
malware affecting google


  • This topic is locked
29 replies to this topic

#1 joeanonymous

  • Members
  • 24 posts

Posted 21 March 2009 - 11:25 PM

I have some type of malware or virus that is affecting Google. Clicking on a Google result will direct me to a totally different website. Programs also seem to be slow to load. I downloaded Malwarebytes' Anti-Malware but it will not run on my computer. I try launching it but nothing happens. I do not know if the malware/virus is stopping it from running. The same thing happens with Spybot Search and Destroy. I can download it but nothing happens when I launch it. I was able to download and run Lavasoft Ad-Aware. It indicated I had some malware on my computer but couldn't remove it. The notes said it may have to be removed by hand, and it tried to quarantine it. However, Ad-Aware keeps popping up and finding the same thing even though it quarantined it before. I finally had to close Ad-Aware to stop the never-ending loop.

As per your tutorial for HijackThis, I downloaded DDS and ran it (which also took a while to run, much longer than the indicated three minutes. I wonder if the malware/virus was affecting it.) Below are the contents of the file DDS.txt. I have also attached the file attach.txt.

Just a quick note. My affected computer is my home computer. A few months ago I had a problem with my work computer (not exactly the same problem but similar). Bleeping Computer was very helpful and I was able to fix the problem with your instructions. I was and continue to be very grateful. I hope you can also help me solve my current home computer problem.

I appreciate your assistance and thank you in advance.

Joe Anonymous



DDS (Ver_09-03-16.01) - NTFSx86
Run by Del Real at 20:57:38.85 on Sat 03/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.235 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Del Real\Local Settings\Temporary Internet Files\Content.IE5\V8C4BN2M\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0c0ef78e-65af-40fc-b4a6-8582f0bc6660} - c:\windows\system32\cmcfg3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\windows\dvzcommon\DvzMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://www.webpcfos.com/webpcfos/Citrix/wficat.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/17ffd68521fc200a1101/netzip/RdxIE601.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37624.7028009259
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-21 64160]
R0 paypmoum;paypmoum;c:\windows\system32\drivers\paypmoum.sys [2002-8-29 23424]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2008-3-7 227584]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-03-21 20:57 21,622 a------- c:\windows\system32\AAWService_2009_03_21_20_57_18.dmp
2009-03-21 20:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-21 20:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-21 20:28 154 a---h--- C:\aaw7boot.cmd
2009-03-21 18:57 21,622 a------- c:\windows\system32\AAWService_2009_03_21_18_57_12.dmp
2009-03-21 18:24 24,869 a------- c:\windows\system32\AAWService_2009_03_21_18_24_56.dmp
2009-03-21 18:23 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-21 18:08 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-21 18:06 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-21 18:06 <DIR> --d----- c:\program files\Lavasoft
2009-03-21 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 15:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-21 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-21 14:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 18:16 96,256 a------- c:\windows\system32\cmcfg3.dll

==================== Find3M ====================

2009-03-20 17:29 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-10 18:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-10-03 21:05 23 a--sh--- c:\windows\system32\ffbdafcd8_g.dll
2008-08-26 20:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 21:00:15.18 ===============
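A helper reading a log like the one above goes straight to a handful of persistence points: the Winlogon Userinit value (which here chains a second program, twext.exe, after the stock userinit.exe), browser helper objects registered with no display name (cmcfg3.dll), toolbar and explorer-bar CLSIDs whose DLL is gone ("No File"), and hidden+system files dropped directly into system32. The Python below is an added example, not part of this thread and not a BleepingComputer, DDS or HijackThis tool: it applies those heuristics to lines copied from the DDS log above and from the HijackThis log posted later in the thread. The category names, the "stock XP install" assumption about Userinit and the hidden+system-file rule are this example's own choices, and a hit means "look at this", not "this is malware".

```python
"""Heuristic triage of DDS / HijackThis log lines (added example).

Flags the persistence points a log helper checks first: extra programs
chained into Winlogon's Userinit, browser helper objects registered
without a name, toolbar/explorer-bar CLSIDs whose DLL is gone, and
hidden+system files dropped straight into system32.  A hit means
"look here", not "this is malware".
"""
import re
from dataclasses import dataclass

# Assumption: a stock XP install, where only userinit.exe belongs in Userinit.
STOCK_USERINIT = {"c:\\windows\\system32\\userinit.exe", "userinit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
_GUID = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# Winlogon Userinit in DDS "Pseudo HJT" form and in HijackThis F2 form.
_USERINIT = re.compile(
    r"^(?:mWinlogon:\s*Userinit=|F2 - REG:system\.ini: UserInit=)(?P<val>.*)$", re.I)
# DDS:  "BHO: <name>: {guid} - <path>"  or, unnamed,  "BHO: {guid} - <path>"
_BHO_DDS = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s*(?P<guid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.+)$", re.I)
# HJT:  "O2 - BHO: <name or (no name)> - {guid} - <path>"
_BHO_HJT = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*(?P<guid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.+)$", re.I)
# Toolbar / explorer-bar entries whose DLL no longer exists on disk.
_NOFILE = re.compile(r"^(?:TB|EB|O3 - Toolbar):.*-\s*\(?no file\)?\s*$", re.I)
# DDS file listing:  "YYYY-MM-DD HH:MM <size or <DIR>> <8 attribute flags> <path>"
_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    category: str  # which heuristic fired
    detail: str    # the value worth checking (path, program or CLSID)
    line: str      # the log line it came from


def triage(lines):
    """Return a Finding for every suspicious persistence point in the lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := _USERINIT.match(line):
            # Userinit is comma-separated: every program listed runs at each logon.
            for prog in (p.strip().lower() for p in m["val"].split(",")):
                if prog and prog not in STOCK_USERINIT:
                    findings.append(Finding("userinit-extra", prog, line))
        elif m := (_BHO_DDS.match(line) or _BHO_HJT.match(line)):
            if m["name"].rstrip(":").strip() in ("", "(no name)"):
                findings.append(Finding("bho-unnamed", m["path"].lower(), line))
        elif _NOFILE.match(line):
            guid = _GUID.search(line)
            findings.append(Finding("orphan-clsid", guid.group(0) if guid else line, line))
        elif m := _FILE.match(line):
            path, attrs = m["path"].lower(), m["attrs"].lower()
            inside = path[len(SYSTEM32):] if path.startswith(SYSTEM32) else ""
            # A hidden+system *file* directly in system32 (not in a subfolder).
            if inside and "\\" not in inside and m["size"] != "<DIR>" and {"s", "h"} <= set(attrs):
                findings.append(Finding("hidden-system32-file", path, line))
    return findings


# Lines copied from the DDS log in the first post and the HijackThis log later
# in the thread; the remaining log lines would simply produce no findings.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0c0ef78e-65af-40fc-b4a6-8582f0bc6660} - c:\windows\system32\cmcfg3.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
2009-03-21 20:57 21,622 a------- c:\windows\system32\AAWService_2009_03_21_20_57_18.dmp
2008-10-03 21:05 23 a--sh--- c:\windows\system32\ffbdafcd8_g.dll
2008-08-26 20:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: (no name) - {0C0EF78E-65AF-40FC-B4A6-8582F0BC6660} - C:\WINDOWS\system32\cmcfg3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
"""


def triage_sample():
    """Run the heuristics over the sample lines above."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.category:22} {f.detail}")
```

Run it on a whole DDS.txt or hijackthis.log with `triage(open(path).read().splitlines())`. The hidden+system rule deliberately ignores subfolders such as config\systemprofile, where IE's own index.dat files carry those attributes legitimately, and the named-BHO check only looks at the display name, so a named entry pointing at an unusual DLL still deserves a look by hand.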


#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts

Posted 30 March 2009 - 02:32 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 joeanonymous

  • Topic Starter
  • Members
  • 24 posts

Posted 30 March 2009 - 07:46 PM

Hi suebaby41,

Thanks for getting back to me. I sincerely appreciate it.

I downloaded and ran RSIT as instructed. You requested I post the contents of log.txt, which I have below. RSIT also produced the file info.txt. I didn't know if you also needed this file. I also posted it below just in case, below log.txt. I made a note where each file begins.

I don't know if this helps, but I wanted to give you more info just in case it helps with my problem. My computer has been displaying more symptoms than the original Google results redirect symptom. A second symptom is that my browser (IE7) will suddenly shut down as if I closed it while I am browsing other websites. This is happening periodically. A third symptom is that periodically an audio file will suddenly begin playing through my speakers. This has happened several times and it is always a different audio file. There is no way to stop the audio file from playing other than shutting down my computer. No file or application is shown as being launched when the audio file is playing. Nothing shows up in Task Manager either. A fourth symptom is that a second browser tab will appear when I am browsing websites. This typically appears when I am accessing my work email remotely. This second browser tab is nothing but a bunch of random text.

As I mentioned in my first post, I tried downloading Malwarebytes' Anti-Malware, Lavasoft Ad-Aware, Spybot Search and Destroy, and Lavasoft Ad-Aware. Ad-Aware automatically launches every time I start my computer to begin a scan. It always comes up that it found malware and lists the two files "Win32Ro\.\Podnuha" and "Win32Rootkit.TOSS", but it can never get rid of them, as I mentioned in my first post. Even though I cannot run a Spybot scan (or a Malwarebytes scan), Spybot shows that it is running in the background. Before running RSIT, I shut down both Ad-Aware and Spybot. I hope this was the right thing to do. Should I delete these programs, or will they interfere with your fix? Just let me know what to do.

Thank you so much for your assistance. Below are the two files log.txt and info.txt.

Joe Anonymous

Here is log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Del Real at 2009-03-30 17:17:06
Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (23%) free of 38 GB
Total RAM: 511 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:23 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Del Real\Desktop\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Del Real.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C0EF78E-65AF-40FC-B4A6-8582F0BC6660} - C:\WINDOWS\system32\cmcfg3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.webpcfos.com/webpcfos/Citrix/wficat.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ffd68521fc20...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6841 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Del Real.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C0EF78E-65AF-40FC-B4A6-8582F0BC6660}]
C:\WINDOWS\system32\cmcfg3.dll [2008-04-13 96256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-10 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-10 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-05-02 4640768]
"nwiz"=nwiz.exe /install []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-02-02 180269]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-10 148888]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"NvMediaCenter"=C:\WINDOWS\System32\NVMCTRAY.DLL [2003-05-02 49152]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2008-09-26 2356088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Palm\HOTSYNC.EXE"="C:\Program Files\Palm\HOTSYNC.EXE:*:Disabled:HotSync® Manager Application"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-30 17:17:06 ----D---- C:\rsit
2009-03-21 20:51:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-21 20:51:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 18:23:06 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-03-21 18:06:43 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-21 18:06:19 ----D---- C:\Program Files\Lavasoft
2009-03-21 18:06:19 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-21 15:41:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-21 14:12:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-20 18:16:17 ----A---- C:\WINDOWS\system32\cmcfg3.dll
2009-03-10 22:58:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-10 22:58:36 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-10 18:25:30 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-10 18:25:30 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-10 18:25:30 ----A---- C:\WINDOWS\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-03-30 17:17:23 ----D---- C:\Program Files\Trend Micro
2009-03-30 17:17:17 ----D---- C:\WINDOWS\Temp
2009-03-30 16:04:10 ----D---- C:\WINDOWS\system32
2009-03-30 16:01:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-30 16:01:17 ----SD---- C:\WINDOWS\Tasks
2009-03-29 18:10:52 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-28 18:09:19 ----D---- C:\WINDOWS\Prefetch
2009-03-21 20:51:06 ----D---- C:\Program Files
2009-03-21 18:11:54 ----D---- C:\WINDOWS
2009-03-21 18:09:13 ----D---- C:\WINDOWS\system32\drivers
2009-03-21 18:09:12 ----HD---- C:\WINDOWS\inf
2009-03-21 18:08:26 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-21 18:06:43 ----SHD---- C:\WINDOWS\Installer
2009-03-21 18:06:11 ----D---- C:\WINDOWS\WinSxS
2009-03-21 15:31:26 ----D---- C:\Program Files\XoftSpy
2009-03-10 22:58:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-10 22:58:44 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 18:25:09 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-10 18:25:03 ----D---- C:\Program Files\Java
2009-03-10 18:18:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-08 10:55:06 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller; C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-03-16 227584]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-05-02 1312555]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-10 152984]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-05-02 69632]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

-----------------EOF-----------------


Here is info.txt:


info.txt logfile of random's system information tool 1.06 2009-03-30 17:17:38

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Allied Schools' Salesperson Prep-->C:\PROGRA~1\Allied\UNWISE.EXE C:\PROGRA~1\Allied\INSTALL.LOG
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bazooka Scanner-->"C:\Program Files\Bazooka Scanner\Uninstall.exe" "C:\Program Files\Bazooka Scanner\install.log"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Celestia 1.3.2-->"C:\Program Files\Celestia\unins000.exe"
Citrix ICA Web Client-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wficat.inf,DefaultUninstall
Documents To Go-->MsiExec.exe /X{4E7E8E6A-15F1-4E26-9352-26AD235131E9}
Forté Agent-->C:\PROGRA~1\Agent\UNWISE.EXE C:\PROGRA~1\Agent\INSTALL.LOG "Uninstall Forté Agent"
GetDataBack for NTFS-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Runtime Software\GetDataBack for NTFS\DeIsL1.isu" -c"C:\Program Files\Runtime Software\GetDataBack for NTFS\_ISREG32.DLL"
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
OLYMPUS CAMEDIA Master 4.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.2
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegSupreme-->"C:\Program Files\RegSupreme\unins000.exe"
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Safari-->MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======System event log======

Computer Name: P-IV-1400MHZ
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 53830
Source Name: W32Time
Time Written: 20090116233510.000000-480
Event Type: warning
User:

Computer Name: P-IV-1400MHZ
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001CF091CA50. The IP address being used is 169.254.204.129.

Record Number: 53724
Source Name: Dhcp
Time Written: 20090112183447.000000-480
Event Type: warning
User:

Computer Name: P-IV-1400MHZ
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 53719
Source Name: Tcpip
Time Written: 20090111132427.000000-480
Event Type: warning
User:

Computer Name: P-IV-1400MHZ
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 53488
Source Name: Tcpip
Time Written: 20081229184449.000000-480
Event Type: warning
User:

Computer Name: P-IV-1400MHZ
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 53444
Source Name: W32Time
Time Written: 20081227234554.000000-480
Event Type: warning
User:

=====Application event log=====

Computer Name: P-IV-1400MHZ
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 17609
Source Name: Userenv
Time Written: 20080723225326.000000-420
Event Type: warning
User: P-IV-1400MHZ\Del Real

Computer Name: P-IV-1400MHZ
Event Code: 1517
Message: Windows saved user P-IV-1400MHZ\Del Real registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 17584
Source Name: Userenv
Time Written: 20080722225013.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: P-IV-1400MHZ
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 17583
Source Name: Userenv
Time Written: 20080722225011.000000-420
Event Type: warning
User: P-IV-1400MHZ\Del Real

Computer Name: P-IV-1400MHZ
Event Code: 1517
Message: Windows saved user P-IV-1400MHZ\Del Real registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 17558
Source Name: Userenv
Time Written: 20080721223212.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: P-IV-1400MHZ
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 17557
Source Name: Userenv
Time Written: 20080721223209.000000-420
Event Type: warning
User: P-IV-1400MHZ\Del Real

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:28 PM

Posted 02 April 2009 - 08:25 AM

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe
Identified as a variant of PWS-Zbot which is a Trojan that steals online banking credentials and eventually sends them to a remote server.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

Ensure that you have the latest version of Adobe® Reader®. If you do not have the latest version, you may want to download the latest version, Adobe® Reader® 9.

Step 3

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.
  • Please download the ATF-Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  • Click Exit on the Main menu to close the program.
Step 4

In Normal Mode, run an online malware check from at least two and preferably three (one may catch something that another one may not) of the following sites
BitDefender
Kaspersky Online Virus Scanner
McAfee FreeScan
Panda's ActiveScan
Trend Micro™ HouseCall
Windows Live Safety Center Free Online Scan
WindowSecurity.com TrojanScan
When you have completed the scans, if you get a report of files that cannot be cleaned / deleted, make a note of the file location of anything that cannot be cleaned / deleted. Please edit the log(s) and remove:
  • items listed as "Object is locked skipped"
  • items reported that are in a quarantine folder
Please post the edited list in your next reply.

Step 5

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 6

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully."
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 7
  • Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options, make sure the following are checked:
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose Copy.
    • Click Close and Close again to exit the program.
  • Please post that information with a new HijackThis log.
Step 8

Check your computer with anti-rootkit applications. I recommend avast! antirootkit or Trend Micro RootkitBuster.

Step 9

Check to see if you have insecure applications with
Secunia Software Inspector. Secunia Software Inspector:
  • Detects insecure versions of common/popular programs installed on your computer.
  • Verifies that all Microsoft patches are applied.
  • Assists you in updating, patching, and protecting your computer.
  • Activates additional security features in Sun Java.
  • Runs through your browser. No installation or download is required.
Step 10
  • According to your Internet connection, please disconnect from the Internet. Close ALL browser windows (including this one).
    • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
    • Turn your modem off.
    • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Exit all processes and items in your System tray.
Step 11

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

Windows Defender
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools
  • Click on General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on Real-time protection (recommended)
  • Click Save
  • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defender's page, uncheck under Administrator Options, use Windows Defender and then Save.
  • Exit the program.
Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  • Right click on the icon in your System Tray.
  • Click Exit
  • Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Now we will address the HijackThis fixes.

Spybot - S&D TeaTimer

We need to disable Spybot TeaTimer as it may interfere with the cleaning.
Please do not enable it until I tell you that your HijackThis log is clean.

Step A
  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident.
Step B

Second step, for either version:
  • Open Spybot S&D.
  • Click Mode, choose Advanced Mode.
  • Go To the bottom of the vertical Panel on the Left, Click Tools.
  • In left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
  • OK any prompts.
  • Use File > Exit to terminate Spybot.
  • Reboot your machine for the changes to take effect.
    Don't forget to restart Spybot - Search and Destroy's Teatimer when your machine is clean and undo the changes above.
Step 12

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: (no name) - {0C0EF78E-65AF-40FC-B4A6-8582F0BC6660} - C:\WINDOWS\system32\cmcfg3.dll


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 13

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if any of them apply to your computer's problem with being slow to respond.
Slow Computer? Check here first; it may not be malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 14
  • Please download GooredFix , making sure that you save this file to your Desktop.
  • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...).
  • Select Option#1 - Find Goored (no fix), by typing 1 and pressing Enter.
  • A logfile should popup shortly. Please post the log in your next reply.
Step 15

I do not see any signs of an antivirus program or a firewall on your system.

An antivirus program is an essential part of computer security and you do not appear to have one running on your system. There are a few available for free that have excellent reputations.

AVG 8 Anti-Virus Free Edition

AntiVir Personal

Avast! 4 Home Edition
If needed, see How to Install, Configure, and Use Avast Antivirus


A Firewall is an essential part of computer security and you do not appear to have a third party software firewall running on your system. If you have one, and I missed it, please ignore this. The firewalls in Windows XP SP2 and SP3 are more effective than that in SP1, but neither filters outbound traffic (traffic going out from your computer to the Internet). In SP2 and SP3 the firewall is ON by default, but in SP1 it is OFF by default. In Vista, the firewall operates both inbound and outbound, but by default, most outbound filtering in the Windows Vista firewall is turned off.

A third party firewall is generally considered to be more effective and more configurable and usually works on both inbound and outbound traffic.

There are several firewalls that provide better protection than the Windows SP2/SP3 firewalls. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall:
  • Download the new firewall to your desktop.
  • Disconnect from the Internet.
  • Click Start > Control Panel.
  • Switch to Classic View if you have not already done so.
  • Double click on the Windows Firewall icon.
  • Click Off (Not recommended).
  • Install the new Firewall.
Do not attempt to run two software firewalls since, like running two antivirus programs, they will possibly cause problems and conflict with each other.

There are a few firewalls available for free that appear to be good and easy to use:

For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.

Step 16

Please run HijackThis in Normal Mode and post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from SUPERAntiSpyware
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 joeanonymous
  • Topic Starter
  • Members
  • 24 posts

Posted 04 April 2009 - 02:50 PM

Hi suebaby41,

I was unable to complete all the steps outlined in your last post due to some problems I encountered as well as some questions I have. I was able to get down to just before step 12, where I was supposed to run HijackThis, which I have not run yet. While getting down to this point I ran into several problems, which I will describe below. I also have a few questions about running HijackThis, which I also posted below.

As you may recall from one of my last posts, I previously downloaded Malwarebytes' Anti-Malware, Spybot Search and Destroy, and Lavasoft Ad-Aware. I could not run the scans on MBAM or Spybot; they would not run when I hit scan, and Lavasoft would always run, finding the same two malware files in a continuous loop without fixing them. I ended up removing these three programs from my computer before proceeding with your steps. I realize one of your steps (step 6) is to load and run MBAM, which I did (with problems) and describe below. I hope removing these three programs does not cause any difficulty.

I was able to get through step 3 with no difficulty. Step 4, the online scans, is where I began to get problems.

Step 4

I ended up trying ALL the online scans you recommended. Only three of them actually worked to completion. The others caused problems. I spent several days getting through step 4. Here are the three scans that worked and the results:

McAfee Freescan
Came up with three threats: 1) file C:\WINDOWS\System32\cmcfg.dll, threat name Generic.dx; 2) file C:\WINDOWS\Temp\2.tmp, threat name Generic Downloader.x; 3) file C:\WINDOWS\Temp\2.tmp.exe, threat name Generic Downloader.x. There was no action to select to address these threats and there was no report generated.

WindowSecurity.com TrojanScan
I used the Smart Scan rather than the Deep Scan, as recommended by the program. It found two high risk objects, C:\WINDOWS\Temp\2.tmp and C:\WINDOWS\Temp\2.tmp.exe (same as McAfee). I quarantined the objects and the program generated a short report, shown below.

BEGIN REPORT:
a-squared Web Malware Scanner v. 4.0

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 4/3/2009 1:35:49 PM

C:\WINDOWS\Temp\2.tmp detected: Trojan-Downloader.Win32.Agent.bkyy!A2
C:\WINDOWS\Temp\2.tmp.exe detected: Trojan-Downloader.Win32.Agent.bkyy!A2

Scanned

Files: 37330
Traces: 327974
Cookies: 13
Processes: 29

Found

Files: 2
Traces: 0
Cookies: 2
Processes: 0

Scan end: 4/3/2009 2:04:15 PM
Scan time: 12:28:26 AM
END REPORT


Windows Live Safety Center Free Online Scan
I used a Complete Scan rather than a Quick Scan, as recommended by the program. The scan found 1 severe issue with 4 items detected, described as Trojan:Win32/Boaxxe.I, and listed the file C:\WINDOWS\System32\cmcfg3.dll. The scan also found 1 medium threat with 1 item detected, described as Program:Win32/PowerRegScheduler. The program listed all these items as "Unable to clean". There was no report generated.

Below are the problems I encountered using the other scans on your list. I'm not sure if it helps you to list the problems but I'll do it anyway just in case it helps. A few of the scans came up with some info which might be useful.

BitDefender
I downloaded and tried to run it but got hung up on the updating screen. I was stuck on this screen for over half an hour with no progress and the status bar remaining at 0%. The cancel button would not work; I had to use Task Manager to shut it down. My computer was also frozen afterward and I had to reboot to regain functionality. I tried loading it again afterwards but then kept getting the message "could not load the online scanner" at the BitDefender website.

Kaspersky Online Virus Scanner
I was able to start the scan, but a few seconds into the scan the program identified file comctl32.dll at the location C:\WINDOWS\WinSxS...0.5512_x-ww_35d4ce83. The scanner got stuck at this point and showed no progress in its timer, which was stuck at 4 seconds. I waited overnight but still no progress. It could not be shut down; I had to use Task Manager and then reboot.

Panda's ActiveScan
Came up with a window saying I was "infected" a few minutes into the scan. Listed the infection as Adware by the name of IST.ISTBar. It would not let me remove it unless I paid, which I did not. I was also not able to continue the scan after it found this initial item.

Trend Micro Housecall
Got stuck on the screen indicating "Updating and Starting Housecall Scan". The idle bar kept moving back and forth and I left it running for several hours, but there was no progress. I finally cancelled.


Step 5

I was able to download Spyware Blaster with no problems.


Step 6

I once again downloaded MBAM onto my system, but I could not get the scan to run, as before. The program is loaded on my computer but nothing happens when I try to either update or scan. I let the computer sit there for several hours but still the scan did not run.


Step 7

I tried to download and run SUPERAntiSpyware but I kept getting the message "SuperAntiSpyware has encountered a problem and needs to close." I tried installing again but kept getting the same message. Since I could not run it, I could not generate a report log.


Step 8

I tried running avast! antirootkit but kept getting the error "Error. Can't open disk device C:"


Step 9

I tried downloading and running Secunia Software Inspector. I was able to begin the scan, but 8 seconds in, the counter would stop and nothing would happen. The program info indicates a scan takes from 5-40 seconds. I let it sit for half an hour with no progress. I finally stopped the scan by hitting stop.


Steps 10, 11 and 12

This is as far as I got. I have a few questions before proceeding any farther.

Should I proceed forward given the problems I encountered above? Do I need to redo anything?

In step 10 you indicated I should disconnect from the internet. I am assuming I need to disconnect and then run HiJackThis while disconnected. Is this correct?

In step 11 you refer to "specialized fix tools" and the problems other anti-virus software can cause while running the specialized fix tools. I am assuming the specialized fix tool you are referring to is HijackThis. You indicate I should disable Windows Defender, which is straightforward. You also indicate I should exit SUPERAntiSpyware; however, I had problems with SUPERAntiSpyware as mentioned above. Do I still need to exit it? I don't think it is running since it is not in my system tray. You also indicate I should disable Spybot; however, I removed Spybot from my system as mentioned above.

In Step 12 you indicate I should run HijackThis. However, I never downloaded HijackThis onto my computer. Initially I downloaded and ran DDS according to your tutorial and posted the logs. You then instructed me to download and run RSIT and post the logs. I am not certain if DDS and RSIT are versions of HijackThis and what I should run. Should I download HijackThis onto my computer and run it, or should I be using RSIT or DDS?

I have another point of confusion. In step 12 you ask me to run HijackThis. Then in step 14 you ask me to run GooredFix. Then in step 16 you ask me to run HijackThis again and post the log. Am I supposed to run HijackThis twice, as indicated in these steps?

A few other notes. In step 13 you talk about Optional Fixes to not load unnecessary programs at startup until needed. I would like to stop the optional fixes at startup. I am not sure when this should be addressed. Should we wait until my system is cleaned? Just let me know what to do.

In step 15 you talk about using an antivirus program and a firewall. I will definitely install each as soon as my system is clean.

Sorry for the long post and any difficulties I am having. I look forward to your next response and the next steps towards cleaning my system.

Thanks.

Joe Anonymous

#6 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender: Female
  • Location: South Carolina, USA

Posted 04 April 2009 - 04:05 PM

Were you able to run GooredFix? If so, please post the log.

#7 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender: Female
  • Location: South Carolina, USA

Posted 04 April 2009 - 04:21 PM

Some of the files we need to remove are in temporary files.
  • Click Start, point to Settings, and click Control Panel (or Start -> Control Panel).
  • Double-click Internet Options icon in Control Panel, and click Delete Files button.
  • Check Delete all offline content box, and click OK.
  • Click Settings button, and set Amount of disk space to use somewhere between 1 and 3 MB (make it 10 MB if you are using a dial-up Internet connection).
  • Double-click Folder Options icon.
  • Switch to View tab, and check Display the full path in the address bar and Show hidden files and folders options.
  • Click OK button.
  • Close all programs and windows.
  • Browse to the following temporary folders and delete their content (DO NOT delete folders themselves, only what's inside):
    C:\WINDOWS\Temp
    C:\Documents and Settings\{COMPUTER USER NAME}\Local Settings\Temp
  • It's OK if you can't delete some (active) files.
  • Close all windows.
  • Restart computer.

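The temp-folder step above as a script, added here as an example; it is not part of the post and not a tool from the thread. It empties the two folders named above, leaves the folders themselves in place, logs the name, size and timestamps of everything it removes, and records rather than stops on files that a running program still holds open. It assumes PowerShell 2.0 or later (installable on XP SP3), the XP paths as given in the post, an account with administrative rights, and a placeholder log location on the Desktop.

```powershell
# Added example; not part of the original post and not a Lavasoft, Trend Micro
# or BleepingComputer tool. Empties the two temporary folders named in the
# steps above, keeps the folders themselves, records what was removed, and
# reports (instead of stopping on) files a running program still holds open.
# Assumes the Windows XP paths given in the post and an account with
# administrative rights. The log location is a placeholder; change as needed.

$TempFolders = @(
    "$env:SystemRoot\Temp",                   # C:\WINDOWS\Temp
    "$env:USERPROFILE\Local Settings\Temp"    # C:\Documents and Settings\{COMPUTER USER NAME}\Local Settings\Temp
)
$LogFile = "$env:USERPROFILE\Desktop\temp-cleanup.log"   # placeholder location

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Clear-TempFolder {
    param([string]$Folder)

    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Log "SKIP   $Folder (folder not found)"
        return
    }

    # Inventory before deleting anything. Earlier in the thread two online
    # scanners reported files in C:\WINDOWS\Temp; the names, sizes and
    # timestamps of whatever is removed are worth keeping for the helper.
    $items = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue)
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    $dirs  = @($items | Where-Object { $_.PSIsContainer })

    foreach ($f in $files) {
        $info = "FOUND  {0}  size={1}  created={2:u}  modified={3:u}" -f $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime
        Write-Log $info
    }

    # Files first. A file held open by a running program cannot be deleted;
    # the post says that is acceptable, so record it and move on.
    $locked = 0
    foreach ($f in $files) {
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            Write-Log "DELETE $($f.FullName)"
        } catch {
            $locked++
            Write-Log "INUSE  $($f.FullName)  ($($_.Exception.Message))"
        }
    }

    # Then sub-folders, deepest path first, so each is attempted only after
    # its children. Only empty ones are removed: a sub-folder that still
    # holds a locked file stays. The top-level temp folder is never removed.
    foreach ($d in ($dirs | Sort-Object -Property { $_.FullName.Length } -Descending)) {
        $remaining = @(Get-ChildItem -LiteralPath $d.FullName -Force -ErrorAction SilentlyContinue)
        if ($remaining.Count -gt 0) {
            Write-Log "KEEP   $($d.FullName)  (still holds files that could not be deleted)"
            continue
        }
        try {
            Remove-Item -LiteralPath $d.FullName -Force -ErrorAction Stop
            Write-Log "RMDIR  $($d.FullName)"
        } catch {
            Write-Log "KEEP   $($d.FullName)  ($($_.Exception.Message))"
        }
    }

    Write-Log ("DONE   {0}: {1} files found, {2} could not be deleted" -f $Folder, $files.Count, $locked)
}

foreach ($folder in $TempFolders) {
    Clear-TempFolder -Folder $folder
}
```

Lines marked INUSE in the log are the "active" files the post says it is OK to leave; they are normally released after the restart in the last step.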

#8 joeanonymous
  • Topic Starter
  • Members
  • 24 posts

Posted 04 April 2009 - 05:17 PM

Hi suebaby41,

I ran GooredFix with option 1. Here is the log.

GooredFix v1.92 by jpshortstuff
Log created at 15:12 on 04/04/2009 running Option #1 (Del Real)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Also deleted files as you instructed. You requested I set the amount of disk space to between 1M and 3M. The lowest it will let me go is 8M. It was set to 1024M before I changed it.

I will await your next instructions.

Joe Anonymous

#9 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender: Female
  • Location: South Carolina, USA

Posted 05 April 2009 - 06:36 PM

  • Please download Sysclean Package and save it to your desktop.
    • Create a new folder on drive "C:\" and name it Sysclean - (C:\Sysclean).
    • Place the SYSCLEAN.COM inside that folder.
    • Then download the latest Official Pattern Release for Windows (pattern files are usually named lptxxx.zip, where xxx is the pattern file number).
    • Extract (unzip) the lptxxx.zip pattern file into the Sysclean (C:\Sysclean) folder where you put SYSCLEAN.COM.
    • For information on how to extract a file if you are not sure how to do this, see How to create and extract a Zip File in Windows ME/XP/2003.
    • DO NOT scan yet.
  • Reboot your computer in SAFE MODE using the F8 method. To do this:
    • Restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
    • A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.
  • Please disconnect from the Internet. Please close ALL browser windows (including this one). Some antivirus programs such as Avast will alert you to a virus attack when running "Sysclean" so disable them before going to the next step.
  • Scan with Sysclean as follows:
    • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
    • Put a check mark on the Automatically clean or delete infected files option by clicking in the check box.
    • Click the Advanced >> button.
    • The scan options appear. Select Scan all local fixed drives.
    • Click the Scan button on the Trend Micro System Cleaner console.
    • It will take some time to complete. Be patient and let it clean whatever it finds.
    • Another MS-DOS window will appear containing the log file generated in the Trend Micro System Cleaner folder.
    • To view the log, click the View button on the Trend Micro System Cleaner console. The Trend Micro System Cleaner Log window appears.
      • The Files Detected section shows the viruses that were detected by Sysclean.
      • The Files Clean section shows the viruses that were cleaned.
      • The Clean Fail section shows the viruses that were not cleaned.
    • This fix tool generates the log file, SYSCLEAN.LOG, in its current folder.
    • When the scan is finished, open your Sysclean folder and copy and paste the contents of sysclean.log in your next reply.
    • Exit when done, reboot normally and enable your antivirus program.
    This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using "Sysclean", it is best to "use the Administrator's account" or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
  • If needed, see Instructions With Screenshots.
  • Please post a new HijackThis log and the contents of the sysclean.log.


#10 joeanonymous
  • Topic Starter
  • Members
  • 24 posts

Posted 06 April 2009 - 01:13 PM

Hi suebaby41,

I followed your instructions and downloaded and ran Sysclean Package with the official Pattern Release for Windows in the Sysclean folder. I did run into a problem. When I tried to run Sysclean, it came up with an error message:

"SSAPIPTN.DA5 is missing. Spyware scan will start disabled. Please download a copy from www.trendmicro.com"

I exited Sysclean, went to the Trend Micro website and found the file SSAPIPTN.DA5. I put an unzipped copy into the Sysclean folder. I then tried running Sysclean again and it ran without displaying the error message. I hope this was the right thing to do. Let me know if not and I will try again.

Sysclean ran successfully but unfortunately I do not think it found and cleaned anything. (The computer still has the same Google redirect and other problems when I checked after the Sysclean scan.) Below is a copy of the Sysclean log, which I think indicates no viruses found.

You also asked that I run HijackThis again and post the log. I still have the same uncertainty/question about whether HijackThis and RSIT are the same or not. I decided to run RSIT again assuming it is the log you asked for. The log is posted below after the Sysclean log.

I will await your next instructions. Once again, I appreciate all your efforts and look forward to getting my system cleaned. Thanks.

Joe Anonymous

Here is the Sysclean log:

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-04-05, 21:22:57, Auto-clean mode specified.
2009-04-05, 21:22:58, Failed to initialize Rootkit Driver.
2009-04-05, 21:22:58, Running scanner "C:\Sysclean\TSC.BIN"...
2009-04-05, 21:26:33, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2009-04-05, 21:26:33, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)
Windows XP (Build 2600: Service Pack 3)
Start time: Sun Apr 05 2009 21:22:59
Load Damage Cleanup Template (DCT) "C:\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 1024) [success]
Complete time: Sun Apr 05 2009 21:26:32
Execute pattern count (3043), Virus found count (0), Virus clean count (0), Clean failed count (0)

2009-04-05, 21:26:33, Running scanner "C:\Sysclean\VSCANTM.BIN"...
2009-04-05, 23:11:12, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
2009-04-05, 23:11:12, VSCANTM Log:

2009-04-05, 23:11:12, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/5/2009 21:26:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 943 (379453/379453 Patterns) (2009/04/03) (594300)

Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Sysclean\lpt$vpn.943

58650 files have been read.
58650 files have been checked.
58058 files have been scanned.
167019 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/5/2009 23:11:11 1 hour 44 minutes 28 seconds (6267.99 seconds) has elapsed.(106.871 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-05, 23:11:12, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/5/2009 21:26:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 943 (379453/379453 Patterns) (2009/04/03) (594300)

Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Sysclean\lpt$vpn.943

58650 files have been read.
58650 files have been checked.
58058 files have been scanned.
167019 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/5/2009 23:11:11 1 hour 44 minutes 28 seconds (6267.99 seconds) has elapsed.(106.871 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-05, 23:11:12, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/5/2009 21:26:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 943 (379453/379453 Patterns) (2009/04/03) (594300)

Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Sysclean\lpt$vpn.943

58650 files have been read.
58650 files have been checked.
58058 files have been scanned.
167019 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/5/2009 23:11:11 1 hour 44 minutes 28 seconds (6267.99 seconds) has elapsed.(106.871 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-05, 23:11:12, Running SSAPI scanner ""...
2009-04-06, 00:03:25, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.53
SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 04/05/2009 23:11:19

Detected: 0 items.

Spyware Scan Ended: 04/06/2009 00:03:25
Scan Complete. Time=3132.794434.


Here is the RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Del Real at 2009-04-06 10:51:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 12 GB (31%) free of 38 GB
Total RAM: 511 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:20 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Del Real\Desktop\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Del Real.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C0EF78E-65AF-40FC-B4A6-8582F0BC6660} - C:\WINDOWS\system32\cmcfg3.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.webpcfos.com/webpcfos/Citrix/wficat.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ffd68521fc20...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...573/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7211 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Del Real.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C0EF78E-65AF-40FC-B4A6-8582F0BC6660}]
C:\WINDOWS\system32\cmcfg3.dll [2008-04-13 96256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-05-02 4640768]
"nwiz"=nwiz.exe /install []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-02-02 180269]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"NvMediaCenter"=C:\WINDOWS\System32\NVMCTRAY.DLL [2003-05-02 49152]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Palm\HOTSYNC.EXE"="C:\Program Files\Palm\HOTSYNC.EXE:*:Disabled:HotSync® Manager Application"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-04-05 21:02:56 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-05 20:54:34 ----D---- C:\Sysclean
2009-04-03 18:22:41 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-03 18:22:41 ----D---- C:\Documents and Settings\Del Real\Application Data\SUPERAntiSpyware.com
2009-04-03 18:22:06 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-03 17:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-03 17:31:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-03 17:31:34 ----D---- C:\Program Files\SpywareBlaster
2009-04-03 14:52:34 ----D---- C:\Program Files\Windows Live Safety Center
2009-04-03 14:18:51 ----D---- C:\Program Files\Panda Security
2009-04-03 11:47:20 ----D---- C:\WINDOWS\McAfee.com
2009-04-02 17:45:38 ----D---- C:\WINDOWS\BDOSCAN8
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\java.exe
2009-03-31 21:56:29 ----D---- C:\WINDOWS\system32\KB905474
2009-03-30 17:17:06 ----D---- C:\rsit
2009-03-21 20:51:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 18:06:19 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-21 14:12:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-20 18:16:17 ----A---- C:\WINDOWS\system32\cmcfg3.dll
2009-03-20 18:16:06 ----SHD---- C:\WINDOWS\system32\twain_32
2009-03-10 22:58:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-10 22:58:36 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$

======List of files/folders modified in the last 1 months======

2009-04-06 10:51:18 ----D---- C:\WINDOWS\Temp
2009-04-06 10:51:12 ----D---- C:\Program Files\Trend Micro
2009-04-06 10:38:06 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-06 10:38:04 ----SD---- C:\WINDOWS\Tasks
2009-04-06 10:34:59 ----D---- C:\WINDOWS\system32
2009-04-06 10:34:54 ----D---- C:\WINDOWS\system32\drivers
2009-04-05 21:16:57 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-05 21:03:47 ----D---- C:\Documents and Settings
2009-04-05 21:02:56 ----D---- C:\WINDOWS
2009-04-05 20:31:59 ----D---- C:\WINDOWS\Prefetch
2009-04-03 18:26:30 ----SHD---- C:\WINDOWS\Installer
2009-04-03 18:22:41 ----D---- C:\Program Files
2009-04-03 18:22:06 ----D---- C:\Program Files\Common Files
2009-04-03 14:54:56 ----HD---- C:\WINDOWS\inf
2009-04-03 14:52:35 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-02 17:02:30 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-04-02 17:00:08 ----D---- C:\Program Files\Java
2009-03-21 18:06:11 ----D---- C:\WINDOWS\WinSxS
2009-03-21 15:31:26 ----D---- C:\Program Files\XoftSpy
2009-03-10 22:58:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-10 22:58:44 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 18:18:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-09 05:19:08 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-08 10:55:06 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller; C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-03-16 227584]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-05-02 1312555]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
S3 aswArKrn;aswArKrn; \??\C:\DOCUME~1\DELREA~1\LOCALS~1\Temp\aswArKrn.sys []
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-05-02 69632]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]

-----------------EOF-----------------
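
The RSIT sections above carry enough structure to be triaged mechanically rather than by eye. The Python script below is an added example written for this page; it is not part of RSIT, HijackThis or any of the posts in this thread. It parses the RSIT "Registry dump" and "files/folders created" sections as printed above and reports four things a responder would look for: a Browser Helper Object registered without a display name, a BHO DLL that also appears in the recently-created list, a DLL whose bracketed modification date is older than its creation date (a timestomping hint, with the caveat that a plain file copy produces the same pattern), and a system+hidden directory created under system32. It also checks a HijackThis-style F2 UserInit line for any executable other than userinit.exe. The sample input is copied from the log above plus one UserInit line modelled on the HijackThis output that appears later in the thread; the indicator names are my own.

```python
"""
Triage helper for RSIT / HijackThis style logs.
Added example for this page; not RSIT, HijackThis or forum-provided code.
"""
import re
from datetime import datetime

# Constructed sample input: the registry-dump and created-files lines are
# copied from the RSIT log posted above; the F2 line is modelled on the
# HijackThis output that appears later in this thread.
SAMPLE_LOG = r"""
======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C0EF78E-65AF-40FC-B4A6-8582F0BC6660}]
C:\WINDOWS\system32\cmcfg3.dll [2008-04-13 96256]

======List of files/folders created in the last 1 months======

2009-04-03 18:22:41 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-20 18:16:17 ----A---- C:\WINDOWS\system32\cmcfg3.dll
2009-03-20 18:16:06 ----SHD---- C:\WINDOWS\system32\twain_32

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twext.exe,
"""

BHO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
# "Display Name - C:\path.dll [YYYY-MM-DD size]"; RSIT omits the name when
# the CLSID has no friendly name, which is the case for cmcfg3.dll above.
BHO_ENTRY = re.compile(
    r"^(?:(?P<name>.+?) - )?(?P<path>[A-Za-z]:\\.+?) "
    r"\[(?P<mtime>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$")
# "YYYY-MM-DD hh:mm:ss ----SHD---- C:\path"; letters between the dashes are
# the file attributes (S=system, H=hidden, D=directory, A=archive, ...).
CREATED = re.compile(
    r"^(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+(?P<attrs>[A-Z]*)-+ (?P<path>.+)$")
USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")


def section(text, title):
    """Return the lines of the RSIT section whose ====== header contains title."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("======"):
            inside = title in line
            continue
        if inside:
            out.append(line)
    return out


def parse_bhos(text):
    """One dict per BHO in the registry dump; name is None when RSIT printed none."""
    lines = section(text, "Registry dump")
    bhos = []
    for i, line in enumerate(lines):
        key = BHO_KEY.match(line.strip())
        if not key or i + 1 >= len(lines):
            continue
        entry = BHO_ENTRY.match(lines[i + 1].strip())  # entry follows its key
        if entry:
            bhos.append({"clsid": key.group(1), "name": entry.group("name"),
                         "path": entry.group("path"), "mtime": entry.group("mtime"),
                         "size": int(entry.group("size"))})
    return bhos


def parse_created(text):
    """Map lower-cased path -> (creation datetime, attribute letters, original path)."""
    created = {}
    for line in section(text, "created"):
        m = CREATED.match(line.strip())
        if m:
            ctime = datetime.strptime(m.group("ctime"), "%Y-%m-%d %H:%M:%S")
            created[m.group("path").lower()] = (ctime, m.group("attrs"), m.group("path"))
    return created


def parse_userinit(text):
    """Executables listed in a HijackThis F2 UserInit line besides userinit.exe."""
    extra = []
    for line in text.splitlines():
        m = USERINIT.match(line.strip())
        if m:
            for item in m.group("value").split(","):
                item = item.strip()
                if item and not item.lower().endswith("\\userinit.exe"):
                    extra.append(item)
    return extra


def triage(text):
    """Correlate the sections and return a list of (indicator, path) findings."""
    findings = []
    created = parse_created(text)
    for bho in parse_bhos(text):
        path = bho["path"]
        if not bho["name"]:
            findings.append(("unnamed-bho", path))
        hit = created.get(path.lower())
        if hit:
            ctime = hit[0]
            findings.append(("recent-bho-dll", path))
            # Modified-before-created also happens on a plain copy, so this is a hint.
            if datetime.strptime(bho["mtime"], "%Y-%m-%d").date() < ctime.date():
                findings.append(("timestomp-suspect", path))
    for key, (_, attrs, original) in created.items():
        if {"S", "H", "D"} <= set(attrs) and "\\system32\\" in key:
            findings.append(("hidden-system-dir", original))
    for exe in parse_userinit(text):
        findings.append(("userinit-extra", exe))
    return findings


if __name__ == "__main__":
    for indicator, path in triage(SAMPLE_LOG):
        print(f"{indicator:18} {path}")
```

Run against the sample it reports cmcfg3.dll three times (no display name, created within the month, modification date a year older than its creation date), the system+hidden twain_32 directory created in the same minute as that DLL, and the two extra executables chained onto UserInit. None of these alone proves infection; the point is that the correlation across sections is what makes a single nameless BHO stand out from the Adobe and Java entries beside it.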

#11 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 07 April 2009 - 05:11 PM

Step 1
  • Please download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to C:\SDFix.
  • Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • When your computer restarts, the Fixtool will run again to complete the removal process.
  • When Finished is displayed, press any key to end the script and load your desktop icons.
  • After the desktop icons load, the SDFix report will open on screen and save into the SDFix folder as Report.txt. Report.txt will also be copied to Clipboard.
  • If needed, see SDFix ReadMe.
Step 2

Please download a-squared Free.
  • Follow all the instructions given by the installer.
  • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
  • Click Scan your computer for malware infections.
  • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
  • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
  • If malware is found, click the button Remove Selected Malware.
To continue to use a-squared Free, you will need to use the a-squared Updater to manually update the program. Click Security Status > Update Now. The a-squared Free program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the a-squared Anti-Malware ("pay for use") software.

Step 3

Please post:
  • the contents of the Report.txt from SDFix
  • the log from a-squared Free
  • a new HijackThis log

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 joeanonymous
  • Topic Starter
  • Members
  • 24 posts

Posted 07 April 2009 - 07:14 PM

Hi suebaby41,

I have a problem with SDFix. I am able to download onto my desktop but I cannot get it to run and extract the files into C:\SDFix. When I double click on the SDFix icon on my desktop, I first get a security warning that the publisher is not recognized but I allow it to run anyway by clicking the run button. My cursor then displays an hourglass for a few seconds as if something is happening. However, nothing happens. I waited for some time to make sure I gave it enough time but it never creates the folder C:\SDFix or extracts the files. I did a windows search for both SDFix and RunThis.bat just in case it extracted the files elsewhere but the search only found SDFix on my desktop. I tried downloading SDFix again several times and running again several times with no success. I used your SDFix Readme link and read the How to Use SDFix page which instructed me to verify the comspec variable which was correct. I did not do anything else.

Can you please advise.

Thanks.

Joe Anonymous

#13 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 07 April 2009 - 07:41 PM

Try running a-squared first and then SDFix.

#14 joeanonymous
  • Topic Starter
  • Members
  • 24 posts

Posted 08 April 2009 - 10:16 PM

Hi suebaby41,

I was finally able to run SDFix. I first ran a-squared Free prior to SDFix as suggested (more on this below). The contents of SDFix's Report.txt are posted below where indicated. Unfortunately I do not believe it fixed my problem. I am still getting the google redirects. Just after SDFix finished in Safe Mode and immediately after the reboot, I got the following Windows message: "NTVDM.EXE has encountered a problem and needs to close. We are sorry for the inconvenience." I then pressed the "Don't Send" to Microsoft option. SDFix then continued to run after the reboot. After SDFix had finished running, I got the same above message once again.

FYI: At first I could not get SDFix to run by downloading and saving on my desktop as instructed. I finally got it to work, that is, extract the files into C:\SDFix, by clicking "run" instead of "save" to the desktop from your link on your previous post.

As mentioned above, before I could get SDFix to work, I ran a-squared Free using a Smart Scan as the program suggested. It found the following three items:
Trojan.Win32.Alureon!IK, 8 processes - high risk
Rootkit.Win32.Podnuha!IK, 3 processes - high risk
Virus.Win32.Virut.q!IK, 1 file - high risk
I saved the report which is posted below where indicated as a-squared Smart Scan. I clicked the "Delete Selected Objects" button and got the following message several times: "C:\WINDOWS\System32\cmcfg3.dll can not be deleted". I also got a second following message several times: "\\?\globalroot\systemroot\system32\UACtrpyuonu can not be deleted". I then got another message telling me my system was shutting down with a 30 second countdown timer. Part of the message read "System shutdown initiated by NT AUTHORITY\SYSTEM". The rest of the message was something about a DCOM process timing out. I don't know exactly because my system shut down before I could write it down.

After starting my system back up after the shutdown, I ran a-squared Free once again, this time using a Deep Scan. The program had told me before that if I encountered anything with the Smart Scan, I should rerun using a Deep Scan. During the Deep Scan, it found the following two items, similar to the items found with a Smart Scan but not exactly the same:
Trojan.Win32.Alureon!IK, 6 processes - high risk
Rootkit.Win32.Podnuha!IK, 1 process - high risk
I saved the report, which is posted below where indicated as a-squared Deep Scan (to differentiate it from the Smart Scan report). I then clicked the "Delete Selected Objects" button and once again got the following two messages several times: "C:\WINDOWS\System32\cmcfg3.dll can not be deleted" and "\\?\globalroot\systemroot\system32\UACtrpyuonu can not be deleted". This time my system did not shut down as before.

After running SDFix as described in the first paragraph above, I then ran RSIT to generate a HijackThis log which is posted below where indicated.

I will await further instructions. Once again, I appreciate your continued assistance. I seem to be infected with something very stubborn.

Joe Anonymous


*** Here is the SDFix report ***


SDFix: Version 1.240
Run by Del Real on Wed 04/08/2009 at 06:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds - Deleted
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds - Deleted


Could Not Remove C:\WINDOWS\system32\twain_32\local.ds
Could Not Remove C:\WINDOWS\system32\twain_32\user.ds
Could Not Remove C:\WINDOWS\system32\twext.exe

Folder C:\Documents and Settings\LocalService\Application Data\twain_32 - Removed
Folder C:\Documents and Settings\NetworkService\Application Data\twain_32 - Removed
Folder C:\WINDOWS\system32\twain_32 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 18:43:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Del Real\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Disabled:HotSyncr Manager Application"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\twain_32\local.ds Found
C:\WINDOWS\system32\twain_32\user.ds Found
C:\WINDOWS\system32\twext.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 3 Oct 2008 23 A.SH. --- "C:\WINDOWS\system32\ffbdafcd8_g.dll"

Finished!


*** Here is the first a-squared Free log using Smart Scan ***

a-squared Anti-Malware - Version 4.0
Last update: 4/7/2009 5:55:58 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 4/7/2009 5:56:55 PM

[880] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[948] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1088] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1208] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1412] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1096] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1096] C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK
[3900] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[3900] C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK
[4520] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[4520] C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK
C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK
C:\WINDOWS\Temp\TMP0000009F8617191E08696C02 detected: Virus.Win32.Virut.q!IK

Scanned

Files: 120356
Traces: 593601
Cookies: 16
Processes: 32

Found

Files: 2
Traces: 0
Cookies: 0
Processes: 11
Registry keys: 0

Scan end: 4/7/2009 7:12:37 PM
Scan time: 1:15:42


*** Here is the second a-squared Free log using Deep Scan ***

a-squared Anti-Malware - Version 4.0
Last update: 4/8/2009 1:28:26 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 4/8/2009 1:29:36 PM

[880] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[948] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1104] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1232] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[1472] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[2820] \\?\globalroot\systemroot\system32\UACtrpyuonu.dll detected: Trojan.Win32.Alureon!IK
[2820] C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK
C:\WINDOWS\system32\cmcfg3.dll detected: Rootkit.Win32.Podnuha!IK

Scanned

Files: 112891
Traces: 598424
Cookies: 8
Processes: 30

Found

Files: 1
Traces: 0
Cookies: 0
Processes: 7
Registry keys: 0

Scan end: 4/8/2009 5:30:54 PM
Scan time: 4:01:18


*** Here is the HijackThis log using RSIT ***

Logfile of random's system information tool 1.06 (written by random/random)
Run by Del Real at 2009-04-08 18:48:55
Microsoft Windows XP Professional Service Pack 3
System drive C: has 12 GB (31%) free of 38 GB
Total RAM: 511 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:07 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Del Real\Desktop\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Del Real.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C0EF78E-65AF-40FC-B4A6-8582F0BC6660} - C:\WINDOWS\system32\cmcfg3.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.webpcfos.com/webpcfos/Citrix/wficat.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ffd68521fc20...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...573/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7546 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Del Real.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C0EF78E-65AF-40FC-B4A6-8582F0BC6660}]
C:\WINDOWS\system32\cmcfg3.dll [2008-04-13 96256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-05-02 4640768]
"nwiz"=nwiz.exe /install []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-02-02 180269]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"a-squared"=C:\Program Files\a-squared Anti-Malware\a2guard.exe [2009-02-25 2799760]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"NvMediaCenter"=C:\WINDOWS\System32\NVMCTRAY.DLL [2003-05-02 49152]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Palm\HOTSYNC.EXE"="C:\Program Files\Palm\HOTSYNC.EXE:*:Disabled:HotSync® Manager Application"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-04-08 18:11:07 ----D---- C:\WINDOWS\ERUNT
2009-04-08 18:00:40 ----D---- C:\SDFix
2009-04-07 17:48:38 ----D---- C:\Program Files\a-squared Anti-Malware
2009-04-05 21:02:56 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-05 20:54:34 ----D---- C:\Sysclean
2009-04-03 18:22:41 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-03 18:22:41 ----D---- C:\Documents and Settings\Del Real\Application Data\SUPERAntiSpyware.com
2009-04-03 18:22:06 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-03 17:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-03 17:31:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-03 17:31:34 ----D---- C:\Program Files\SpywareBlaster
2009-04-03 14:52:34 ----D---- C:\Program Files\Windows Live Safety Center
2009-04-03 14:18:51 ----D---- C:\Program Files\Panda Security
2009-04-03 11:47:20 ----D---- C:\WINDOWS\McAfee.com
2009-04-02 17:45:38 ----D---- C:\WINDOWS\BDOSCAN8
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-02 17:00:12 ----A---- C:\WINDOWS\system32\java.exe
2009-04-02 16:48:34 ----SHD---- C:\WINDOWS\system32\lowsec
2009-03-31 21:56:29 ----D---- C:\WINDOWS\system32\KB905474
2009-03-30 17:17:06 ----D---- C:\rsit
2009-03-21 20:51:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 18:06:19 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-21 14:12:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-20 18:16:17 ----A---- C:\WINDOWS\system32\cmcfg3.dll
2009-03-20 18:16:06 ----SHD---- C:\WINDOWS\system32\twain_32
2009-03-10 22:58:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-10 22:58:36 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$

======List of files/folders modified in the last 1 months======

2009-04-08 18:49:05 ----D---- C:\WINDOWS\Temp
2009-04-08 18:48:59 ----D---- C:\Program Files\Trend Micro
2009-04-08 18:43:05 ----D---- C:\WINDOWS\Prefetch
2009-04-08 18:41:53 ----SD---- C:\WINDOWS\Tasks
2009-04-08 18:22:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-08 18:11:07 ----D---- C:\WINDOWS
2009-04-08 18:06:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-08 12:53:22 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-08 12:49:55 ----D---- C:\WINDOWS\system32
2009-04-07 17:48:38 ----D---- C:\Program Files
2009-04-06 10:34:54 ----D---- C:\WINDOWS\system32\drivers
2009-04-05 21:03:47 ----D---- C:\Documents and Settings
2009-04-03 18:26:30 ----SHD---- C:\WINDOWS\Installer
2009-04-03 18:22:06 ----D---- C:\Program Files\Common Files
2009-04-03 14:54:56 ----HD---- C:\WINDOWS\inf
2009-04-03 14:52:35 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-02 17:02:30 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-04-02 17:00:08 ----D---- C:\Program Files\Java
2009-03-21 18:06:11 ----D---- C:\WINDOWS\WinSxS
2009-03-21 15:31:26 ----D---- C:\Program Files\XoftSpy
2009-03-10 22:58:44 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 18:18:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-09 05:19:08 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 catchme;catchme; \??\C:\DOCUME~1\DELREA~1\LOCALS~1\Temp\catchme.sys []
R3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller; C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-03-16 227584]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-05-02 1312555]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
S3 aswArKrn;aswArKrn; \??\C:\DOCUME~1\DELREA~1\LOCALS~1\Temp\aswArKrn.sys []
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2AntiMalware;a-squared Anti-Malware Service; C:\Program Files\a-squared Anti-Malware\a2service.exe [2009-02-25 425080]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-05-02 69632]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]

-----------------EOF-----------------

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:28 PM

Posted 10 April 2009 - 07:48 AM

Trojan.Win32.Alureon!IK, 8 processes - high risk
Rootkit.Win32.Podnuha!IK, 3 processes - high risk
Virus.Win32.Virut.q!IK, 1 file - high risk


I have some very bad news for you.

Virus.Win32.Virut.q!IK

Your system is infected with Virut. Virut is a Polymorphic File Infector, which is a virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program. Virut infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well. This latest variant may also search for htm, html, asp and php files on the drives and modify them by inserting an iframe that points to a malicious website. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, the files are corrupted beyond repair.

Miekiemoes regarding Virut:

This one is being spread via illegal sites (cracksites/keygens etc) and P2P Software (limewire, shareaza).
The P2P software makes sense, because many people are infected with this virus. So, since this virus infects legitimate files, the files being shared via P2P software such as limewire are also infected. So I'm pretty sure that more than 50% of the files being shared through P2P nowadays are infected with Virut unfortunately.


Although some programs such as Malwarebytes will clean the reader_s.exe from your computer, the damage has already been done.


Security experts suggest that a format and clean install or destructive recovery, if you have an OEM recovery partition, is the best way to clean the infection. It is the best and safest way to return the machine to its normal working state. DO NOT do a repair install.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Important: Do not back up to another machine as it may become compromised. Burn to DVD/CD or to an external drive which has nothing else on it so that you can format it if it happens to become infected from the backups.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
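The backup advice above (copy documents only; skip .exe and .scr files and any archive that carries them) as a pre-flight check, written here as an added Python example that is not part of the post or of any tool mentioned in the thread. The sample directory tree it builds is constructed for the demo; the extension lists come from the post; cab/rar archives are treated as uninspectable because the standard library cannot open them, so they are refused rather than copied.

```python
"""Backup pre-flight filter for a file-infector cleanup (added example).

Walks a data folder and sorts files into a copy list and a skip list,
following the rule in the post: never copy .exe/.scr files, and never
copy an archive that contains one.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions a Virut-style file infector appends itself to (from the post).
INFECTABLE = {".exe", ".scr"}
# Archives this script can open and inspect with the standard library.
CHECKABLE_ARCHIVES = {".zip"}
# Archive types the post also names; no stdlib reader, so refuse them outright.
UNCHECKABLE_ARCHIVES = {".cab", ".rar"}


def zip_members_infectable(path):
    """Return the members of a zip whose extension is .exe/.scr."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if Path(n).suffix.lower() in INFECTABLE]
    except zipfile.BadZipFile:
        # Cannot inspect it, so treat it as unsafe (conservative default).
        return ["<unreadable archive>"]


def classify(path):
    """Return 'copy' or a 'skip: ...' reason for one file (by name/contents)."""
    suffix = Path(path).suffix.lower()
    if suffix in INFECTABLE:
        return "skip: executable/screensaver"
    if suffix in UNCHECKABLE_ARCHIVES:
        return "skip: archive type not inspected"
    if suffix in CHECKABLE_ARCHIVES:
        hits = zip_members_infectable(path)
        if hits:
            return "skip: archive contains " + ", ".join(hits)
    return "copy"


def plan_backup(root):
    """Walk `root`; return (sorted copy list, {relative path: skip reason})."""
    root = Path(root)
    copy, skip = [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()  # '/' separators on any OS
            verdict = classify(full)
            if verdict == "copy":
                copy.append(rel)
            else:
                skip[rel] = verdict
    return sorted(copy), skip


def build_sample_tree(base):
    """Constructed sample 'My Documents' tree; none of this is real user data."""
    base = Path(base)
    (base / "letters").mkdir()
    (base / "letters" / "resume.doc").write_bytes(b"constructed doc")
    (base / "photo.jpg").write_bytes(b"\xff\xd8constructed jpeg")
    (base / "setup.exe").write_bytes(b"MZconstructed")       # executable: skip
    (base / "pretty.SCR").write_bytes(b"MZconstructed")      # screensaver: skip
    with zipfile.ZipFile(base / "notes.zip", "w") as zf:     # text only: copy
        zf.writestr("notes.txt", "plain text")
    with zipfile.ZipFile(base / "tools.zip", "w") as zf:     # carries an .exe: skip
        zf.writestr("readme.txt", "hi")
        zf.writestr("bin/tool.exe", "MZconstructed")
    (base / "old.rar").write_bytes(b"Rar!constructed")       # uninspectable: skip
    return base


def demo():
    """Build the sample tree, plan the backup, print and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        copy, skip = plan_backup(root)
        for rel in copy:
            print("COPY", rel)
        for rel, why in skip.items():
            print("SKIP", rel, "->", why)
        return copy, skip


if __name__ == "__main__":
    demo()
```

Run it to see the verdicts; a real run would point plan_backup at the user's data folder and copy only the returned copy list to blank removable media, as the post instructs.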