Cannot run MBAM, HiJack This, or install AVG.


This topic is locked
55 replies to this topic

#1 edp333

Posted 09 November 2009 - 07:49 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/270084/cannot-run-mbam-hijack-this-etc/ ~ OB

I downloaded MBAM and HiJackThis, but was not able to run them even in safe mode. I was able to run esetsmartinstaller_enu, MS Malicious Software Removal Tool, MS Scanner, and rkill. Several trojans were detected and removed including win32/Alvreon and win32/FakeCog. Tried to follow the Prep Guide but was unable to get DDS to run, but was able to get a HiJackThis log with RSIT.

Here is a copy of the log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-11-09 18:36:57
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 38 GB (50%) free of 76 GB
Total RAM: 1023 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:31 PM, on 11/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\trend micro\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [Protection System] C:\Program Files\Protection System\psystem.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ms18_word] C:\Documents and Settings\user\ms18_word.exe
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1247701221125
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PC FineTune Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe

--
End of file - 5971 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
ElnkPubBHO Class - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll [2008-11-04 255472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
ElnkProtectionBHO Class - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll [2008-11-04 415216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
ElnkLegacyUninstBHO Class - C:\Program Files\EarthLink\Toolbar\uninsttb.dll [2008-11-04 280048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink\Toolbar\Toolbar.dll [2008-11-04 873968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe [2004-11-20 266240]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-12 88204]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2009-09-13 1048392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Protection System"=C:\Program Files\Protection System\psystem.exe []
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]
"ms18_word"=C:\Documents and Settings\user\ms18_word.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\qbubjogw.exe"="C:\WINDOWS\System32\qbubjogw.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\azvyue.exe"="C:\WINDOWS\System32\azvyue.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\ssywx.exe"="C:\WINDOWS\System32\ssywx.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\qvvcq.exe"="C:\WINDOWS\System32\qvvcq.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\jqbfdhz.exe"="C:\WINDOWS\System32\jqbfdhz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\apkprhx.exe"="C:\WINDOWS\System32\apkprhx.exe:*:Enabled:Ultimate Tool"
"C:\youre.exe"="C:\youre.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\zoyyyz.exe"="C:\WINDOWS\System32\zoyyyz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\msbiygma.exe"="C:\WINDOWS\System32\msbiygma.exe:*:Enabled:Ultimate Tool"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d10ffe-719b-11de-9c9c-806d6172696f}]
shell\AutoRun\command - D:\setup.exe


======List of files/folders created in the last 1 months======

2009-11-09 18:36:58 ----D---- C:\Program Files\trend micro
2009-11-09 18:36:57 ----D---- C:\rsit
2009-11-09 14:41:06 ----D---- C:\Program Files\Microsoft Security Essentials
2009-11-09 14:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB914882$
2009-11-09 14:32:31 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2009-11-09 14:29:37 ----D---- C:\Program Files\Windows Defender
2009-11-09 14:24:30 ----D---- C:\WINDOWS\Prefetch
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\proxycfg.exe
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\logman.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\cmsetacl.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\btpanui.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthserv.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthci.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\blastcln.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\auditusr.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3duag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdukx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsno.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsfi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdno1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt48.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt47.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmaori.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinmal.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinben.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinbe1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdfi1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_32.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ieencode.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\httpapi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fwcfg.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fsquirt.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltmc.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltlib.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\dxdiagn.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\d3d9.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\sdhcinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\powercfg.exe
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\pnrpnsp.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2psvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pnetsh.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgraph.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgasvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2p.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mspmsnsv.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\msdadiag.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp4sdmod.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp43dmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmspdmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmsdmoe2.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpdxm.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpasf.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmp.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmidx.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmerror.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\winshfhc.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\w3ssl.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\twext.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\strmfilt.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\smbinst.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slserv.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slgen.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprovi.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprov.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuaueng1.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuauclt1.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wshbth.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscsvc.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscntfy.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmvdmoe2.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmspdmoe.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\slrundll.exe
2009-11-09 14:17:08 ----N---- C:\WINDOWS\system32\xpsp2res.dll
2009-11-09 14:16:40 ----A---- C:\WINDOWS\002220_.tmp
2009-11-09 11:38:47 ----D---- C:\Documents and Settings\user\Application Data\Sun
2009-11-07 22:18:20 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-07 14:02:07 ----D---- C:\Documents and Settings\user\Application Data\AVG8
2009-11-07 10:33:04 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-06 21:00:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-06 21:00:32 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-11-06 20:33:14 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-11-09 18:36:58 ----RD---- C:\Program Files
2009-11-09 16:23:14 ----D---- C:\WINDOWS\Temp
2009-11-09 15:06:46 ----SD---- C:\WINDOWS\Tasks
2009-11-09 15:05:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-09 14:48:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-09 14:45:38 ----D---- C:\WINDOWS
2009-11-09 14:45:26 ----D---- C:\WINDOWS\Debug
2009-11-09 14:41:42 ----D---- C:\WINDOWS\security
2009-11-09 14:41:14 ----SHD---- C:\WINDOWS\Installer
2009-11-09 14:41:11 ----HD---- C:\WINDOWS\inf
2009-11-09 14:41:11 ----D---- C:\WINDOWS\system32\drivers
2009-11-09 14:41:10 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2009-11-09 14:40:58 ----D---- C:\WINDOWS\system32
2009-11-09 14:40:54 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-09 14:28:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-09 14:25:55 ----A---- C:\WINDOWS\OEWABLog.txt
2009-11-09 14:25:44 ----A---- C:\WINDOWS\imsins.BAK
2009-11-09 14:24:57 ----A---- C:\WINDOWS\setuplog.txt
2009-11-09 14:24:04 ----D---- C:\WINDOWS\system32\wbem
2009-11-09 14:24:04 ----D---- C:\WINDOWS\AppPatch
2009-11-09 14:24:03 ----RSD---- C:\WINDOWS\Fonts
2009-11-09 14:22:04 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-09 14:20:21 ----RASH---- C:\boot.ini
2009-11-09 14:20:21 ----A---- C:\WINDOWS\win.ini
2009-11-09 14:19:58 ----D---- C:\WINDOWS\Help
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\Setup
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\oobe
2009-11-09 14:19:57 ----D---- C:\Program Files\Common Files\System
2009-11-09 14:19:56 ----D---- C:\WINDOWS\system32\mui
2009-11-09 14:19:56 ----D---- C:\WINDOWS\ime
2009-11-09 14:19:49 ----D---- C:\Program Files\Windows Media Player
2009-11-09 14:19:48 ----D---- C:\WINDOWS\PeerNet
2009-11-09 14:19:48 ----D---- C:\Program Files\Movie Maker
2009-11-09 14:19:47 ----D---- C:\WINDOWS\Media
2009-11-09 14:18:23 ----D---- C:\Program Files\Internet Explorer
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\Restore
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\npp
2009-11-09 14:18:22 ----D---- C:\WINDOWS\msagent
2009-11-09 14:18:20 ----D---- C:\WINDOWS\srchasst
2009-11-09 14:18:18 ----D---- C:\Program Files\NetMeeting
2009-11-09 14:18:17 ----D---- C:\WINDOWS\system32\Com
2009-11-09 14:18:14 ----D---- C:\Program Files\Windows NT
2009-11-09 14:18:14 ----D---- C:\Program Files\Outlook Express
2009-11-09 14:18:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-09 14:18:02 ----D---- C:\WINDOWS\system32\usmt
2009-11-09 14:18:01 ----D---- C:\WINDOWS\system
2009-11-09 14:17:08 ----RD---- C:\WINDOWS\Web
2009-11-09 14:17:00 ----RASH---- C:\NTDETECT.COM
2009-11-09 14:16:33 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-11-09 14:15:30 ----D---- C:\WINDOWS\EHome
2009-11-07 22:18:20 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-06 21:11:25 ----D---- C:\Program Files\ESET
2009-11-06 20:39:41 ----D---- C:\WINDOWS\Minidump
2009-11-06 20:33:24 ----D---- C:\Documents and Settings
2009-10-12 12:32:09 ----D---- C:\Documents and Settings\user\Application Data\MSN6
2009-10-12 12:23:28 ----A---- C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-06-18 142832]
R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2004-11-10 94976]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-12-12 1124097]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2004-11-10 33408]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2004-11-10 12928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 jwgvxnhg;jwgvxnhg; \??\C:\WINDOWS\system32\drivers\jwgvxnhg.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 SABKUTIL;SABKUTIL; \??\C:\Documents and Settings\user\Desktop\SABKUTIL.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-03-31 5888]
S3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 app_filter;app_filter; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2004-11-20 139264]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2004-10-30 20543]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-07-02 17904]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2004-11-20 110653]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2004-11-20 53313]
R2 PC FineTune Task Manager;PC FineTune Task Manager; C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe [2008-11-14 120088]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 hwclock;Hardware Clock Driver; C:\WINDOWS\System32\hwclock.exe []

-----------------EOF-----------------

P.S. When trying to run RootRepeal the error message is displayed: Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.

When continuing RootRepeal the computer freezes in the Initializing, please wait..... process.

Merged posts. ~ OB

Edited by Orange Blossom, 09 November 2009 - 09:50 PM.



#2 Blade81
Malware Response Team

Posted 16 November 2009 - 02:19 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh rsit log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 edp333
Topic Starter

Posted 16 November 2009 - 12:39 PM

Thanks, I know you are busy and appreciate the help.

This RSIT was run in Safe Mode as the computer will no longer boot to normal mode. I tried to run the sfc /scannow process, but it is now being shut down immediately like the MBAM, etc.

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-11-16 11:32:35
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 38 GB (50%) free of 76 GB
Total RAM: 1023 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:41 AM, on 11/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\trend micro\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [Protection System] C:\Program Files\Protection System\psystem.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ms18_word] C:\Documents and Settings\user\ms18_word.exe
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1247701221125
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PC FineTune Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe

--
End of file - 5207 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
ElnkPubBHO Class - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll [2008-11-04 255472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
ElnkProtectionBHO Class - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll [2008-11-04 415216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
ElnkLegacyUninstBHO Class - C:\Program Files\EarthLink\Toolbar\uninsttb.dll [2008-11-04 280048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink\Toolbar\Toolbar.dll [2008-11-04 873968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe [2004-11-20 266240]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-12 88204]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2009-09-13 1048392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Protection System"=C:\Program Files\Protection System\psystem.exe []
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]
"ms18_word"=C:\Documents and Settings\user\ms18_word.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\qbubjogw.exe"="C:\WINDOWS\System32\qbubjogw.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\azvyue.exe"="C:\WINDOWS\System32\azvyue.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\ssywx.exe"="C:\WINDOWS\System32\ssywx.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\qvvcq.exe"="C:\WINDOWS\System32\qvvcq.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\jqbfdhz.exe"="C:\WINDOWS\System32\jqbfdhz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\apkprhx.exe"="C:\WINDOWS\System32\apkprhx.exe:*:Enabled:Ultimate Tool"
"C:\youre.exe"="C:\youre.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\zoyyyz.exe"="C:\WINDOWS\System32\zoyyyz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\msbiygma.exe"="C:\WINDOWS\System32\msbiygma.exe:*:Enabled:Ultimate Tool"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d10ffe-719b-11de-9c9c-806d6172696f}]
shell\AutoRun\command - D:\setup.exe


======List of files/folders created in the last 1 months======

2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\muweb.dll
2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-11-12 13:27:50 ----D---- C:\WINDOWS\LastGood.Tmp
2009-11-09 18:36:58 ----D---- C:\Program Files\trend micro
2009-11-09 18:36:57 ----D---- C:\rsit
2009-11-09 14:41:06 ----D---- C:\Program Files\Microsoft Security Essentials
2009-11-09 14:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB914882$
2009-11-09 14:32:31 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2009-11-09 14:29:37 ----D---- C:\Program Files\Windows Defender
2009-11-09 14:24:30 ----D---- C:\WINDOWS\Prefetch
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\proxycfg.exe
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\logman.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\cmsetacl.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\btpanui.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthserv.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthci.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\blastcln.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\auditusr.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3duag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdukx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsno.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsfi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdno1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt48.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt47.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmaori.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinmal.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinben.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinbe1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdfi1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_32.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ieencode.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\httpapi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fwcfg.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fsquirt.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltmc.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltlib.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\dxdiagn.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\d3d9.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\sdhcinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\powercfg.exe
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\pnrpnsp.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2psvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pnetsh.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgraph.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgasvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2p.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mspmsnsv.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\msdadiag.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp4sdmod.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp43dmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmspdmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmsdmoe2.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpdxm.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpasf.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmp.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmidx.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmerror.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\winshfhc.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\w3ssl.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\twext.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\strmfilt.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\smbinst.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slserv.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slgen.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprovi.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprov.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuaueng1.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuauclt1.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wshbth.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscsvc.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscntfy.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmvdmoe2.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmspdmoe.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\slrundll.exe
2009-11-09 14:17:08 ----N---- C:\WINDOWS\system32\xpsp2res.dll
2009-11-09 14:16:40 ----A---- C:\WINDOWS\002220_.tmp
2009-11-09 11:38:47 ----D---- C:\Documents and Settings\user\Application Data\Sun
2009-11-07 22:18:20 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-07 14:02:07 ----D---- C:\Documents and Settings\user\Application Data\AVG8
2009-11-07 10:33:04 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-06 21:00:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-06 21:00:32 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-11-06 20:33:14 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-11-16 11:28:31 ----SD---- C:\WINDOWS\Tasks
2009-11-16 09:49:59 ----D---- C:\WINDOWS\system32
2009-11-16 09:49:22 ----D---- C:\WINDOWS
2009-11-12 13:30:40 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-12 13:28:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-12 13:27:56 ----D---- C:\WINDOWS\Temp
2009-11-12 13:27:55 ----HD---- C:\WINDOWS\inf
2009-11-12 13:27:55 ----D---- C:\WINDOWS\Help
2009-11-12 13:25:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-09 19:18:45 ----D---- C:\WINDOWS\system32\drivers
2009-11-09 18:36:58 ----RD---- C:\Program Files
2009-11-09 14:45:26 ----D---- C:\WINDOWS\Debug
2009-11-09 14:41:42 ----D---- C:\WINDOWS\security
2009-11-09 14:41:14 ----SHD---- C:\WINDOWS\Installer
2009-11-09 14:41:10 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2009-11-09 14:40:59 ----A---- C:\WINDOWS\imsins.BAK
2009-11-09 14:40:54 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-09 14:28:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-09 14:25:55 ----A---- C:\WINDOWS\OEWABLog.txt
2009-11-09 14:24:57 ----A---- C:\WINDOWS\setuplog.txt
2009-11-09 14:24:04 ----D---- C:\WINDOWS\system32\wbem
2009-11-09 14:24:04 ----D---- C:\WINDOWS\AppPatch
2009-11-09 14:24:03 ----RSD---- C:\WINDOWS\Fonts
2009-11-09 14:22:04 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-09 14:20:21 ----RASH---- C:\boot.ini
2009-11-09 14:20:21 ----A---- C:\WINDOWS\win.ini
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\Setup
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\oobe
2009-11-09 14:19:57 ----D---- C:\Program Files\Common Files\System
2009-11-09 14:19:56 ----D---- C:\WINDOWS\system32\mui
2009-11-09 14:19:56 ----D---- C:\WINDOWS\ime
2009-11-09 14:19:49 ----D---- C:\Program Files\Windows Media Player
2009-11-09 14:19:48 ----D---- C:\WINDOWS\PeerNet
2009-11-09 14:19:48 ----D---- C:\Program Files\Movie Maker
2009-11-09 14:19:47 ----D---- C:\WINDOWS\Media
2009-11-09 14:18:23 ----D---- C:\Program Files\Internet Explorer
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\Restore
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\npp
2009-11-09 14:18:22 ----D---- C:\WINDOWS\msagent
2009-11-09 14:18:20 ----D---- C:\WINDOWS\srchasst
2009-11-09 14:18:18 ----D---- C:\Program Files\NetMeeting
2009-11-09 14:18:17 ----D---- C:\WINDOWS\system32\Com
2009-11-09 14:18:14 ----D---- C:\Program Files\Windows NT
2009-11-09 14:18:14 ----D---- C:\Program Files\Outlook Express
2009-11-09 14:18:02 ----D---- C:\WINDOWS\system32\usmt
2009-11-09 14:18:01 ----D---- C:\WINDOWS\system
2009-11-09 14:17:08 ----RD---- C:\WINDOWS\Web
2009-11-09 14:17:00 ----RASH---- C:\NTDETECT.COM
2009-11-09 14:16:33 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-11-09 14:15:30 ----D---- C:\WINDOWS\EHome
2009-11-07 22:18:20 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-06 21:11:25 ----D---- C:\Program Files\ESET
2009-11-06 20:39:41 ----D---- C:\WINDOWS\Minidump
2009-11-06 20:33:24 ----D---- C:\Documents and Settings

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2004-11-10 94976]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 jwgvxnhg;jwgvxnhg; \??\C:\WINDOWS\system32\drivers\jwgvxnhg.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-06-18 142832]
S1 SABKUTIL;SABKUTIL; \??\C:\Documents and Settings\user\Desktop\SABKUTIL.sys []
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-12-12 1124097]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2004-11-10 33408]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2004-11-10 12928]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-03-31 5888]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-07-02 17904]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 app_filter;app_filter; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2004-11-20 139264]
S2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2004-10-30 20543]
S2 hwclock;Hardware Clock Driver; C:\WINDOWS\System32\hwclock.exe []
S2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2004-11-20 110653]
S2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2004-11-20 53313]
S2 PC FineTune Task Manager;PC FineTune Task Manager; C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe [2008-11-14 120088]

-----------------EOF-----------------
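The registry dump and driver list above carry several indicators a responder learns to spot by eye: autostart entries whose binary RSIT could not stat (the empty `[]` after the path), a run key pointing at an executable sitting directly in the user's profile folder, a block of Windows Firewall exceptions for randomly named binaries in System32 that all share one label, a cached AutoRun command for a removable drive, and a driver whose service name, description and file stem are the same random string. The following Python script, an added example for this thread and not part of RSIT, HijackThis or any BleepingComputer tool, encodes those checks as triage heuristics and runs them over lines excerpted from the posted log. The rule names, regular expressions and the "three or more binaries per label" threshold are my own; the sample text is copied from the log, not constructed.

```python
"""Triage heuristics for an RSIT-style registry dump and driver list.
Added example for this thread, not part of RSIT, HijackThis or any BleepingComputer tool.
SAMPLE_* are excerpted from the log posted above; rule names, regexes and thresholds are
my own and yield hints for an analyst, not verdicts."""
import re

SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Protection System"=C:\Program Files\Protection System\psystem.exe []
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]
"ms18_word"=C:\Documents and Settings\user\ms18_word.exe []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\qbubjogw.exe"="C:\WINDOWS\System32\qbubjogw.exe:*:Enabled:Ultimate Tool"
"C:\youre.exe"="C:\youre.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\zoyyyz.exe"="C:\WINDOWS\System32\zoyyyz.exe:*:Enabled:Ultimate Tool"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d10ffe-719b-11de-9c9c-806d6172696f}]
shell\AutoRun\command - D:\setup.exe
"""
SAMPLE_DRIVERS = r"""
R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2004-11-10 94976]
S1 jwgvxnhg;jwgvxnhg; \??\C:\WINDOWS\system32\drivers\jwgvxnhg.sys []
S1 SABKUTIL;SABKUTIL; \??\C:\Documents and Settings\user\Desktop\SABKUTIL.sys []
S2 hwclock;Hardware Clock Driver; C:\WINDOWS\System32\hwclock.exe []
"""

# RSIT prints "name"=path [YYYY-MM-DD size] and leaves the brackets empty when it cannot stat the file.
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# XP SP2 firewall exception value: "path"="path:scope:Enabled:label"
FW_RE = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<label>.*)"$', re.I)
# RSIT driver/service line: "S1 name;description; path [meta]"
DRV_RE = re.compile(r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')

def parse_sections(dump):
    sections, key = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            sections.setdefault(key, [])
        elif key is not None:
            sections[key].append(line)
    return sections

def check_run_keys(sections):
    findings = []
    for key, lines in sections.items():
        if not key.endswith('\\currentversion\\run'):
            continue
        for m in filter(None, map(RUN_RE.match, lines)):
            path = m['path'].strip()
            low = path.lower()
            if not m['meta']:  # binary deleted, hidden, or filtered from view by a rootkit
                findings.append(('run-missing-file', path))
            # autostart living in a drive root or directly in a user's profile folder
            if re.search(r'^[a-z]:\\[^\\]+\.exe$', low) or re.search(r'\\documents and settings\\[^\\]+\\[^\\]+\.exe$', low):
                findings.append(('run-odd-location', path))
    return findings

def check_firewall(sections):
    findings, by_label = [], {}
    for key, lines in sections.items():
        if 'authorizedapplications' not in key:
            continue
        for m in filter(None, map(FW_RE.match, lines)):
            path, label, low = m['path'], m['label'], m['path'].lower()
            if m['state'].lower() != 'enabled' or label.startswith('@'):
                continue  # disabled, or a resource-string label as Windows names its own exceptions
            by_label.setdefault(label, set()).add(low)
            if '\\system32\\' in low or re.match(r'^[a-z]:\\[^\\]+$', low):
                findings.append(('fw-exception-system32-or-root', f'{path} ({label})'))
    for label, paths in by_label.items():
        if len(paths) >= 3:  # one label on many distinct binaries: a dropper re-whitelisting itself
            findings.append(('fw-shared-label', f'{label!r} used by {len(paths)} binaries'))
    return findings

def check_mountpoints(sections):
    return [('autorun-command', line.split(' - ', 1)[1])
            for key, lines in sections.items() if '\\mountpoints2\\' in key
            for line in lines if line.lower().startswith('shell\\autorun\\command')]

def check_drivers(listing):
    findings = []
    for m in filter(None, map(DRV_RE.match, map(str.strip, listing.splitlines()))):
        path = m['path']
        base = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if not m['meta']:
            findings.append(('driver-missing-file', f"{m['name']} -> {path}"))
        # name == description == file stem is how lazily generated kernel drivers register;
        # legitimate cleanup-tool drivers (SABKUTIL.sys above) trip it too, hence only a hint
        if m['name'].lower() == m['desc'].lower() == base.lower():
            findings.append(('driver-name-equals-desc', f"{m['name']} -> {path}"))
    return findings

def triage(dump, drivers):
    sections = parse_sections(dump)
    return check_run_keys(sections) + check_firewall(sections) + check_mountpoints(sections) + check_drivers(drivers)
```

Run against the excerpt, `triage(SAMPLE_DUMP, SAMPLE_DRIVERS)` flags psystem.exe and ms18_word.exe as missing-file autostarts, ms18_word.exe again for its location, the three "Ultimate Tool" exceptions individually and once more for sharing a label, the D:\setup.exe AutoRun command, and the three services with no file metadata. It also flags SABKUTIL.sys, which is a cleanup tool's driver, so the output is a list for a person to read, not something to feed straight into a deletion script. Legitimate entries in the same excerpt (YahooMessenger.exe, sessmgr.exe, NVTcp.sys) produce no findings.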

#4 Blade81, Malware Response Team

Posted 16 November 2009 - 12:48 PM

Hi again,

Let's see if we can blow some more life into your system.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New rsit log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 edp333, Topic Starter

Posted 16 November 2009 - 04:26 PM

ComboFix will not run. The process is terminated immediately. I ran rdisk and tried to run ComboFix afterward with the same results.

I cannot find a way to turn off the protection system.exe if this is causing the problem.

#6 Blade81, Malware Response Team

Posted 17 November 2009 - 03:34 AM

Hi,

Let's try a bit different way.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download ComboFix from any of the links below. You must rename it (exampleName.exe) before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on exampleName.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with rsit log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



#7 edp333, Topic Starter

Posted 17 November 2009 - 07:38 AM

After renaming ComboFix it opens the blue window with an error message: "Date Error: 2009-11-17 Check your settings." When I click the OK button ComboFix is terminated. I changed the date to 2009-11-18 and ComboFix ran, with another error message: "This machine does not have Microsoft recovery console installed. Without it, ComboFix shall not attempt the fixing of some serious infections. Click 'Yes' to have ComboFix install it." I was not able to get a connection, but ran ComboFix anyway. Next ComboFix displayed a message:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Kindly note down on paper, the name of each file. We may need it later.

C:\WINDOWS\system32\drivers\UACnqtirprqxf.sys
C:\WINDOWS\system32\UACuboxjkvrns.dll
C:\WINDOWS\system32\UACmlkyxuirtn.dll
C:\WINDOWS\system32\UACsjgpqfvphh.dll
C:\WINDOWS\system32\UACtowkmbdupx.dll
C:\WINDOWS\system32\UACpbaslwbpxo.dll
C:\WINDOWS\system32\UACteparmkutv.dll
C:\WINDOWS\system32\UACdhxnsefxyy.dll
C:\WINDOWS\system32\UACuwybvkspmy.dll

Windows was able to boot into normal mode, but after clicking Yes to install Microsoft recovery console the blue screen of death appeared about 1 minute into the process: "A problem has been detected and Windows has shut down to prevent damage to your computer.
IRQL_NOT_LESS_OR_EQUAL"

On reboot the diskchk ran, repairing, replacing, and rearranging files. I will post again after I am able to get the computer rebooted and get the logs you requested.

#8 edp333, Topic Starter

Posted 17 November 2009 - 09:30 AM

Every time I run ComboFix the computer goes to the blue screen with a registry error. On restart the Windows Registry Recovery states: One of the files containing the system's registry had to be recovered by use of a log or alternate copy. The recovery was successful.

I have tried running rKill first, with the same results, and I get the same results in safe mode.
I was able to run MBAM once and have included that log, but it made no difference in the running of ComboFix.

Here are the MBAM log and RSIT log:

Malwarebytes' Anti-Malware 1.41
Database version: 3101
Windows 5.1.2600 Service Pack 2

11/18/2009 7:28:49 AM
mbam-log-2009-11-18 (07-28-49).txt

Scan type: Quick Scan
Objects scanned: 146557
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreguardAV) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\System Guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hwclock (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms18_word (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs (Rogue.SystemGuard) -> Quarantined and deleted successfully.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\c.cgm (Rogue.SystemGuard) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wins\SVCHOST.EXE (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-11-18 08:23:17
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 38 GB (50%) free of 76 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:21 AM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\mxtask2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\trend micro\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1247701221125
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PC FineTune Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe

--
End of file - 6041 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
ElnkPubBHO Class - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll [2008-11-04 255472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
ElnkProtectionBHO Class - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll [2008-11-04 415216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
ElnkLegacyUninstBHO Class - C:\Program Files\EarthLink\Toolbar\uninsttb.dll [2008-11-04 280048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink\Toolbar\Toolbar.dll [2008-11-04 873968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe [2004-11-20 266240]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-12 88204]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2009-09-13 1048392]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\qbubjogw.exe"="C:\WINDOWS\System32\qbubjogw.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\azvyue.exe"="C:\WINDOWS\System32\azvyue.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\ssywx.exe"="C:\WINDOWS\System32\ssywx.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\qvvcq.exe"="C:\WINDOWS\System32\qvvcq.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\jqbfdhz.exe"="C:\WINDOWS\System32\jqbfdhz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\apkprhx.exe"="C:\WINDOWS\System32\apkprhx.exe:*:Enabled:Ultimate Tool"
"C:\youre.exe"="C:\youre.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\zoyyyz.exe"="C:\WINDOWS\System32\zoyyyz.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\msbiygma.exe"="C:\WINDOWS\System32\msbiygma.exe:*:Enabled:Ultimate Tool"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\setup.exe


======List of files/folders created in the last 1 months======

2009-11-18 08:17:36 ----D---- C:\32788R22FWJFW
2009-11-18 07:32:01 ----SD---- C:\Combo-Fix
2009-11-18 07:18:20 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2009-11-18 07:00:23 ----A---- C:\Boot.bak
2009-11-18 07:00:13 ----RASHD---- C:\cmdcons
2009-11-18 05:37:59 ----A---- C:\WINDOWS\zip.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\SWSC.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\SWREG.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\sed.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\PEV.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\MBR.exe
2009-11-18 05:37:59 ----A---- C:\WINDOWS\grep.exe
2009-11-17 05:32:19 ----D---- C:\WINDOWS\ERDNT
2009-11-17 05:30:32 ----D---- C:\Qoobox
2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\muweb.dll
2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-11-12 13:27:55 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-11-09 18:36:58 ----D---- C:\Program Files\trend micro
2009-11-09 18:36:57 ----D---- C:\rsit
2009-11-09 14:41:06 ----D---- C:\Program Files\Microsoft Security Essentials
2009-11-09 14:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB914882$
2009-11-09 14:32:31 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2009-11-09 14:29:37 ----D---- C:\Program Files\Windows Defender
2009-11-09 14:24:30 ----D---- C:\WINDOWS\Prefetch
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\proxycfg.exe
2009-11-09 14:19:58 ----N---- C:\WINDOWS\system32\logman.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\cmsetacl.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\btpanui.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthserv.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\bthci.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\blastcln.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\auditusr.exe
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3duag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-11-09 14:19:53 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdukx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsno.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdsmsfi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdno1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt48.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmlt47.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdmaori.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinmal.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinben.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdinbe1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\kbdfi1.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir50_32.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qcx.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ir41_qc.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\ieencode.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\httpapi.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fwcfg.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fsquirt.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltmc.exe
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\fltlib.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\dxdiagn.dll
2009-11-09 14:19:52 ----N---- C:\WINDOWS\system32\d3d9.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\sdhcinst.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\powercfg.exe
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\pnrpnsp.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2psvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pnetsh.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgraph.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2pgasvc.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\p2p.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mspmsnsv.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\msdadiag.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp4sdmod.dll
2009-11-09 14:19:51 ----N---- C:\WINDOWS\system32\mp43dmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmspdmod.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmsdmoe2.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpdxm.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmpasf.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmp.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmidx.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\wmerror.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\winshfhc.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\w3ssl.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\twext.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\strmfilt.dll
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\smbinst.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slserv.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-11-09 14:19:50 ----N---- C:\WINDOWS\system32\slgen.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprovi.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\xmlprov.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuaueng1.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wuauclt1.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wshbth.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscsvc.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wscntfy.exe
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmvdmoe2.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\system32\wmspdmoe.dll
2009-11-09 14:19:49 ----N---- C:\WINDOWS\slrundll.exe
2009-11-09 14:17:08 ----N---- C:\WINDOWS\system32\xpsp2res.dll
2009-11-09 14:16:40 ----A---- C:\WINDOWS\002220_.tmp
2009-11-09 11:38:47 ----D---- C:\Documents and Settings\user\Application Data\Sun
2009-11-07 22:18:20 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-07 14:02:07 ----D---- C:\Documents and Settings\user\Application Data\AVG8
2009-11-07 10:33:04 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-06 21:00:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-06 21:00:32 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-11-06 20:33:14 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-11-18 08:22:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-18 08:22:08 ----SD---- C:\WINDOWS\Tasks
2009-11-18 08:20:23 ----D---- C:\WINDOWS\Temp
2009-11-18 08:15:32 ----D---- C:\WINDOWS
2009-11-18 08:09:34 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-18 07:32:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-18 07:28:49 ----RD---- C:\Program Files
2009-11-18 07:28:49 ----D---- C:\WINDOWS\system32\wins
2009-11-18 07:28:49 ----D---- C:\WINDOWS\system32
2009-11-18 07:04:32 ----D---- C:\WINDOWS\Minidump
2009-11-18 07:00:23 ----RASH---- C:\boot.ini
2009-11-18 06:42:48 ----HD---- C:\WINDOWS\inf
2009-11-18 06:10:08 ----D---- C:\WINDOWS\system32\drivers
2009-11-18 06:10:08 ----D---- C:\WINDOWS\system32\config
2009-11-12 13:27:55 ----D---- C:\WINDOWS\Help
2009-11-09 14:45:26 ----D---- C:\WINDOWS\Debug
2009-11-09 14:41:42 ----D---- C:\WINDOWS\security
2009-11-09 14:41:14 ----SHD---- C:\WINDOWS\Installer
2009-11-09 14:41:10 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2009-11-09 14:40:59 ----A---- C:\WINDOWS\imsins.BAK
2009-11-09 14:40:54 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-09 14:28:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-09 14:25:55 ----A---- C:\WINDOWS\OEWABLog.txt
2009-11-09 14:24:57 ----A---- C:\WINDOWS\setuplog.txt
2009-11-09 14:24:04 ----D---- C:\WINDOWS\system32\wbem
2009-11-09 14:24:04 ----D---- C:\WINDOWS\AppPatch
2009-11-09 14:24:03 ----RSD---- C:\WINDOWS\Fonts
2009-11-09 14:22:04 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-09 14:20:21 ----A---- C:\WINDOWS\win.ini
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\Setup
2009-11-09 14:19:57 ----D---- C:\WINDOWS\system32\oobe
2009-11-09 14:19:57 ----D---- C:\Program Files\Common Files\System
2009-11-09 14:19:56 ----D---- C:\WINDOWS\system32\mui
2009-11-09 14:19:56 ----D---- C:\WINDOWS\ime
2009-11-09 14:19:49 ----D---- C:\Program Files\Windows Media Player
2009-11-09 14:19:48 ----D---- C:\WINDOWS\PeerNet
2009-11-09 14:19:48 ----D---- C:\Program Files\Movie Maker
2009-11-09 14:19:47 ----D---- C:\WINDOWS\Media
2009-11-09 14:18:23 ----D---- C:\Program Files\Internet Explorer
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\Restore
2009-11-09 14:18:22 ----D---- C:\WINDOWS\system32\npp
2009-11-09 14:18:22 ----D---- C:\WINDOWS\msagent
2009-11-09 14:18:20 ----D---- C:\WINDOWS\srchasst
2009-11-09 14:18:18 ----D---- C:\Program Files\NetMeeting
2009-11-09 14:18:17 ----D---- C:\WINDOWS\system32\Com
2009-11-09 14:18:14 ----D---- C:\Program Files\Windows NT
2009-11-09 14:18:14 ----D---- C:\Program Files\Outlook Express
2009-11-09 14:18:02 ----D---- C:\WINDOWS\system32\usmt
2009-11-09 14:18:01 ----D---- C:\WINDOWS\system
2009-11-09 14:17:08 ----RD---- C:\WINDOWS\Web
2009-11-09 14:17:00 ----RASH---- C:\NTDETECT.COM
2009-11-09 14:16:33 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-11-09 14:15:30 ----D---- C:\WINDOWS\EHome
2009-11-07 22:18:20 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-06 21:11:25 ----D---- C:\Program Files\ESET
2009-11-06 20:33:24 ----D---- C:\Documents and Settings

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-06-18 142832]
R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2004-11-10 94976]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-12-12 1124097]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2004-11-10 33408]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2004-11-10 12928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S1 jwgvxnhg;jwgvxnhg; \??\C:\WINDOWS\system32\drivers\jwgvxnhg.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 SABKUTIL;SABKUTIL; \??\C:\Documents and Settings\user\Desktop\SABKUTIL.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-03-31 5888]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 app_filter;app_filter; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2004-11-20 139264]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2004-10-30 20543]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-07-02 17904]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2004-11-20 110653]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2004-11-20 53313]
R2 PC FineTune Task Manager;PC FineTune Task Manager; C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe [2008-11-14 120088]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

-----------------EOF-----------------
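
As an added example (not from this thread and not part of RSIT or HijackThis), here is a small Python triage script that reads RSIT-style lines like the ones in the log above and surfaces two things a responder would look at first: firewall exceptions whose friendly name is reused by several different executables (in the log above nine unrelated binaries all share the label "Ultimate Tool"), and driver entries whose trailing info field is empty (`[]`), meaning RSIT could not read the file to get its date and size. The sample log is constructed from a few lines of the posted log, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in RSIT/HijackThis format: a few lines copied from the log
# posted in this thread, trimmed so the script runs offline without a real scan.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\qbubjogw.exe"="C:\WINDOWS\System32\qbubjogw.exe:*:Enabled:Ultimate Tool"
"C:\WINDOWS\System32\azvyue.exe"="C:\WINDOWS\System32\azvyue.exe:*:Enabled:Ultimate Tool"
"C:\youre.exe"="C:\youre.exe:*:Enabled:Ultimate Tool"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-06-18 142832]
S1 jwgvxnhg;jwgvxnhg; \??\C:\WINDOWS\system32\drivers\jwgvxnhg.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys []
"""

# "<path>"="<path>:*:<Enabled|Disabled>:<label>" as written by the XP firewall.
FW_LINE = re.compile(
    r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>[A-Za-z]+):(?P<label>[^"]*)"$')

# "<R|S><start> <name>;<description>; <image path> [<date size>]" as RSIT prints drivers.
DRV_LINE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); '
    r'(?P<path>.*?) \[(?P<info>[^\]]*)\]$')


def parse_firewall_exceptions(log_text):
    """Return (path, state, label) tuples for every firewall exception line."""
    found = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            found.append((m['path'], m['state'].lower(), m['label']))
    return found


def shared_label_findings(exceptions, min_binaries=2):
    """Map each free-text label to the distinct binaries registered under it,
    keeping only labels reused by at least `min_binaries` executables.
    Labels of the form @dll,-id are resource strings Windows uses for its own
    exceptions, so they are left out of the grouping."""
    by_label = defaultdict(set)
    for path, _state, label in exceptions:
        if label.startswith('@'):
            continue
        by_label[label].add(path)
    return {label: sorted(paths)
            for label, paths in by_label.items() if len(paths) >= min_binaries}


def parse_drivers(log_text):
    """Return one dict per driver line in the RSIT driver list."""
    drivers = []
    for line in log_text.splitlines():
        m = DRV_LINE.match(line.strip())
        if m:
            drivers.append(m.groupdict())
    return drivers


def unverifiable_drivers(drivers):
    """Drivers whose info field is empty: RSIT could not read the image file,
    so its timestamp and size are unknown. Scanner drivers loaded from Temp
    (catchme, rootrepeal) land here too, so this is a review queue, not a verdict."""
    return [d for d in drivers if d['info'] == '']


def triage(log_text):
    """Run both checks over a log and return the findings as plain data."""
    return {
        'shared_labels': shared_label_findings(parse_firewall_exceptions(log_text)),
        'unverifiable_drivers': [d['name'] for d in unverifiable_drivers(parse_drivers(log_text))],
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for label, paths in result['shared_labels'].items():
        print(f'label "{label}" reused by {len(paths)} binaries:')
        for p in paths:
            print('   ', p)
    print('drivers with unreadable image file:', ', '.join(result['unverifiable_drivers']))
```

Point the script at a full RSIT log and the shared-label check turns the nine "Ultimate Tool" exceptions into one finding, while the driver check lists jwgvxnhg, SABKUTIL, catchme, rootrepeal, RT2500 and IntelIde for a human to sort into known tools and unknowns.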

#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 November 2009 - 09:54 AM

Hello,

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 edp333

  • Topic Starter
  • Members
  • 66 posts

Posted 17 November 2009 - 11:37 AM

This is all of the log I can get saved before the system blue screens and shuts down:

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-18 10:31:33
Windows 5.1.2600 Service Pack 2
Running: h3zdneqd.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\uxtdipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 10:33:37
Windows 5.1.2600 Service Pack 2
Running: h3zdneqd.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\uxtdipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnqtirprqxf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnqtirprqxf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACuboxjkvrns.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmlkyxuirtn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACsjgpqfvphh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACtowkmbdupx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACpbaslwbpxo.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACteparmkutv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACdhxnsefxyy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuwybvkspmy.dll

#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 November 2009 - 12:03 PM

Hi,

Please follow the Manually installing the Windows Recovery Console part of the ComboFix tutorial to get the recovery console installed. This is the correct recovery console pack (for Home Edition with SP2 installed) for you. Just remember to change the language in the Change language combobox if your operating system language is other than English.


#12 edp333

  • Topic Starter
  • Members
  • 66 posts

Posted 17 November 2009 - 01:12 PM

ComboFix selected and installed the Recovery Console earlier. If you like I can reinstall as per the directions.

#13 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 November 2009 - 01:46 PM

This is what you wrote earlier:

When I click the OK button Combofix is terminated. I changed the date to 2009-11-18 and Combofix ran with another error message; "This machine does not have Microsoft recovery console installed. Without it, ComboFix shall not attempt the fixing of some serious infections. Click 'Yes' to have ComboFix install it." I was not able to get a connection, but ran ComboFix anyway.

I understood that a connection wasn't available and so the recovery console couldn't be installed. Could you tell me if the recovery console was installed after all?


#14 edp333

  • Topic Starter
  • Members
  • 66 posts

Posted 17 November 2009 - 02:15 PM

Yes, on one of my many attempts ComboFix downloaded and installed the recovery console. The computer now boots with the Recovery Console option or Windows XP option. The installation of the recovery console did nothing for the ComboFix blue screen crash and reboot.

#15 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 November 2009 - 02:38 PM

Ok. Thanks for confirming :(

Could you try to run ComboFix in safe mode, please? Before that, make sure Microsoft Security Essentials (MSE) is disabled:
1. Start MSE
2. Click the Settings tab
3. Click Real-time protection on the left side and uncheck the Turn on real-time protection (recommended) checkbox.
4. Click the Save changes button and close MSE.
