Reallyhatesspyware

Posts posted by Reallyhatesspyware

  1. Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 2:53:42 AM, on 07/02/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\SearchIndexer.exe

    C:\PROGRA~1\AVG\AVG8\avgrsx.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\PROGRA~1\AVG\AVG8\avgnsx.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\PROGRA~1\AVG\AVG8\avgemc.exe

    C:\Program Files\AVG\AVG8\avgcsrvx.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\WINDOWS\RTHDCPL.EXE

    C:\WINDOWS\system32\sessmgr.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\Program Files\Windows Defender\MSASCui.exe

    C:\PROGRA~1\AVG\AVG8\avgtray.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\DNA\btdna.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Skype\Phone\Skype.exe

    C:\Program Files\Steam\Steam.exe

    C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    C:\WINDOWS\system32\SearchProtocolHost.exe

    C:\Program Files\LimeWire\LimeWire.exe

    C:\Program Files\Skype\Plugin Manager\skypePM.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

    O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'Default user')

    O4 - Startup: IMVU.lnk = C:\Documents and Settings\Chris Woodward\Application Data\IMVUClient\IMVUClient.exe

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris Woodward\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --

    End of file - 8743 bytes

  2. Sorry it took so long to respond miekie. Didn't get an email notification till tonight.

    Here is this MBAM log taken tonight.

    __________________________________________________________________________________

    Malwarebytes' Anti-Malware 1.44

    Database version: 3700

    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    Internet Explorer 8.0.6001.18702

    07/02/2010 1:42:46 AM

    mbam-log-2010-02-07 (01-42-46).txt

    Scan type: Quick Scan

    Objects scanned: 131459

    Time elapsed: 8 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 2

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 4

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\Software\avsoft (Trojan.FakeAV) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jittawte (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jicgiiyp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Documents and Settings\Chris Woodward\Local Settings\Temp\EQKg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Chris Woodward\Local Settings\Temp\sClw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Chris Woodward\Local Settings\Temporary Internet Files\Content.IE5\QPI4JMG9\eHbf2015c2V0100f080006Rba08fd69102Tf4497487201l0409K23261b0b318J0b0006010[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Chris Woodward\Local Settings\Temporary Internet Files\Content.IE5\QPI4JMG9\eHbf2015c2V0100f080006Rba08fd69102Tf4497487201l0409Kbcc29e78318J0b0006010[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    __________________________________________________________________________________

    And here is this HijackThis log from tonight.

    __________________________________________________________________________________

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 1:49:10 AM, on 07/02/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Safe mode with network support

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\sessmgr.exe

    C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    C:\Program Files\Windows Live\Contacts\wlcomm.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\RDSHOST.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

    O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'Default user')

    O4 - Startup: IMVU.lnk = C:\Documents and Settings\Chris Woodward\Application Data\IMVUClient\IMVUClient.exe

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris Woodward\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --

    End of file - 7733 bytes

  3. Helping my girlfriend fix her computer. Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 11:00:49 PM, on 04/02/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Safe mode with network support

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    C:\WINDOWS\system32\RDSHOST.exe

    C:\WINDOWS\system32\sessmgr.exe

    C:\Program Files\Windows Live\Contacts\wlcomm.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

    O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

    O4 - HKCU\..\Run: [jittawte] C:\Documents and Settings\Chris Woodward\Local Settings\Application Data\xpjmgj\mbyrsftav.exe

    O4 - HKCU\..\Run: [jicgiiyp] C:\Documents and Settings\Chris Woodward\Local Settings\Application Data\pmhoso\mskysftav.exe

    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217 (User 'Default user')

    O4 - Startup: IMVU.lnk = C:\Documents and Settings\Chris Woodward\Application Data\IMVUClient\IMVUClient.exe

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris Woodward\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --

    End of file - 7983 bytes

  4. After typing in SC query EVENTLOG

    ------------------------------------------------------------------

    Microsoft Windows XP [Version 5.1.2600]

    © Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Stephen Reid>SC query EVENTLOG

    SERVICE_NAME: EVENTLOG

    TYPE : 20 WIN32_SHARE_PROCESS

    STATE : 4 RUNNING

    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

    WIN32_EXIT_CODE : 0 (0x0)

    SERVICE_EXIT_CODE : 0 (0x0)

    CHECKPOINT : 0x0

    WAIT_HINT : 0x0

    C:\Documents and Settings\Stephen Reid>

    -------------------------------------------------------------------------------------------------------------------------------------

    Text after Scan

    ------------------------------------------------------------------------------------------------------------------------------------

    ComboFix 09-09-22.02 - Stephen Reid 09/22/2009 16:47.3.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.328 [GMT -7:00]

    Running from: c:\documents and settings\Stephen Reid\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\Stephen Reid\Desktop\cfscript.txt

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::

    "C:\hwdgqmcw.exe"

    "c:\program files\Common Files\fyno._sy"

    "c:\windows\qypyd.com"

    "c:\windows\sycapyvac.dat"

    file zipped: c:\windows\system32\nakuwiyi.dll

    file zipped: c:\windows\system32\rikosego.dll

    file zipped: c:\windows\system32\witiwegu.dll

    file zipped: c:\windows\system32\mfsdisk.sys

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\_911offline.html

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\_shuttingdown.html

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\install.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\magicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\magicJackSplash.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\mjsetup.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\splash.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\WarningMJCouldNotStart.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\big.skn

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\closeWindow.png

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\magicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\magicJackSplash.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\mjsetup.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\setup.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\splash.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\WarningMJCouldNotStart.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\Loader.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJack.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJackLoader.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJackSplash.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\mainBannerOffline.html

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\octvqe1_apiw.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\SJHandsetMagicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\small.skn

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\magicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\magicJackSplash.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\mjsetup.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\splash.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\WarningMJCouldNotStart.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\TjIpSys.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\TjVista.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\install.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\magicJack.dll

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\magicJackSplash.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\setup.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\splash.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\WarningMJCouldNotStart.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\install1.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\install1.ini

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\setup1.exe

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\setup1.ini

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\WarningMJCouldNotStart.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\WarningNoDeviceFound.gif

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\wroffline.html

    c:\documents and settings\Stephen Reid\Application Data\mjusbsp\wroffline1.html

    C:\hwdgqmcw.exe

    c:\program files\Common Files\fyno._sy

    c:\windows\qypyd.com

    c:\windows\sycapyvac.dat

    c:\windows\system32\nakuwiyi.dll

    c:\windows\system32\rikosego.dll

    c:\windows\system32\wawavara.dll

    c:\windows\system32\witiwegu.dll

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_XVPWUN

    -------\Service_ezjqasr

    -------\Service_fyjxwqs

    -------\Service_xvpwun

    ((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))

    .

    2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet

    2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

    2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

    2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

    2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

    2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro

    2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

    2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

    2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS3

    2009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

    2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

    2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

    2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

    2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab

    2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

    2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

    2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

    2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat

    2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-09-22 23:50 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware

    2009-09-22 23:43 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype

    2009-09-22 23:05 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM

    2009-09-22 21:12 . 2009-06-22 21:12 88064 --sha-w- c:\windows\system32\majubilu.dll

    2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat

    2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com

    2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

    2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

    2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

    2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod

    2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple

    2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour

    2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime

    2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update

    2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

    2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData

    2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information

    2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games

    2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial

    2009-08-23 22:42 . 2009-08-23 22:32 -------- d-----w- c:\program files\PlaneShift Steel Blue

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace

    2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars

    2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial

    2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd

    2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games

    2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo

    2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat

    2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

    2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe

    2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll

    2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll

    2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys

    2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe

    2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

    2009-06-29 16:12 . 2006-02-15 14:04 827392 ------w- c:\windows\system32\wininet.dll

    2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll

    2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll

    2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll

    2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll

    2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll

    2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll

    2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll

    2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll

    2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll

    2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll

    2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll

    2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll

    2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll

    2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll

    2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll

    2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll

    2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll

    2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll

    2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll

    2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll.tmp

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll.tmp

    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.56.08 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2009-09-22 23:53 . 2009-09-22 23:53 16384 c:\windows\temp\Perflib_Perfdata_7a8.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]

    "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

    "dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]

    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "jidoridow"="c:\windows\system32\majubilu.dll" [2009-09-22 88064]

    "TFncKy"="TFncKy.exe" [bU]

    "TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]

    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]

    "NDSTray.exe"="NDSTray.exe" [bU]

    "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

    "CFSServ.exe"="CFSServ.exe" [bU]

    "vomiguheme"="fezijepa.dll" [bU]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    "NoSetActiveDesktop"= 1 (0x1)

    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

    "{42ee3da9-7d44-4012-b3bf-85aa0a10e1c7}"= "c:\windows\system32\majubilu.dll" [2009-09-22 88064]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

    "minefivom"= {42ee3da9-7d44-4012-b3bf-85aa0a10e1c7} - c:\windows\system32\majubilu.dll [2009-09-22 88064]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

    "c:\\Program Files\\America Online 9.0\\waol.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

    "c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=

    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\ijji\\ENGLISH\\u_gbound.exe"=

    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    "c:\\WINDOWS\\system32\\rtcshare.exe"=

    "c:\\Program Files\\NetMeeting\\conf.exe"=

    "c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=

    "c:\\WINDOWS\\system32\\dpvsetup.exe"=

    "c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=

    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    "c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "56477:TCP"= 56477:TCP:Pando Media Booster

    "56477:UDP"= 56477:UDP:Pando Media Booster

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]

    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]

    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]

    S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

    S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

    S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    BtwSrv

    .

    Contents of the 'Scheduled Tasks' folder

    2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com

    mStart Page = hxxp://www.google.com

    uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart

    uInternet Settings,ProxyOverride = *.local

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\

    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-09-22 17:06

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

    "ImagePath"="c:\windows\system32\GameMon.des -service"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(948)

    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2360)

    c:\windows\system32\WININET.dll

    c:\windows\system32\majubilu.dll

    c:\windows\system32\TDispVol.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\msi.dll

    c:\windows\system32\TPwrCfg.DLL

    c:\windows\system32\TPwrReg.dll

    c:\windows\system32\TPSTrace.DLL

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Avira\AntiVir Desktop\avguard.exe

    c:\program files\Common Files\AOL\ACS\AOLacsd.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

    c:\windows\system32\DVDRAMSV.exe

    c:\windows\ehome\ehrecvr.exe

    c:\windows\ehome\ehSched.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\windows\system32\PnkBstrA.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\toshiba\IVP\swupdate\swupdtmr.exe

    c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    c:\windows\ehome\mcrdsvc.exe

    c:\windows\system32\dllhost.exe

    c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

    c:\windows\ehome\ehmsas.exe

    c:\program files\Synaptics\SynTP\Toshiba.exe

    c:\windows\system32\TPSBattM.exe

    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\windows\system32\wscntfy.exe

    c:\program files\HP\Digital Imaging\bin\hpqste08.exe

    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

    c:\program files\Skype\Plugin Manager\skypePM.exe

    .

    **************************************************************************

    .

    Completion time: 2009-09-23 17:11 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-09-23 00:11

    ComboFix2.txt 2009-09-22 20:26

    ComboFix3.txt 2009-09-21 23:59

    Pre-Run: 75,653,201,920 bytes free

    Post-Run: 75,580,739,584 bytes free

    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

    393 --- E O F --- 2009-09-14 10:00

  5. Here you go pal :)

    ComboFix 09-09-22.01 - Stephen Reid 09/22/2009 13:12.2.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.241 [GMT -7:00]

    Running from: c:\documents and settings\Stephen Reid\Desktop\ComboFix.exe

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\biguhezex.inf

    c:\documents and settings\All Users\Application Data\dyhupypa.sys

    c:\documents and settings\All Users\Application Data\erih.bat

    c:\documents and settings\All Users\Application Data\ikoq.bat

    c:\documents and settings\All Users\Application Data\jymum.inf

    c:\documents and settings\All Users\Application Data\yxuhek.vbs

    c:\documents and settings\All Users\Application Data\zasuwas.bin

    c:\documents and settings\All Users\Documents\awavav._dl

    c:\documents and settings\All Users\Documents\cijoxoh.inf

    c:\documents and settings\All Users\Documents\ejepasa.dll

    c:\documents and settings\All Users\Documents\iqexydoby.inf

    c:\documents and settings\All Users\Documents\iqyhyzir.ban

    c:\documents and settings\All Users\Documents\niwunax.inf

    c:\documents and settings\All Users\Documents\umebejyd.bat

    c:\documents and settings\All Users\Documents\uxaqa.reg

    c:\documents and settings\Stephen Reid\Application Data\ekezono.vbs

    c:\documents and settings\Stephen Reid\Application Data\ekygak.vbs

    c:\documents and settings\Stephen Reid\Application Data\emyzedelyz.pif

    c:\documents and settings\Stephen Reid\Application Data\imomu.com

    c:\documents and settings\Stephen Reid\Application Data\kijanezuk.bin

    c:\documents and settings\Stephen Reid\Application Data\mojowy.com

    c:\documents and settings\Stephen Reid\Application Data\ukuc.sys

    c:\documents and settings\Stephen Reid\Application Data\ymuqad.dll

    c:\documents and settings\Stephen Reid\Cookies\sygisysyno._dl

    c:\documents and settings\Stephen Reid\Cookies\upysaqen.dl

    c:\documents and settings\Stephen Reid\Local Settings\Application Data\hokuwawy.inf

    c:\documents and settings\Stephen Reid\Local Settings\Application Data\ivawyjewe.bin

    c:\documents and settings\Stephen Reid\Local Settings\Application Data\jubynon.dl

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\akyxyxeji.dll

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\ived.vbs

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\nacality.lib

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\nojagosuna.bat

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\obidyk.ban

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\orydu.bat

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\savynywyn.pif

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\suqotoj.bat

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\utap.pif

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\xekuki._sy

    c:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\yzapyzanu.lib

    c:\program files\Common Files\depod.com

    c:\program files\Common Files\enyna.bat

    c:\program files\Common Files\fudoly.inf

    c:\program files\Common Files\lecypijafi.scr

    c:\program files\Common Files\oxyza.dl

    c:\program files\Common Files\uzijuda.dll

    c:\program files\Common Files\xixicu.sys

    c:\program files\Common Files\ycisobevus.sys

    c:\windows\aborujary.sys

    c:\windows\apucas.exe

    c:\windows\duqi.ban

    c:\windows\gupuc.scr

    c:\windows\hofuc.ban

    c:\windows\Installer\441c572.msi

    c:\windows\Installer\9bffb.msi

    c:\windows\osemokaqy.inf

    c:\windows\sofa.ban

    c:\windows\system32\18467.exe

    c:\windows\system32\41.exe

    c:\windows\system32\6334.exe

    c:\windows\system32\drivers\SKYNETsmykyorn.sys

    c:\windows\system32\fazibu.bat

    c:\windows\system32\fezijepa.dll

    c:\windows\system32\iniasd.txt

    c:\windows\system32\jakibise.dll

    c:\windows\system32\parodupa.dll

    c:\windows\system32\qubi.pif

    c:\windows\system32\SKYNETalihyxen.dat

    c:\windows\system32\SKYNETarowrhyg.dll

    c:\windows\system32\SKYNETpumihtvc.dat

    c:\windows\system32\SKYNETttquvppe.dll

    c:\windows\system32\tewohisowy.pif

    c:\windows\system32\yoharoyi.dll

    c:\windows\tycu.exe

    c:\windows\unaper.ban

    c:\windows\xacuze.reg

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_6TO4

    -------\Legacy_SKYNETqohmnmwx

    -------\Legacy_UACD.SYS

    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

    -------\Service_SKYNETqohmnmwx

    ((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

    .

    2009-09-21 21:25 . 2009-09-21 21:25 11045 ----a-w- c:\windows\qypyd.com

    2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet

    2009-09-21 17:12 . 2009-09-21 17:12 49152 ----a-w- C:\hwdgqmcw.exe

    2009-09-19 02:25 . 2009-09-22 04:57 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\mjusbsp

    2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

    2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

    2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

    2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

    2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro

    2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

    2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

    2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS3

    2009-09-12 21:48 . 2009-09-12 21:48 18565 ----a-w- c:\windows\sycapyvac.dat

    2009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

    2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

    2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

    2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

    2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab

    2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

    2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

    2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

    2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat

    2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III

    2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial

    2009-08-23 23:18 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace

    2009-08-23 22:32 . 2009-08-23 22:42 -------- d-----w- c:\program files\PlaneShift Steel Blue

    2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-09-22 20:15 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware

    2009-09-22 20:12 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype

    2009-09-22 15:02 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM

    2009-09-22 09:12 . 2009-06-22 09:12 49664 --sha-w- c:\windows\system32\rikosego.dll

    2009-09-22 09:12 . 2009-06-22 09:12 87552 --sha-w- c:\windows\system32\nakuwiyi.dll

    2009-09-21 21:25 . 2009-09-21 21:25 11490 ----a-w- c:\program files\Common Files\fyno._sy

    2009-09-21 21:14 . 2009-06-21 21:14 87552 ------w- c:\windows\system32\fevusota.dll

    2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat

    2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com

    2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

    2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

    2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

    2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod

    2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple

    2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour

    2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime

    2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update

    2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

    2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData

    2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information

    2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games

    2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial

    2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd

    2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games

    2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo

    2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat

    2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

    2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe

    2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll

    2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll

    2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys

    2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe

    2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

    2009-06-29 16:12 . 2006-02-15 14:04 827392 ------w- c:\windows\system32\wininet.dll

    2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll

    2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll

    2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll

    2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll

    2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll

    2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll

    2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll

    2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll

    2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll

    2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll

    2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll

    2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll

    2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll

    2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll

    2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll

    2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll

    2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll

    2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll

    2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll

    2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll.tmp

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll.tmp

    2009-06-22 09:13 . 2009-06-22 09:13 49664 --sha-w- c:\windows\system32\witiwegu.dll

    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.56.08 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2009-09-22 20:20 . 2009-09-22 20:20 16384 c:\windows\temp\Perflib_Perfdata_230.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cea18b11-bc29-4514-88c0-181bbc858c9f}]

    2009-06-22 09:13 49664 --sha-w- c:\windows\system32\witiwegu.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]

    "cdloader"="c:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]

    "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

    "dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]

    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "jidoridow"="c:\windows\system32\nakuwiyi.dll" [2009-09-22 87552]

    "TFncKy"="TFncKy.exe" [bU]

    "TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]

    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]

    "NDSTray.exe"="NDSTray.exe" [bU]

    "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

    "CFSServ.exe"="CFSServ.exe" [bU]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    "NoSetActiveDesktop"= 1 (0x1)

    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

    "{2faad82f-36d8-4d4c-9f9f-7e9650c7c6f1}"= "c:\windows\system32\nakuwiyi.dll" [2009-09-22 87552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

    "relejogag"= {2faad82f-36d8-4d4c-9f9f-7e9650c7c6f1} - c:\windows\system32\nakuwiyi.dll [2009-09-22 87552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

    "c:\\Program Files\\America Online 9.0\\waol.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

    "c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=

    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\ijji\\ENGLISH\\u_gbound.exe"=

    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    "c:\\WINDOWS\\system32\\rtcshare.exe"=

    "c:\\Program Files\\NetMeeting\\conf.exe"=

    "c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=

    "c:\\WINDOWS\\system32\\dpvsetup.exe"=

    "c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=

    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Documents and Settings\\Stephen Reid\\Application Data\\mjusbsp\\magicJack.exe"=

    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "56477:TCP"= 56477:TCP:Pando Media Booster

    "56477:UDP"= 56477:UDP:Pando Media Booster

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]

    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]

    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]

    S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

    S2 ezjqasr;ezjqasr;c:\windows\system32\drivers\prcjjli.sys --> c:\windows\system32\drivers\prcjjli.sys [?]

    S2 fyjxwqs;fyjxwqs;c:\windows\system32\drivers\pbie.sys --> c:\windows\system32\drivers\pbie.sys [?]

    S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

    S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336]

    S4 xvpwun;xvpwun;\??\c:\windows\system32\drivers\xjehpubegdv.sys --> c:\windows\system32\drivers\xjehpubegdv.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    BtwSrv

    .

    Contents of the 'Scheduled Tasks' folder

    2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com

    mStart Page = hxxp://www.google.com

    uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart

    uInternet Settings,ProxyOverride = *.local

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\

    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    .

    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-vomiguheme - fezijepa.dll

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-09-22 13:21

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

    "ImagePath"="c:\windows\system32\GameMon.des -service"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(948)

    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1076)

    c:\windows\system32\WININET.dll

    c:\windows\system32\nakuwiyi.dll

    c:\windows\system32\TDispVol.dll

    c:\windows\system32\msi.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\TPwrCfg.DLL

    c:\windows\system32\TPwrReg.dll

    c:\windows\system32\TPSTrace.DLL

    c:\program files\SUPERAntiSpyware\SASSEH.DLL

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Avira\AntiVir Desktop\avguard.exe

    c:\program files\Common Files\AOL\ACS\AOLacsd.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

    c:\windows\system32\DVDRAMSV.exe

    c:\windows\ehome\ehrecvr.exe

    c:\windows\ehome\ehSched.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\windows\system32\PnkBstrA.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    c:\windows\ehome\mcrdsvc.exe

    c:\program files\Synaptics\SynTP\Toshiba.exe

    c:\windows\system32\TPSBattM.exe

    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

    c:\windows\system32\dllhost.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\windows\ehome\ehmsas.exe

    c:\windows\system32\wscntfy.exe

    c:\program files\HP\Digital Imaging\bin\hpqste08.exe

    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

    c:\program files\Skype\Plugin Manager\skypePM.exe

    .

    **************************************************************************

    .

    Completion time: 2009-09-22 13:26 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-09-22 20:26

    ComboFix2.txt 2009-09-21 23:59

    Pre-Run: 75,848,577,024 bytes free

    Post-Run: 75,687,084,032 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

    428 --- E O F --- 2009-09-14 10:00

  6. ComboFix Log

    ComboFix 09-09-16.05 - xxxxxx 09/21/2009 16:52.1.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.439 [GMT -7:00]

    Running from: c:\documents and settings\xxxxxxx\Desktop\ComboFix.exe

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    - REDUCED FUNCTIONALITY MODE -

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\recycler\S-1-5-21-3868997124-911790988-508925577-500

    c:\recycler\S-1-5-21-3868997124-911790988-508925577-500\desktop.ini

    c:\recycler\S-1-5-21-3868997124-911790988-508925577-500\INFO2

    c:\windows\Install.txt

    c:\windows\kb913800.exe

    c:\windows\system32\cru629.dat

    c:\windows\system32\Install.txt

    c:\windows\system32\lowsec

    c:\windows\system32\lowsec\local.ds

    c:\windows\system32\lowsec\user.ds

    c:\windows\system32\lowsec\user.ds.lll

    c:\windows\system32\sdra64.exe

    .

    ((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))

    .

    2009-09-21 23:14 . 2009-09-21 23:14 0 ----a-w- c:\windows\system32\6334.exe

    2009-09-21 22:14 . 2009-09-21 22:14 0 ----a-w- c:\windows\system32\18467.exe

    2009-09-21 21:25 . 2009-09-21 21:25 17821 ----a-w- c:\windows\gupuc.scr

    2009-09-21 21:25 . 2009-09-21 21:25 13589 ----a-w- c:\program files\Common Files\xixicu.sys

    2009-09-21 21:25 . 2009-09-21 21:25 11045 ----a-w- c:\windows\qypyd.com

    2009-09-21 21:25 . 2009-09-21 21:25 10041 ----a-w- c:\program files\Common Files\lecypijafi.scr

    2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-21 21:14 . 2009-09-21 21:14 0 ----a-w- c:\windows\system32\41.exe

    2009-09-21 21:14 . 2009-09-21 21:14 43 ----a-w- c:\windows\system32\SKYNETpumihtvc.dat

    2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet

    2009-09-21 17:12 . 2009-09-21 17:12 49152 ----a-w- C:\hwdgqmcw.exe

    2009-09-19 02:25 . 2009-09-21 06:17 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\mjusbsp

    2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

    2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

    2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

    2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira

    2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

    2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro

    2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

    2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

    2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS3

    2009-09-12 21:48 . 2009-09-12 21:48 12851 ----a-w- c:\windows\system32\tewohisowy.pif

    2009-09-12 21:48 . 2009-09-12 21:48 18565 ----a-w- c:\windows\sycapyvac.dat

    2009-09-12 21:48 . 2009-09-12 21:48 10784 ----a-w- c:\windows\aborujary.sys

    2009-09-12 21:48 . 2009-09-12 21:48 10009 ----a-w- c:\program files\Common Files\uzijuda.dll

    2009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

    2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

    2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

    2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    2009-09-12 21:03 . 2009-09-12 21:03 18297 ----a-w- c:\program files\Common Files\enyna.bat

    2009-09-12 21:03 . 2009-09-12 21:03 17514 ----a-w- c:\program files\Common Files\ycisobevus.sys

    2009-09-12 21:03 . 2009-09-12 21:03 16053 ----a-w- c:\windows\tycu.exe

    2009-09-12 21:03 . 2009-09-12 21:03 15949 ----a-w- c:\windows\apucas.exe

    2009-09-12 21:03 . 2009-09-12 21:03 14000 ----a-w- c:\windows\system32\fazibu.bat

    2009-09-12 21:03 . 2009-09-12 21:03 13136 ----a-w- c:\windows\xacuze.reg

    2009-09-12 21:03 . 2009-09-12 21:03 12125 ----a-w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\ivawyjewe.bin

    2009-09-12 21:03 . 2009-09-12 21:03 11047 ----a-w- c:\windows\system32\qubi.pif

    2009-09-12 21:03 . 2009-09-12 21:03 10592 ----a-w- c:\program files\Common Files\depod.com

    2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

    2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab

    2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

    2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

    2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

    2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat

    2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III

    2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial

    2009-08-23 23:18 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift

    2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace

    2009-08-23 22:32 . 2009-08-23 22:42 -------- d-----w- c:\program files\PlaneShift Steel Blue

    2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-09-21 23:50 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype

    2009-09-21 21:25 . 2009-09-21 21:25 19654 ----a-w- c:\documents and settings\Stephen Reid\Application Data\mojowy.com

    2009-09-21 21:25 . 2009-09-21 21:25 18205 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ukuc.sys

    2009-09-21 21:25 . 2009-09-21 21:25 17986 ----a-w- c:\program files\Common Files\fudoly.inf

    2009-09-21 21:25 . 2009-09-21 21:25 17220 ----a-w- c:\program files\Common Files\oxyza.dl

    2009-09-21 21:25 . 2009-09-21 21:25 11490 ----a-w- c:\program files\Common Files\fyno._sy

    2009-09-21 21:14 . 2009-08-10 09:53 1036226 ----a-w- c:\windows\system32\SKYNETalihyxen.dat

    2009-09-21 21:14 . 2009-06-21 21:14 87552 ------w- c:\windows\system32\fevusota.dll

    2009-09-21 21:14 . 2009-06-21 21:14 36864 --sha-w- c:\windows\system32\parodupa.dll

    2009-09-21 21:13 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM

    2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat

    2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com

    2009-09-17 19:08 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware

    2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

    2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

    2009-09-12 21:48 . 2009-09-12 21:48 12079 ----a-w- c:\documents and settings\All Users\Application Data\yxuhek.vbs

    2009-09-12 21:48 . 2009-09-12 21:48 10112 ----a-w- c:\documents and settings\Stephen Reid\Application Data\emyzedelyz.pif

    2009-09-12 21:48 . 2009-09-12 21:48 14213 ----a-w- c:\documents and settings\Stephen Reid\Application Data\kijanezuk.bin

    2009-09-12 21:48 . 2009-09-12 21:48 10466 ----a-w- c:\documents and settings\All Users\Application Data\dyhupypa.sys

    2009-09-12 21:03 . 2009-09-12 21:03 18670 ----a-w- c:\documents and settings\Stephen Reid\Application Data\imomu.com

    2009-09-12 21:03 . 2009-09-12 21:03 18631 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ymuqad.dll

    2009-09-12 21:03 . 2009-09-12 21:03 13495 ----a-w- c:\documents and settings\All Users\Application Data\ikoq.bat

    2009-09-12 21:03 . 2009-09-12 21:03 13187 ----a-w- c:\documents and settings\All Users\Application Data\erih.bat

    2009-09-12 21:03 . 2009-09-12 21:03 12643 ----a-w- c:\documents and settings\All Users\Application Data\zasuwas.bin

    2009-09-12 21:03 . 2009-09-12 21:03 11876 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ekezono.vbs

    2009-09-12 21:03 . 2009-09-12 21:03 10668 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ekygak.vbs

    2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

    2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

    2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod

    2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple

    2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

    2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour

    2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime

    2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update

    2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

    2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData

    2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information

    2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games

    2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial

    2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd

    2009-08-10 09:53 . 2009-08-10 09:53 20480 ------w- c:\windows\system32\SKYNETarowrhyg.dll

    2009-08-10 09:53 . 2009-08-10 09:53 70656 ----a-w- c:\windows\system32\drivers\SKYNETsmykyorn.sys

    2009-08-10 09:53 . 2009-08-10 09:53 44544 ------w- c:\windows\system32\SKYNETttquvppe.dll

    2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games

    2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo

    2009-07-24 10:34 . 2006-02-18 15:00 -------- d-----w- c:\program files\GemMaster

    2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat

    2009-07-24 06:27 . 2009-07-24 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

    2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

    2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe

    2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll

    2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll

    2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys

    2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe

    2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

    2009-06-29 16:12 . 2006-02-15 14:04 827392 ----a-w- c:\windows\system32\wininet.dll

    2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll

    2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll

    2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll

    2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll

    2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll

    2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll

    2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll

    2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll

    2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll

    2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll

    2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll

    2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll

    2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll

    2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll

    2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll

    2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll

    2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll

    2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll

    2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll

    2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll

    2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]

    "cdloader"="c:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]

    "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

    "dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]

    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "jidoridow"="c:\windows\system32\fevusota.dll" [2009-09-21 87552]

    "TFncKy"="TFncKy.exe" [bU]

    "TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]

    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]

    "NDSTray.exe"="NDSTray.exe" [bU]

    "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

    "CFSServ.exe"="CFSServ.exe" [bU]

    "vomiguheme"="fahisili.dll" - c:\windows\system32\fahisili.dll [2009-06-21 49152]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    "NoSetActiveDesktop"= 1 (0x1)

    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

    "{3c72b957-1a9d-489b-8599-9bb96c15d007}"= "c:\windows\system32\fevusota.dll" [2009-09-21 87552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

    "hevamulaj"= {3c72b957-1a9d-489b-8599-9bb96c15d007} - c:\windows\system32\fevusota.dll [2009-09-21 87552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

    "Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "LoadAppInit_DLLs"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Notification Packages REG_MULTI_SZ scecli fahisili.dll hanelawi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

    "c:\\Program Files\\America Online 9.0\\waol.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

    "c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=

    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\ijji\\ENGLISH\\u_gbound.exe"=

    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    "c:\\WINDOWS\\system32\\rtcshare.exe"=

    "c:\\Program Files\\NetMeeting\\conf.exe"=

    "c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=

    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=

    "c:\\WINDOWS\\system32\\dpvsetup.exe"=

    "c:\\WINDOWS\\system32\\rundll32.exe"=

    "c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=

    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Documents and Settings\\Stephen Reid\\Application Data\\mjusbsp\\magicJack.exe"=

    "c:\\WINDOWS\\system32\\lsass.exe"=

    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "56477:TCP"= 56477:TCP:Pando Media Booster

    "56477:UDP"= 56477:UDP:Pando Media Booster

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]

    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]

    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]

    S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

    S2 ezjqasr;ezjqasr;c:\windows\system32\drivers\prcjjli.sys --> c:\windows\system32\drivers\prcjjli.sys [?]

    S2 fyjxwqs;fyjxwqs;c:\windows\system32\drivers\pbie.sys --> c:\windows\system32\drivers\pbie.sys [?]

    S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

    S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336]

    S4 xvpwun;xvpwun;\??\c:\windows\system32\drivers\xjehpubegdv.sys --> c:\windows\system32\drivers\xjehpubegdv.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    BtwSrv

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea8bdd27-a4ac-11de-9936-00038a000015}]

    \Shell\AutoRun\command - E:\autorun.exe

    \Shell\phone\command - E:\autorun.exe

    .

    Contents of the 'Scheduled Tasks' folder

    2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com

    mStart Page = hxxp://www.google.com

    uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart

    uInternet Settings,ProxyOverride = *.local

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\

    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dll

    FF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    .

    - - - - ORPHANS REMOVED - - - -

    BHO-{cea18b11-bc29-4514-88c0-181bbc858c9f} - dumibimo.dll

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    Toolbar-SITEguard - (no file)

    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    HKU-Default-Run-AntiSpyware Service - c:\windows\TEMP\x5q48rt7d.exe

    AddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isu

    AddRemove-{20B30DC1-E423-4939-B51D-05C58B0F9BBB} - c:\program files\HP\Digital Imaging\{20B30DC1-E423-4939-B51D-05C58B0F9BBB}\setup\hpzscr01.exe -datfile hposcr21.dat

    AddRemove-Warcraft III - c:\windows\War3Unin.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-09-21 16:55

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

    "ImagePath"="c:\windows\system32\GameMon.des -service"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SKYNETqohmnmwx]

    "imagepath"="\systemroot\system32\drivers\SKYNETsmykyorn.sys"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SKYNETqohmnmwx]

    @DACL=(02 0000)

    "start"=dword:00000004

    "type"=dword:00000001

    "group"="file system"

    "imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETsmykyorn.sys"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(764)

    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(820)

    c:\windows\system32\fahisili.dll

    c:\windows\system32\hanelawi.dll

    c:\windows\system32\wininet.dll

    - - - - - - - > 'explorer.exe'(5388)

    c:\windows\system32\WININET.dll

    c:\windows\system32\fahisili.dll

    c:\windows\system32\fevusota.dll

    c:\windows\system32\TDispVol.dll

    c:\windows\system32\msi.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\TPwrCfg.DLL

    c:\windows\system32\TPwrReg.dll

    c:\windows\system32\TPSTrace.DLL

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Avira\AntiVir Desktop\avguard.exe

    c:\program files\Common Files\AOL\ACS\AOLacsd.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

    c:\windows\system32\DVDRAMSV.exe

    c:\windows\ehome\ehrecvr.exe

    c:\windows\ehome\ehSched.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\windows\system32\PnkBstrA.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    c:\windows\ehome\mcrdsvc.exe

    c:\program files\Synaptics\SynTP\Toshiba.exe

    c:\windows\system32\TPSBattM.exe

    c:\program files\TOSHIBA\ConfigFree\CFSServ.exe

    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

    c:\windows\system32\dllhost.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\windows\ehome\ehmsas.exe

    c:\program files\Skype\Plugin Manager\skypePM.exe

    c:\program files\HP\Digital Imaging\bin\hpqste08.exe

    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

    .

    **************************************************************************

    .

    Completion time: 2009-09-21 16:59 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-09-21 23:59

    Pre-Run: 74,675,957,760 bytes free

    Post-Run: 75,889,446,912 bytes free

    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

    415 --- E O F --- 2009-09-14 10:00

  7. MBAM Log

    -------------------------------------------------------------------------------------------------------------------------------

    Malwarebytes' Anti-Malware 1.41

    Database version: 2839

    Windows 5.1.2600 Service Pack 2

    9/21/2009 4:35:53 PM

    mbam-log-2009-09-21 (16-35-53).txt

    Scan type: Quick Scan

    Objects scanned: 112363

    Time elapsed: 1 hour(s), 17 minute(s), 15 second(s)

    Memory Processes Infected: 3

    Memory Modules Infected: 4

    Registry Keys Infected: 11

    Registry Values Infected: 21

    Registry Data Items Infected: 20

    Folders Infected: 8

    Files Infected: 77

    Memory Processes Infected:

    C:\WINDOWS\system32\winupdate.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.

    C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:

    c:\WINDOWS\system32\fevusota.dll (Trojan.Vundo.H) -> Delete on reboot.

    c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

    \\?\globalroot\systemroot\system32\SKYNETvcbvqpyr.dll (Trojan.FakeAlert) -> Delete on reboot.

    c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:

    HKEY_CLASSES_ROOT\CLSID\{3c72b957-1a9d-489b-8599-9bb96c15d007} (Trojan.Vundo.H) -> Delete on reboot.

    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jidoridow (Trojan.Vundo.H) -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3c72b957-1a9d-489b-8599-9bb96c15d007} (Trojan.Vundo.H) -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hevamulaj (Trojan.Vundo.H) -> Delete on reboot.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vomiguheme (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fevusota.dll -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fevusota.dll -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\cru629.dat -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:

    C:\Documents and Settings\All Users\Application Data\12106714 (Rogue.Multiple) -> Quarantined and deleted successfully.

    C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

    C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    Files Infected:

    c:\WINDOWS\system32\fevusota.dll (Trojan.Vundo.H) -> Delete on reboot.

    c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

    \\?\globalroot\systemroot\system32\SKYNETvcbvqpyr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\ddbpu.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

    C:\ileede.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\kqjopjiq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\mdnsq.exe (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\ruptbvv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\bisepufi.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.

    C:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\fifiteko.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\kri746.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\logevent.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\nzfiu3h78di.dll (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\winupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\drivers\UACviuotfunlm.sys (Trojan.TDSS.T) -> Quarantined and deleted successfully.

    C:\WINDOWS\Temp\nkjnravsej.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HACMB1BS\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[4].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R7W1YWYT\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UHCQNW8X\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\All Users\Application Data\12106714\12106714 (Rogue.Multiple) -> Quarantined and deleted successfully.

    C:\Documents and Settings\All Users\Application Data\12106714\pc12106714ins (Rogue.Multiple) -> Quarantined and deleted successfully.

    C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

    C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Documents and Settings\All Users\Application Data\danigudu.dll (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

    C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

    C:\WINDOWS\system32\drivers\UACvakomqrgfv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\dumibimo.dll (Trojan.Vundo) -> Delete on reboot.

    C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

    C:\WINDOWS\system32\UACmyktuwehwe.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr4 (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr5 (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr6 (Rogue.Installer) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Cookies\lajyxyli.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Local Settings\Temporary Internet Files\zehydybore.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\Documents and Settings\Stephen Reid\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

    C:\rhjdpc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\vhlyrkv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\joxa.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

  8. Hopefully this is what you're looking for :P

    Running from: C:\Documents and Settings\Stephen Reid\desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Stephen Reid\Desktop\Win32kDiag.txt

    Removing all found mount points.

    Attempting to reset file permissions.

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...

    Cannot access: C:\WINDOWS\system32\eventlog.dll

    Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

    [1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll (Microsoft Corporation)

    [1] 2004-08-10 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

    [2] 2004-08-10 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

    Found mount point : C:\WINDOWS\system32\export\export

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\export\export

    Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

    Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

    Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

    Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

    Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

    Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

    Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

    Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

    Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

    Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

    Found mount point : C:\WINDOWS\system32\oobe\sample\sample

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

    Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

    Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

    Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

    Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

    Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

    Found mount point : C:\WINDOWS\system32\wins\wins

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\wins\wins

    Found mount point : C:\WINDOWS\system32\xircom\xircom

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\system32\xircom\xircom

    Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

    Mount point destination : \Device\__max++>\^

    Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

    Finished!

  9. After hours of sitting in front of the computer, downloading all sorts of promising anti-malware/spyware removers, I have resorted to doing what no man has done before: asking for help. ;)

    Here's my situation.

    I have had Malwarebytes Anti-Malware installed on my computer for a while now, at the recommendation of a friend. Today, it decided it wasn't going to run when "AntivirusPro_2010" showed up on my computer. Total disaster. I tried to run Malwarebytes, but an error message comes up saying that I have no damn right to run it :P.

    I looked through a few websites with miracle cures for removing this "new type of malware". I have since downloaded, in order: STOPZilla, SUPERAntispyware, Avira, and Hijackthis.

    I ran a 'STOPzilla' scan and a few Trojans, Spyware, Hijackers and Viruses showed up: Win32kStream, CoolwebSearch, Deviant.C, ExecVariant.C, Tapi.nfo, Antivirus2010 (*shakes fist* :rolleyes: ), Skynet, System Policies, Ultimate Cleaner, Host File.B and Explorer Policies something or other, to name a 'few'. I then realized that I had to pay (of course!) to remove these malware/spyware programs etc., which is not going to happen.

    I then ran a 'SUPERAntispyware' scan, and, like the Malwarebytes scan, it shut down after a few moments of scanning... teasing me by first showing me some of the spyware I actually had, though! Hopeless.

    Then, I found myself here... and after mindless browsing through the forums I downloaded 'Avira Antivirus Personal' and 'Hijackthis', as some other poor soul was told to at a Malwarebytes staff member's request.

    The 'Avira' scan is still running at the moment, with a promising 11 detections found. :lol:

    I attempted to run the 'Hijackthis' program, to no avail. The window did not even show up. After a few moments of extra browsing, I tried 'Combofix'. As you can imagine, with my luck today, it also did not run.

    This is the point I'm at right now. Not nearly at boiling point yet though, as I've had to deal with this sort of thing in the past. This situation has perplexed me though, so I may need a little help. ANY help would be wonderful.

    Keep in mind that I'm somewhat of a novice when it comes to this sort of thing :(
