Trojan.H.Vundo Most programs won't open. Help requested.


  • This topic is locked
28 replies to this topic

#1 snipersgethead


  • Members
  • 95 posts

Posted 13 April 2009 - 09:36 PM

Hello everyone, I have a serious case of the Vundo virus, so let me give you my symptoms before posting my HJT log, to give a more detailed description.

- As the title states, most of my programs can't operate or operate incorrectly. HJT will only run in Safe Mode, and even then it sometimes won't work. MBAM can only do a quick scan; starting a full scan causes it to shut down instantly. I used MBAM's quick scan and it found 15 things, but there are still 3 objects I cannot get rid of. Also, when I run MBAM, I'm not completely sure, but it closes before the quarantining process finishes. It's right after "Verifying Folders" or something like that when it closes.

- An NT Authority shutdown takes place after about 45 min to 1 hr of use of the computer, in both Safe Mode and normal mode.

- Firefox chugs through slowly when starting up, and the list of my history is messed up, as in my most viewed websites aren't first when I type in the first letter or so.

- Also, I think my version of Java is very outdated if that helps any.

- It has stopped happening for now, but a few days ago I started getting quite a few BSODs, different ones every time.

- I have NOD32 installed. Many of my taskbar objects, such as NOD32, don't show up, although when I view the processes in Task Manager, it shows ekrn.exe is running [which is NOD32].

So, I'm really hoping you guys can somehow help me; honestly this virus is a pain, and with the limitations on my programs I'm not sure how I can handle it. I'm pretty sure if you asked me to use ComboFix it would run, though. Here's my HJT log. I won't mess with anything till you guys respond back, to avoid troubles.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:09 PM, on 4/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14a39665-e898-4519-bdfe-9bf36cb0beba} - C:\WINDOWS\system32\goyukuyu.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: KontekstualAds Class - {72217827-914b-46c6-a6ee-c00c70842ebf} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [wumusudeyi] Rundll32.exe "C:\WINDOWS\system32\jesonowe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} (musicshake) - http://pump.musicshake.com/NewDownload/musicshake.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL cjjutz.dll dygeqs.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\WINDOWS\system32\bivayuye.dll c:\windows\system32\wivagoge.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 12174 bytes

Edited by snipersgethead, 14 April 2009 - 07:40 PM.
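The log above carries the indicators a responder would check by hand: several security-themed hostnames pinned to one routable IP in the hosts file (O1), AppInit_DLLs entries given as bare filenames or as eight-letter system32 DLLs (O20), a Run value that loads such a DLL through rundll32 and another under the SYSTEM hive that uses a \\?\globalroot path (O4), and a BHO whose file is already missing (O2). The script below is an added example written for this page, not part of the original post and not code from HijackThis or ComboFix: it applies those checks to HijackThis-format lines. The embedded sample is constructed from a handful of lines of the log above; the alternating consonant/vowel name heuristic, the severity labels and the choice of what counts as suspicious are assumptions a responder might start from, not definitions from any tool.

```python
"""Triage a HijackThis-style log for the indicators discussed in the post.

Added example, not part of the original post or of HijackThis. The heuristics
(CV_PATTERN, severities, which hives/paths are suspicious) are assumptions a
responder might start from, not definitions from any tool.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a few lines in the same format as the posted log.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: (no name) - {14a39665-e898-4519-bdfe-9bf36cb0beba} - C:\WINDOWS\system32\goyukuyu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [wumusudeyi] Rundll32.exe "C:\WINDOWS\system32\jesonowe.dll",s
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL cjjutz.dll dygeqs.dll C:\WINDOWS\system32\bivayuye.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (\S+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
DLL_RE = re.compile(r"([\w~]+)\.dll", re.I)

# Assumption: 6-10 lowercase letters strictly alternating consonant/vowel, the
# shape of goyukuyu, jesonowe, bivayuye. Legitimate names can match too, so a
# hit is a lead to verify against the file on disk, not a verdict.
CV_PATTERN = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,5}$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

Finding = Tuple[str, str]  # (severity, description)


def looks_generated(path: str) -> bool:
    """True if the file's stem has the alternating consonant/vowel shape."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem = name.split(".", 1)[0]
    return bool(CV_PATTERN.match(stem))


def triage(log_text: str) -> List[Finding]:
    """Return (severity, description) findings for one HijackThis-format log."""
    findings: List[Finding] = []
    hosts_by_ip: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            hosts_by_ip.setdefault(ip, []).append(host)
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll:
            # a bare name resolves through the search path, and a generated-
            # looking name in system32 is the classic Vundo/Virtumonde drop.
            for entry in m.group(1).split():
                if "\\" not in entry:
                    findings.append(("high", f"AppInit_DLLs bare name, resolved via search path: {entry}"))
                elif looks_generated(entry):
                    findings.append(("high", f"AppInit_DLLs generated-looking DLL: {entry}"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, value, cmd = m.groups()
            if "globalroot" in cmd.lower():
                findings.append(("high", f"Run value [{value}] under {hive} uses a globalroot path: {cmd}"))
            dll = DLL_RE.search(cmd)
            if "rundll32" in cmd.lower() and dll and looks_generated(dll.group(1)):
                findings.append(("high", f"Run value [{value}] loads generated-looking DLL via rundll32: {dll.group(0)}"))
            continue
        m = BHO_RE.match(line)
        if m:
            target = m.group(1)
            if looks_generated(target):
                findings.append(("medium", f"BHO with generated-looking DLL name: {target}"))
            if target.endswith("(file missing)"):
                findings.append(("info", f"BHO points at a missing file (stale entry or removed component): {target}"))
            continue
    # Blocking entries in a hosts file point at loopback; several security-
    # themed names redirected to one routable IP is a fake-AV redirect setup.
    for ip, hosts in hosts_by_ip.items():
        if ip not in LOOPBACK:
            findings.append(("high", f"hosts file redirects {len(hosts)} name(s) to {ip}: {', '.join(hosts)}"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per severity."""
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    for sev, desc in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {desc}")
```

On the constructed sample, `triage()` reports six high findings (the hosts redirect, the three AppInit_DLLs entries, the globalroot Run value and the rundll32 loader), one medium (the eight-letter BHO DLL) and one informational (that DLL's file is already missing, which is a leftover of an earlier cleanup rather than an active component). The ESET and Java entries produce nothing. The hosts check keys on the IP being routable rather than on the hostnames, so it also catches redirects that do not use a Microsoft lookalike name.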



#2 fenzodahl512


  • Members
  • 6,738 posts

Posted 16 April 2009 - 01:20 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#3 snipersgethead

  • Topic Starter

  • Members
  • 95 posts

Posted 16 April 2009 - 03:34 PM

Thank you so much, fenzodahl512, for replying [and good luck on your exam today! :]]. I had to run MBAM to fix rundll temporarily to run ComboFix in Safe Mode [with Networking, but the log says it didn't install the Recovery Console even though I clicked yes. Any way to download it again? Afraid if I click ComboFix again it would scan again right after it downloads the console.], if that matters. It reported some rootkits, so I assumed I was already compromised and changed all my personal information, including passwords. Here are my logs.

ComboFix 09-04-17.01 - mine 04/16/2009 18:22.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.696 [GMT -5:00]
Running from: c:\documents and settings\mine\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\IE4 Error Log.txt
c:\windows\system32\bivayuye.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekacuoijwsa.sys
c:\windows\system32\drivers\senekaevjplspu.sys
c:\windows\system32\drivers\senekaijyltetk.sys
c:\windows\system32\drivers\senekaisetdwjd.sys
c:\windows\system32\drivers\senekajbgphhlu.sys
c:\windows\system32\drivers\senekakcmbtlim.sys
c:\windows\system32\drivers\senekakfipuqfs.sys
c:\windows\system32\drivers\senekakfsiqdfg.sys
c:\windows\system32\drivers\senekaksruwboy.sys
c:\windows\system32\drivers\senekalrwgpuof.sys
c:\windows\system32\drivers\senekaocdsxrrs.sys
c:\windows\system32\drivers\senekaptmxfmli.sys
c:\windows\system32\drivers\senekaritvfvxo.sys
c:\windows\system32\drivers\senekarthmmint.sys
c:\windows\system32\drivers\senekaunbwkdyq.sys
c:\windows\system32\drivers\senekaxdqawrxy.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ilidemon.ini
c:\windows\system32\kofelifu.dll
c:\windows\system32\nadejota.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\Process.exe
c:\windows\system32\senekaagpwwlhe.dll
c:\windows\system32\senekaamulktft.dll
c:\windows\system32\senekaanvxtlgn.dat
c:\windows\system32\senekabutubybp.dll
c:\windows\system32\senekacioriyuw.dll
c:\windows\system32\senekaextpeqxt.dll
c:\windows\system32\senekagmnotaqm.dll
c:\windows\system32\senekagqxtobwt.dll
c:\windows\system32\senekahgxtbkvv.dll
c:\windows\system32\senekahxnseoux.dll
c:\windows\system32\senekahxsribcm.dll
c:\windows\system32\senekaiutoipoq.dll
c:\windows\system32\senekaklsdlhkv.dll
c:\windows\system32\senekalmasmyrb.dat
c:\windows\system32\senekalticovmp.dat
c:\windows\system32\senekaoppspetx.dll
c:\windows\system32\senekapfqrnplv.dat
c:\windows\system32\senekaputoipoi.dll
c:\windows\system32\senekapynbeqxf.dat
c:\windows\system32\senekaqmchwecm.dat
c:\windows\system32\senekaspinlnkb.dat
c:\windows\system32\senekatjrevrdq.dll
c:\windows\system32\senekatmbfpmbc.dll
c:\windows\system32\senekaucxekrec.dat
c:\windows\system32\senekavpqfwkbx.dat
c:\windows\system32\senekavspfvnss.dat
c:\windows\system32\senekaxbfbatxg.dat
c:\windows\system32\senekaycrnsete.dll
c:\windows\system32\senekaycypqbut.dll
c:\windows\system32\senekayuspipoq.dat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uhiyozey.ini
c:\windows\Tasks\omnfyqio.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 20:29 . 2009-04-16 20:29 23040 ----a-w c:\windows\system32\ak1.exe
2009-04-16 20:19 . 2004-08-10 12:00 4224 ----a-w c:\windows\system32\drivers\OLDF.tmp
2009-04-16 20:19 . 2009-04-16 22:55 102126 ----a-w c:\windows\system32\drivers\e631f230.sys
2009-04-16 20:19 . 2009-04-16 20:19 132096 ----a-w C:\xrptlo.exe
2009-04-16 20:19 . 2009-04-16 20:19 22528 ----a-w C:\rnvx.exe
2009-04-16 20:18 . 2009-04-16 20:19 2 ----a-w C:\-591305412
2009-04-16 20:18 . 2009-04-16 20:18 20480 ----a-w C:\swww.exe
2009-04-16 20:18 . 2009-04-16 20:18 23040 ----a-w C:\tmpl.exe
2009-04-16 20:18 . 2009-04-16 20:18 44544 ----a-w C:\tbbek.exe
2009-04-15 00:51 . 2009-04-15 00:51 -------- d--h--w C:\$AVG8.VAULT$
2009-04-14 23:38 . 2009-04-14 23:38 -------- d-----w c:\windows\LV4CKT19IRZ8GPX5
2009-04-14 23:28 . 2009-04-14 23:28 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-04-14 23:28 . 2009-04-15 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 00:19 . 2009-04-13 00:20 642 ----a-w c:\windows\ST6UNST.001
2009-04-13 00:19 . 2009-04-13 00:19 73216 ----a-w c:\windows\temp.005
2009-04-13 00:07 . 2009-03-03 17:19 39184 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-04-13 00:07 . 2009-03-03 17:19 33040 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-04-13 00:07 . 2009-03-03 17:19 12560 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-04-13 00:07 . 2009-03-03 17:19 51472 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-04-13 00:07 . 2009-04-13 00:07 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-12 19:53 . 2009-04-12 19:53 73216 ----a-w c:\windows\temp.004
2009-04-12 19:53 . 2009-04-12 19:53 642 ----a-w c:\windows\ST6UNST.000
2009-04-12 19:53 . 2001-07-29 16:48 245727 ------w c:\windows\pwcenter.CAB
2009-04-12 14:23 . 2009-04-12 14:23 73216 ----a-w c:\windows\temp.003
2009-04-12 14:22 . 2009-04-12 14:22 73216 ----a-w c:\windows\temp.002
2009-04-10 17:47 . 2009-04-10 17:47 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-10 02:03 . 2009-04-10 13:43 0 ----a-w c:\windows\Vjocihibaz.bin
2009-04-10 02:03 . 2009-04-10 02:03 -------- d-----w c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}
2009-04-10 02:03 . 2009-04-10 13:43 408 ----a-w c:\windows\Yninagesag.dat
2009-04-04 23:42 . 2009-04-08 12:20 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-04 23:25 . 2009-04-04 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-04 15:11 . 2009-04-04 15:39 -------- d-----w c:\documents and settings\mine\DoctorWeb
2009-04-04 02:18 . 2009-04-04 02:18 -------- d-----w c:\documents and settings\mine\Local Settings\Application Data\ESET
2009-04-04 01:14 . 2009-04-04 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-02 22:58 . 2009-04-02 22:58 -------- d-----w C:\VundoFix Backups
2009-03-25 03:00 . 2009-01-09 23:00 572640 ----a-w C:\MobileInstallation.bak
2009-03-24 20:33 . 2007-03-20 16:33 28672 ----a-w c:\windows\system32\drivers\libusb0.sys
2009-03-24 20:33 . 2007-03-20 16:33 43520 ----a-w c:\windows\system32\libusb0.dll
2009-03-24 20:32 . 2009-02-16 02:54 933888 ----a-w c:\windows\system32\SENXPCTL.OCX
2009-03-24 20:32 . 2009-02-26 04:43 65536 ----a-w c:\windows\system32\device.OCX
2009-03-24 20:32 . 2009-02-17 09:23 32768 ----a-w c:\windows\system32\Bar.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 22:55 . 2007-06-15 17:01 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 20:15 . 2009-01-16 20:15 79872 --sha-w c:\windows\system32\faviguzu.dll
2009-04-16 02:19 . 2009-01-16 02:19 87552 --sha-w c:\windows\system32\maremapa.dll.vir
2009-04-14 02:20 . 2009-04-13 00:07 -------- d-----w c:\program files\ThreatFire
2009-04-14 00:08 . 2009-01-11 00:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 00:20 . 2007-09-15 17:59 249856 ------w c:\windows\Setup1.exe
2009-04-12 14:23 . 2009-03-04 21:53 -------- d-----w c:\program files\Power Center
2009-04-12 02:12 . 2009-04-02 22:58 532 ----a-w C:\VundoFix.txt
2009-04-11 01:40 . 2009-01-11 01:40 51200 --sha-w c:\windows\system32\wemipipo.exe
2009-04-10 13:39 . 2009-01-10 13:39 51200 --sha-w c:\windows\system32\lebapide.exe
2009-04-10 01:39 . 2009-01-10 01:39 51200 --sha-w c:\windows\system32\rolonize.exe
2009-04-10 01:39 . 2009-01-10 01:39 41984 --sha-w c:\windows\system32\turijola.exe
2009-04-06 20:32 . 2009-01-11 00:18 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 23:42 . 2009-04-04 23:42 -------- d-----w c:\program files\Kaspersky Lab
2009-04-04 23:31 . 2007-02-25 21:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 23:26 . 2007-02-25 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-31 22:31 . 2008-05-26 12:15 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-25 02:42 . 2009-03-25 02:42 -------- d-----w c:\program files\iPhone Tunnel Suite
2009-03-25 02:33 . 2009-03-25 02:33 -------- d-----w c:\program files\WinSCP
2009-03-25 01:39 . 2009-03-24 20:32 -------- d-----w c:\program files\QuickFreedom
2009-03-24 20:33 . 2009-03-24 20:33 -------- d-----w c:\program files\LibUSB-Win32
2009-03-07 13:55 . 2009-03-07 13:55 -------- d-----w c:\program files\OpD2d
2009-03-07 13:54 . 2009-03-07 13:54 479942 ----a-w C:\opd2d.exe
2009-03-07 01:40 . 2008-03-15 00:57 -------- d-----w c:\program files\Diablo II
2009-01-24 23:01 . 2009-01-24 23:01 4047 ----a-w C:\EyeCandyLog.txt
2009-01-24 00:41 . 2006-07-18 03:46 186216 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-05 02:25 . 2008-08-01 23:57 31 ----a-w c:\documents and settings\mine\jagex_runescape_preferences.dat
2008-06-03 12:03 . 2008-06-03 12:03 46149 ----a-w c:\program files\uninstal.log
2007-05-31 21:08 . 2007-05-31 21:07 2000 ----a-w c:\program files\mtachat.txt
2007-05-06 16:42 . 2007-05-06 16:42 0 ----a-w c:\documents and settings\mine\Application Data\wklnhst.dat
2007-03-05 17:50 . 2007-03-24 18:28 28966400 ----a-w c:\documents and settings\mine\mamepp.exe
2007-03-05 17:40 . 2007-03-24 18:29 48640 ----a-w c:\documents and settings\mine\romcmp.exe
2007-03-05 17:40 . 2007-03-24 18:28 10240 ----a-w c:\documents and settings\mine\ledutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 12288 ----a-w c:\documents and settings\mine\jedutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 186880 ----a-w c:\documents and settings\mine\chdman.exe
2006-10-23 00:47 . 2006-10-23 00:45 127 ----a-w c:\documents and settings\mine\Local Settings\Application Data\fusioncache.dat
2006-07-18 17:14 . 2006-10-23 00:45 35072 ----a-w c:\documents and settings\mine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-18 03:45 . 2006-07-18 03:45 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-10 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"PicoZip"="c:\progra~1\PicoZip\PicoZipTray.exe" [2006-06-09 581632]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools\daemon.exe" [2007-12-29 486856]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-07-25 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-15 185896]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-02-14 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-03-03 263440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"CFSServ.exe"="CFSServ.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-24 16050688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-17 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli nTATFWM2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 e631f230;e631f230;c:\windows\System32\drivers\e631f230.sys [2009-04-16 102126]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-06-28 98816]
R2 ThreatFire;ThreatFire; [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 SVRPEDRV;SVRPEDRV; [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-03 33040]
R3 XDva007;XDva007; [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-03 51472]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-03 39184]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77aee2e7-0f1f-11dc-b1ff-0016e376c1e7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe9f83b-b4a1-11db-b1e1-00a0d1547f62}]
\Shell\AutoRun\command - LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{14a39665-e898-4519-bdfe-9bf36cb0beba} - c:\windows\system32\goyukuyu.dll
BHO-{72217827-914b-46c6-a6ee-c00c70842ebf} - (no file)
WebBrowser-{84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-Flashget - c:\program files\FlashGet\flashget.exe
HKLM-Run-CPMdff2560f - c:\windows\system32\buhefoli.dll
HKLM-Run-wumusudeyi - c:\windows\system32\jesonowe.dll
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\otw39glc3.exe
SharedTaskScheduler-{D7BF4552-94F1-42BD-F434-3604812C856D} - (no file)
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhefoli.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.www.daemon-search.com/default
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} - hxxp://pump.musicshake.com/NewDownload/musicshake.cab
FF - ProfilePath - c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 18:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(400)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\msi.dll
.
Completion time: 2009-04-16 18:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 23:38

Pre-Run: 6,817,615,872 bytes free
Post-Run: 21,024,727,040 bytes free

327





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:45 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.daemon-search.com/default
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} (musicshake) - http://pump.musicshake.com/NewDownload/musicshake.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 9788 bytes

Edited by snipersgethead, 16 April 2009 - 06:44 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 16 April 2009 - 09:25 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
e631f230

Collect::
c:\windows\system32\ak1.exe
c:\windows\system32\drivers\e631f230.sys
C:\xrptlo.exe
C:\rnvx.exe
C:\swww.exe
C:\tmpl.exe
C:\tbbek.exe
c:\windows\system32\wemipipo.exe
c:\windows\system32\lebapide.exe
c:\windows\system32\rolonize.exe
c:\windows\system32\turijola.exe

File::
c:\windows\system32\drivers\OLDF.tmp
C:\-591305412
c:\windows\Vjocihibaz.bin
c:\windows\temp.005
c:\windows\temp.004
c:\windows\temp.003
c:\windows\temp.002
c:\windows\Yninagesag.dat
c:\windows\system32\faviguzu.dll
c:\windows\system32\maremapa.dll.vir

Folder::
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.



#5 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts

Posted 16 April 2009 - 10:19 PM

My sound hasn't been working because Winamp said "Bad Direct Sound Driver". When I click on the Device Manager it says my speakers are working properly. Although when I go into Sound Devices in Control Panel it says I have "No Audio Device" even though it shows my speakers in the Hardware Tab.


ComboFix 09-04-17.01 - mine 04/16/2009 21:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.484 [GMT -5:00]
Running from: c:\documents and settings\mine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mine\Desktop\CFScript.txt

FILE ::
C:\-591305412
c:\windows\system32\drivers\OLDF.tmp
c:\windows\system32\faviguzu.dll
c:\windows\system32\maremapa.dll.vir
c:\windows\temp.002
c:\windows\temp.003
c:\windows\temp.004
c:\windows\temp.005
c:\windows\Vjocihibaz.bin
c:\windows\Yninagesag.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-591305412
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}\chrome.manifest
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}\chrome\content\_cfg.js
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}\chrome\content\c.js
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}\chrome\content\overlay.xul
c:\documents and settings\mine\Local Settings\Application Data\{535F38E7-94DE-40D0-ABD9-E14F41CA32AE}\install.rdf
C:\rnvx.exe
C:\swww.exe
C:\tbbek.exe
C:\tmpl.exe
c:\windows\system32\ak1.exe
c:\windows\system32\drivers\e631f230.sys
c:\windows\system32\drivers\OLDF.tmp
c:\windows\system32\faviguzu.dll
c:\windows\system32\lebapide.exe
c:\windows\system32\maremapa.dll.vir
c:\windows\system32\rolonize.exe
c:\windows\system32\turijola.exe
c:\windows\system32\wemipipo.exe
c:\windows\temp.002
c:\windows\temp.003
c:\windows\temp.004
c:\windows\temp.005
c:\windows\Vjocihibaz.bin
c:\windows\Yninagesag.dat
C:\xrptlo.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e631f230


((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-15 00:51 . 2009-04-15 00:51 -------- d--h--w C:\$AVG8.VAULT$
2009-04-14 23:38 . 2009-04-14 23:38 -------- d-----w c:\windows\LV4CKT19IRZ8GPX5
2009-04-14 23:28 . 2009-04-14 23:28 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-04-14 23:28 . 2009-04-15 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 00:19 . 2009-04-13 00:20 642 ----a-w c:\windows\ST6UNST.001
2009-04-12 19:53 . 2009-04-12 19:53 642 ----a-w c:\windows\ST6UNST.000
2009-04-12 19:53 . 2001-07-29 16:48 245727 ------w c:\windows\pwcenter.CAB
2009-04-10 17:47 . 2009-04-10 17:47 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-04 23:42 . 2009-04-08 12:20 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-04 23:25 . 2009-04-04 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-04 15:11 . 2009-04-04 15:39 -------- d-----w c:\documents and settings\mine\DoctorWeb
2009-04-04 02:18 . 2009-04-04 02:18 -------- d-----w c:\documents and settings\mine\Local Settings\Application Data\ESET
2009-04-04 01:14 . 2009-04-04 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-02 22:58 . 2009-04-02 22:58 -------- d-----w C:\VundoFix Backups
2009-03-25 03:00 . 2009-01-09 23:00 572640 ----a-w C:\MobileInstallation.bak
2009-03-24 20:33 . 2007-03-20 16:33 28672 ----a-w c:\windows\system32\drivers\libusb0.sys
2009-03-24 20:33 . 2007-03-20 16:33 43520 ----a-w c:\windows\system32\libusb0.dll
2009-03-24 20:32 . 2009-02-16 02:54 933888 ----a-w c:\windows\system32\SENXPCTL.OCX
2009-03-24 20:32 . 2009-02-26 04:43 65536 ----a-w c:\windows\system32\device.OCX
2009-03-24 20:32 . 2009-02-17 09:23 32768 ----a-w c:\windows\system32\Bar.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 01:03 . 2007-06-15 17:01 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 23:39 . 2009-04-16 23:39 9789 ----a-w C:\hijackthis.log
2009-04-14 00:08 . 2009-01-11 00:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 00:20 . 2007-09-15 17:59 249856 ------w c:\windows\Setup1.exe
2009-04-12 14:23 . 2009-03-04 21:53 -------- d-----w c:\program files\Power Center
2009-04-12 02:12 . 2009-04-02 22:58 532 ----a-w C:\VundoFix.txt
2009-04-06 20:32 . 2009-01-11 00:18 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 23:42 . 2009-04-04 23:42 -------- d-----w c:\program files\Kaspersky Lab
2009-04-04 23:31 . 2007-02-25 21:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 23:26 . 2007-02-25 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-31 22:31 . 2008-05-26 12:15 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-25 02:42 . 2009-03-25 02:42 -------- d-----w c:\program files\iPhone Tunnel Suite
2009-03-25 02:33 . 2009-03-25 02:33 -------- d-----w c:\program files\WinSCP
2009-03-25 01:39 . 2009-03-24 20:32 -------- d-----w c:\program files\QuickFreedom
2009-03-24 20:33 . 2009-03-24 20:33 -------- d-----w c:\program files\LibUSB-Win32
2009-03-07 13:55 . 2009-03-07 13:55 -------- d-----w c:\program files\OpD2d
2009-03-07 13:54 . 2009-03-07 13:54 479942 ----a-w C:\opd2d.exe
2009-03-07 01:40 . 2008-03-15 00:57 -------- d-----w c:\program files\Diablo II
2009-01-24 23:01 . 2009-01-24 23:01 4047 ----a-w C:\EyeCandyLog.txt
2009-01-24 00:41 . 2006-07-18 03:46 186216 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-05 02:25 . 2008-08-01 23:57 31 ----a-w c:\documents and settings\mine\jagex_runescape_preferences.dat
2008-06-03 12:03 . 2008-06-03 12:03 46149 ----a-w c:\program files\uninstal.log
2007-05-31 21:08 . 2007-05-31 21:07 2000 ----a-w c:\program files\mtachat.txt
2007-05-06 16:42 . 2007-05-06 16:42 0 ----a-w c:\documents and settings\mine\Application Data\wklnhst.dat
2007-03-05 17:50 . 2007-03-24 18:28 28966400 ----a-w c:\documents and settings\mine\mamepp.exe
2007-03-05 17:40 . 2007-03-24 18:29 48640 ----a-w c:\documents and settings\mine\romcmp.exe
2007-03-05 17:40 . 2007-03-24 18:28 10240 ----a-w c:\documents and settings\mine\ledutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 12288 ----a-w c:\documents and settings\mine\jedutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 186880 ----a-w c:\documents and settings\mine\chdman.exe
2006-10-23 00:47 . 2006-10-23 00:45 127 ----a-w c:\documents and settings\mine\Local Settings\Application Data\fusioncache.dat
2006-07-18 17:14 . 2006-10-23 00:45 35072 ----a-w c:\documents and settings\mine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-18 03:45 . 2006-07-18 03:45 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_23.32.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 03:02 . 2009-04-17 03:02 16384 c:\windows\Temp\Perflib_Perfdata_b50.dat
+ 2006-07-18 02:36 . 2006-04-20 11:51 359808 c:\windows\system32\dllcache\tcpip.sys
- 2006-07-18 03:31 . 2006-04-20 11:51 359808 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"PicoZip"="c:\progra~1\PicoZip\PicoZipTray.exe" [2006-06-09 581632]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools\daemon.exe" [2007-12-29 486856]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-07-25 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-15 185896]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-02-14 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"CFSServ.exe"="CFSServ.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-24 16050688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-17 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli nTATFWM2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77aee2e7-0f1f-11dc-b1ff-0016e376c1e7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe9f83b-b4a1-11db-b1e1-00a0d1547f62}]
\Shell\AutoRun\command - LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.www.daemon-search.com/default
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} - hxxp://pump.musicshake.com/NewDownload/musicshake.cab
FF - ProfilePath - c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 22:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Matroska Pack\haali\mmfinfo.dll
c:\program files\Matroska Pack\haali\mkunicode.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\windows\ehome\ehmsas.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2009-04-17 22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-17 03:09
ComboFix2.txt 2009-04-16 23:38

Pre-Run: 19,990,028,288 bytes free
Post-Run: 19,975,856,128 bytes free

295

#6 fenzodahl512


Posted 16 April 2009 - 10:44 PM

Can you actually hear music through Winamp/Windows Media Player?

Do the CFScript step again, but this time with this script:

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Post the log here

Edited by fenzodahl512, 16 April 2009 - 10:48 PM.
edited

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 snipersgethead

snipersgethead
  • Topic Starter


Posted 16 April 2009 - 11:23 PM

No, it just errors with "Bad DirectSound Driver"; the song doesn't even start. On YouTube the video plays without sound, and on music streaming sites the data loads but doesn't play. Also, ComboFix didn't do anything with the new script; it just stalled with the underscore blinking.

#8 fenzodahl512

fenzodahl512


Posted 16 April 2009 - 11:28 PM

Exit ComboFix. Let's tackle the sound problem first. When exactly did the computer get the sound driver problem? Is it after I asked you to do the first CFScript?

Edited by fenzodahl512, 16 April 2009 - 11:38 PM.
typo..



#9 snipersgethead

snipersgethead
  • Topic Starter


Posted 17 April 2009 - 06:44 AM

Yes, right after the first CF run. When it rebooted and made the log, I tried to play a song, but programs kept telling me there's something wrong: either a bad sound driver, or that I have no sound device. The error code in Winamp is 8878000A, if that helps. My guess is that ComboFix probably deleted a driver or something.

#10 fenzodahl512

fenzodahl512


Posted 17 April 2009 - 07:11 AM

Please use System Restore to restore your computer to a point before you ran ComboFix (the first run). Please visit here if you do not know how.

Then tell me about your audio problem.. Is it resolved? :thumbup2:



#11 snipersgethead

snipersgethead
  • Topic Starter


Posted 17 April 2009 - 03:29 PM

No, the only sound I get is when an error message pops up or a warning appears. That sound is the loud, annoying beep produced by the system and not by the speakers themselves [hard to explain, hopefully you know what I mean]. I'm not sure I restored far back enough, because my earliest checkpoint was on the day I used CF. My sound was working before ComboFix, with the numerous infections.

EDIT: Also, I sometimes get redirects when I click links from a Google search. Not to bad places, but to sites like Yellowbook, and sometimes it goes to a Google "undefined" 404 error.

EDIT2: I fixed the sound problem somewhat. I'm not sure what fixed it, but I did two things: reinstalled the sound drivers a second time, and clicked on a program in the Control Panel that relates to my Realtek HD Audio player. Although in Sound and Audio Devices Properties it still shows "No Audio Device", and the only default device I can select is "Playback through TotalRecorder" (an old recording program I had a long time ago) rather than Realtek HD Audio. Winamp plays songs fine, but YouTube and other streaming sites still have no audio, while some programs say there is still a problem with the drivers.

Edited by snipersgethead, 17 April 2009 - 05:49 PM.


#12 fenzodahl512

fenzodahl512


Posted 17 April 2009 - 09:05 PM

Ok, firstly, did you do the System Restore thing I asked you to do before? If not, please don't do it yet.

Remove your ComboFix and download a fresh one from below. Run it and post the log here :thumbup2:

Link 2



#13 snipersgethead

snipersgethead
  • Topic Starter


Posted 17 April 2009 - 10:23 PM

Yes, I did run System Restore; sorry I forgot to tell you about that in my last post. My sound stopped working again, even in Winamp. Here's my new log; I had to run it in Safe Mode because it stalled with the blinking underscore again when I tried to run it in normal mode. And yes, I did delete the old one and used the new one you asked me to download.

ComboFix 09-04-18.01 - mine 04/17/2009 21:57.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.674 [GMT -5:00]
Running from: c:\documents and settings\mine\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-17 21:42 . 2009-04-17 23:56 -------- d-----w C:\RECYCLER(3)
2009-04-17 11:59 . 2008-10-23 22:42 290816 ----a-w c:\windows\vncutil.exe
2009-04-17 11:59 . 2009-03-17 17:44 36352 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-04-17 11:59 . 2009-03-17 19:07 122880 ----a-w c:\windows\RtkAudioService.exe
2009-04-17 11:59 . 2008-08-06 01:10 1684736 ----a-w c:\windows\system32\drivers\Ambfilt.sys
2009-04-17 11:59 . 2006-01-04 20:41 1389056 ----a-w c:\windows\system32\drivers\Monfilt.sys
2009-04-15 00:51 . 2009-04-15 00:51 -------- d--h--w C:\$AVG8.VAULT$
2009-04-14 23:38 . 2009-04-14 23:38 -------- d-----w c:\windows\LV4CKT19IRZ8GPX5
2009-04-14 23:28 . 2009-04-14 23:28 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-04-14 23:28 . 2009-04-15 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 00:19 . 2009-04-13 00:20 642 ----a-w c:\windows\ST6UNST.001
2009-04-12 19:53 . 2009-04-12 19:53 642 ----a-w c:\windows\ST6UNST.000
2009-04-12 19:53 . 2001-07-29 16:48 245727 ------w c:\windows\pwcenter.CAB
2009-04-10 17:47 . 2009-04-10 17:47 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-04 23:42 . 2009-04-08 12:20 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-04 23:42 . 2009-04-07 21:00 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-04 23:25 . 2009-04-04 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-04 15:11 . 2009-04-04 15:39 -------- d-----w c:\documents and settings\mine\DoctorWeb
2009-04-04 02:18 . 2009-04-04 02:18 -------- d-----w c:\documents and settings\mine\Local Settings\Application Data\ESET
2009-04-04 01:14 . 2009-04-04 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-02 22:58 . 2009-04-02 22:58 -------- d-----w C:\VundoFix Backups
2009-03-25 03:00 . 2009-01-09 23:00 572640 ----a-w C:\MobileInstallation.bak
2009-03-24 20:33 . 2007-03-20 16:33 28672 ----a-w c:\windows\system32\drivers\libusb0.sys
2009-03-24 20:33 . 2007-03-20 16:33 43520 ----a-w c:\windows\system32\libusb0.dll
2009-03-24 20:32 . 2009-02-16 02:54 933888 ----a-w c:\windows\system32\SENXPCTL.OCX
2009-03-24 20:32 . 2009-02-26 04:43 65536 ----a-w c:\windows\system32\device.OCX
2009-03-24 20:32 . 2009-02-17 09:23 32768 ----a-w c:\windows\system32\Bar.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 23:56 . 2006-07-18 03:47 -------- d-----w c:\program files\Realtek
2009-04-17 01:03 . 2007-06-15 17:01 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 23:39 . 2009-04-16 23:39 9789 ----a-w C:\hijackthis.log
2009-04-14 00:08 . 2009-01-11 00:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 00:20 . 2007-09-15 17:59 249856 ------w c:\windows\Setup1.exe
2009-04-12 14:23 . 2009-03-04 21:53 -------- d-----w c:\program files\Power Center
2009-04-12 02:12 . 2009-04-02 22:58 532 ----a-w C:\VundoFix.txt
2009-04-06 20:32 . 2009-01-11 00:18 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 23:42 . 2009-04-04 23:42 -------- d-----w c:\program files\Kaspersky Lab
2009-04-04 23:31 . 2007-02-25 21:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 23:26 . 2007-02-25 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-31 22:31 . 2008-05-26 12:15 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-30 22:13 . 2006-08-31 16:36 5063168 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-03-27 16:22 . 2006-08-31 16:36 17567744 ----a-w c:\windows\RTHDCPL.EXE
2009-03-27 16:22 . 2006-08-31 16:36 17567744 ----a-w c:\windows\RTHDCPL(2).EXE
2009-03-25 02:42 . 2009-03-25 02:42 -------- d-----w c:\program files\iPhone Tunnel Suite
2009-03-25 02:33 . 2009-03-25 02:33 -------- d-----w c:\program files\WinSCP
2009-03-25 01:39 . 2009-03-24 20:32 -------- d-----w c:\program files\QuickFreedom
2009-03-24 20:33 . 2009-03-24 20:33 -------- d-----w c:\program files\LibUSB-Win32
2009-03-17 18:58 . 2006-08-31 16:36 540672 ----a-w c:\windows\RtlExUpd.dll
2009-03-10 19:32 . 2006-08-31 16:36 2168320 ----a-w c:\windows\MicCal.exe
2009-03-07 13:55 . 2009-03-07 13:55 -------- d-----w c:\program files\OpD2d
2009-03-07 13:54 . 2009-03-07 13:54 479942 ----a-w C:\opd2d.exe
2009-03-07 01:40 . 2008-03-15 00:57 -------- d-----w c:\program files\Diablo II
2009-03-02 16:14 . 2007-12-28 04:42 57344 ----a-w c:\windows\ALCMTR.EXE
2009-01-24 23:01 . 2009-01-24 23:01 4047 ----a-w C:\EyeCandyLog.txt
2009-01-24 00:41 . 2006-07-18 03:46 186216 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-21 20:54 . 2006-08-31 16:36 1206816 ----a-w c:\windows\RtlUpd.exe
2008-12-05 02:25 . 2008-08-01 23:57 31 ----a-w c:\documents and settings\mine\jagex_runescape_preferences.dat
2008-06-03 12:03 . 2008-06-03 12:03 46149 ----a-w c:\program files\uninstal.log
2007-05-31 21:08 . 2007-05-31 21:07 2000 ----a-w c:\program files\mtachat.txt
2007-05-06 16:42 . 2007-05-06 16:42 0 ----a-w c:\documents and settings\mine\Application Data\wklnhst.dat
2007-03-05 17:50 . 2007-03-24 18:28 28966400 ----a-w c:\documents and settings\mine\mamepp.exe
2007-03-05 17:40 . 2007-03-24 18:29 48640 ----a-w c:\documents and settings\mine\romcmp.exe
2007-03-05 17:40 . 2007-03-24 18:28 10240 ----a-w c:\documents and settings\mine\ledutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 12288 ----a-w c:\documents and settings\mine\jedutil.exe
2007-03-05 17:40 . 2007-03-24 18:28 186880 ----a-w c:\documents and settings\mine\chdman.exe
2006-10-23 00:47 . 2006-10-23 00:45 127 ----a-w c:\documents and settings\mine\Local Settings\Application Data\fusioncache.dat
2006-07-18 17:14 . 2006-10-23 00:45 35072 ----a-w c:\documents and settings\mine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-18 03:45 . 2006-07-18 03:45 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_23.32.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 00:56 . 2004-08-04 05:56 23552 c:\windows\system32\wdmaud.drv
- 2004-08-04 00:56 . 2004-08-04 07:56 23552 c:\windows\system32\wdmaud.drv
+ 2009-04-18 01:01 . 2008-08-19 18:26 77824 c:\windows\system32\ReinstallBackups\0006\DriverFiles\SOUNDMAN.EXE
+ 2009-04-18 01:01 . 2004-08-04 05:56 23552 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\wdmaud.drv
+ 2009-04-18 01:01 . 2004-08-04 04:08 48640 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\stream.sys
+ 2009-04-18 01:01 . 2004-08-04 04:08 60288 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\drmk.sys
+ 2009-04-18 01:01 . 2009-03-02 16:14 57344 c:\windows\system32\ReinstallBackups\0006\DriverFiles\ALCMTR.EXE
+ 2004-08-03 23:08 . 2004-08-04 04:08 48640 c:\windows\system32\drivers\stream.sys
- 2004-08-03 23:08 . 2004-08-04 05:08 48640 c:\windows\system32\drivers\stream.sys
+ 2006-07-18 03:47 . 2004-08-04 04:08 60288 c:\windows\system32\drivers\drmk.sys
- 2006-07-18 03:47 . 2004-08-04 05:08 60288 c:\windows\system32\drivers\drmk.sys
+ 2004-08-04 00:56 . 2004-08-04 05:56 23552 c:\windows\system32\dllcache\wdmaud.drv
- 2004-08-04 00:56 . 2004-08-04 07:56 23552 c:\windows\system32\dllcache\wdmaud.drv
- 2004-08-03 23:08 . 2004-08-04 05:08 48640 c:\windows\system32\dllcache\stream.sys
+ 2004-08-03 23:08 . 2004-08-04 04:08 48640 c:\windows\system32\dllcache\stream.sys
- 2006-07-18 03:47 . 2004-08-04 05:08 60288 c:\windows\system32\dllcache\drmk.sys
+ 2006-07-18 03:47 . 2004-08-04 04:08 60288 c:\windows\system32\dllcache\drmk.sys
+ 2006-08-31 16:36 . 2008-08-19 18:26 77824 c:\windows\SOUNDMAN.EXE
+ 2001-08-17 22:36 . 2001-08-18 03:36 8192 c:\windows\system32\streamci.dll
- 2001-08-17 22:36 . 2004-08-10 12:00 8192 c:\windows\system32\streamci.dll
+ 2009-04-18 01:01 . 2004-08-04 05:56 4096 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\ksuser.dll
- 2006-07-18 03:47 . 2004-08-04 06:56 4096 c:\windows\system32\ksuser.dll
+ 2006-07-18 03:47 . 2004-08-04 05:56 4096 c:\windows\system32\ksuser.dll
- 2004-08-03 22:58 . 2004-08-10 12:00 4352 c:\windows\system32\drivers\swenum.sys
+ 2004-08-03 22:58 . 2004-08-04 03:58 4352 c:\windows\system32\drivers\swenum.sys
+ 2004-08-03 22:58 . 2004-08-04 03:58 4352 c:\windows\system32\dllcache\swenum.sys
+ 2001-08-17 22:36 . 2001-08-18 03:36 8192 c:\windows\system32\dllcache\streamci.dll
- 2006-07-18 03:47 . 2004-08-04 06:56 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2006-07-18 03:47 . 2004-08-04 05:56 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2006-07-18 03:47 . 2009-03-05 18:35 131072 c:\windows\system32\RTCOM\RTLCPAPI.dll
+ 2006-08-31 16:36 . 2009-03-30 15:52 266240 c:\windows\system32\RTCOM\RTCOMDLL.dll
+ 2009-04-18 01:01 . 2009-03-05 18:35 131072 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RTLCPAPI.dll
+ 2009-04-18 01:01 . 2009-03-30 15:52 266240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RTCOMDLL.dll
+ 2009-04-18 01:01 . 2006-02-01 01:31 145920 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\portcls.sys
+ 2009-04-18 01:01 . 2004-08-04 04:15 140928 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\ks.sys
- 2004-08-03 23:15 . 2004-08-04 05:15 140928 c:\windows\system32\drivers\ks.sys
+ 2004-08-03 23:15 . 2004-08-04 04:15 140928 c:\windows\system32\drivers\ks.sys
+ 2004-08-03 23:15 . 2004-08-04 04:15 140928 c:\windows\system32\dllcache\ks.sys
- 2004-08-03 23:15 . 2004-08-04 05:15 140928 c:\windows\system32\dllcache\ks.sys
+ 2009-04-17 20:14 . 2009-04-18 00:12 1373588 c:\windows\system32\Restore\rstrlog.dat
+ 2009-04-18 01:01 . 2007-11-20 23:15 1826816 c:\windows\system32\ReinstallBackups\0006\DriverFiles\SkyTel.exe
+ 2009-04-18 01:01 . 2009-01-21 20:54 1206816 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RtlUpd.exe
+ 2009-04-18 01:01 . 2008-06-19 21:27 9715200 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RTLCPL.EXE
+ 2009-04-18 01:01 . 2009-03-30 22:13 5063168 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RtkHDAud.sys
+ 2009-04-18 01:01 . 2009-03-10 19:32 2168320 c:\windows\system32\ReinstallBackups\0006\DriverFiles\MicCal.exe
+ 2009-04-18 01:01 . 2008-06-19 21:42 2808832 c:\windows\system32\ReinstallBackups\0006\DriverFiles\ALCWZRD.EXE
+ 2006-08-31 16:36 . 2007-11-20 23:15 1826816 c:\windows\SkyTel.exe
+ 2006-08-31 16:36 . 2008-06-19 21:27 9715200 c:\windows\RTLCPL.EXE
+ 2006-08-31 16:36 . 2008-06-19 21:42 2808832 c:\windows\ALCWZRD.EXE
- 2006-08-31 16:36 . 2006-05-04 22:26 2808832 c:\windows\alcwzrd.exe
+ 2009-04-18 01:01 . 2009-03-27 16:22 17567744 c:\windows\system32\ReinstallBackups\0006\DriverFiles\RTHDCPL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"PicoZip"="c:\progra~1\PicoZip\PicoZipTray.exe" [2006-06-09 581632]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools\daemon.exe" [2007-12-29 486856]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-07-25 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-15 185896]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-19 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-19 217088]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-02-14 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"CFSServ.exe"="CFSServ.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-27 17567744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-17 155648]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli nTATFWM2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-06 1684736]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 SVRPEDRV;SVRPEDRV; [x]
R3 XDva007;XDva007; [x]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-06-28 98816]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77aee2e7-0f1f-11dc-b1ff-0016e376c1e7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe9f83b-b4a1-11db-b1e1-00a0d1547f62}]
\Shell\AutoRun\command - LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.www.daemon-search.com/default
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} - hxxp://pump.musicshake.com/NewDownload/musicshake.cab
FF - ProfilePath - c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 22:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-04-18 22:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 03:11
ComboFix2.txt 2009-04-17 03:09
ComboFix3.txt 2009-04-16 23:38

Pre-Run: 19,489,230,848 bytes free
Post-Run: 18,566,131,712 bytes free

316

#14 fenzodahl512

fenzodahl512


Posted 17 April 2009 - 10:37 PM

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE

NEXT

Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    SVRPEDRV
    XDva007
    
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot your computer and uninstall >> reinstall your audio driver. Tell me how it's going :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
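The `:reg` line in the OTMoveIt3 script above resets the LSA "Notification Packages" value to its Windows XP default, `scecli`, written in .reg `hex(7):` (REG_MULTI_SZ) notation. Every DLL named in that value is loaded by LSASS and notified of password changes, which is why Vundo-era malware tampered with it and why it is worth auditing. The following is an added example, not part of this thread or of OTMoveIt3: it decodes a `hex(7):` value and reports entries outside an assumed allowlist (`scecli`, plus `rassfm` as seen on some RRAS systems).

```python
"""Decode an LSA "Notification Packages" hex(7) value and flag unexpected entries.

Added example (not from the thread). THREAD_VALUE is the byte list quoted in the
OTMoveIt3 script above; ALLOWLIST is an assumption, adjust it for your baseline.
"""
import re

# REG_MULTI_SZ in .reg "hex(7):" form, copied from the OTMoveIt3 script on the page.
THREAD_VALUE = "hex(7):73,63,65,63,6c,69,00,00"

# Assumed allowlist of legitimate LSA notification packages (compared case-insensitively).
ALLOWLIST = {"scecli", "rassfm"}


def parse_hex7(value: str) -> list[str]:
    """Return the strings encoded in a .reg hex(7) byte list.

    A REG_MULTI_SZ is a sequence of NUL-terminated strings ending in an extra NUL.
    regedit exports use UTF-16LE (every second byte is 0); fix-scripts such as the
    one in this thread use one byte per character. Both layouts are handled.
    """
    m = re.match(r"^\s*hex\(7\):(.*)$", value, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a hex(7) value")
    # .reg files wrap long byte lists with a trailing backslash; join those lines.
    body = m.group(1).replace("\\\r\n", "").replace("\\\n", "")
    data = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")   # regedit-style export
    else:
        text = data.decode("latin-1")     # one byte per character, as on this page
    return [s for s in text.split("\x00") if s]


def unexpected_packages(value: str, allowlist=ALLOWLIST) -> list[str]:
    """Entries of the decoded value that are not on the allowlist."""
    return [p for p in parse_hex7(value) if p.lower() not in allowlist]


if __name__ == "__main__":
    # Constructed sample: the thread's default plus one extra (made-up) package name.
    tampered = "hex(7):73,63,65,63,6c,69,00,78,79,7a,00,00"
    for v in (THREAD_VALUE, tampered):
        print(parse_hex7(v), "-> unexpected:", unexpected_packages(v))
```

On a live system the same check applies to the data exported from `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, where anything beyond the known baseline should be investigated before it is removed.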


#15 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 18 April 2009 - 07:51 AM

Sound is still a no-go. Did a full un-installation then a re-installation as told. Strange how it shows in hardware, but I cannot select it as an audio device.


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver SVRPEDRV deleted successfully.

Service\Driver XDva007 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\mine\LOCALS~1\Temp\etilqs_Rej1WKk27Z0GyneIgX6Z scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\mine\LOCALS~1\Temp\Perflib_Perfdata_4b0.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\mine\LOCALS~1\Temp\Perflib_Perfdata_910.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\mine\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\rg4sfay scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ydf8dk scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\mine\Local Settings\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\mine\Local Settings\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_231534

Files moved on Reboot...
File C:\DOCUME~1\mine\LOCALS~1\Temp\etilqs_Rej1WKk27Z0GyneIgX6Z not found!
File C:\DOCUME~1\mine\LOCALS~1\Temp\Perflib_Perfdata_4b0.dat not found!
File C:\DOCUME~1\mine\LOCALS~1\Temp\Perflib_Perfdata_910.dat not found!
File move failed. C:\WINDOWS\temp\rg4sfay scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ydf8dk scheduled to be moved on reboot.
C:\Documents and Settings\mine\Local Settings\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\mine\Local Settings\Application Data\Mozilla\Firefox\Profiles\f78ve8ku.default\XUL.mfl moved successfully.