Brianzx7

Posts posted by Brianzx7

  1. Well, the file has not returned, so that is a good sign. Thank you again for helping me.

    On a slightly different note, why would anybody be so bored that they create these things to screw with people's computers? Do you think the perps should be tracked down and fined and/or imprisoned? I do.

    ~B

  2. Thank you very much for taking the time to help me!

    Here is the ComboFix log after I ran it with the CFScript.

    ComboFix 09-04-04.01 - Brian 2009-04-06 14:22:39.3 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.583 [GMT -7:00]

    Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt

    * Created a new restore point

    FILE ::

    c:\windows\cpstrl.dll

    c:\windows\ujoduvakadevi.dll

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\windows\cpstrl.dll

    c:\windows\ujoduvakadevi.dll

    .

    ((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

    .

    2009-04-06 13:14 . 2009-04-06 13:14 <DIR> d-------- c:\program files\Trend Micro

    2009-04-06 12:06 . 2009-04-06 12:06 <DIR> d-------- c:\program files\CCleaner

    2009-04-02 08:25 . 2009-04-02 11:06 <DIR> d-------- c:\documents and settings\Brian\.housecall6.6

    2009-03-29 13:19 . 2009-03-29 13:19 <DIR> d-------- c:\program files\ffdshow

    2009-03-29 13:19 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest

    2009-03-29 13:03 . 2009-03-29 13:51 <DIR> d-------- c:\documents and settings\Brian\Application Data\FLV Extract

    2009-03-24 17:50 . 2009-03-24 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Real

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\xing shared

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\Real

    2009-03-20 23:07 . 2009-03-27 21:52 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll

    2009-03-20 23:07 . 2009-03-27 21:52 156,672 --a------ c:\windows\system32\rmc_fixasf.exe

    2009-03-20 23:06 . 2009-03-20 23:06 <DIR> d-------- c:\windows\Replay Media Catcher

    2009-03-20 23:06 . 2009-03-27 23:29 <DIR> d-------- c:\program files\Replay Media Catcher

    2009-03-20 23:06 . 2009-03-27 21:52 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL

    2009-03-19 17:01 . 2009-03-19 17:53 <DIR> d-------- c:\program files\iTunes

    2009-03-19 17:01 . 2009-03-19 17:01 <DIR> d-------- c:\program files\iPod

    2009-03-19 17:01 . 2009-03-19 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

    2009-03-19 16:55 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

    2009-03-11 17:02 . 2009-03-11 16:51 15,688 --a------ c:\windows\system32\lsdelete.exe

    2009-03-11 16:51 . 2009-03-11 16:50 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

    2009-03-11 16:45 . 2009-03-11 16:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-04-02 15:25 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys

    2009-04-01 03:29 --------- d-----w c:\program files\Java

    2009-03-29 19:48 --------- d-----w c:\program files\Avidemux 2.4

    2009-03-29 19:41 --------- d-----w c:\documents and settings\Brian\Application Data\Audacity

    2009-03-28 01:50 --------- d-----w c:\documents and settings\Brian\Application Data\gtk-2.0

    2009-03-27 18:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

    2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

    2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

    2009-03-25 23:32 --------- d-----w c:\documents and settings\Brian\Application Data\AVS4YOU

    2009-03-20 00:53 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer

    2009-03-20 00:01 --------- d-----w c:\program files\Common Files\Apple

    2009-03-20 00:00 --------- d-----w c:\program files\Bonjour

    2009-03-19 23:59 --------- d-----w c:\program files\QuickTime

    2009-03-17 04:44 --------- d-----w c:\documents and settings\Brian\Application Data\Move Networks

    2009-03-12 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution

    2009-03-11 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

    2009-03-06 06:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys

    2009-02-26 20:38 --------- d-----w c:\program files\Microsoft Silverlight

    2009-02-24 05:13 --------- d-----w c:\program files\Free Video Tools

    2009-02-20 20:43 --------- d-----w c:\documents and settings\Brian\Application Data\vlc

    2009-02-20 20:35 --------- d-----w c:\program files\VideoLAN

    2009-02-19 23:25 --------- d-----w c:\program files\iTunes Library Updater

    2009-02-19 18:53 --------- d-----w c:\program files\Common Files\AVSMedia

    2009-02-19 18:53 --------- d-----w c:\program files\AVS4YOU

    2009-02-19 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU

    2009-02-19 18:19 --------- d-----w c:\program files\PixiePack Codec Pack

    2009-02-19 18:16 --------- d-----w c:\program files\RapidSolution

    2009-02-19 18:09 --------- d-----w c:\program files\Ultra QuickTime Converter

    2009-02-19 18:03 --------- d-----w c:\program files\MediaCoder

    2009-02-19 18:03 --------- d-----w c:\documents and settings\Brian\Application Data\Broad Intelligence

    2009-02-19 04:08 --------- d-----w c:\documents and settings\Brian\Application Data\ImTOO Software Studio

    2009-02-19 04:07 --------- d-----w c:\program files\ImTOO

    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))

    .

    - 2009-04-02 22:43:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

    + 2009-04-06 20:05:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

    - 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    + 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    - 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    + 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    - 2009-04-06 18:38:17 64,774 ----a-w c:\windows\system32\perfc009.dat

    + 2009-04-06 20:50:21 64,774 ----a-w c:\windows\system32\perfc009.dat

    - 2009-04-06 18:38:17 409,800 ----a-w c:\windows\system32\perfh009.dat

    + 2009-04-06 20:50:21 409,800 ----a-w c:\windows\system32\perfh009.dat

    + 2009-04-06 21:26:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_374.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]

    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]

    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]

    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

    "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]

    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]

    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]

    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]

    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]

    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]

    S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]

    S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]

    S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]

    S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]

    S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]

    S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]

    S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]

    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]

    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]

    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

    c:\program files\PixiePack Codec Pack\InstallerHelper.exe

    .

    Contents of the 'Scheduled Tasks' folder

    2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

    2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Settings,ProxyOverride = *.local

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    LSP: bmnet.dll

    Trusted Zone: internet

    Trusted Zone: mcafee.com

    Trusted Zone: turbotax.com

    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\

    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

    FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-04-06 14:26:30

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(984)

    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1040)

    c:\windows\system32\bmnet.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\ati2evxx.exe

    c:\windows\system32\scardsvr.exe

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\windows\system32\bmwebcfg.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    c:\windows\system32\Crypserv.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Analog Devices\SoundMAX\SMAgent.exe

    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

    c:\windows\system32\ati2evxx.exe

    c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe

    c:\windows\system32\wbem\wmiadap.exe

    .

    **************************************************************************

    .

    Completion time: 2009-04-06 14:30:12 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-04-06 21:30:10

    ComboFix2.txt 2009-04-06 20:49:54

    ComboFix3.txt 2009-04-06 19:29:40

    Pre-Run: 7,050,506,240 bytes free

    Post-Run: 7,033,880,576 bytes free

    227 --- E O F --- 2009-03-20 10:02:17

  3. Here is the ComboFix log:

    ComboFix 09-04-04.01 - Brian 2009-04-06 13:40:45.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.642 [GMT -7:00]

    Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe

    .

    ((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

    .

    2009-04-06 13:14 . 2009-04-06 13:14 <DIR> d-------- c:\program files\Trend Micro

    2009-04-06 12:06 . 2009-04-06 12:06 <DIR> d-------- c:\program files\CCleaner

    2009-04-02 08:25 . 2009-04-02 11:06 <DIR> d-------- c:\documents and settings\Brian\.housecall6.6

    2009-03-29 13:19 . 2009-03-29 13:19 <DIR> d-------- c:\program files\ffdshow

    2009-03-29 13:19 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest

    2009-03-29 13:03 . 2009-03-29 13:51 <DIR> d-------- c:\documents and settings\Brian\Application Data\FLV Extract

    2009-03-24 17:50 . 2009-03-24 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Real

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\xing shared

    2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\Real

    2009-03-20 23:07 . 2009-03-27 21:52 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll

    2009-03-20 23:07 . 2009-03-27 21:52 156,672 --a------ c:\windows\system32\rmc_fixasf.exe

    2009-03-20 23:06 . 2009-03-20 23:06 <DIR> d-------- c:\windows\Replay Media Catcher

    2009-03-20 23:06 . 2009-03-27 23:29 <DIR> d-------- c:\program files\Replay Media Catcher

    2009-03-20 23:06 . 2009-03-27 21:52 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL

    2009-03-19 17:01 . 2009-03-19 17:53 <DIR> d-------- c:\program files\iTunes

    2009-03-19 17:01 . 2009-03-19 17:01 <DIR> d-------- c:\program files\iPod

    2009-03-19 17:01 . 2009-03-19 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

    2009-03-19 16:55 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

    2009-03-11 17:02 . 2009-03-11 16:51 15,688 --a------ c:\windows\system32\lsdelete.exe

    2009-03-11 16:51 . 2009-03-11 16:50 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

    2009-03-11 16:45 . 2009-03-11 16:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-04-02 15:25 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys

    2009-04-01 03:29 --------- d-----w c:\program files\Java

    2009-03-29 19:48 --------- d-----w c:\program files\Avidemux 2.4

    2009-03-29 19:41 --------- d-----w c:\documents and settings\Brian\Application Data\Audacity

    2009-03-28 01:50 --------- d-----w c:\documents and settings\Brian\Application Data\gtk-2.0

    2009-03-27 18:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

    2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

    2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

    2009-03-25 23:32 --------- d-----w c:\documents and settings\Brian\Application Data\AVS4YOU

    2009-03-20 00:53 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer

    2009-03-20 00:01 --------- d-----w c:\program files\Common Files\Apple

    2009-03-20 00:00 --------- d-----w c:\program files\Bonjour

    2009-03-19 23:59 --------- d-----w c:\program files\QuickTime

    2009-03-17 04:44 --------- d-----w c:\documents and settings\Brian\Application Data\Move Networks

    2009-03-12 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution

    2009-03-11 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

    2009-03-06 06:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys

    2009-02-26 20:38 --------- d-----w c:\program files\Microsoft Silverlight

    2009-02-24 05:13 --------- d-----w c:\program files\Free Video Tools

    2009-02-20 20:43 --------- d-----w c:\documents and settings\Brian\Application Data\vlc

    2009-02-20 20:35 --------- d-----w c:\program files\VideoLAN

    2009-02-19 23:25 --------- d-----w c:\program files\iTunes Library Updater

    2009-02-19 18:53 --------- d-----w c:\program files\Common Files\AVSMedia

    2009-02-19 18:53 --------- d-----w c:\program files\AVS4YOU

    2009-02-19 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU

    2009-02-19 18:19 --------- d-----w c:\program files\PixiePack Codec Pack

    2009-02-19 18:16 --------- d-----w c:\program files\RapidSolution

    2009-02-19 18:09 --------- d-----w c:\program files\Ultra QuickTime Converter

    2009-02-19 18:03 --------- d-----w c:\program files\MediaCoder

    2009-02-19 18:03 --------- d-----w c:\documents and settings\Brian\Application Data\Broad Intelligence

    2009-02-19 04:08 --------- d-----w c:\documents and settings\Brian\Application Data\ImTOO Software Studio

    2009-02-19 04:07 --------- d-----w c:\program files\ImTOO

    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))

    .

    - 2009-04-02 22:43:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

    + 2009-04-06 20:05:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

    - 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    + 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    - 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    + 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    - 2009-04-06 18:38:17 64,774 ----a-w c:\windows\system32\perfc009.dat

    + 2009-04-06 20:05:44 64,774 ----a-w c:\windows\system32\perfc009.dat

    - 2009-04-06 18:38:17 409,800 ----a-w c:\windows\system32\perfh009.dat

    + 2009-04-06 20:05:45 409,800 ----a-w c:\windows\system32\perfh009.dat

    + 2009-04-06 20:45:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1a0.dat

    + 2008-04-14 00:12:08 157,696 ----a-w c:\windows\ujoduvakadevi.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]

    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]

    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]

    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

    "Hlipiyupadewiyo"="c:\windows\ujoduvakadevi.dll" [2008-04-13 157696]

    "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]

    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]

    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]

    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]

    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Notification Packages REG_MULTI_SZ scecli cpstrl.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]

    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]

    S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]

    S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]

    S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]

    S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]

    S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]

    S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]

    S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]

    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]

    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]

    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

    c:\program files\PixiePack Codec Pack\InstallerHelper.exe

    .

    Contents of the 'Scheduled Tasks' folder

    2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

    2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Settings,ProxyOverride = *.local

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    LSP: bmnet.dll

    Trusted Zone: internet

    Trusted Zone: mcafee.com

    Trusted Zone: turbotax.com

    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\

    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

    FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-04-06 13:46:07

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(988)

    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1044)

    c:\windows\cpstrl.dll

    c:\windows\system32\bmnet.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\ati2evxx.exe

    c:\windows\system32\scardsvr.exe

    c:\windows\system32\ati2evxx.exe

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\windows\system32\bmwebcfg.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    c:\windows\system32\Crypserv.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Analog Devices\SoundMAX\SMAgent.exe

    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

    c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe

    c:\windows\system32\wbem\wmiadap.exe

    .

    **************************************************************************

    .

    Completion time: 2009-04-06 13:49:52 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-04-06 20:49:49

    ComboFix2.txt 2009-04-06 19:29:40

    Pre-Run: 7,063,465,984 bytes free

    Post-Run: 7,069,171,712 bytes free

    221 --- E O F --- 2009-03-20 10:02:17
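The ComboFix section above lists c:\windows\cpstrl.dll among the DLLs loaded into lsass.exe, and the same file among the deletions at the top of the log. The following is an added example, not ComboFix code or anything posted in this thread: it parses that "DLLs Loaded Under Running Processes" section and flags modules mapped into core Windows processes whose path is outside the system directories. The process set and directory list are assumptions chosen for illustration, not a complete allow-list, and the sample input is the section as it appears in the log.

```python
"""Heuristic check over ComboFix's "DLLs Loaded Under Running Processes" section.
Added example: flags DLLs mapped into core Windows processes (lsass.exe,
winlogon.exe, ...) whose path is outside the system directories. The process
and directory sets below are assumptions, not a complete allow-list."""
import re

# Processes where an unexpected module is worth a look (assumed set).
PRIVILEGED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Directories where modules loaded into those processes normally live (assumed set).
EXPECTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# Matches a ComboFix process header such as "- - - - - - - > 'lsass.exe'(1044)".
HEADER_RE = re.compile(r"^-(?: -)* > '([^']+)'\((\d+)\)$")

def parse_loaded_dlls(section):
    """Map each process header to the module paths listed beneath it, up to the
    next header or the closing '.' line. Lines before the first header are ignored."""
    loaded, current = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            loaded.setdefault(current, [])
        elif current is not None:
            loaded[current].append(line)
    return loaded

def flag_out_of_place_modules(section):
    """Return (process, dll) pairs for modules inside PRIVILEGED processes whose
    path does not sit under one of EXPECTED_DIRS."""
    hits = []
    for proc, dlls in parse_loaded_dlls(section).items():
        if proc not in PRIVILEGED:
            continue
        for dll in dlls:
            if not any(d in dll.lower() for d in EXPECTED_DIRS):
                hits.append((proc, dll))
    return hits

# Sample input: the section as it appears in the ComboFix log in this thread.
SAMPLE_SECTION = """\
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\\windows\\system32\\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1044)
c:\\windows\\cpstrl.dll
c:\\windows\\system32\\bmnet.dll

.
"""

if __name__ == "__main__":
    for proc, dll in flag_out_of_place_modules(SAMPLE_SECTION):
        print(f"{proc}: {dll} is loaded from outside the system directories")
```

On the log above this reports only c:\windows\cpstrl.dll in lsass.exe; bmnet.dll also lives in lsass.exe but sits in system32, so a path heuristic alone will not single it out (the log separately lists it as an LSP, which is a different check).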

  4. Hello all, I have a strange malware that keeps coming back. Here is what it says currently in the registry:

    Hlipiyupadewiyo rundll32.exe "C:\WINDOWS\ujoduvakadevi.dll",e

    This is located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Here is the ugly part. If I delete this entry, it comes back in a couple of minutes. If I run MalwareBytes, it finds it, deletes it and it will come back. If I log into safe mode and delete the dll file (currently named "ujoduvakadevi.dll"), it will come back named something different. However, the main name always stays the same (Hlipiyupadewiyo).

    I have tried Ad Aware, CCleaner, ComboFix, and of course MalwareBytes. Nothing seems to get rid of it permanently.

    Below is the HiJackThis log.

    Thanks for any help

    ~B

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 1:14:41 PM, on 4/6/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

    C:\WINDOWS\AGRSMMSG.exe

    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\WINDOWS\system32\bmwebcfg.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\regedit.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175990021875

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...570/mcfscan.cab

    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com

    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    O23 - Service: Executive Software Undelete (UndeleteService) - Unknown owner - C:\Program Files\Executive Software\Undelete\UdServe.exe (file missing)

    --

    End of file - 13582 bytes

  5. Aspirina - What was the point of finding the reg key that you can't see and writing down the name of it?

    ~B

    Here is what you should do:

    To check the name of the malware file (in case the malware uses a random name when installing), you should do this:

    - Go to Start -> Run and type REGEDIT.EXE

    - Find this key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and walk over the keys you find here with the Down Arrow button of your keyboard. You will easily find it because you will get a popup from regedit telling you that the key can't be read. Write down the name of the key and then do the following (you can close regedit for now):

    - Run Malwarebytes' Anti-Malware or some antimalware tool.

    - Remove everything you find (if you have this malware, then you will find seneka and some other nasty stuff like crypts.dll).

    - If it asks for restart to fix everything click on Yes.

    - Restart your system in Safe Mode.

    - Go to Start -> Run and type REGEDIT.EXE (again)

    - Go to Edit -> Search and search for fystemroot in the registry (be sure to find EVERY match)

    - In every key you find the value, you have to go to Edit -> Permissions and set permissions (total control) for you (administrator) then apply and double click on the key, replace %fystemroot% with %Systemroot% every time and then restart your computer normally.

    - Just in case... run your antimalware program again, because the downloader can install it again after you removed the malware the first time, as it can download it and you won't notice (before starting in safe mode).

    Well, I wrote this because I couldn't find anything about it before, so I hope it works for you too. By the way, Malwarebytes Anti-Malware halts my system badly when performing a full scan of both drives (sometimes it finishes the full scan of the smaller partition completely, but not always, so I think it may be the number of files and the memory of my computer or something that makes the whole system freeze). Ah, and I don't speak English very well, so I hope you understand everything. I tried to do... not my best, but... I tried (?)
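Two things in this thread lend themselves to an offline check on a registry export: the Run-key value from post 4 (a rundll32.exe launch of a DLL that sits directly in C:\WINDOWS and gets renamed on every return) and the %fystemroot% search in the advice quoted above. The script below is an added example, not code from either poster or from any tool named here. It works on a regedit export (File > Export, which writes a .reg file) rather than the live registry, decodes only REG_SZ and REG_EXPAND_SZ (hex(2)) values, and reports both indicators with the corrected data for the second one. The sample export is constructed: the Run value copies the entry reported in post 4, while the service name "examplesvc" and its driver path are made up.

```python
"""Offline scan of a regedit export (.reg) for the two indicators in this thread.
Added example, not code from the thread:
  1. Run/RunOnce values that start rundll32.exe on a DLL sitting directly in the
     Windows directory rather than System32 (the Hlipiyupadewiyo pattern).
  2. Values whose data contains the misspelled %fystemroot% variable, plus the
     corrected data to write back.
Only REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) values are decoded."""
import re

# "name"=data or @=data; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# rundll32[.exe] "path\to\file.dll",entry
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)

def parse_reg_export(text):
    """Yield (key, value_name, data) for string-typed values in a .reg file.
    Hex data continued over several lines (trailing backslash) is joined first."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ: regedit escapes backslash and quote with a backslash
            yield key, name, re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("hex(2):"):
            # REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated
            raw_bytes = bytes(int(b, 16) for b in data[7:].split(",") if b)
            yield key, name, raw_bytes.decode("utf-16-le").rstrip("\x00")

def suspicious_rundll_autostarts(text):
    """Run/RunOnce values that make rundll32 load a DLL from %SystemRoot% itself."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        m = RUNDLL_RE.search(data)
        if not m:
            continue
        dll = m.group(1)
        parent = dll.rsplit("\\", 1)[0].lower()
        if parent.endswith("\\windows") or parent in ("%systemroot%", "%windir%"):
            hits.append((name, dll))
    return hits

def fystemroot_fixes(text):
    """(key, value, current data, corrected data) for every %fystemroot% occurrence."""
    return [(key, name, data, re.sub(r"%fystemroot%", "%SystemRoot%", data, flags=re.I))
            for key, name, data in parse_reg_export(text)
            if "fystemroot" in data.lower()]

# Constructed sample export: the Run value copies the one reported in this thread;
# the service name and driver path are made up. The hex(2) data decodes to
# "%fystemroot%\x.sys".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Hlipiyupadewiyo"="rundll32.exe \"C:\\WINDOWS\\ujoduvakadevi.dll\",e"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc]
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,78,00,2e,00,73,00,79,00,73,00,00,00
'''

if __name__ == "__main__":
    for name, dll in suspicious_rundll_autostarts(SAMPLE_REG):
        print(f"Run value {name!r} loads {dll} via rundll32")
    for key, name, old, new in fystemroot_fixes(SAMPLE_REG):
        print(f"[{key}] {name}: {old!r} -> {new!r}")
```

The value name is the stable indicator here (the thread reports the DLL being renamed on every return while "Hlipiyupadewiyo" stays), so matching on the launch pattern rather than the file name is what keeps the check useful across re-infections; %fystemroot% entries are reported rather than rewritten because, as the quoted advice notes, the keys that carry them first need their permissions restored before a write will succeed.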
