
Unknown Trojan


  • This topic is locked
22 replies to this topic

#1 lol999

lol999

  • Members
  • 30 posts
  • Gender:Male
  • Location:Texas, USA

Posted 05 March 2009 - 12:03 AM

Hi, I was requested to post a HJT log in this forum. My original topic can be seen at http://www.bleepingcomputer.com/forums/t/208247/trojan/.

I have tried several scans with different programs, ESET NOD32, MBAM, and Ad-Aware, and the same infected files keep appearing. I'm running Windows XP Service Pack 3.

Other things which occur are redirects when using google. Computer sometimes freezes. Before scans random music would play but that has been fixed since the scans.

This is the Pseudo HJT log I did using DDS.

---------

DDS (Ver_09-02-01.01) - NTFSx86
Run by James at 22:47:38.21 on Wed 03/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1353 [GMT -6:00]

AV: Avira AntiVir PersonalEdition Premium *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SkyTel] SkyTel.EXE
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\adobe photoshop lightroom\apdproxy.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [removecpl] RemoveCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90120000-0030-0000-0000-0000000ff1ce}\outicon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} - hxxp://app.gomtv.com/gomtv/gomtvx.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: dqpich.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\cdlwskch.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\james\application data\mozilla\firefox\profiles\cdlwskch.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\james\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgopg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\octoshape streaming services\james\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\james\octoprogram-l03-nms0806260_sua_000\npoctoshape.dll

============= SERVICES / DRIVERS ===============

R1 DhaHelper;DhaHelper;c:\windows\system32\drivers\dhahelper.sys [2008-9-15 7168]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-8-18 34312]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [2007-1-26 2208]
R2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 65536]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-9-15 33792]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\drivers\tiglusb.sys --> c:\windows\system32\drivers\TiglUsb.sys [?]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]
S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2008-6-2 437760]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-10-26 2799808]

=============== Created Last 30 ================

2009-03-04 22:40 40 a------- c:\windows\system32\6.tmp
2009-03-04 17:18 40 a------- c:\windows\system32\5.tmp
2009-03-04 13:40 40 a------- c:\windows\system32\3.tmp
2009-03-04 09:54 40 a------- c:\windows\system32\1C.tmp
2009-03-04 00:18 40 a------- c:\windows\system32\4.tmp
2009-03-03 00:58 90,112 a------- c:\windows\system32\200935847.dll
2009-03-03 00:58 77,824 a------- c:\windows\system32\u0396841.dll
2009-03-03 00:58 676,352 a------- c:\windows\system32\rtl60.bpl
2009-03-03 00:58 406,016 a------- c:\windows\system32\tmpxccacj0.exe
2009-03-03 00:58 76 a------- c:\windows\system32\xcchit32.ini
2009-03-03 00:57 0 a------- c:\windows\system32\3EA4.tmp
2009-03-03 00:57 104,900 a------- c:\windows\system32\3EA0.tmp
2009-03-03 00:57 40 a------- c:\windows\system32\3E9B.tmp
2009-03-03 00:57 559 a------- c:\windows\xccwinsys.ini
2009-03-03 00:57 --d----- c:\windows\system32\inf
2009-02-24 18:38 87,608 a------- c:\docume~1\james\applic~1\inst.exe
2009-02-24 18:38 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-02-24 18:38 47,360 a------- c:\docume~1\james\applic~1\pcouffin.sys
2009-02-24 18:38 --d----- c:\program files\DVDFab 5

==================== Find3M ====================

2009-03-03 02:32 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-03 02:32 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 09:48 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-14 09:48 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-14 09:47 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-13 22:55 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-13 22:55 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 12:41 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-12-12 12:41 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-13 18:06 22,328 ac------ c:\docume~1\james\applic~1\PnkBstrK.sys
2007-05-08 13:11 90,396 ac------ c:\docume~1\alluse~1\applic~1\firstlsp.reg.dat
2008-09-03 15:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 22:48:05.20 ===============
----------

Also I have added the Attach.txt. Any help would be greatly appreciated.


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 18 March 2009 - 11:11 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 lol999

lol999
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Texas, USA

Posted 18 March 2009 - 01:09 PM

Thank you for replying.

Here is the HJT log:

---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:22 PM, on 3/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Documents and Settings\James\reader_s.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\excel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\pdbcopy.exe,C:\WINDOWS\system32\actcontroller.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\James\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: dqpich.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11254 bytes
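
The HijackThis log above contains the kinds of entries a malware-removal helper looks at first: an F2 UserInit value that chains extra executables after userinit.exe, an O20 AppInit_DLLs value (a DLL named there is loaded into every process that loads user32.dll), and an O4 Run entry for the same name replicated under HKLM, HKCU and the SYSTEM account, two of them starting from profile directories rather than Program Files. The following Python script is an added triage example, not part of the original post or of HijackThis itself; it parses a handful of lines copied from the log above and reports those three patterns. The rule thresholds (profile-path markers, "more than one hive") are my own assumptions, chosen to match what this log shows.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (post #3).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\pdbcopy.exe,C:\WINDOWS\system32\actcontroller.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\James\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O20 - AppInit_DLLs: dqpich.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Line shapes as HijackThis 2.0.2 prints them (F2, O4 and O20 only).
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")

# On a clean XP box UserInit names only userinit.exe; anything else is worth a look.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumed heuristic: autostarts living in a user or SYSTEM profile are unusual.
PROFILE_MARKERS = ("documents and settings", "systemprofile")


def triage(log_text):
    """Return a list of (section, detail) findings for the suspicious patterns."""
    findings = []
    run_hives = defaultdict(dict)  # Run value name -> {hive: command line}
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            extras = [e for e in entries if e.lower() != EXPECTED_USERINIT]
            if extras:
                findings.append(("F2", "UserInit also launches: " + ", ".join(extras)))
            continue
        m = RUN_RE.match(line)
        if m:
            name, hive = m.group("name"), m.group("hive")
            # Drop the trailing "(User 'SYSTEM')" annotation HijackThis adds for HKUS.
            cmd = re.sub(r" \(User '[^']*'\)$", "", m.group("cmd"))
            run_hives[name][hive] = cmd
            if any(marker in cmd.lower() for marker in PROFILE_MARKERS):
                findings.append(("O4", f"[{name}] under {hive} starts from a profile directory: {cmd}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("O20", "AppInit_DLLs is set: " + m.group("dlls")))
    # The same Run name planted under several hives is a persistence pattern, not a vendor habit.
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(("O4", f"[{name}] is registered in {len(hives)} hives: " + ", ".join(sorted(hives))))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"{section}: {detail}")
```

Run against the sample it reports five findings: the three extra UserInit executables, the two reader_s autostarts in profile directories, the AppInit_DLLs value, and reader_s being present in three hives. The script only reads and reports; removal decisions stay with the helper reviewing the log.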

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 19 March 2009 - 08:50 AM

Please see this link for information regarding PnkBstrA.exe and/or PnkBstrB.exe and this thread in the Punkbuster Forums. If you have a version older than PB Client version 1.700, then the components could be causing a problem.

Are the new components optional?

Starting with PB Client version 1.700, the new components are required. Uninstalling and/or disabling the new components will cause PunkBuster to stop working correctly and will cause frequent kicking from PunkBuster enabled servers.
  • If you have a version older than PB Client version 1.700, then the files, PnkBstrA.exe and/or PnkBstrB.exe, could be causing a problem.
  • If you wish to uninstall the two files, then please download this application.
  • Open the program above and click the Uninstall button. This will remove the PnkBstrA.exe and PnkBstrB.exe service.
  • Some may need to remove the registry entries.
  • Go to START > RUN. Type regedit.
  • Search in these parts:

    HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Services look for PnkBstrA PnkBstrB and PnkBstrK .. just right click on the folder listed on the left and delete.
    HKEY_LOCAL_MACHINE\SYSTEM\Controlset003\Services look for PnkBstrA PnkBstrB and PnkBstrK .. just right click on the folder listed on the left and delete.

  • PnkBstrK.sys is located in C:\windows\system32\drivers and it is safe to delete.

This is the issue with infections in relation to PunkBuster:

You have installed gaming tools. Some of these, like PunkBuster, use spyware techniques to engage in the anti-piracy battle. In the process, they take control of much of your computer and they actually meet the definition of spyware/malware. They are sometimes designed to prevent orderly removal or modification. It is not likely that your computer could be cleaned without breaking or removing some of these programs, and this would result in not being able to play the associated games or worse.

Since we are dedicated to causing No Harm, normally, we will not work on computers with this type of program installed. If you want to continue using your computer in this way, you should consider using imaging software like Norton Ghost or Acronis or Terabyte Image which can put your entire C: drive back into an earlier state whenever the infections or malfunctions get too severe. If you really want to clean your computer, I will help, but if you so choose, understand there is NO assurance you will be able to do games afterwards.

Additional Information Regarding PunkBuster Enabled Games
  • PunkBuster is not considered to be overtly malicious, but it is totally self-serving, even at the expense of user safety, and the risks and tactics that come with its use are not revealed in an open manner.
  • PunkBuster is tracking software which installs a server on the user's computer, establishes unique GUIDs, phones home, and sends screenshots.
  • Permission for PunkBuster to install and perform the tracking is assumed by them to be implicit in any associated gaming software installation. (Automatic installation during a request for something else.) This is characteristic of trojans.
  • PunkBuster appears to install itself secretly without warning on any computer that attempts to play certain online games.
  • There is no regular uninstaller. Why not? (There IS a special uninstaller-see link below.)
  • Some do not view the whole picture as healthy for anything but the game promoters.
  • PunkBuster requires elevated privileges to run on Vista.
  • The PunkBuster home site routinely suggests that users who have problems disable the antivirus applications and firewalls and change settings on their routers.
  • PunkBuster installs a kernel driver. Once you let that happen, the software could do anything it wants.
  • If this software were an application for any other purpose, it would be called unstable and unacceptable (maybe an alpha release?).
  • From a random infection victim, you certainly will never know how many system instabilities have been introduced by the victim's attempts to run PunkBuster games.
  • It is quite clear that some of our tools are not likely to run while PunkBuster is present on the computer. It conflicts with kernel level debuggers and says so.
  • The attitude that the computer should be modified in whatever manner necessary to get PunkBuster to run is not consistent with our site's "Do No Harm" policy.
  • The lack of transparency about how the services and kernel driver work may be necessary for PunkBuster, but it also creates potential difficulty for infection removal.
Some posts from the EvenBalance/PunkBuster home site:

My computer locks up or "chugs" sometimes while I'm playing PunkBuster Enabled, what can cause this?
PunkBuster "pushes" hardware and the Windows Operating System more than most software and uses functions in the Windows API (low level functions) that are not used by most other programs. As such, there are a few cases where using PB can actually expose flaky hardware or other situations that do not cause problems for other software. Here are a few things that have helped other users make these problems get better or go away completely:

  • Make sure you are using the latest version of PunkBuster (the latest version is always on our Download page) - also this link may help manually update your PunkBuster to the latest version when necessary. From the game's main screen, press the tilde key (the ~ key) to bring down the console and enter the following line, /pb_system1.
  • Never close other programs from your Windows Task Manager before playing the game; either leave them running or close them through the proper interface - killing a process does not always work completely even if it stops showing in the Task Manager. Renegade threads seem to conflict with PunkBuster more than other programs that may be running in memory. There is a free utility that some players use called EndItAll2 to close all extra programs before they play to avoid software conflicts, crashes, and lockups.
  • Check the Add Or Remove Programs list in your Control Panel and uninstall any programs that you do not use or that you do not know what they are.
  • One program that seems to conflict with PunkBuster more than others is Norton Antivirus. If you have it installed, try uninstalling it to see if the lockups go away. Some players have reported that when this is the culprit, they can reinstall Norton Antivirus and the lockups do not come back.
  • Other background programs that seem to conflict with PunkBuster for some users are Sound Blaster Live software and helper programs that come with video cards, especially ATI keyboard shortcut programs.
  • Some players discovered that they had a computer virus and that the lockups vanished after it was fully removed.
  • Experiment with the pb_sleep setting, try setting it to 20, 250, or 500 to see if that affects your game performance. A few players have reported that all the problems go away when they "tweak" this setting.
  • In extreme cases, a few users have reported that replacing their RAM (memory) or video/sound cards fixed the problem.

How do I uninstall PunkBuster?
If you do not wish to use PunkBuster any longer, you may remove the entire "pb" folder inside your game folder. By removing this folder, the PunkBuster software will no longer be available. PunkBuster does not save information to other locations on your hard drive nor does it change your system registry. *NOTICE* Starting with PunkBuster client version 1.3000, our new Service components are kept in the Windows folder on the hard drive and they do store information in the registry. We offer a separate program called PBSVC with an uninstall option for our service components. It may be downloaded from here.

My game crashes with an error in pbcl.dll or a General Protection Fault. Why?
This issue can be from a program that conflicts with PunkBuster. There are a few known programs that cause this:

  • Get Right
  • DU Super Controller
  • Macro Toolsworks
  • Girder 3.2
  • PRTG Traffic Grapher
  • CyberCorder: cybrcrdr.exe
  • Paessler Router Traffic Grapher: prtg4.exe
  • 3dnasys.exe
  • mIRCStats

Closing those programs or any like them that contain user or kernel level debuggers should stop the problem.

    Privacy Policy of Even Balance, Inc.
    Due to the unique nature of how PunkBuster software operates, we have developed this Statement to describe our Policy regarding the Privacy of the users of our software. The PunkBuster system is designed specifically to allow users to optionally hold themselves accountable by allowing our software to run in the background on their computer systems while they compete in various forms of multi-player events. Our software is designed to operate in typical client / server fashion using the common Tcp/Ip (Internet) protocol. Our software inspects the displayed screen, processes, and files associated with each computer system on which it is running for the purpose of authenticating those systems for play in a "cheat free" environment. The primary purpose of the scanning procedures is to inspect for the purpose of authenticating honest users who wish to compete fairly together. Our inspection procedures consist of three types: 1) validating that only non-hacked original software is being used during multi-player competition, 2) examining files that match the profile (or signature) of known cheating programs, and 3) sending screen captures during game-play. Our software does not, nor will it ever, without the explicit consent of users, make changes to any non-PunkBuster files on users' systems (such consent would be received through a confirmation action within the PunkBuster software and not as part of our Software Terms.) Furthermore, our software will not perform "hard disk scans" looking through large portions of users' directories and/or file systems. Private data is not transmitted by PunkBuster from a user's system to a PunkBuster server - all transmissions from users' systems will be encrypted using randomized keys that are meaningful within the context of providing a mutually agreeable "cheat free" online environment. Screenshots of game-play are not considered private data by PunkBuster.
The PunkBuster anti-cheat system will not attempt to permanently retain information about users' systems other than standard logging of connection and authentication / inspection activities. We encourage any and all auditing or monitoring of the activity of our system for the purpose of verifying that our software performs according to this Policy Statement. We will cooperate fully with any party who believes that they have found any case where our system is being or could be used to breach the privacy of the users of our software.

    The primary purpose... What could be a secondary purpose?
    The fact that information sent back to servers is encrypted has nothing to do with Private data being sent.
    You don't stop laughing when you get old; you get old when you stop laughing.
    A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
    Malware Removal University Masters Graduate

    Posted Image
    Join The Fight Against Malware
    No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

    #5 lol999

    Posted 23 March 2009 - 12:10 PM

    Sorry for the delay in responding. But I have decided to remove Punkbuster and followed all the steps.

    #6 suebaby41

    Posted 23 March 2009 - 07:12 PM

    Please post a new HijackThis log. Thanks.

    #7 lol999

    Posted 23 March 2009 - 07:28 PM

    Here's the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:27:33 PM, on 3/23/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\WINDOWS\system32\lkcitdl.exe
    C:\WINDOWS\system32\lkads.exe
    C:\WINDOWS\system32\lktsrv.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\MATLAB71\bin\win32\MATLAB.exe
    C:\Program Files\National Instruments\MAX\nimxs.exe
    C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    C:\WINDOWS\system32\nisvcloc.exe
    C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sopidkc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tdctxte.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Documents and Settings\James\reader_s.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\System32\wudfhost.exe
    C:\Program Files\Zune\Zune.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\excel.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\pdbcopy.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\twext.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\James\reader_s.exe
    O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: dqpich.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
    O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
    O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
    O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
    O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
    O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
    O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe

    --
    End of file - 12674 bytes

    #8 suebaby41

    Posted 24 March 2009 - 12:02 PM

    Your computer is seriously infected with trojans.

    I have some bad news for you.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,C:\WINDOWS\system32\pdbcopy.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\twext.exe,
    O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe


    The entries above indicate your computer may be infected with backdoor trojans. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, take screenshots, log passwords, and start and stop programs. Backdoor trojans send your identity information to a third party who may use that information for their own purposes such as identity theft, stolen bank funds, stealing credit card information, etc.

    Before deciding whether your computer needs cleaning or reformatting, you need to ask yourself some very serious questions.

    Do you use your computer for any of the following?
    • Online banking/Business purposes
    • storing sensitive or very personal information
    If you answered yes to any of those questions, you should disconnect your computer from the Internet and do a complete format and reinstall. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should change any other passwords you use as these may have been compromised.

    David Bach's Six Ways to Avoid Identity Theft

    Here are six things you need to know to fight back against identity theft:

    1. Keep your private information private.

    Half of all identity theft in which the thief is identified is committed by a friend, coworker, neighbor, in-home employee, or relative of the victim. So make it a habit not to leave things lying around at home or in the office -- specifically your wallet, checkbook, or anything else containing private or financial information, including your mail.

    Also, before you toss anything in the trash containing your private information, be sure to shred it. This isn't new advice, but I'd be remiss not to mention it.

    2. Get a copy of your credit reports.

    Often, victims of identity theft have no idea their credit is being used or destroyed until they apply for a loan and pull their credit score. So pull your credit report now, and make a plan to check it regularly.

    By law, you're entitled to a free credit report from each of the three major credit bureaus -- Equifax, Experian, and TransUnion -- once every year. Go to AnnualCreditReport.com and stagger your requests so that you'll receive one report from each credit bureau every four months. Put the dates on your calendar so you don't forget. Keep in mind that this is for your free credit report only, not your credit score.

    For your credit score, you'll need to go to myFICO. While you're there, you may want to check out their Identity Theft Security Deluxe product, which monitors your credit score and credit report automatically for $49.95 a year.

    3. Find out if your state has a credit freeze law.

    Here's a virtually foolproof way to prevent a thief from stealing your identity and using your personal data to get approved for credit. With this new law you're able to block ("freeze") all access to your credit report and credit score.

    It's not necessarily the most convenient solution to protect yourself from fraud. Anytime you need to have your credit checked -- for instance, if you're buying a car or cell phone or even interviewing for a job -- you'll need to lift the block ("thaw" your record), which takes about three days. But if you have real concerns about identity theft or perhaps are already a victim, this is an option you may want to consider.

    Some states will only grant a credit freeze if you're already a victim of identity theft. Find out if your state has a credit freeze law, including what it costs, by visiting FinancialPrivacyNow.org.

    4. Check your bank statements weekly.

    One of the great things about online banking is that you can log on and check your account at any time. Make a point of checking your bank statement weekly to be sure there aren't any red flags.

    The same goes for your credit card statements. In fact, you may want to consider canceling your paper statements altogether and opting for online statements. After all, you're more likely to have personal information stolen from your mail than from the Internet.

    That said, be sure to always use a secure computer. Using a public computer, like one at your local library, is risky due to tracking software that thieves can use to steal your passwords.

    5. Be computer savvy.

    Even though a relatively small percentage of identity theft occurs online, you should still take necessary precautions.

    In addition to being careful about surfing the web on public computers, you should also be aware of the risks involved when using a wireless connection. Wi-Fi and Bluetooth are becoming increasingly popular, and as a result, there is bound to be an increase in wireless hacking.

    Wireless connectivity is the perfect platform for thieves to get your personal data. If you have a wireless network at home or work, make sure you are incorporating password-protection and encryption. When accessing public hotspots, use a personal firewall.

    Also, keep your computer safe by updating your antivirus and anti-spyware programs regularly. Use passwords so that others can't log on to your computer, laptop, or even your PDA, and be sure to change your passwords often.

    Be smart about phishing scams, too. That's when you're sent an email that requests your personal or financial information, or that prompts you to click a link to provide your personal or financial information. If you're unsure of the legitimacy of such a request, call the company that it was supposedly sent from. If an email seems suspicious, it usually is.

    6. Be aware of "deleted" data.

    The Washington Post recently ran an article on mobile phones -- specifically "smartphones" like the Palm Treo and BlackBerry -- that was quite an eye-opener.

    According to the story, resetting your phone to wipe out personal data doesn't exactly delete information. It turns out that your phone's operating system never actually deletes data, only the pointers to where the data is located. Anyone with the right software can recover information that was stored on your phone once you sell or discard it.

    What you need to do is contact the device manufacturer for complete instructions on what to do to wipe your data clean. You can also visit WirelessRecycling.com for instructions. And think twice about what information you store on your device in case it's ever lost or stolen.

    If Your Identity Is Stolen

    Take the above steps and -- should you ever find yourself in the unfortunate position of having had your identity stolen -- you'll commend yourself for being proactive enough to identify a problem before too much damage was done.

    Don't waste a minute once you've discovered suspicious activity -- go directly to the website of the Federal Trade Commission to file a complaint and access their comprehensive guide on the steps you'll need to follow to resolve the situation.

    I recommend backing up your important files and reinstalling everything from scratch. There are so many changes that could have been done if that backdoor was used. Even if we cleaned the infections, it would not help to recover the information that has been compromised, and there is no guarantee that your computer would be safe to use. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum.

    If you only use your computer for music/games etc, your better option would be to clean it of infections rather than do a reformat. The decision must be made by you.

    Here are some informative links to use to help you make a decision:

    Danger: Remote Access Trojans

    Consumers – Identity Theft

    When should I re-format? How should I reinstall?

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    Rootkits: The Obscure Hacker Attack

    Help: I Got Hacked. Now What Do I Do?

    Microsoft Says Recovery from Malware Becoming Impossible

    How to report ID theft, fraud, drive-by installs, hijacking and malware? (#10451)

    However, if you do not have the resources to reformat your computer and reinstall your operating system and programs, I will be happy to attempt to clean it.

    Should you have any questions, please feel free to ask.

    Please let me know what you have decided to do in your next post.
    You don't stop laughing when you get old; you get old when you stop laughing.
    A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
    Malware Removal University Masters Graduate

    Join The Fight Against Malware
    No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

    #9 lol999

    lol999
    • Topic Starter

    • Members
    • 30 posts
    • Gender:Male
    • Location:Texas, USA
    • Local time:12:30 PM

    Posted 24 March 2009 - 12:20 PM

    I would like to proceed with the disinfection.

    #10 suebaby41

    suebaby41

      W.A.M. (Women Against Malware)


    • Malware Response Team
    • 6,248 posts
    • Gender:Female
    • Location:South Carolina, USA
    • Local time:01:30 PM

    Posted 24 March 2009 - 12:34 PM

    OK, we can try to clean your computer as long as you realize that there is no guarantee that your computer is safe. There is no way of telling what damage has been done.

    Please download ComboFix.
    Alternate Link 1
    Alternate Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop.
    • Double click on ComboFix and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware.
      Click 'No' to exit.

    • Click Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes:
    • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
    • ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Please post:
    • C:\ComboFix.txt (the log from ComboFix)
    • a new HijackThis log


    #11 lol999

    lol999
    • Topic Starter

    • Members
    • 30 posts
    • Gender:Male
    • Location:Texas, USA
    • Local time:12:30 PM

    Posted 24 March 2009 - 01:23 PM

    Alright, I did the ComboFix scan and went ahead and ran it with Avira AntiVir still active, from what ComboFix was saying. However, I do not have Avira AntiVir installed; there are probably some files left behind from uninstalling it. So here are the ComboFix and HJT logs.

    ------------------------------------
    ComboFix 09-03-23.01 - James 2009-03-24 12:58:42.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1526 [GMT -5:00]
    Running from: c:\documents and settings\James\Desktop\ComboFix.exe
    AV: Avira AntiVir PersonalEdition Premium *On-access scanning enabled* (Updated)
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\James\Application Data\inst.exe
    c:\documents and settings\James\reader_s.exe
    c:\windows\Install.txt
    c:\windows\system32\200935847.dll
    c:\windows\system32\6.tmp
    c:\windows\system32\7.tmp
    c:\windows\system32\8.tmp
    c:\windows\system32\9.tmp
    c:\windows\system32\A.tmp
    c:\windows\system32\afisicx.exe
    c:\windows\system32\comsa32.sys
    c:\windows\system32\config\systemprofile\reader_s.exe
    c:\windows\system32\D.tmp
    c:\windows\system32\drivers\ntndis.sys
    c:\windows\system32\dxonool32.sys
    c:\windows\system32\F.tmp
    c:\windows\system32\Install.txt
    c:\windows\system32\mabidwe.exe
    c:\windows\system32\nvxdmguv.ini
    c:\windows\system32\reader_s.exe
    c:\windows\system32\sopidkc.exe
    c:\windows\system32\tmpxccacj0.exe
    c:\windows\system32\tpszxyd.sys
    c:\windows\system32\twain_32
    c:\windows\system32\twain_32\local.ds
    c:\windows\system32\twain_32\user.ds
    c:\windows\system32\twain_32\user.ds.cla
    c:\windows\system32\twext.exe
    c:\windows\system32\xcchit32.ini
    c:\windows\xccwinsys.ini

    c:\windows\system32\userinit.exe . . . is infected!!

    c:\windows\system32\svchost.exe . . . is infected!!

    c:\windows\system32\spoolsv.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_DEFAULTLIB
    -------\Legacy_MABIDWE
    -------\Legacy_SOFTYINFORWOW1
    -------\Legacy_SOPIDKC
    -------\Service_afisicx
    -------\Service_mabidwe
    -------\Service_restore
    -------\Service_seneka
    -------\Service_softyinforwow1
    -------\Service_sopidkc


    ((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
    .

    2009-03-24 12:58 . 2009-03-24 12:58 0 --a------ c:\windows\system32\46.tmp
    2009-03-24 12:10 . 2009-03-24 12:10 43,520 --a------ c:\windows\Uyosin.dll
    2009-03-24 12:10 . 2009-03-24 12:10 43,520 --a------ c:\windows\system32\47.tmp
    2009-03-24 12:10 . 2009-03-24 12:10 84 --a------ c:\windows\system32\43.tmp
    2009-03-24 12:10 . 2009-03-24 12:10 1 --a------ c:\windows\system32\45.tmp
    2009-03-23 23:25 . 2009-03-23 23:26 70,449 --a------ c:\windows\system32\40.tmp
    2009-03-23 23:25 . 2009-03-23 23:25 40 --a------ c:\windows\system32\3.tmp
    2009-03-23 19:42 . 2009-03-23 19:42 69,861 --a------ c:\windows\system32\41.tmp
    2009-03-23 19:42 . 2009-03-23 19:42 40 --a------ c:\windows\system32\3F.tmp
    2009-03-23 15:43 . 2009-03-23 15:43 72,192 --a------ c:\windows\system32\44.tmp
    2009-03-23 15:43 . 2009-03-23 15:43 84 --a------ c:\windows\system32\3D.tmp
    2009-03-23 15:43 . 2009-03-23 15:43 1 --a------ c:\windows\system32\42.tmp
    2009-03-23 12:27 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
    2009-03-23 12:25 . 2009-03-23 12:32 <DIR> d-------- c:\documents and settings\James\Application Data\HouseCall 6.6
    2009-03-23 12:02 . 2009-03-23 12:02 70,449 --a------ c:\windows\system32\3E.tmp
    2009-03-23 12:02 . 2009-03-23 12:02 40 --a------ c:\windows\system32\3C.tmp
    2009-03-23 00:16 . 2009-03-23 00:16 69,861 --a------ c:\windows\system32\BAC.tmp
    2009-03-23 00:16 . 2009-03-23 00:16 40 --a------ c:\windows\system32\BAA.tmp
    2009-03-22 19:20 . 2009-03-22 19:21 69,861 --a------ c:\windows\system32\3A.tmp
    2009-03-22 19:20 . 2009-03-22 19:20 40 --a------ c:\windows\system32\38.tmp
    2009-03-18 16:39 . 2009-03-18 16:40 89,662 --a------ c:\windows\system32\3B.tmp
    2009-03-18 16:39 . 2009-03-18 16:39 124 --a------ c:\windows\system32\36.tmp
    2009-03-18 13:01 . 2009-03-18 13:03 89,662 --a------ c:\windows\system32\39.tmp
    2009-03-18 13:01 . 2009-03-18 13:01 31,744 --a------ c:\windows\system32\35.tmp
    2009-03-18 13:01 . 2009-03-18 13:01 124 --a------ c:\windows\system32\33.tmp
    2009-03-18 02:47 . 2009-03-18 02:48 89,662 --a------ c:\windows\system32\37.tmp
    2009-03-18 02:47 . 2009-03-18 02:47 28,672 --a------ c:\windows\system32\34.tmp
    2009-03-18 02:47 . 2009-03-18 02:47 124 --a------ c:\windows\system32\32.tmp
    2009-03-17 23:06 . 2009-03-17 23:07 89,662 --a------ c:\windows\system32\31.tmp
    2009-03-17 23:06 . 2009-03-17 23:06 28,672 --a------ c:\windows\system32\30.tmp
    2009-03-17 23:05 . 2009-03-17 23:06 124 --a------ c:\windows\system32\2E.tmp
    2009-03-17 20:22 . 2009-03-17 20:24 89,662 --a------ c:\windows\system32\2F.tmp
    2009-03-17 20:22 . 2009-03-17 20:22 28,672 --a------ c:\windows\system32\2D.tmp
    2009-03-17 20:22 . 2009-03-17 20:22 124 --a------ c:\windows\system32\2B.tmp
    2009-03-17 16:45 . 2009-03-17 16:46 89,662 --a------ c:\windows\system32\29.tmp
    2009-03-17 16:45 . 2009-03-17 16:45 124 --a------ c:\windows\system32\C.tmp
    2009-03-17 13:05 . 2009-03-17 13:05 124 --a------ c:\windows\system32\5.tmp
    2009-03-17 00:06 . 2009-03-18 16:39 11,450,853 --a------ c:\windows\services.ex_
    2009-03-17 00:06 . 2009-03-17 00:07 89,662 --a------ c:\windows\system32\2C.tmp
    2009-03-17 00:05 . 2009-03-17 00:06 31,744 --a------ c:\windows\system32\2A.tmp
    2009-03-17 00:05 . 2009-03-17 00:05 124 --a------ c:\windows\system32\28.tmp
    2009-03-16 17:03 . 2009-03-16 17:05 89,662 --a------ c:\windows\system32\27.tmp
    2009-03-16 17:03 . 2009-03-16 17:03 28,672 --a------ c:\windows\system32\26.tmp
    2009-03-16 17:03 . 2009-03-16 17:03 124 --a------ c:\windows\system32\24.tmp
    2009-03-15 13:02 . 2009-03-15 13:02 65,536 --a------ c:\windows\system32\25.tmp
    2009-03-15 13:02 . 2009-03-15 13:02 29,696 --a------ c:\windows\system32\23.tmp
    2009-03-15 13:02 . 2009-03-15 13:02 124 --a------ c:\windows\system32\E.tmp
    2009-03-13 05:28 . 2009-03-13 05:28 1 --a------ c:\windows\system32\B.tmp
    2009-03-13 00:19 . 2009-03-13 00:19 124 --a------ c:\windows\system32\4.tmp
    2009-03-12 14:51 . 2009-03-12 19:43 <DIR> d-------- c:\program files\PokerStars.NET
    2009-03-12 14:44 . 2009-03-12 19:43 <DIR> d-------- c:\program files\PokerStars
    2009-03-11 23:04 . 2009-03-11 23:07 6 --a------ c:\windows\_id.dat
    2009-03-11 17:11 . 2009-03-11 17:11 65,536 --a------ c:\windows\system32\22.tmp
    2009-03-11 17:11 . 2009-03-11 17:11 28,672 --a------ c:\windows\system32\21.tmp
    2009-03-11 17:11 . 2009-03-11 17:11 124 --a------ c:\windows\system32\10.tmp
    2009-03-11 11:47 . 2009-03-22 19:20 128 --a------ c:\windows\adobe.bat
    2009-03-11 11:46 . 2009-03-11 11:46 28,672 --a------ c:\windows\system32\1E.tmp
    2009-03-11 11:42 . 2009-03-11 11:42 65,536 --a------ c:\windows\system32\1D.tmp
    2009-03-11 11:42 . 2009-03-11 11:42 28,672 --a------ c:\windows\system32\20.tmp
    2009-03-11 11:42 . 2009-03-11 11:42 124 --a------ c:\windows\system32\1B.tmp
    2009-03-10 20:36 . 2009-03-10 20:36 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
    2009-03-10 14:58 . 2009-03-10 14:59 28,672 --a------ c:\windows\system32\128.tmp
    2009-03-10 14:57 . 2009-03-10 14:58 65,536 --a------ c:\windows\system32\1A.tmp
    2009-03-10 14:57 . 2009-03-10 14:57 124 --a------ c:\windows\system32\18.tmp
    2009-03-10 13:41 . 2009-03-10 13:41 8,352 --a------ c:\windows\system32\drivers\EagleNT.sys
    2009-03-10 13:41 . 2009-03-10 13:41 1 --a------ c:\windows\system32\19.tmp
    2009-03-10 13:40 . 2009-03-10 13:41 84 --a------ c:\windows\system32\17.tmp
    2009-03-10 13:38 . 2009-03-10 13:38 8,352 --a------ c:\windows\system32\drivers\BLKWGD.sys
    2009-03-09 15:12 . 2009-03-09 15:12 40 --a------ c:\windows\system32\16.tmp
    2009-03-09 02:42 . 2009-03-09 02:42 40 --a------ c:\windows\system32\15.tmp
    2009-03-08 13:27 . 2009-03-08 13:27 40 --a------ c:\windows\system32\14.tmp
    2009-03-07 20:57 . 2009-03-07 20:57 40 --a------ c:\windows\system32\12.tmp
    2009-03-07 15:18 . 2009-03-07 15:18 104,900 --a------ c:\windows\system32\13.tmp
    2009-03-07 15:18 . 2009-03-07 15:18 40 --a------ c:\windows\system32\11.tmp
    2009-03-05 12:32 . 2009-03-05 12:32 40 --a------ c:\windows\system32\1F.tmp
    2009-03-05 02:01 . 2009-03-05 02:01 40 --a------ c:\windows\system32\180A.tmp
    2009-03-04 10:54 . 2009-03-04 10:54 40 --a------ c:\windows\system32\1C.tmp
    2009-03-03 01:58 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
    2009-03-03 01:58 . 2009-03-03 01:58 77,824 --a------ c:\windows\system32\u0396841.dll
    2009-03-03 01:57 . 2009-03-03 02:21 <DIR> d-------- c:\windows\system32\inf
    2009-03-03 01:57 . 2009-03-03 01:57 104,900 --a------ c:\windows\system32\3EA0.tmp
    2009-03-03 01:57 . 2009-03-03 01:57 40 --a------ c:\windows\system32\3E9B.tmp
    2009-03-03 01:57 . 2009-03-03 01:57 0 --a------ c:\windows\system32\3EA4.tmp
    2009-02-24 19:38 . 2009-02-24 19:38 <DIR> d-------- c:\program files\DVDFab 5
    2009-02-24 19:38 . 2009-02-24 19:38 <DIR> d-------- c:\documents and settings\James\Application Data\Vso
    2009-02-24 19:38 . 2009-02-24 19:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
    2009-02-24 19:38 . 2009-02-24 19:38 47,360 --a------ c:\documents and settings\James\Application Data\pcouffin.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 00:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-13 00:56 --------- d-----w c:\program files\SpywareBlaster
    2009-03-11 03:15 --------- d-----w c:\program files\Winamp
    2009-03-11 01:36 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
    2009-03-06 07:36 --------- d-----w c:\documents and settings\James\Application Data\Move Networks
    2009-03-04 06:11 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-04 06:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-03-04 06:11 --------- d-----w c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
    2009-03-03 21:59 --------- d-----w c:\program files\Starcraft
    2009-03-03 21:59 --------- d-----w c:\program files\QuickTime
    2009-03-03 21:52 --------- d-----w c:\program files\OrCAD_Demo
    2009-03-03 21:51 --------- d-----w c:\program files\Microsoft Visual Studio 8
    2009-03-03 21:40 --------- d-----w c:\program files\ItsDeductible2006
    2009-03-03 21:40 --------- d-----w c:\program files\Fraps
    2009-03-03 07:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-26 18:22 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-25 00:15 --------- d-----w c:\documents and settings\James\Application Data\dvdcss
    2009-02-12 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-11-14 00:06 22,328 -c--a-w c:\documents and settings\James\Application Data\PnkBstrK.sys
    2007-05-08 19:11 90,396 -c--a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
    2005-10-12 20:04 131,072 -c--a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
    2006-06-07 19:40 132,848 -c--a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
    2008-09-03 21:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
    .

    ------- Sigcheck -------

    2004-08-04 07:00 31744 753363315d9561d9bc9a1e0baae0721f c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-13 19:12 31232 54c01c7170c51c0a15b0efb848f80806 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-13 19:12 31232 c1796ef493f75f88838d286e54203d66 c:\windows\system32\svchost.exe

    2004-08-04 07:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
    2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
    2009-03-10 20:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
    2009-03-10 20:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

    2008-04-13 19:12 1050624 aa2bc08d2bfd682507f6bc89b9e220b9 c:\windows\explorer.exe
    2007-06-13 06:26 1050112 71bac03c454779ac0a6f770f91519572 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 05:23 1050112 62bac6ea964441f65bb25c32f213b2e3 c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-08-04 07:00 1049600 b8b52b849023fe93b94484018b862e7a c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-13 19:12 1050624 5ea7aa378e065b33f1e79c9122b1ed34 c:\windows\ServicePackFiles\i386\explorer.exe

    2004-08-04 07:00 32256 e9696b9526b3e9e9cd13203aee3447c5 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-13 19:12 32256 bc8e26eafba2544e98bbfd45ae87ccf4 c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-13 19:12 32256 09ac4ae890aa5b6d5e4c49a51927f1fc c:\windows\system32\ctfmon.exe

    2005-06-10 19:17 74752 466401fd1ce3d722cc5edbaad59ea451 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-10 18:53 74752 3a787029f9beeb66db2c4ecdabeb1bb0 c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-08-04 07:00 74752 6e150db85823d0849863e04a888de972 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-13 19:12 74752 39a177870016330a1945fe3d6a6468e7 c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-13 19:12 74752 abf3e94d3134f231412d4887beced7ef c:\windows\system32\spoolsv.exe

    2004-08-04 07:00 41984 769f6cbecadf5fc77c0053922b277930 c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-13 19:12 43008 7a2836aef7efefd7122c81e1be375920 c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-13 19:12 43008 55313853588bb7e4c6746fb87a9f4cde c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 114688]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1438720]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-08 102400]
    "Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe" [2007-02-06 81920]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 262144]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 303104]
    "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 45056]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 102400]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-02-11 1293968]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
    "Bnadobubobo"="c:\windows\Uyosin.dll" [2009-03-24 43520]
    "nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
    "P17Helper"="P17.dll" [2005-05-02 c:\windows\system32\P17.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2008-09-18 845584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\explorer.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= dqpich.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "SENTINEL"= snti386.dll
    "msacm.divxa32"= msaud32_divx.acm

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Utility.lnk
    backup=c:\windows\pss\Belkin Wireless Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
    --a------ 2008-05-22 08:59 156944 c:\program files\Octoshape Streaming Services\James\OctoshapeClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Octoshape Streaming Services\\James\\OctoshapeClient.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Documents and Settings\\James\\My Documents\\Cod4MP\\The All-Seeing Eye\\eye.exe"=
    "c:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=

    R1 DhaHelper;DhaHelper;c:\windows\system32\drivers\dhahelper.sys [2008-09-15 7168]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34312]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
    R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [2007-01-27 2208]
    R2 tdctxte;tdctxte Service;c:\windows\system32\tdctxte.exe [2004-08-04 194048]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [2009-03-10 8352]
    S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-09-15 33792]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\Drivers\TiglUsb.sys --> c:\windows\system32\Drivers\TiglUsb.sys [?]
    S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-04-21 16384]
    S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]
    S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2008-06-02 437760]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-10-26 2799808]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PGFILTER

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bfd92c0-ed63-11dd-b64b-001617ef3ff9}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{626901de-aaef-11dd-b609-001617ef3ff9}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{815c276a-8e4f-11dd-b5d9-001617ef3ff9}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3176a75-155a-11dd-b533-001617ef3ff9}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-reader_s - c:\documents and settings\James\reader_s.exe
    HKCU-Run-services - c:\windows\services.exe
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
    HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
    HKLM-Run-NWEReboot - (no file)
    HKLM-Run-removecpl - RemoveCpl.exe
    HKU-Default-Run-reader_s - c:\windows\system32\config\systemprofile\reader_s.exe
    HKU-Default-Run-services - c:\windows\services.exe
    HKLM-Explorer_Run-services - c:\windows\services.exe
    HKCU-Explorer_Run-services - c:\windows\services.exe
    HKU-Default-Explorer_Run-services - c:\windows\services.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} - hxxp://app.gomtv.com/gomtv/gomtvx.cab
    FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\cdlwskch.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - plugin: c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\cdlwskch.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\documents and settings\James\Application Data\Mozilla\plugins\npoctoshape.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgopg.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
    FF - plugin: c:\program files\Octoshape Streaming Services\James\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll
    FF - plugin: c:\program files\Octoshape Streaming Services\James\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll
    .
    .
    ------- File Associations -------
    .
    txtfile="c:\windows\system32\nctedit.exe" "%1"
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-24 13:12:02
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    ? [992]

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-602162358-823518204-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{68B5523E-C5CE-E0CF-BF86-6392BD9E6C2A}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-602162358-823518204-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:31,9c,ea,45,4a,45,8d,0e,b2,b3,51,a1,86,ed,c2,6e,38,a1,6f,ff,26,
    f1,9e,ce,05,83,48,33,d5,4a,ec,0b,02,c4,4e,69,67,52,08,9a,b1,70,b9,86,8a,60,\
    "rkeysecu"=hex:8d,12,a4,bd,79,e0,cb,d8,b7,ba,bd,bf,07,f4,d2,7b
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\system32\acs.exe
    c:\program files\flexnet\i486_nt\obj\lmgrd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\flexnet\i486_nt\obj\lmgrd.exe
    c:\windows\system32\lkcitdl.exe
    c:\windows\system32\lkads.exe
    c:\windows\system32\lktsrv.exe
    c:\program files\MATLAB71\webserver\bin\win32\matlabserver.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\MATLAB71\bin\win32\MATLAB.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\National Instruments\MAX\nimxs.exe
    c:\program files\National Instruments\Shared\Security\nidmsrv.exe
    c:\windows\system32\nisvcloc.exe
    c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Microsoft Office\Office12\OUTLOOK.EXE
    c:\program files\Internet Explorer\iexplore.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-24 13:18:31 - machine was rebooted [James]
    ComboFix-quarantined-files.txt 2009-03-24 18:18:28

    Pre-Run: 14,703,788,032 bytes free
    Post-Run: 15,041,220,608 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    407 --- E O F --- 2009-02-26 09:00:26
    -------------------------------------------------------

    -------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:20:53 PM, on 3/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\WINDOWS\system32\lkcitdl.exe
    C:\WINDOWS\system32\lkads.exe
    C:\WINDOWS\system32\lktsrv.exe
    C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\National Instruments\MAX\nimxs.exe
    C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    C:\WINDOWS\system32\nisvcloc.exe
    C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tdctxte.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\excel.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [Bnadobubobo] rundll32.exe "C:\WINDOWS\Uyosin.dll",e
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: dqpich.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
    O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
    O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
    O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
    O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe

    --
    End of file - 10913 bytes
    ----------------------------------------------------

    #12 suebaby41

      W.A.M. (Women Against Malware)


    • Malware Response Team
    • 6,248 posts
    • Gender:Female
    • Location:South Carolina, USA

    Posted 24 March 2009 - 03:19 PM

    • Please download
      VundoFix by Atribune to your desktop.
    • Double-click VundoFix.exe to run it.
      You want to run the fix until you see all Vundo files say: "Has been deleted".
    • Click the Scan for Vundo button.
    • When VundoFix opens, click the Scan for Vundo button.
    • After scanning is completed, click the Fix Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES.
    • After you click Yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
    You don't stop laughing when you get old; you get old when you stop laughing.
    A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
    Malware Removal University Masters Graduate

    Join The Fight Against Malware
    No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

    #13 lol999

    • Topic Starter

    • Members
    • 30 posts
    • Gender:Male
    • Location:Texas, USA

    Posted 24 March 2009 - 04:05 PM

    Already did 2 scans with VundoFix and no infected files were found. Anyhow, here is a new HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:04:42 PM, on 3/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\WINDOWS\system32\lkcitdl.exe
    C:\WINDOWS\system32\lkads.exe
    C:\WINDOWS\system32\lktsrv.exe
    C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\National Instruments\MAX\nimxs.exe
    C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    C:\WINDOWS\system32\nisvcloc.exe
    C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tdctxte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\excel.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [Bnadobubobo] rundll32.exe "C:\WINDOWS\Uyosin.dll",e
    O4 - HKLM\..\Run: [Cdifibazukoho] rundll32.exe "C:\WINDOWS\opepimog.dll",e
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: dqpich.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
    O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
    O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
    O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
    O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe

    --
    End of file - 10963 bytes

    EDIT: Oh yeah here is what Vundofix.txt contains:
    ----------------------------

    VundoFix V7.0.6

    Scan started at 3:29:32 PM 3/24/2009

    Listing files found while scanning....

    No infected files were found.


    VundoFix V7.0.6

    Scan started at 3:45:35 PM 3/24/2009

    Listing files found while scanning....

    No infected files were found.
    ---------------------------------

    Edited by lol999, 24 March 2009 - 04:14 PM.


    #14 suebaby41

      W.A.M. (Women Against Malware)


    • Malware Response Team
    • 6,248 posts
    • Gender:Female
    • Location:South Carolina, USA

    Posted 24 March 2009 - 04:50 PM

    Step 1
    • Please download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to C:\SDFix.
    • Please then reboot your computer in Safe Mode by doing the following:
      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      • Instead of Windows loading as normal, the Advanced Options Menu should appear;
      • Select the first option, to run Windows in Safe Mode, then press Enter.
      • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • When your computer restarts, the Fixtool will run again to complete the removal process.
    • When Finished is displayed, press any key to end the script and load your desktop icons.
    • After the desktop icons load, the SDFix report will open on screen and save into the SDFix folder as Report.txt. Report.txt will also be copied to Clipboard.
    • Paste the contents of the Report.txt with a new HijackThis log in your next reply.
    • If needed, see SDFix ReadMe.
    Step 2

    Please follow these steps to download and run the tool:
    • Please download FixVundo Tool
    • Save the file to a convenient location, such as your Windows desktop.
    • Close all the running programs.
    • If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
    • Locate the file that you just downloaded.
    • Double-click the FixVundo.exe file to start the removal tool.
    • Click Start to begin the process, and then allow the tool to run.
    • Restart the computer.
    • Run the removal tool again to ensure that the system is clean.
    • If you are running Windows Me/XP, then enable System Restore.
    • If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
    When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:
    • Total number of the scanned files
    • Number of deleted files
    • Number of repaired files
    • Number of terminated viral processes
    • Number of fixed registry entries
    Step 3

    Please download a-squared Free.
    • Follow all the instructions given by the installer.
    • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
    • Please go to Start > Programs > a-squared Free and click a-squared StartCenter.
    • Click Scan your computer for malware infections.
    • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
    • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
    • If malware is found, click the button Remove Selected Malware.
    To continue to use a-squared Free, you will need to use the a-squared Updater to manually update the program. Click Security Status > Update Now. The a-squared Free program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the a-squared Anti-Malware ("pay for use") software.

    Please post any logs produced by the programs and a new HijackThis log.

    #15 lol999

    • Topic Starter

    • Members
    • 30 posts
    • Gender:Male
    • Location:Texas, USA

    Posted 24 March 2009 - 10:13 PM

    Alright, I did Step 1 and 2, but I'm having problems with Step 3. Step 1 went smooth (report is posted below). Step 2, however: while scanning I got lots of Visual C++ Runtime Library errors; this occurred while scanning sqlservr.exe, egui.exe and msnmsgr.exe. Other than that it was smooth as well; I ran it twice, and on the second scan it found no Vundo-infected files. However, for the 3rd step I can't find the a-squared StartCenter. I downloaded a-squared Free 4.0; any help on this step would be greatly appreciated (I didn't do this step). Here is a new HJT log with the report from SDFix.

    SDFix Report:
    ----------------------------------------
    SDFix: Version 1.240
    Run by James on Tue 03/24/2009 at 05:24 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :

    Name :
    restore

    Path :
    \??\C:\WINDOWS\system32\drivers\restore.sys

    restore - Deleted



    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting

    Service restore - Deleted after Reboot

    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\2.tmp - Deleted
    C:\WINDOWS\system32\3.tmp - Deleted
    C:\WINDOWS\system32\4.tmp - Deleted
    C:\WINDOWS\system32\5.tmp - Deleted
    C:\WINDOWS\system32\6.tmp - Deleted
    C:\WINDOWS\system32\B.tmp - Deleted
    C:\WINDOWS\system32\C.tmp - Deleted
    C:\WINDOWS\system32\E.tmp - Deleted
    C:\WINDOWS\system32\F.tmp - Deleted
    C:\WINDOWS\system32\2.tmp - Deleted
    C:\WINDOWS\system32\20.tmp - Deleted
    C:\WINDOWS\system32\21.tmp - Deleted
    C:\WINDOWS\system32\22.tmp - Deleted
    C:\WINDOWS\system32\23.tmp - Deleted
    C:\WINDOWS\system32\24.tmp - Deleted
    C:\WINDOWS\system32\25.tmp - Deleted
    C:\WINDOWS\system32\26.tmp - Deleted
    C:\WINDOWS\system32\27.tmp - Deleted
    C:\WINDOWS\system32\28.tmp - Deleted
    C:\WINDOWS\system32\29.tmp - Deleted
    C:\WINDOWS\system32\2A.tmp - Deleted
    C:\WINDOWS\system32\2B.tmp - Deleted
    C:\WINDOWS\system32\2C.tmp - Deleted
    C:\WINDOWS\system32\2D.tmp - Deleted
    C:\WINDOWS\system32\2E.tmp - Deleted
    C:\WINDOWS\system32\2F.tmp - Deleted
    C:\WINDOWS\system32\10.tmp - Deleted
    C:\WINDOWS\system32\11.tmp - Deleted
    C:\WINDOWS\system32\12.tmp - Deleted
    C:\WINDOWS\system32\128.tmp - Deleted
    C:\WINDOWS\system32\13.tmp - Deleted
    C:\WINDOWS\system32\14.tmp - Deleted
    C:\WINDOWS\system32\15.tmp - Deleted
    C:\WINDOWS\system32\16.tmp - Deleted
    C:\WINDOWS\system32\17.tmp - Deleted
    C:\WINDOWS\system32\18.tmp - Deleted
    C:\WINDOWS\system32\19.tmp - Deleted
    C:\WINDOWS\system32\1A.tmp - Deleted
    C:\WINDOWS\system32\1B.tmp - Deleted
    C:\WINDOWS\system32\1C.tmp - Deleted
    C:\WINDOWS\system32\1D.tmp - Deleted
    C:\WINDOWS\system32\1E.tmp - Deleted
    C:\WINDOWS\system32\1F.tmp - Deleted
    C:\WINDOWS\system32\comsa32.sys - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-24 17:42:41
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:92,b8,bb,f9,ff,e7,a9,3c,76,7f,79,aa,b6,91,21,84,7e,70,57,91,fe,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,8a,60,17,0c,13,34,cd,65,9e,0f,96,d8,7a,79,35,88,ac,..
    "khjeh"=hex:5e,b7,7f,49,c4,74,4f,4c,8e,e8,62,94,b1,f4,04,ff,90,a2,cf,e6,c9,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:e6,8b,0b,ce,fc,35,08,6b,1b,09,44,48,23,97,1a,60,51,6e,5a,5c,3b,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:b8,9c,c6,dc,74,6d,1a,b9,bc,c8,00,39,d4,a1,95,8a,4c,a0,98,9a,65,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:92,b8,bb,f9,ff,e7,a9,3c,76,7f,79,aa,b6,91,21,84,7e,70,57,91,fe,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,8a,60,17,0c,13,34,cd,65,9e,0f,96,d8,7a,79,35,88,ac,..
    "khjeh"=hex:5e,b7,7f,49,c4,74,4f,4c,8e,e8,62,94,b1,f4,04,ff,90,a2,cf,e6,c9,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:f8,f7,5f,21,8a,a3,ca,dd,77,40,c4,79,55,48,ab,2c,5b,5e,5f,be,0b,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:4e,4a,91,72,a2,3f,ab,0c,91,c6,df,00,63,d3,30,61,53,15,7c,cf,fd,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:92,b8,bb,f9,ff,e7,a9,3c,76,7f,79,aa,b6,91,21,84,7e,70,57,91,fe,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,8a,60,17,0c,13,34,cd,65,9e,0f,96,d8,7a,79,35,88,ac,..
    "khjeh"=hex:5e,b7,7f,49,c4,74,4f,4c,8e,e8,62,94,b1,f4,04,ff,90,a2,cf,e6,c9,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ed,b2,e2,64,9c,47,da,fb,2d,9e,c4,0b,07,b8,42,29,cf,80,62,db,f3,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:64,da,c0,fc,36,e9,37,36,55,95,d3,db,76,91,7a,33,d9,79,4b,e4,06,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:92,b8,bb,f9,ff,e7,a9,3c,76,7f,79,aa,b6,91,21,84,7e,70,57,91,fe,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,8a,60,17,0c,13,34,cd,65,9e,0f,96,d8,7a,79,35,88,ac,..
    "khjeh"=hex:5e,b7,7f,49,c4,74,4f,4c,8e,e8,62,94,b1,f4,04,ff,90,a2,cf,e6,c9,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ed,b2,e2,64,9c,47,da,fb,2d,9e,c4,0b,07,b8,42,29,cf,80,62,db,f3,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:64,da,c0,fc,36,e9,37,36,55,95,d3,db,76,91,7a,33,d9,79,4b,e4,06,..

    scanning hidden registry entries ...

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{68B5523E-C5CE-E0CF-BF86-6392BD9E6C2A}]

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\Octoshape Streaming Services\\James\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\James\\OctoshapeClient.exe:*:Enabled:OctoshapeClient"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
    "C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Documents and Settings\\James\\My Documents\\Cod4MP\\The All-Seeing Eye\\eye.exe"="C:\\Documents and Settings\\James\\My Documents\\Cod4MP\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
    "C:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe"="C:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe:*:Enabled:LabVIEW 8.2 Development System"
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™"
    "C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™"
    "%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 30 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 14 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Tue 18 Nov 2008 65,673,358 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\18747efdf3e3ba8f4180857f6841477d\BIT3F6.tmp"
    Mon 15 Sep 2008 444 ...HR --- "C:\Documents and Settings\James\Application Data\SecuROM\UserData\securom_v7_01.bak"
    Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\James\Application Data\U3\temp\Launchpad Removal.exe"
    Tue 30 Jan 2007 4,348 ...H. --- "C:\Documents and Settings\James\My Documents\My Music\License Backup\drmv1key.bak"
    Tue 6 Mar 2007 20 A..H. --- "C:\Documents and Settings\James\My Documents\My Music\License Backup\drmv1lic.bak"
    Fri 16 Feb 2007 400 ...H. --- "C:\Documents and Settings\James\My Documents\My Music\License Backup\drmv2key.bak"
    Tue 6 Mar 2007 1,536 A..H. --- "C:\Documents and Settings\James\My Documents\My Music\License Backup\drmv2lic.bak"
    Wed 22 Nov 2006 24,576 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\English\Essays\~WRL0002.tmp"
    Tue 21 Nov 2006 39,424 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL0004.tmp"
    Tue 14 Nov 2006 43,520 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL1178.tmp"
    Tue 14 Nov 2006 44,544 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL2398.tmp"
    Tue 7 Nov 2006 40,960 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL3298.tmp"
    Tue 21 Nov 2006 39,424 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL3321.tmp"
    Tue 14 Nov 2006 44,544 A..H. --- "C:\Documents and Settings\James\My Documents\School Work\UTPA\Physics II\James labs\~WRL3423.tmp"

    Finished!
    ----------------------------------------------------------

    HJT log:
    -----------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:59 PM, on 3/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    C:\WINDOWS\system32\lkcitdl.exe
    C:\WINDOWS\system32\lkads.exe
    C:\WINDOWS\system32\lktsrv.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MATLAB71\bin\win32\MATLAB.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\National Instruments\MAX\nimxs.exe
    C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    C:\WINDOWS\system32\nisvcloc.exe
    C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sopidkc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tdctxte.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\excel.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [Bnadobubobo] rundll32.exe "C:\WINDOWS\Uyosin.dll",e
    O4 - HKLM\..\Run: [Cdifibazukoho] rundll32.exe "C:\WINDOWS\opepimog.dll",e
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: dqpich.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
    O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
    O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
    O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
    O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
    O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
    O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe

    --
    End of file - 12030 bytes
    ------------------------------------------

    Edited by lol999, 24 March 2009 - 10:17 PM.
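The HJT log and the SDFix firewall export above contain the kind of entries a malware-removal helper picks out by eye: an extra executable appended to the UserInit chain, Run keys that call rundll32 on DLLs sitting in the Windows root with a one-letter export, a populated AppInit_DLLs value, services with no vendor string running from system32, and firewall exceptions for OS process names registered from paths where those processes do not live. The script below is an added example, not code from the post or from HijackThis/SDFix; it encodes those heuristics and runs them over lines copied from the logs above (plus three benign lines for contrast). The rule names, the reason strings, and the CORE_PROCESSES list are this example's own assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage heuristics for HijackThis-style log lines and a Windows XP firewall
AuthorizedApplications export.  Added example, not code from the post or from
HijackThis/SDFix; the rules and reason strings are this example's assumptions."""
import re
from typing import List, Tuple

# Only userinit.exe itself belongs in the UserInit chain.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe"}
# OS process names that are often borrowed for firewall exceptions (assumed list).
CORE_PROCESSES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

# Constructed sample: lines copied from the HJT log and the SDFix firewall export
# in the post above, plus three benign lines (NvCpl, NVSvc, uTorrent) for contrast.
SAMPLE_LINES = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Bnadobubobo] rundll32.exe "C:\WINDOWS\Uyosin.dll",e
O4 - HKLM\..\Run: [Cdifibazukoho] rundll32.exe "C:\WINDOWS\opepimog.dll",e
O20 - AppInit_DLLs: dqpich.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:uTorrent"
""".strip().splitlines()


def check_userinit(line: str) -> List[str]:
    """F2: anything besides userinit.exe in the comma-separated UserInit value
    is started by winlogon at every logon, so every extra entry is reported."""
    m = re.search(r"UserInit=(.*)$", line, re.I)
    if not m:
        return []
    entries = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extras = [p for p in entries if p.lower() not in LEGIT_USERINIT]
    return [f"UserInit chain loads extra executable: {p}" for p in extras]


def check_rundll32_run(line: str) -> List[str]:
    """O4: rundll32 loading a DLL from C:\\WINDOWS itself (not system32) or
    calling a single-letter export is a loader pattern worth a look."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', line, re.I)
    if not m:
        return []
    dll, export = m.group(1), m.group(2)
    reasons = []
    if re.fullmatch(r"c:\\windows\\[^\\]+\.dll", dll, re.I):
        reasons.append(f"rundll32 loads DLL from Windows root: {dll}")
    if len(export) == 1:
        reasons.append(f"rundll32 calls single-letter export '{export}' in {dll}")
    return reasons


def check_appinit(line: str) -> List[str]:
    """O20: a non-empty AppInit_DLLs value is injected into every process that
    loads user32.dll, so any entry is reported."""
    m = re.search(r"AppInit_DLLs:\s*(\S.*)$", line, re.I)
    return [f"AppInit_DLLs injects {m.group(1).strip()} into every GUI process"] if m else []


def check_service(line: str) -> List[str]:
    """O23: a service whose company field HijackThis shows as 'Unknown owner'
    and whose binary sits directly in system32."""
    m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if not m:
        return []
    owner, path = m.group(2).strip(), m.group(3).strip()
    if owner.lower() == "unknown owner" and re.fullmatch(r"c:\\windows\\system32\\[^\\]+\.exe", path, re.I):
        return [f"service with no vendor info runs from system32: {path}"]
    return []


def check_firewall_exception(line: str) -> List[str]:
    """AuthorizedApplications export: flag an OS process name registered from a
    path outside system32, or any path written with the \\??\\ NT prefix."""
    m = re.match(r'^"([^"]+)"="', line)
    if not m:
        return []
    path = m.group(1).replace("\\\\", "\\")  # the export doubles every backslash
    low = path.lower()
    reasons = []
    if low.startswith("\\??\\"):
        reasons.append(f"firewall exception uses NT object path prefix: {path}")
    base = low.rsplit("\\", 1)[-1]
    expected = r"(?:%windir%|c:\\windows)\\system32\\" + re.escape(base) + "$"
    if base in CORE_PROCESSES and not re.search(expected, low):
        reasons.append(f"firewall exception for OS process name outside system32: {path}")
    return reasons


CHECKS = (check_userinit, check_rundll32_run, check_appinit, check_service, check_firewall_exception)


def triage(lines) -> List[Tuple[str, str]]:
    """Run every heuristic over every line; return (line, reason) pairs that fired."""
    hits = []
    for raw in lines:
        line = raw.strip()
        for check in CHECKS:
            for reason in check(line):
                hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"[!] {reason}\n    {line}")
```

Against the sample lines the script reports nine findings and stays silent on the NvCpl, NVSvc and uTorrent entries. The firewall check is the one most people miss: the XP export stores `%windir%\system32\drivers\svchost.exe`, and svchost.exe has no business under `drivers`, while the `\??\` form for winlogon.exe is an NT object-manager path that no normal installer writes into that key.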




