Infected with TR/Dldr.agent.cikx


20 replies to this topic

#1 Feeski

Feeski

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 05 September 2009 - 05:30 AM

I have a Dell Inspiron laptop that is running Windows Vista Home Premium.

I live in South Korea and enjoyed super-fast internet until recently.

I often watch internet TV and I guess that I was infected by this trojan from using Megavideo. I have had no problems with it before, but it kept trying to get me to install this Gaming Harbour toolbar, which I thought I had X'd out, but Avira told me that I had this trojan as I was getting dating sites and Gaming Harbour randomly opening web pages.

Used Avira Free Edition to try and clean. It said it was fixed, but the same things kept happening. Tried Ad-Aware too and no joy. Now removed Avira and tried AVG, which also discovered the same trojan and said it was fixed, and also uninstalled Firefox as that was where the trouble began. IE is now just closing all the time in a desperate attempt to stop these sites opening, and is now very slow.


So far I have been advised on BC to run Malwarebytes, ATF and Superantispyware and RootRepeal. After running all of these I was directed here. You can get the full blow-by-blow account here: http://www.bleepingcomputer.com/forums/t/252610/infected-with-trdldragentcikx/

Here is the DDS.txt report:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Fiona at 19:12:29.38 on 05/09/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.1713 [GMT -7:00]

SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\npkcagentsvc.exe
C:\Windows\system32\npkcmsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\npkcAL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Fiona\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Gom Search: {375a6ab2-feec-445d-b853-2139fb561f80} - c:\program files\gretech\gomsearch\gsearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Korean IME Migration] c:\progra~1\common~1\micros~1\ime12\imekr\IMKRMIG.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {013BCEA5-8309-448b-8604-85F23D7861A5} - {375A6AB2-FEEC-445D-B853-2139FB561F80} - c:\program files\gretech\gomsearch\gsearch.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {42E8651D-C437-4203-93F5-24E20C2C4465} - hxxps://www.vpay.co.kr/kvpfiles_vista/KVPCyberCard_VISTA.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} - hxxp://support.kornet.net/sw5/order/Speed/cab/KTSpeedNewCtrl.cab
DPF: {78530AB7-7AC1-48E6-961E-A8D4EED52BAA} - hxxp://hakj.snut.ac.kr:8080/AIViewer37/AIGeneratorOcx.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.samsungcard.co.kr/XecureObject/vista/xw_install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} - hxxp://pgdownload.lgdacom.net/dacom/IssacWebProCMS_4_2_7_3_DE.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.samsungcard.co.kr/ubikey/VineTransfer.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxp://www.hikorea.go.kr/activeX/nProtect/npkcx_inca.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxp://plugin.inicis.com/wallet60/INIwallet60_vista.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-21 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-15 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-21 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-21 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 npkcagentsvc;npkcagentsvc;c:\windows\system32\npkcagentsvc.exe [2009-2-13 24576]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-28 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-3-5 7424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-09-02 21:38 --d----- c:\program files\Cobian Backup 8
2009-08-31 21:33 --d----- c:\users\fiona\DoctorWeb
2009-08-30 21:46 --d----- c:\programdata\SUPERAntiSpyware.com
2009-08-30 21:46 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-08-30 21:45 --d----- c:\users\fiona\appdata\roaming\SUPERAntiSpyware.com
2009-08-30 21:45 --d----- c:\program files\SUPERAntiSpyware
2009-08-30 21:44 --d----- c:\program files\common files\Wise Installation Wizard
2009-08-30 21:20 --d----- c:\users\fiona\appdata\roaming\Malwarebytes
2009-08-30 21:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 21:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 21:20 --d----- c:\programdata\Malwarebytes
2009-08-30 21:20 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:20 --d----- c:\progra~2\Malwarebytes
2009-08-27 00:34 --d----- c:\programdata\Office Genuine Advantage
2009-08-27 00:34 --d----- c:\users\fiona\Office Genuine Advantage
2009-08-27 00:03 2,048 a------- c:\windows\system32\tzres.dll
2009-08-27 00:01 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 00:01 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-22 10:43 66 a------- c:\windows\wininit.ini
2009-08-21 17:40 --d-h--- C:\$AVG8.VAULT$
2009-08-21 17:18 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-21 17:18 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-21 17:18 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-21 17:17 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 17:17 --d----- c:\windows\system32\drivers\Avg
2009-08-21 17:17 --d----- c:\programdata\AVG Security Toolbar
2009-08-21 17:17 --d----- c:\progra~2\AVG Security Toolbar
2009-08-21 17:17 --d----- c:\program files\AVG
2009-08-21 17:17 --d----- c:\programdata\avg8
2009-08-21 17:17 --d----- c:\progra~2\avg8
2009-08-21 17:05 --d----- c:\users\fiona\appdata\roaming\AVG8

==================== Find3M ====================

2009-08-18 19:48 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-21 14:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 14:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 14:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 13:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 06:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 05:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 05:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 05:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 05:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-15 07:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 07:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 07:53 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 07:53 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 07:53 218,624 a------- c:\windows\system32\msv1_0.dll
2009-06-15 07:52 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-06-15 07:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 07:52 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 07:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 07:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 05:48 9,728 a------- c:\windows\system32\lsass.exe
2009-06-15 05:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-11 20:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-10 04:42 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 04:38 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-05 13:57 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-05 13:57 86,016 a------- c:\windows\inf\infstor.dat
2009-06-05 13:57 51,200 a------- c:\windows\inf\infpub.dat
2009-06-05 13:51 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:13:53.76 ===============

Will attach the other reports. Hope you can help me.

Hi,

Just to add that the computer has been blue-screening fairly often, at least once every time that I switch it on. Usually win32.sys errors, but also had 0X8E and BAD_POOL_HEADER...

I had a lot of trouble with blue-screens when I first got the laptop, but it seemed to stop after a number of updates, but the crashes are back.

Thanks.

Merged posts. ~ OB

Edited by Orange Blossom, 05 September 2009 - 03:57 PM.
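The helpers in this thread read the DDS and RSIT/HijackThis logs by hand, but the entries they look at first can be picked out mechanically. The script below is an added example, not part of the thread and not code from DDS, RSIT or HijackThis: it walks HijackThis-style lines in both forms seen in this thread (the DDS "pseudo HJT" form and the HJT v2 / RSIT form, including RSIT's registry-dump blocks) and flags the kinds of entries these logs contain: UAC switched off (`EnableLUA = 0`), a toolbar CLSID whose DLL is gone (`(no file)`), ActiveX downloads (O16/DPF) fetched over plain http, Run keys that point into user-writable folders, and MountPoints2 autorun commands. The rule names, severities and the sample log are constructed for illustration (some sample lines are copied from the logs in this thread; the AppData Run entry is invented). Its output is a list of things to ask about, not a verdict that anything is malicious.

```python
"""Triage helper for HijackThis / DDS / RSIT style logs (added example).

Rule set and sample log are constructed for illustration; findings are
hints for a human reviewer, not malware verdicts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Locations a standard user can write to; autostarts from here deserve a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\[^\\]+\\desktop)\\", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "info", "review" or "high"
    rule: str
    line: str


def check_line(line: str, context: Optional[str]) -> Optional[Finding]:
    """Apply the rules to one log line.

    `context` is the current [HKEY_...] header for RSIT-style registry dumps,
    or None for plain HJT / DDS lines.
    """
    s = line.strip()
    if not s:
        return None
    # 1. UAC switched off. DDS: "mPolicies-system: EnableLUA = 0", RSIT: "EnableLUA"=0
    if re.search(r'EnableLUA"?\s*=\s*0\b', s):
        return Finding("high", "uac-disabled", s)
    # 2. BHO/toolbar CLSID still registered but the DLL is gone (stale registration).
    if re.match(r"O[23] - ", s) and "(no file)" in s:
        return Finding("review", "orphaned-browser-extension", s)
    # 3. ActiveX downloads (O16 / DPF). Logs defang URLs as hxxp, so accept both.
    m = re.match(r"(?:O16 - DPF|DPF): \{[0-9A-Fa-f-]+\}.*? - (h(?:xx|tt)ps?://\S+)", s)
    if m:
        if m.group(1).lower().startswith(("http://", "hxxp://")):
            return Finding("review", "activex-download-plain-http", s)
        return Finding("info", "activex-download", s)
    # 4. Autostart (Run key) whose target lives in a user-writable folder.
    if re.match(r"(?:O4 - HK|[mu]Run: )", s) and USER_WRITABLE.search(s):
        return Finding("high", "autorun-from-user-writable-path", s)
    # 5. MountPoints2 autorun/open/explore commands inside an RSIT registry dump block.
    if context and "mountpoints2" in context.lower() and \
            re.match(r"shell\\(autorun|open|explore)\\command - ", s, re.I):
        return Finding("review", "mountpoints2-autorun-command", s)
    return None


def triage(log_text: str) -> list:
    """Run every line of a pasted log through check_line, tracking registry headers."""
    findings, context = [], None
    for raw in log_text.splitlines():
        s = raw.strip()
        if s.startswith("[HKEY_"):
            context = s          # new registry block; applies until the next header
            continue
        f = check_line(s, context)
        if f:
            findings.append(f)
    return findings


def summary(findings) -> dict:
    """Count findings per rule, e.g. to sort a long log by what matters."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample mixing DDS pseudo-HJT lines, HJT v2 lines and an RSIT registry dump.
SAMPLE_LOG = r"""
mPolicies-system: EnableLUA = 0 (0x0)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.samsungcard.co.kr/XecureObject/vista/xw_install.cab
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [updater] C:\Users\Example\AppData\Roaming\example_updater.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b0ce59e-fb43-11dd-9311-001fe1e042d0}]
shell\AutoRun\command - v3pif.bat
shell\open\command - v3pif.bat
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:34} {f.line}")
```

Run it as a script to print the findings for the embedded sample, or call `triage()` on the text of a pasted log. The rules are deliberately narrow: a MountPoints2 command or an AppData autostart is flagged so that a helper asks about it, and a plain-http DPF entry is flagged because the control was fetched without transport protection, not because any particular vendor is suspect.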



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 21 September 2009 - 12:35 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 22 September 2009 - 09:24 AM

Hi Suebaby,

Thank you so much for helping me.

I have had to make one change to my computer since I posted the other logs. My AVG Antivirus was a trial version, so I had to download the Avira Free version instead otherwise I would have been left with no antivirus.

I used the Random/Random tool that you asked me to. If you need the RootRepeal or DDS done again, let me know. Here is the HJT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Fiona at 2009-09-22 23:20:33
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 100 GB (45%) free of 226 GB
Total RAM: 3061 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:20:42, on 22/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Fiona\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3MC0G1L5\RSIT[1].exe
C:\Program Files\trend micro\Fiona.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: gsearch - {375A6AB2-FEEC-445D-B853-2139FB561F80} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra 'Tools' menuitem: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra button: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {42E8651D-C437-4203-93F5-24E20C2C4465} (KvpVCardCtl Control) - https://www.vpay.co.kr/kvpfiles_vista/KVPCyberCard_VISTA.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {78530AB7-7AC1-48E6-961E-A8D4EED52BAA} (AIGenerator Class) - http://hakj.snut.ac.kr:8080/AIViewer37/AIGeneratorOcx.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - https://vbv.samsungcard.co.kr/XecureObject/.../xw_install.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.lgdacom.net/dacom/IssacW..._4_2_7_3_DE.cab
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - https://vbv.samsungcard.co.kr/ubikey/VineTransfer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://www.hikorea.go.kr/activeX/nProtect/npkcx_inca.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60_vista.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe

--
End of file - 7943 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\User_Feed_Synchronization-{A6CC1CB9-9493-4791-B5F2-96FA98083334}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{375A6AB2-FEEC-445D-B853-2139FB561F80}]
Gom Search - C:\Program Files\GRETECH\GomSearch\gsearch.dll [2008-06-17 218616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-15 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-15 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-15 133656]
"Korean IME Migration"=C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE [2006-10-26 26400]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-28 185872]
"OEM02Mon.exe"=C:\Windows\OEM02Mon.exe [2007-05-09 36864]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-07-30 520024]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-10 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-18 21633320]
"uTorrent"=C:\Program Files\uTorrent\uTorrent.exe [2009-07-27 288048]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-01-02 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b0ce59e-fb43-11dd-9311-001fe1e042d0}]
shell\AutoRun\command - v3pif.bat
shell\explore\command - v3pif.bat
shell\open\command - v3pif.bat


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-09-22 23:20:33 ----D---- C:\rsit
2009-09-22 23:20:33 ----D---- C:\Program Files\trend micro
2009-09-19 14:27:42 ----D---- C:\ProgramData\Avira
2009-09-19 14:27:42 ----D---- C:\Program Files\Avira
2009-09-02 21:38:31 ----D---- C:\Program Files\Cobian Backup 8
2009-09-01 21:37:30 ----A---- C:\RootRepeal report 09-01-09 (21-37-30).txt
2009-08-30 21:46:10 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-08-30 21:45:23 ----D---- C:\Users\Fiona\AppData\Roaming\SUPERAntiSpyware.com
2009-08-30 21:45:23 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-30 21:44:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-30 21:20:56 ----D---- C:\Users\Fiona\AppData\Roaming\Malwarebytes
2009-08-30 21:20:52 ----D---- C:\ProgramData\Malwarebytes
2009-08-30 21:20:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-27 00:34:34 ----D---- C:\ProgramData\Office Genuine Advantage
2009-08-27 00:03:08 ----A---- C:\Windows\system32\tzres.dll
2009-08-27 00:01:44 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-27 00:01:44 ----A---- C:\Windows\system32\Apphlpdm.dll

======List of files/folders modified in the last 1 months======

2009-09-22 23:20:37 ----D---- C:\Windows\Temp
2009-09-22 23:20:33 ----RD---- C:\Program Files
2009-09-22 23:20:13 ----D---- C:\Users\Fiona\AppData\Roaming\Skype
2009-09-22 23:20:01 ----D---- C:\Users\Fiona\AppData\Roaming\uTorrent
2009-09-22 22:10:38 ----D---- C:\Users\Fiona\AppData\Roaming\skypePM
2009-09-22 22:09:57 ----D---- C:\Windows\system32\LogFiles
2009-09-22 00:03:31 ----SHD---- C:\System Volume Information
2009-09-21 22:47:51 ----D---- C:\Windows\Minidump
2009-09-21 22:47:47 ----D---- C:\Windows
2009-09-19 14:35:57 ----D---- C:\Windows\System32
2009-09-19 14:34:28 ----SD---- C:\Users\Fiona\AppData\Roaming\Microsoft
2009-09-19 14:34:28 ----D---- C:\Windows\system32\drivers
2009-09-19 14:34:27 ----HD---- C:\ProgramData
2009-09-19 14:25:43 ----D---- C:\Windows\Prefetch
2009-09-19 14:25:42 ----SHD---- C:\Windows\Installer
2009-09-19 14:25:42 ----SHD---- C:\Config.Msi
2009-09-14 23:58:46 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-14 23:58:45 ----D---- C:\Windows\inf
2009-09-14 00:32:52 ----D---- C:\Windows\system32\WDI
2009-09-03 23:09:55 ----D---- C:\ProgramData\NCH Swift Sound
2009-09-03 23:09:47 ----D---- C:\Program Files\NCH Swift Sound
2009-09-02 23:39:53 ----D---- C:\Windows\system32\catroot2
2009-09-01 22:42:12 ----A---- C:\Windows\ntbtlog.txt
2009-08-30 21:44:07 ----D---- C:\Program Files\Common Files
2009-08-27 01:44:13 ----D---- C:\Windows\rescache
2009-08-27 01:25:36 ----D---- C:\Windows\system32\en-US
2009-08-27 01:25:32 ----D---- C:\Windows\AppPatch
2009-08-27 00:03:39 ----D---- C:\Windows\winsxs
2009-08-27 00:03:37 ----D---- C:\Windows\system32\catroot
2009-08-27 00:02:23 ----D---- C:\Windows\system32\zh-TW
2009-08-27 00:02:23 ----D---- C:\Windows\system32\zh-HK
2009-08-27 00:02:23 ----D---- C:\Windows\system32\tr-TR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\sv-SE
2009-08-27 00:02:23 ----D---- C:\Windows\system32\pt-BR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\nl-NL
2009-08-27 00:02:23 ----D---- C:\Windows\system32\nb-NO
2009-08-27 00:02:23 ----D---- C:\Windows\system32\ko-KR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\it-IT
2009-08-27 00:02:23 ----D---- C:\Windows\system32\he-IL
2009-08-27 00:02:23 ----D---- C:\Windows\system32\fr-FR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\fi-FI
2009-08-27 00:02:23 ----D---- C:\Windows\system32\es-ES
2009-08-27 00:02:23 ----D---- C:\Windows\system32\el-GR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\de-DE
2009-08-27 00:02:23 ----D---- C:\Windows\system32\da-DK
2009-08-27 00:02:23 ----D---- C:\Windows\system32\ar-SA
2009-08-27 00:02:02 ----D---- C:\Program Files\Internet Explorer
2009-08-26 23:10:52 ----D---- C:\Program Files\Mozilla Firefox
2009-08-26 23:09:05 ----SD---- C:\Windows\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 2016256]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service; C:\Windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 OEM02Dev;Creative Camera OEM002 Driver; C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-20 654336]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 npkcrypt;npkcrypt; \??\C:\Windows\system32\npkcrypt.sys [2007-06-26 35600]
S3 npkcusb;npkcusb; \??\C:\Windows\system32\npkcusb.sys [2007-04-20 24272]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-09-30 96341]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-30 1029456]
R2 npkcagentsvc;npkcagentsvc; C:\Windows\system32\npkcagentsvc.exe [2009-02-13 24576]
R2 npkcmsvc;npkcmsvc; C:\Windows\system32\npkcmsvc.exe [2009-02-13 61540]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 23 September 2009 - 03:04 PM

The item(s) below indicate(s) you have installed uTorrent.

C:\Program Files\uTorrent\uTorrent.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"


Since the nature of P2P programs is counterproductive to restoring your PC to a healthy state, I ask that you remove P2P file sharing programs before I provide you with malware removal assistance. Even the safest P2P file sharing programs, those that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to launch automatically at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer.

The people who design and distribute malware will use any method to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular method is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

To remove the P2P program:
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight uTorrent, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
  • Using Windows Explorer (Windows key+e), search for the folder C:\Program Files\uTorrent. If the program folder is still there, select/highlight it. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  • Close Windows Explorer.
There is a Video showing how to uninstall a program (Grinler) detailing how to add or remove a program in Windows for those who find a visual aid appealing. NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

I am not asking you to remove the P2P program(s) without giving you good reasons for doing so.
  • P2P programs form a direct conduit on to your computer.
  • P2P security measures are easily circumvented.
  • Some P2P programs will share everything on the computer with anyone by default. If your P2P program is not configured correctly, you may be sharing more files than you realize.
  • There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
  • P2P programs have always been a target of malware writers. There are more Viruses, Worms and Trojans being distributed with the downloaded files.
  • P2P programs connected to a network can be used to spread malware, share private documents, or use the file server to both store and forward malware.
  • Many of the files in P2P networks are copyrighted and legal action could result.
  • Pedophiles can use P2P communities to distribute child porn materials or attempt to make contact with children.
  • This article from InfoWorld, Seattle Man Arrested For P To P ID Theft, illustrates perfectly the dangers of a poorly configured P2P program.
  • Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
  • When you use them, you are downloading software from an unknown source directly onto your computer bypassing your Firewall and Anti-Virus software. Many of these Downloads are being targeted to carry infections.
References for the risk of these programs are:

If you continue to use P2P programs, you will probably get infected again.

Please uninstall all P2P programs and post a new HijackThis log.


I could find little or no information regarding these files:

O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe


Please upload the file to Jotti or VirusTotal or Virscan.

Note: Internet Explorer is the browser to use for best results.

Please upload suspicious file(s) to Jotti.
  • Click the white box beside the Browse box.
  • Copy and paste the following file path into the white box.

    O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
  • Press Submit. The file will be submitted for testing.
  • Please wait for all the scanners to finish, then post the results in your next response.
Alternatively, if Jotti is busy or inaccessible, you may try VirusTotal.
  • Click the white box beside the Browse box.
  • Copy and paste the following file path into the white box.

    O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
  • Click Send File.
or
  • Please go to VirSCAN.org free on-line scan service.
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page on the VirScan web site:

    O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
  • Click on the Upload button
  • After the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply. (Ctrl & V)
Follow the same procedures for this file:

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe

Please post the results in your next reply.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 25 September 2009 - 07:05 AM

Hello again,

uTorrent has been uninstalled.

Here is the first report.

File npkcagentsvc.exe received on 2009.04.21 00:49:04 (UTC)
Current status: finished

Result: 0/40 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.21 -
AhnLab-V3 5.0.0.2 2009.04.20 -
AntiVir 7.9.0.148 2009.04.20 -
Antiy-AVL 2.0.3.1 2009.04.20 -
Authentium 5.1.2.4 2009.04.20 -
Avast 4.8.1335.0 2009.04.20 -
AVG 8.5.0.287 2009.04.20 -
BitDefender 7.2 2009.04.21 -
CAT-QuickHeal 10.00 2009.04.20 -
ClamAV 0.94.1 2009.04.20 -
Comodo 1123 2009.04.20 -
DrWeb 4.44.0.09170 2009.04.21 -
eSafe 7.0.17.0 2009.04.20 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.20 -
F-Secure 8.0.14470.0 2009.04.21 -
Fortinet 3.117.0.0 2009.04.20 -
GData 19 2009.04.20 -
Ikarus T3.1.1.49.0 2009.04.21 -
K7AntiVirus 7.10.709 2009.04.20 -
Kaspersky 7.0.0.125 2009.04.21 -
McAfee 5590 2009.04.20 -
McAfee+Artemis 5590 2009.04.20 -
McAfee-GW-Edition 6.7.6 2009.04.21 -
Microsoft 1.4602 2009.04.21 -
NOD32 4023 2009.04.20 -
Norman 6.00.06 2009.04.20 -
nProtect 2009.1.8.0 2009.04.20 -
Panda 10.0.0.14 2009.04.20 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.21 -
Rising 21.26.04.00 2009.04.20 -
Sophos 4.40.0 2009.04.21 -
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.21 -
TheHacker 6.3.4.0.312 2009.04.20 -
TrendMicro 8.700.0.1004 2009.04.20 -
VBA32 3.12.10.2 2009.04.20 -
ViRobot 2009.4.20.1700 2009.04.20 -
VirusBuster 4.6.5.0 2009.04.20 -
Additional information
File size: 24576 bytes
MD5 : d3ca6602fefe412f4fd4657c49574632
SHA1 : 683542249d180dd2ffef128d91430f0e2c70f41c
SHA256: 96fffc3eccc23fa2fc421e4d903f8cf6b3ba22ca8589033738ff1330a65daaef
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x22E0
timedatestamp.....: 0x45B95CE5 (Fri Jan 26 02:44:05 2007)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1462 0x2000 4.42 e75d7e25fe5c2e3e40bbe14e9351322c
.rdata 0x3000 0x9F8 0x1000 3.76 5b3f9f5e54ada234fbd24ce6957a47ff
.data 0x4000 0x594 0x1000 1.60 e6ebb9bb51b4a42dcd80eeeaf2b92737
.rsrc 0x5000 0x438 0x1000 1.06 8ed35680ae052350ca8044d40158bcc3

( 7 imports )

> advapi32.dll: RevertToSelf, OpenProcessToken, DuplicateTokenEx, SetTokenInformation, ImpersonateLoggedOnUser, CreateProcessAsUserA, SetServiceStatus, RegisterServiceCtrlHandlerA, ControlService, DeleteService, CreateServiceA, CloseServiceHandle, OpenSCManagerA, OpenServiceA, StartServiceA, QueryServiceStatus, StartServiceCtrlDispatcherA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl
> kernel32.dll: UnmapViewOfFile, OpenFileMappingA, CreateFileMappingA, MapViewOfFile, GetCurrentProcess, GetSystemDirectoryA, GetLastError, CreateEventA, SetEvent, WaitForSingleObject, GetModuleHandleA, CloseHandle, GetVersionExA, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleFileNameA, Sleep, GetCommandLineA
> mfc42.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> msvcp60.dll: _cerr@std@@3V_$basic_ostream@DU_$char_traits@D@std@@@1@A, __0Init@ios_base@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __1_Winit@std@@QAE@XZ, __0_Winit@std@@QAE@XZ, __6std@@YAAAV_$basic_ostream@DU_$char_traits@D@std@@@0@AAV10@PBD@Z, _endl@std@@YAAAV_$basic_ostream@DU_$char_traits@D@std@@@1@AAV21@@Z
> msvcrt.dll: sprintf, _mbscmp, __CxxFrameHandler, __dllonexit, _onexit, _exit, _XcptFilter, exit, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, printf, _stricmp
> user32.dll: wsprintfA
> wtsapi32.dll: WTSFreeMemory, WTSEnumerateSessionsA, WTSEnumerateProcessesA

( 0 exports )

TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 384:SP/sAmOon5GTPf8LXblTn4bkQsE4mRs3pJnY:SIO8LXV4k37J
PEiD : Armadillo v1.71
RDS : NSRL Reference Data Set
-

#6 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 25 September 2009 - 07:11 AM

And here is the data for the next file; both were scanned with VirusTotal.

File npkcmsvc.exe received on 2009.09.25 12:08:57 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.25 -
AhnLab-V3 5.0.0.2 2009.09.24 -
AntiVir 7.9.1.25 2009.09.25 -
Antiy-AVL 2.0.3.7 2009.09.25 -
Authentium 5.1.2.4 2009.09.25 -
Avast 4.8.1351.0 2009.09.24 -
AVG 8.5.0.412 2009.09.25 -
BitDefender 7.2 2009.09.25 -
CAT-QuickHeal 10.00 2009.09.25 -
ClamAV 0.94.1 2009.09.25 -
Comodo 2431 2009.09.25 -
DrWeb 5.0.0.12182 2009.09.25 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6760 2009.09.25 -
F-Prot 4.5.1.85 2009.09.24 -
F-Secure 8.0.14470.0 2009.09.25 -
Fortinet 3.120.0.0 2009.09.25 -
GData 19 2009.09.25 -
Ikarus T3.1.1.72.0 2009.09.25 -
Jiangmin 11.0.800 2009.09.25 -
K7AntiVirus 7.10.853 2009.09.24 -
Kaspersky 7.0.0.125 2009.09.25 -
McAfee 5751 2009.09.24 -
McAfee+Artemis 5751 2009.09.24 -
McAfee-GW-Edition 6.8.5 2009.09.25 -
Microsoft 1.5005 2009.09.23 -
NOD32 4456 2009.09.25 -
Norman 6.01.09 2009.09.24 -
nProtect 2009.1.8.0 2009.09.25 -
Panda 10.0.2.2 2009.09.24 -
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.25 -
Rising 21.48.43.00 2009.09.25 -
Sophos 4.45.0 2009.09.25 -
Sunbelt 3.2.1858.2 2009.09.24 -
Symantec 1.4.4.12 2009.09.25 -
TheHacker 6.5.0.2.017 2009.09.24 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 -
ViRobot 2009.9.25.1956 2009.09.25 -
VirusBuster 4.6.5.0 2009.09.24 -
Additional information
File size: 61540 bytes
MD5...: 34f2c2777e26a6eded1c112d0dbf8c36
SHA1..: 8498b63ae3eb8e9c7d423fa3f93391953fdbcc27
SHA256: ce108c051162aa861da9d0fc7e16c82e2495d3d1bd461e7cb00b59e61177d639
ssdeep: 768:PZVrSq6knTj0X4c8f25tceo+i9cpz1y2r:P/rSqVf7DiUcpz13r

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x660c
timedatestamp.....: 0x45b5c336 (Tue Jan 23 08:11:34 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7d19 0x8000 4.56 824c96262494ec034de839907f0ea15d
.rdata 0x9000 0x6f9 0x1000 1.24 b635d2084d4108da8b8d81a8cf84ce57
.data 0xa000 0x10b8 0x1000 2.99 c81e2bc92bb84e21ae63c9e5169eeed4
.idata 0xc000 0xf0d 0x1000 4.02 456a7a70e4928c4647d3e47e66ec5829
.rsrc 0xd000 0x1e33 0x2000 2.93 609948e63347dec818ba0c9c2cb0c9d3
.reloc 0xf000 0x6ac 0x1000 2.93 01386f6443f7eb8bdd347549944d183b

( 6 imports )
> SETUPAPI.dll: SetupDiEnumDeviceInfo, SetupDiSetClassInstallParamsA, SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiCallClassInstaller, SetupDiDestroyDeviceInfoList, SetupDiSetDeviceRegistryPropertyA
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: strrchr, getenv, realloc, _except_handler3, _mbscmp, strchr, free, __CxxFrameHandler, __dllonexit, _onexit, _exit, sprintf, _access, _stricmp, printf, _XcptFilter, exit, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, malloc, _controlfp
> KERNEL32.dll: GetProcessHeap, HeapAlloc, HeapFree, GetFileSize, FormatMessageA, LocalLock, LocalFree, CreateProcessA, GetExitCodeProcess, CreateNamedPipeA, ConnectNamedPipe, ReadFile, WriteFile, FlushFileBuffers, DisconnectNamedPipe, DeviceIoControl, CreateFileA, GetVersion, GetLastError, GetVersionExA, GetSystemDirectoryA, Sleep, OpenEventA, CreateEventA, CreateThread, CloseHandle, TerminateThread, WaitForSingleObject, SetEvent, WaitForMultipleObjects
> USER32.dll: wsprintfA, MessageBoxA
> ADVAPI32.dll: QueryServiceObjectSecurity, GetSecurityDescriptorDacl, BuildExplicitAccessWithNameA, SetEntriesInAclA, SetServiceObjectSecurity, RegQueryInfoKeyA, RegOpenKeyA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCloseKey, RegisterServiceCtrlHandlerA, SetServiceStatus, OpenServiceA, ControlService, DeleteService, OpenSCManagerA, CreateServiceA, CloseServiceHandle, ChangeServiceConfig2A, StartServiceA, QueryServiceStatus, StartServiceCtrlDispatcherA

( 0 exports )

RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: INCA Internet Co., Ltd.
copyright....: Copyright © INCA Internet. 2000-2007
product......: nProtect KeyCrypt Manager Service
description..: nProtect KeyCrypt Manager Service
original name: npkcmsvc.exe
internal name: npkcmsvc
file version.: 2007, 1, 23, 1
comments.....: nProtect KeyCrypt Manager Service
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
pdfid.: -

#7 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 25 September 2009 - 07:19 AM

And here is the new HijackThis log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Fiona at 2009-09-25 21:20:55
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 101 GB (45%) free of 226 GB
Total RAM: 3061 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:58, on 25/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Fiona\Desktop\RSIT.exe
C:\Program Files\trend micro\Fiona.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: gsearch - {375A6AB2-FEEC-445D-B853-2139FB561F80} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra 'Tools' menuitem: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra button: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {42E8651D-C437-4203-93F5-24E20C2C4465} (KvpVCardCtl Control) - https://www.vpay.co.kr/kvpfiles_vista/KVPCyberCard_VISTA.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
O16 - DPF: {78530AB7-7AC1-48E6-961E-A8D4EED52BAA} (AIGenerator Class) - http://hakj.snut.ac.kr:8080/AIViewer37/AIGeneratorOcx.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - https://vbv.samsungcard.co.kr/XecureObject/.../xw_install.cab
O16 - DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} (IssacWebProCMS Class) - http://pgdownload.lgdacom.net/dacom/IssacW..._4_2_7_3_DE.cab
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - https://vbv.samsungcard.co.kr/ubikey/VineTransfer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://www.hikorea.go.kr/activeX/nProtect/npkcx_inca.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60_vista.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe

--
End of file - 7833 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\User_Feed_Synchronization-{A6CC1CB9-9493-4791-B5F2-96FA98083334}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{375A6AB2-FEEC-445D-B853-2139FB561F80}]
Gom Search - C:\Program Files\GRETECH\GomSearch\gsearch.dll [2008-06-17 218616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-15 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-15 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-15 133656]
"Korean IME Migration"=C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE [2006-10-26 26400]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-28 185872]
"OEM02Mon.exe"=C:\Windows\OEM02Mon.exe [2007-05-09 36864]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-07-30 520024]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-10 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-18 21633320]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-01-02 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b0ce59e-fb43-11dd-9311-001fe1e042d0}]
shell\AutoRun\command - v3pif.bat
shell\explore\command - v3pif.bat
shell\open\command - v3pif.bat


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-09-22 23:20:33 ----D---- C:\rsit
2009-09-22 23:20:33 ----D---- C:\Program Files\trend micro
2009-09-19 14:27:42 ----D---- C:\ProgramData\Avira
2009-09-19 14:27:42 ----D---- C:\Program Files\Avira
2009-09-02 21:38:31 ----D---- C:\Program Files\Cobian Backup 8
2009-09-01 21:37:30 ----A---- C:\RootRepeal report 09-01-09 (21-37-30).txt
2009-08-30 21:46:10 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-08-30 21:45:23 ----D---- C:\Users\Fiona\AppData\Roaming\SUPERAntiSpyware.com
2009-08-30 21:45:23 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-30 21:44:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-30 21:20:56 ----D---- C:\Users\Fiona\AppData\Roaming\Malwarebytes
2009-08-30 21:20:52 ----D---- C:\ProgramData\Malwarebytes
2009-08-30 21:20:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-27 00:34:34 ----D---- C:\ProgramData\Office Genuine Advantage
2009-08-27 00:03:08 ----A---- C:\Windows\system32\tzres.dll
2009-08-27 00:01:44 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-27 00:01:44 ----A---- C:\Windows\system32\Apphlpdm.dll

======List of files/folders modified in the last 1 months======

2009-09-25 21:20:58 ----D---- C:\Windows\Prefetch
2009-09-25 21:20:56 ----D---- C:\Windows\Temp
2009-09-25 20:48:53 ----RD---- C:\Program Files
2009-09-25 20:48:52 ----D---- C:\Users\Fiona\AppData\Roaming\uTorrent
2009-09-25 20:46:19 ----D---- C:\Users\Fiona\AppData\Roaming\Skype
2009-09-25 20:44:49 ----D---- C:\Users\Fiona\AppData\Roaming\skypePM
2009-09-25 14:54:27 ----SHD---- C:\System Volume Information
2009-09-25 04:06:37 ----D---- C:\Windows\Minidump
2009-09-25 04:06:33 ----D---- C:\Windows
2009-09-25 04:00:02 ----D---- C:\Windows\system32\catroot2
2009-09-22 22:09:57 ----D---- C:\Windows\system32\LogFiles
2009-09-19 14:35:57 ----D---- C:\Windows\System32
2009-09-19 14:34:28 ----SD---- C:\Users\Fiona\AppData\Roaming\Microsoft
2009-09-19 14:34:28 ----D---- C:\Windows\system32\drivers
2009-09-19 14:34:27 ----HD---- C:\ProgramData
2009-09-19 14:25:42 ----SHD---- C:\Windows\Installer
2009-09-19 14:25:42 ----SHD---- C:\Config.Msi
2009-09-14 23:58:46 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-14 23:58:45 ----D---- C:\Windows\inf
2009-09-14 00:32:52 ----D---- C:\Windows\system32\WDI
2009-09-03 23:09:55 ----D---- C:\ProgramData\NCH Swift Sound
2009-09-03 23:09:47 ----D---- C:\Program Files\NCH Swift Sound
2009-09-01 22:42:12 ----A---- C:\Windows\ntbtlog.txt
2009-08-30 21:44:07 ----D---- C:\Program Files\Common Files
2009-08-27 01:44:13 ----D---- C:\Windows\rescache
2009-08-27 01:25:36 ----D---- C:\Windows\system32\en-US
2009-08-27 01:25:32 ----D---- C:\Windows\AppPatch
2009-08-27 00:03:39 ----D---- C:\Windows\winsxs
2009-08-27 00:03:37 ----D---- C:\Windows\system32\catroot
2009-08-27 00:02:23 ----D---- C:\Windows\system32\zh-TW
2009-08-27 00:02:23 ----D---- C:\Windows\system32\zh-HK
2009-08-27 00:02:23 ----D---- C:\Windows\system32\tr-TR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\sv-SE
2009-08-27 00:02:23 ----D---- C:\Windows\system32\pt-BR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\nl-NL
2009-08-27 00:02:23 ----D---- C:\Windows\system32\nb-NO
2009-08-27 00:02:23 ----D---- C:\Windows\system32\ko-KR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\it-IT
2009-08-27 00:02:23 ----D---- C:\Windows\system32\he-IL
2009-08-27 00:02:23 ----D---- C:\Windows\system32\fr-FR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\fi-FI
2009-08-27 00:02:23 ----D---- C:\Windows\system32\es-ES
2009-08-27 00:02:23 ----D---- C:\Windows\system32\el-GR
2009-08-27 00:02:23 ----D---- C:\Windows\system32\de-DE
2009-08-27 00:02:23 ----D---- C:\Windows\system32\da-DK
2009-08-27 00:02:23 ----D---- C:\Windows\system32\ar-SA
2009-08-27 00:02:02 ----D---- C:\Program Files\Internet Explorer
2009-08-26 23:10:52 ----D---- C:\Program Files\Mozilla Firefox
2009-08-26 23:09:05 ----SD---- C:\Windows\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 2016256]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service; C:\Windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 OEM02Dev;Creative Camera OEM002 Driver; C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-20 654336]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 npkcrypt;npkcrypt; \??\C:\Windows\system32\npkcrypt.sys [2007-06-26 35600]
S3 npkcusb;npkcusb; \??\C:\Windows\system32\npkcusb.sys [2007-04-20 24272]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-09-30 96341]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-30 1029456]
R2 npkcagentsvc;npkcagentsvc; C:\Windows\system32\npkcagentsvc.exe [2009-02-13 24576]
R2 npkcmsvc;npkcmsvc; C:\Windows\system32\npkcmsvc.exe [2009-02-13 61540]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 25 September 2009 - 10:53 AM

NOTE: If for some reason you are unable to complete a step(s), skip that step and continue with the rest of the steps. Please describe your problem with the step in your next reply.

Step 1

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
  • Please download TFC by OldTimer to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • After it is finished, it should reboot your machine; if not, do this yourself to ensure a complete clean.
Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an ActiveX control to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D©® and install Spybot-S&D©® .
  • Be sure to UNCHECK TeaTimer when presented with the option to install. You can enable it after you are clean.
  • Run Spybot-S&D©® , go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
  • Click the button "Search for Updates".
  • If any updates are found, install them by placing a check mark next to each one and clicking "Download Updates".
  • If you encounter any error messages while downloading the updates, manually download them from here.
  • Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
  • Click the button "Check for Problems".
  • When Spybot-S&D©® is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Choose "Fix Selected Problems" and allow Spybot-S&D©® to fix the RED entries.
  • REBOOT to complete the scan and clear memory.
Note: After Windows loads, Spybot-S&D©® may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

Step 5
  • Please download Ad-Aware Free - Anniversary Edition to your desktop. The Ad-Aware Free - Anniversary Edition installation file will be Ad-AwareAE.exe.
  • Double-click the file and follow the on-screen instructions in the Installation Wizard to install.
  • When the Please Enter Your License Information screen appears, click Cancel and Ad-Aware Free - Anniversary Edition will be installed.
  • When the Ad-Aware Free - Anniversary Edition Has Been Successfully Installed Screen appears, click Finish to complete the installation and to launch Ad-Aware Free - Anniversary Edition.
  • The Status screen will appear. You will see four sections.
    • System Protection Status section where you will see Real Time Protection with a check in the Off dialog box and Automatic Updates with a check in the On dialog box.
    • Update Status section
    • System Scan section
    • License Status section where you will see that the Type: will be Free Edition and License Expires in: Never.
  • In the list on the left of the screen, click Scan. You will be given a choice of Smart Scan, Full Scan, and Custom Scan. (Scheduler on the right of the screen is only available in Ad-Aware 2008 Plus and Ad-Aware Pro.)
  • In the list on the left of the screen, click Settings > Scanning tab. Use the default settings unless you see some changes that you want to make.
  • In the list on the left of the screen, click Status. In the System Scan section, click Scan Now.
  • When the scan finishes, the Critical Objects tab window appears.
  • Under Scan Results, you will see the list of Critical Objects that Ad-Aware Free - Anniversary Edition found. You are given three choices, Add to ignore, Quarantine, Remove, and System Restore. You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If Critical Objects are found, select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
  • Click Remove.
  • If no Critical Objects are found, click the Privacy Objects tab.
  • If there are Privacy Objects listed, select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Select Add to ignore or Remove.
  • Click Remove.
  • If no Privacy Objects are found, click the Log File tab to see the statistics of the Ad-Aware Free - Anniversary Edition scan.
  • Click Finish.
  • The next screen shows you the Scan Summary in the left panel and System Restore in the right panel.
    • You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If you choose to create a System Restore Point, click Set.
    • You may want to export the results. Click Export and save the log on your computer.
    • Click Scan Again to repeat the scan.
  • You will be returned to the Status screen. Click on the X in the upper right corner to exit Ad-Aware Free - Anniversary Edition.
Step 6

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features.
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 7

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully."
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 8

We need to disconnect your computer from the Internet. By doing this, it prevents any further Internet activity until the removal of malware is complete. You need to make it impossible for viruses, trojan horses, worms and spyware to call for backup once you start to dismantle them. They will continue to infect your computer with new variants while you are connected to the Internet. We also need to prevent hackers from controlling your system and they will try to prevent you from removing the pests they installed on your computer.

Close ALL browser windows (including this one). Exit all processes and items in your System tray.

According to how your computer connects to the Internet, please disconnect your computer from the Internet. Possible means of disconnecting your computer from the Internet include:
  • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
  • Turn your modem off.
  • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Some laptops have a switch that will disconnect the laptop from the Internet.
Step 9

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  • Right click on the icon in your System Tray.
  • Click Exit
  • Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Step 10

Now we will address the HijackThis fixes.

The following entries are associated with Gretech's GOM Media Player - detected by some as Win/Adware.AskPop Toolbar. I recommend that you uninstall Gretech's GOM Media Player using the Add or Remove Programs.

O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll

O9 - Extra 'Tools' menuitem: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll

  • If you have not already done so, please download Trend Micro - HijackThis.
  • Double click HJTInstall.exe to begin installation.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  • Click Install.
  • A shortcut will be created on your Desktop and HijackThis will run automatically.
  • Click the button labeled Do a system scan only.
  • Click the Scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
  • Click in the boxes to the left of the following entries to place check marks (make sure not to miss any):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://support.kornet.net/sw5/order/Speed/...peedNewCtrl.cab
    O16 - DPF: {78530AB7-7AC1-48E6-961E-A8D4EED52BAA} (AIGenerator Class) - http://hakj.snut.ac.kr:8080/AIViewer37/AIGeneratorOcx.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://www.hikorea.go.kr/activeX/nProtect/npkcx_inca.cab
    O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60_vista.cab

  • Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.
Step 11

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if they apply to your computer's problem with being slow to respond.
Slow Computer/browser? Check Here First; It May Not Be Malware
What to do if your Computer is running slowly
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 12

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "Safe Mode".
-- Post the log in your next reply.

Perform an anti-rootkit (ARK) scan with one of the following:

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Step 13

Check to see if you have insecure applications with Secunia Software Inspector. Secunia Software Inspector:
  • Detects insecure versions of common/popular programs installed on your computer.
  • Verifies that all Microsoft patches are applied.
  • Assists you in updating, patching, and protecting your computer.
  • Activates additional security features in Sun Java.
  • Runs through your browser. No installation or download is required.
Step 14

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from MalwareBytes
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
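As an added example for this step (not code from the thread or from HijackThis itself): a small Python triage script that parses the entry formats used in the fix list above and in the HijackThis log Fiona posts further down, flags blank R0/R1 values, "(no file)" CLSID entries and O16 DPF downloads, and reports the host each ActiveX control came from. The sample lines are copied from this thread; the "Running processes" path is included only to show that non-entry lines are skipped.

```python
"""Triage helper for HijackThis 2.0.x log entries.

Added example for this thread (not part of HijackThis).  It parses the entry
formats seen in the fix list above (R0/R1 registry values, O3/O9 CLSID entries,
O16 DPF ActiveX downloads) and flags the ones a helper looks at first.  The
sample lines below are copied from the thread.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# R0/R1 body:  HKLM\...\Search,SearchAssistant = <data>   (data may be empty)
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")


@dataclass
class Entry:
    code: str                              # R0, R1, O3, O9, O16, ...
    raw: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def _clsid(text):
    m = CLSID_RE.search(text)
    return m.group(0) if m else None


def parse_line(line):
    """Return an Entry for a HijackThis item line, or None for anything else
    (log header, 'Running processes' paths, blank lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    e = Entry(code, line.strip())
    if code in ("R0", "R1"):
        r = REG_RE.match(body)
        if r:
            e.fields.update(r.groupdict())
            if not e.fields["data"]:
                e.flags.append("blank IE search/page value (leftover; usually safe to fix)")
    elif code == "O16":
        # O16 - DPF: {CLSID} (Friendly Class) - http://host/path/control.cab
        head, _, url = body.rpartition(" - ")
        cls = re.search(r"\(([^)]*)\)", head)
        host = urlparse(url).hostname or "?"
        e.fields.update(clsid=_clsid(head), cls=cls.group(1) if cls else None,
                        url=url, host=host)
        e.flags.append(f"ActiveX control downloaded from {host}; keep only if that site is still used")
    elif code in ("O2", "O3", "O9"):
        # O3 - Toolbar: <name> - {CLSID} - <file or (no file)>   (O2 BHO / O9 button: same shape)
        head, _, target = body.rpartition(" - ")
        kind_name, _, clsid_part = head.rpartition(" - ")
        kind, _, name = kind_name.partition(": ")
        e.fields.update(kind=kind, name=name, clsid=_clsid(clsid_part), target=target)
        if target == "(no file)":
            e.flags.append("orphaned CLSID: the registry entry points at a file that no longer exists")
    return e


def triage(log_text):
    """Parse a whole log and return only the entries that raised a flag."""
    parsed = (parse_line(ln) for ln in log_text.splitlines())
    return [e for e in parsed if e is not None and e.flags]


# Sample lines copied from this thread; the first two show non-entry lines being skipped.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\taskeng.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60_vista.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.code, e.fields.get("clsid") or e.fields.get("value"), "->", "; ".join(e.flags))
```

O9 buttons with an existing DLL (like the GOM Media Player ones above) get no automatic flag; the script only extracts the path so the owning program can be looked up by hand.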

#9 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female

Posted 30 September 2009 - 01:01 AM

Hi Suebaby,

Just to let you know that I did get the last post. It may take me a few more days to get round to doing all this. I will let you know if or when any problems arise.

Thanks again.

Fiona.

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 01 October 2009 - 07:02 AM

Thanks for letting me know.

#11 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female

Posted 02 October 2009 - 11:18 AM

Hi Suebaby,

I am about half way through the process. I scanned with Bitdefender, Computer Associates Scan and Windows Live...all clean. As I already had Ad-aware installed, I uninstalled, ran Spybot...it found some things and cleaned and then ran it again, although the computer blue-screened as the second scan started...it has been crashing once almost every time I switch it on, so...

Put Ad-aware back on...another crash after reboot. Did a smart scan and cleaned about 50 cookies and then did a full scan and all clean.

SpywareBlaster is on and MalwareBytes came up all clean. Here is the log:
Malwarebytes' Anti-Malware 1.41
Database version: 2895
Windows 6.0.6002 Service Pack 2

03/10/2009 01:16:09
mbam-log-2009-10-03 (01-16-09).txt

Scan type: Quick Scan
Objects scanned: 89029
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Will post the HijackThis log etc. in the next reply.

Cheers,

Fiona.

#12 Feeski

Feeski
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female

Posted 02 October 2009 - 02:23 PM

Dear Suebaby,

Completed the rest of the fixes. Ran Dr.Web...I think that everything was moved, it let me move stuff half-way through the scan, but afterwards all the buttons were greyed out. On reboot the computer ran CheckDisk which seemed to be fine, but afterwards the computer crashed again, 0x08E error. Ran RootRepeal, Secunia and HijackThis. Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:21:02, on 03/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe

RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/03 03:47
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: gsearch - {375A6AB2-FEEC-445D-B853-2139FB561F80} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra 'Tools' menuitem: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra button: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7303 bytes

Hope all is well.

Thanks.

#13 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 07 October 2009 - 07:09 AM

Sorry. Haven't been feeling well. Please post a new HijackThis log. The log in your last post is incomplete. I need the entire log including the heading. Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#14 Feeski

  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Local time:02:57 PM

Posted 08 October 2009 - 08:42 PM

Dear Suebaby,

Sorry to hear that you haven't been well. I am off for a weekend break this weekend, but will be back on Monday. Here is the new HijackThis log. The computer is still doing its usual of blue-screening once, pretty much every time it is switched on, usually a x08E or x0A error; after it has crashed and restarted it is always fine.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:42, on 09/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: gsearch - {375A6AB2-FEEC-445D-B853-2139FB561F80} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra 'Tools' menuitem: ? ????? - {013BCEA5-8309-448b-8604-85F23D7861A5} - C:\Program Files\GRETECH\GomSearch\gsearch.dll
O9 - Extra button: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote? ??? - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: npkcagentsvc - - C:\Windows\system32\npkcagentsvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Windows\system32\npkcmsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7540 bytes

#15 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 09 October 2009 - 09:06 AM

Try uninstalling GRETECH. See if Blue Screen still appears. Reinstall GRETECH. Let me know what happens.
C:\Program Files\GRETECH