c:\windows\system32\spoolsv.exe
2004-08-04 04:00 75264 efdd22ba2ecb9f934d13ec2473dd4fdd c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 04:00 128000 85a9f58608bcfded33cf8fb4ee7a33ed c:\windows\system32\wuauclt.exe
2004-08-04 04:00 128000 dfcc5fd38ceaa89ca5665cba377fa41c c:\windows\system32\dllcache\wuauclt.exe

2004-08-04 04:00 41984 6de7143feed974410aae4c7b71f5533d c:\windows\system32\userinit.exe
2004-08-04 04:00 41472 93a5f7ebf15f725d6ea28f39c0d2d8b7 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-30 136600]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 69632]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 97792]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"fprurxsr.exe"="c:\windows\fprurxsr.exe" [2009-02-11 3584]
"hdletoil.exe"="c:\windows\hdletoil.exe" [2009-02-11 3584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MSUD"= msulvc06.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\zvfthryx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

R0 zvfthryx;zvfthryx;c:\windows\system32\drivers\zvfthryx.sys [2009-02-11 33920]
S1 ethvgreg;ethvgreg;c:\windows\system32\drivers\ethvgreg.sys [2009-02-11 137632]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-11-13 16512]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Lineage II\system\GameGuard\dump_wmimmc.sys --> c:\program files\Lineage II\system\GameGuard\dump_wmimmc.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2004-01-07 45132]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dfzktbgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{909f3aa1-96df-11dc-b4f7-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\At1.job
- c:\windows\system32\pkwopmq.dll []

2009-02-11 c:\windows\Tasks\At2.job
- c:\windows\system32\pkwopmq.dll []

2009-02-11 c:\windows\Tasks\At3.job
- c:\windows\system32\pkwopmq.dll []

2009-02-11 c:\windows\Tasks\At4.job
- c:\windows\system32\pkwopmq.dll []

2009-02-11 c:\windows\Tasks\At5.job
- c:\windows\system32\pkwopmq.dll []

2009-02-11 c:\windows\Tasks\At6.job
- c:\windows\system32\qhiotpq.dll []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-PowerBar - (no file)
SafeBoot-fmrxzpwi.sys
SafeBoot-isiyjlee.sys
SafeBoot-Winav20.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hz2lwf5o.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 20:46:10
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-02-11 20:47:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 04:47:47

Pre-Run: 48,469,348,352 bytes free
Post-Run: 48,419,192,832 bytes free


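As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script for the two signals in a ComboFix log like the one above: the ". . . is infected!!" markers and the Sigcheck block, where each live system binary is paired with its Windows File Protection copy in system32\dllcache and compared by size and MD5. A live copy that differs from its dllcache twin is the kind of evidence behind a file-infector (Virut) suspicion. The sample log is a constructed excerpt using values copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a cut-down excerpt of the ComboFix log above, with one
# "Files Created" line included to show that it is ignored by the parser.
SAMPLE_LOG = r"""
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

2009-02-11 20:39 . 2009-02-11 20:39 11,264 --ah----- c:\documents and settings\Admin\utk.exe

------- Sigcheck -------

2004-08-04 04:00 31232 f6445cba4533ab0aba385aa1a9045587 c:\windows\system32\svchost.exe
2004-08-04 04:00 31232 cb9f4c65a9f13e58e7cadc1858520cb3 c:\windows\system32\dllcache\svchost.exe

2007-11-19 22:56 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\system32\winlogon.exe

2004-08-04 04:00 74752 1fcab75a36c5b95ba25c7fa41e15ad0b c:\windows\system32\spoolsv.exe
2004-08-04 04:00 75264 efdd22ba2ecb9f934d13ec2473dd4fdd c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 04:00 41984 6de7143feed974410aae4c7b71f5533d c:\windows\system32\userinit.exe
2004-08-04 04:00 41472 93a5f7ebf15f725d6ea28f39c0d2d8b7 c:\windows\system32\dllcache\userinit.exe
.
((((( Reg Loading Points )))))
"""


@dataclass
class SigEntry:
    """One Sigcheck line: 'date time size md5 path' for a system binary."""
    path: str
    size: int
    md5: str


@dataclass
class Finding:
    name: str                 # file name only, e.g. "svchost.exe"
    live: SigEntry            # copy actually on disk in system32 / windows
    cache: Optional[SigEntry] # Windows File Protection copy, if listed
    verdict: str              # match | hash-mismatch | size-mismatch | no-dllcache-copy


SIGCHECK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) ([0-9a-fA-F]{32}) (\S.*)$")
INFECTED_LINE = re.compile(r"^(\S.*?) \. \. \. is infected!!$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Collect every Sigcheck line; other dated lines (Files Created) do not match."""
    entries: List[SigEntry] = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(path=m.group(3).lower(),
                                    size=int(m.group(1)), md5=m.group(2).lower()))
    return entries


def parse_infected(text: str) -> List[str]:
    """File names that ComboFix itself tagged as '. . . is infected!!'."""
    return [basename(m.group(1).lower())
            for line in text.splitlines()
            if (m := INFECTED_LINE.match(line.strip()))]


def compare_with_dllcache(entries: List[SigEntry]) -> List[Finding]:
    """Pair each live binary with its dllcache copy by file name and compare.
    A hash or size difference means the live file changed after installation,
    which is what a file infector patching svchost/userinit/spoolsv looks like.
    Caveat: a hotfix that updated only one copy also shows up here, so treat a
    mismatch as a triage lead to confirm against a known-good hash, not proof."""
    cache = {basename(e.path): e for e in entries if "\\dllcache\\" in e.path}
    findings: List[Finding] = []
    for e in entries:
        if "\\dllcache\\" in e.path:
            continue
        name, twin = basename(e.path), cache.get(basename(e.path))
        if twin is None:
            verdict = "no-dllcache-copy"
        elif e.size != twin.size:
            verdict = "size-mismatch"
        elif e.md5 != twin.md5:
            verdict = "hash-mismatch"
        else:
            verdict = "match"
        findings.append(Finding(name, e, twin, verdict))
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Merge both signals into {file name: [reasons]} for the binaries needing attention."""
    reasons: Dict[str, List[str]] = {}
    for name in parse_infected(text):
        reasons.setdefault(name, []).append("combofix: is infected!!")
    for f in compare_with_dllcache(parse_sigcheck(text)):
        if f.verdict in ("size-mismatch", "hash-mismatch"):
            reasons.setdefault(f.name, []).append(f"sigcheck: {f.verdict} vs dllcache")
    return reasons


if __name__ == "__main__":
    for name, why in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {'; '.join(why)}")
```

On the excerpt this flags svchost.exe (same size, different MD5), userinit.exe and spoolsv.exe (different sizes), while winlogon.exe is reported as having no dllcache copy to compare against.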
#7 fenzodahl512


Posted 12 February 2009 - 12:33 AM

Delete your version of ComboFix from your computer..

Ok.. Looking at the ComboFix log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files... We are looking at a possible Virut infection, and if it is one.. then you might have to wipe the machine clean..


But let's do this first.. (after you back up all the important stuff)...



IMPORTANT! Disconnect your infected computer from the internet. We have to transfer ALL logs via cd/pendrive. Make sure that cd/pendrive is empty as we don't want the baddies infecting another clean computer.. Just logs in the form of text files (.txt/notepad) inside that cd/pendrive..


Go to another clean computer and download these programs to the Desktop.

Dr.Web CureIt
ComboFix

After that, rename launch.exe (or cureit.exe) into lunch.exe and ComboFix.exe into Combo-Fix.exe

Burn both of them to a cd (don't use pendrive.. I will need you to burn it on a cd)


Go to your computer and run both tools directly from the cd..


1. Dr.Web CureIt step
  • Double-click the lunch.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv and post DrWeb.csv in your next reply (Open it as Notepad)



2. Combo-Fix step

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running Combo-Fix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Double click combofix.exe and follow the prompts. Make sure you install Recovery Console if asked.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



Now, find a pendrive, format it first (make sure there's no other file inside that pendrive) and copy these files into that pendrive..

1. DrWeb.csv
2. C:\combofix.txt
3. C:\Program Files\Trend Micro\HijackThis\HijackThis.txt



Go to another computer and post these logs in your next reply..

1. Dr.Web CureIt!
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 Zanthiel

Zanthiel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 13 February 2009 - 03:09 PM

Thank you Fenzodahl512,

I started backing up all my important data, which took all day long. I realized that I dreaded the idea of backing up my files, which kept me from doing a fresh install.

After it was all done with, I decided why not just do a fresh install and format the hard disk. Ran Malwarebytes with a clean log, even on the backed up data.


Thank you again for all your help.

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:51 AM

Posted 13 February 2009 - 03:43 PM

Thank you Fenzodahl512,

I started backing up all my important data, which took all day long. I realized that I dreaded the idea of backing up my files, which kept me from doing a fresh install.

After it was all done with, I decided why not just do a fresh install and format the hard disk. Ran Malwarebytes with a clean log, even on the backed up data.


Thank you again for all your help.



Thank you for notifying us.. I will now close this topic.. Please pm any Moderator or HJT Team should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




