Jump to content

Leviathan Mist

Members
 View Profile  See their activity

  • Posts

    9

  • Joined

  • Last visited

 Content Type 

Everything posted by Leviathan Mist

  1. Leviathan Mist
    Hey, I just wanted to say thanks for the assistance. The tutorial worked and I was able to run malwarebytes, ran multiple scans until there were no threats found, then ran Kaspersky's online scanner and found no infected objects, so I believe I'm clean.
  2. Leviathan Mist
    So, I'm trying to fix a laptop that's infected with a trojan, and I'm pretty sure that this program called "Personal Antivirus" is the culprit. I can't uninstall it, and I can't install Malwarebytes or HijackThis, as when I try to run the install files, nothing happens. The laptop has AVG Antivirus on it already so I'm running that for now. First, I need to figure out how to get Malwarebytes and HijackThis installed so I can post the logs.
  3. Leviathan Mist
    Done, thanks
  4. Leviathan Mist
    Thanks for all the help, best customer service I've ever received - you made it simple and easy to understand, and nothing unexpected occurred. Best of all, my problem is fixed! You really are a professional!
  5. Leviathan Mist
    I have used a proxy before, but it was only for testing. I haven't used it in months, and don't intend to use one any time in the near future. The system looks pretty clean now and is running well. Here are the logs you requested: SDFix logs: -- SDFix: Version 1.240 Run by User on Wed 12/10/2008 at 08:25 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-10 20:45:01 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\" "h0"=dword:00000001 "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,.. "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\" "h0"=dword:00000001 "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:75,6a,d3,1e,15,a7,ed,96,5f,28,ee,96,e3,c9,e1,07,95,c2,a7,13,af,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,.. "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:be,c0,a7,29,37,93,63,f2,83,24,e9,af,19,be,71,5c,e8,20,d4,28,cb,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\" "h0"=dword:00000001 "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\Program Files\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,.. "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,.. scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe:*:Enabled:zsnesw" "C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE:*:Enabled:ZSNESW" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" "C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"="C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server" "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC" "C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe:*:Enabled:UberNES" "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui" "C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe:*:Enabled:bgb" "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice" "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" Remaining Files : Files with Hidden Attributes : Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll" Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll" Tue 9 Jan 2007 56 ..SHR --- "C:\WINDOWS\system32\B6B1B609E1.sys" Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\dojevabi.dll.tmp" Thu 31 Jul 2008 1,838 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Wed 9 Apr 2008 28,672 A..H. --- "C:\WINDOWS\system32\pkmShellMenu.dll" Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\womaduzo.dll.tmp" Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\zirifaye.dll.tmp" Tue 6 May 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\A9983EFB3E.sys" Thu 27 Nov 2008 1,682 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys" Sat 12 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Fri 2 May 2008 198 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1131.tmp" Mon 15 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Finished! -- Kaspersky logs: -- -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Thursday, December 11, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Thursday, December 11, 2008 02:43:58 Records in database: 1451237 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ G:\ Scan statistics: Files scanned: 120944 Threat name: 2 Infected objects: 2 Suspicious objects: 0 Duration of the scan: 03:37:41 File name / Threat name / Threats count C:\Documents and Settings\User\My Documents\sakura emi kimi omou off vocal.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1 The selected area was scanned. -- Malwarebytes scan log: -- Malwarebytes' Anti-Malware 1.31 Database version: 1489 Windows 5.1.2600 Service Pack 3 12/11/2008 7:36:39 AM mbam-log-2008-12-11 (07-36-39).txt Scan type: Quick Scan Objects scanned: 56988 Time elapsed: 7 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  6. Leviathan Mist
    Combofix seems to have fixed the issue, but I'm not gonna jump to conclusions. Here are the logs you requested: -- ComboFix 08-12-09.03 - User 2008-12-10 16:19:16.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.131 [GMT -8:00] Running from: c:\documents and settings\User\Desktop\CF1.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\User\Local Settings\Temporary Internet Files\fbk.sts c:\program files\Windows Live\Messenger\msimg32.dll c:\windows\system32\command.pif c:\windows\system32\gitenayi.dll c:\windows\system32\lokadewe.dll c:\windows\system32\srecorder.dll c:\windows\Tasks\ukcwtdbe.job c:\windows\wiaserviv.log . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ISODRIVE -------\Service_ISODrive ((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 ))))))))))))))))))))))))))))))) . 2008-12-10 15:00 . 2008-12-10 15:00 <DIR> d-------- C:\rsit 2008-12-10 10:05 . 2008-12-10 10:05 95 --a------ c:\windows\wininit.ini 2008-12-10 00:22 . 2008-12-10 00:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-10 00:22 . 2008-12-10 00:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-09 23:44 . 2008-12-10 00:00 <DIR> d-------- c:\program files\Common Files\Nero 2008-12-09 23:44 . 2008-12-10 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero 2008-12-09 23:43 . 2008-12-09 23:43 <DIR> d-------- c:\program files\Common Files\LightScribe 2008-12-09 22:41 . 2008-12-09 22:41 <DIR> d-------- c:\program files\Panda Security 2008-12-09 22:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys 2008-12-05 22:54 . 2008-12-07 16:29 <DIR> d-------- c:\program files\Common Files\AOL 2008-11-25 20:28 . 2008-12-09 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes 2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-25 20:28 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-25 20:28 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-25 06:25 . 2008-11-25 06:25 <DIR> d-------- c:\program files\Trend Micro 2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\speech 2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\lhsp 2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\program files\CFS-Technologies 2008-11-19 15:55 . 2008-11-19 16:03 <DIR> d-------- c:\program files\Toolkit3 2008-11-11 13:18 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-11 13:17 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-10 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe 2008-12-10 07:46 --------- d-----w c:\program files\Nero 2008-12-08 05:50 --------- d-----w c:\documents and settings\User\Application Data\AVG7 2008-12-06 06:54 --------- d-----w c:\program files\Viewpoint 2008-12-06 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2008-11-27 10:54 1,682 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys 2008-11-26 06:30 --------- d-----w c:\program files\IrfanView 2008-11-25 14:26 --------- d-----w c:\documents and settings\User\Application Data\Free Download Manager 2008-11-01 20:56 --------- d-----w c:\program files\Diablo II 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-18 03:07 --------- d-----w c:\program files\MSN Messenger 2008-10-18 03:07 --------- d-----w c:\program files\Messenger Plus! Live 2008-10-16 02:22 --------- d-----w c:\program files\Safari 2008-10-16 02:22 --------- d-----w c:\documents and settings\User\Application Data\Apple Computer 2008-10-16 02:21 --------- d-----w c:\program files\Apple Software Update 2008-09-20 01:53 94,208 ----a-w c:\windows\DIIUnin.exe 2008-09-20 01:53 2,829 ----a-w c:\windows\DIIUnin.pif 2008-05-06 10:23 88 --sh--r c:\documents and settings\All Users\Application Data\A9983EFB3E.sys 2008-01-06 05:21 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat 2007-01-09 17:56 56 --sh--r c:\windows\system32\B6B1B609E1.sys 2008-07-31 09:20 1,838 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-08-19 07:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-21 219136] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.ZDSV"= scrvid.dll "msacm.l3codec"= l3codecp.acm "msacm.ac3filter"= ac3filter.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to MS-DOS Prompt.pif] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to MS-DOS Prompt.pif backup=c:\windows\pss\Shortcut to MS-DOS Prompt.pifCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Expodrine].pq.lnk] path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Expodrine].pq.lnk backup=c:\windows\pss\Shortcut to Leviathan Mist [Expodrine].pq.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Oobag].pq.lnk] path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Oobag].pq.lnk backup=c:\windows\pss\Shortcut to Leviathan Mist [Oobag].pq.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Pemptus].pq.lnk] path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Pemptus].pq.lnk backup=c:\windows\pss\Shortcut to Leviathan Mist [Pemptus].pq.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Penguin [Pemptus].pq.lnk] path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Penguin [Pemptus].pq.lnk backup=c:\windows\pss\Shortcut to Penguin [Pemptus].pq.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 20:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] --a------ 2008-09-20 07:30 579584 c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] --a------ 2006-09-28 11:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2007-04-03 14:29 165784 c:\program files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager] --a------ 2006-08-20 23:24 2068527 c:\program files\Free Download Manager\fdm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-09-02 13:43 133104 c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-03-02 14:24 257088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2008-06-09 10:16 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2007-06-28 23:43 8466432 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2007-06-28 23:43 81920 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2007-12-07 15:08 21686568 c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVRemote] -ra------ 2006-02-13 17:59 24576 c:\program files\SVRemote\USB20Remote.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-08-03 15:02 36352 c:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr] --a------ 2005-08-15 21:31 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRemote] --a------ 2005-08-15 21:30 208896 c:\program files\InterVideo\WinDVR3\WinRemote.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2007-06-28 23:43 1626112 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"= "c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"= "c:\\Program Files\\BitTornado\\btdownloadgui.exe"= "c:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7845:UDP"= 7845:UDP:ZSNES R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544] R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-05 24652] R3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006] S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2007-05-25 77824] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . Contents of the 'Scheduled Tasks' folder 2008-12-11 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 13:43] . - - - - ORPHANS REMOVED - - - - BHO-{ecb4235c-30e5-4772-b5a6-78c55cce228b} - c:\windows\system32\bikemowo.dll HKLM-Run-wunejidapa - c:\windows\system32\tubivepo.dll MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe MSConfigStartUp-Computer Alarm Clock - c:\program files\Computer Alarm Clock\cac.exe MSConfigStartUp-CPMc39f7954 - c:\windows\system32\noyutumi.dll MSConfigStartUp-Desktop Architect - c:\progra~1\DESKTO~1\datray.exe MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe MSConfigStartUp-wunejidapa - c:\windows\system32\tubivepo.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 85.12.72.196:8080 IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe - IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk - FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\zp97ixph.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ FF -: plugin - c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-10 16:24:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe c:\windows\system32\nvsvc32.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . ************************************************************************** . Completion time: 2008-12-10 16:30:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-11 00:30:27 Pre-Run: 11,276,001,280 bytes free Post-Run: 11,180,433,408 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 253 --- E O F --- 2008-11-11 21:28:14 -- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:36:43 PM, on 12/10/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe C:\WINDOWS\system32\nvsvc32.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080 O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7848 bytes
  7. Leviathan Mist
    5. Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop. info.txt: -- info.txt logfile of random's system information tool 1.04 2008-12-10 15:00:56 ======Uninstall list====== -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 7-Zip 4.56 beta-->"C:\Program Files\7-Zip\Uninstall.exe" Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7} Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103} Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39} Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001} Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D} Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log Adobe Stock Photos 1.0-->MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A} AIM Pro-->MsiExec.exe /X{D3A04D2F-28C4-4D9C-8487-DAB75992AE09} Anvil Studio-->C:\WINDOWS\system32\AsUninst.exe Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543} Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F} Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe" AutoHotkey 1.0.47.05-->C:\Program Files\AutoHotkey\uninst.exe AVG Free Edition-->C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL Bayden TamperIE (remove only)-->"C:\Program Files\TamperIE\uninst.exe" Bink and Smacker-->C:\PROGRA~1\RADVideo\UNWISE.EXE C:\PROGRA~1\RADVideo\INSTALL.LOG BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe blueMSX-->MsiExec.exe /I{E932D883-BFCF-4A40-8AC7-5C0384582D90} Boilsoft Video Splitter 5.01-->"C:\Program Files\Boilsoft Video Splitter\unins000.exe" Bulent's Screen Recorder 4-->C:\Program Files\Bulent's Screen Recorder 4\Uninstall Screen Recorder 4.exe CamStudio-->C:\Program Files\CamStudio\uninstall.exe Cartman's Authoritah 1.3-->"C:\Program Files\CartmansAuthoritah\unins000.exe" CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe" CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD" Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe Common RTP 1.0-->C:\WINDOWS\iun506.exe C:\Program Files\Enterbrain\RPG2003\RTP\\irunin.ini Console Classix 3.8-->"C:\Program Files\ConsoleClassix.com\unins000.exe" Daimonin Client 0.9.7-->"C:\Program Files\daimonin\client\unins000.exe" Dev-C++ 4-->C:\WINDOWS\uninst.exe -fC:\Dev-C++\DeIsL1.isu -cC:\Dev-C++\_ISREG32.DLL Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat EasyPHP 2.0b1-->"C:\Program Files\EasyPHP 2\unins000.exe" ffdshow [rev 1324] [2007-07-01]-->"C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe" FileZilla Client 3.1.1.1-->C:\Program Files\FileZilla Client\uninstall.exe FileZilla Server (remove only)-->"C:\Program Files\FileZilla Server\uninstall.exe" Free Download Manager 2.1-->"C:\Program Files\Free Download Manager\unins000.exe" GoldWave v5.20-->"C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.20" "C:\Program Files\GoldWave\unstall.log" HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" IE7Pro-->"C:\Program Files\IE7Pro\unins000.exe" ImageMagick 6.3.6-4 Q16 (11/01/07)-->"C:\Program Files\ImageMagick-6.3.6-Q16\unins000.exe" IndigoMail 3.10-->c:\sendmail\uninst.exe Install Creator-->C:\Documents and Settings\User\Desktop\games\RPG Maker utilities\Installer Creator\Uninstal.exe InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe InterVideo WinDVR 3-->"C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe iTunes-->MsiExec.exe /I{01B51908-02EF-453B-87A9-815182E8C2F2} J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100} J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110} Java SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010} K-Lite Codec Pack 3.3.0 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe" Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall LightScribe System Software 1.14.17.1-->MsiExec.exe /X{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB} LimeWire 4.16.6-->"C:\Program Files\LimeWire\uninstall.exe" Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Meridian Advance (remove only)-->"C:\Program Files\Meridian Advance\uninstall.exe" Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe" Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28} Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783} Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft MPEG-4 VKI Video Codec V1/V2/V3-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\mpg4c32.inf Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F} Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD} Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D} Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE} Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework-->MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350} Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32-->MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06} Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries-->MsiExec.exe /X{842FAF7C-50EF-4463-9B8F-6222E1384D7D} mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MS Access 97 SP2-->C:\Program Files\Microsoft Office\setup\setup.exe MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71} MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Multitrack Stopwatch-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Multitrack Stopwatch\Uninst.isu" -c"C:\Program Files\Multitrack Stopwatch\setupsub.dll" MWSnap 3-->"C:\Program Files\MWSnap\uninstall.exe" neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} Nintendo Wi-Fi USB Connector Registration Tool-->C:\Program Files\WiFiConnector\SoftAPUninst.exe NJStar Japanese WP-->C:\Program Files\NJStar Japanese WP\uninst.exe NoClone 2007 Free Edition-->MsiExec.exe /I{F9626821-177C-4698-B74D-B783152647F1} NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PHP 5.2.2-->MsiExec.exe /I{0D6BC279-CAD9-4BF8-85B7-6E33157D1261} PlayOnline Viewer & Tetra Master-->C:\Program Files\InstallShield Installation Information\{47004155-7376-403E-89E9-4C9F44AAF0D0}\setup.exe -runfromtemp -l0x0409 Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727} QuickTime-->MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F} Real Alternative 1.8.2-->"C:\Program Files\Real Alternative\unins000.exe" RGSS-RTP Standard-->MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7} RPG Maker 2000 1.05-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\install.log" RPG Maker 2003 v1.08-->"C:\Program Files\rpg2003\unins000.exe" RPG Maker 95+ (Translated by Don Miguel)-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASCII\RPG Maker 95+\DeIsL1.isu" RPG Maker VX RTP-->"C:\Program Files\Common Files\Enterbrain\RGSS2\RPGVX\unins000.exe" RPG Maker VX-->"C:\Program Files\Enterbrain\RPGVX\unins000.exe" RPGToolkit, Version 3.1.0-->C:\Program Files\Toolkit3\uninstall.exe RPGXP-->MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C} RTP 1.32 Add-On for RM2k-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log" RTP for RM2K (Png, Wav, Midi, Fonts)-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log" Safari-->MsiExec.exe /X{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868} Screensavers Installer Version 2-->"C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe" Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe" Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" Skype
  8. Leviathan Mist
    Hi, first I'd like to thank you for your assistance. I went through each step you gave me and here are the logs you requested: 1. Set Windows to show all files and all folders. Done. 2. Take out the trash (temporary files & temporary internet files) Done. Only thing is, the Safari section was grayed out, so I manually cleared all personal data in Safari's browser. 3. Download The Avenger by Swandog46 from here.[.i] Here are the logs from Avenger -- Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\WINDOWS\system32\tubivepo.dll" not found! Deletion of file "C:\WINDOWS\system32\tubivepo.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\wunejidapa" not found! Deletion of driver "wunejidapa" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" not found! Deletion of registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate. -- 4. Start your MBAM. Click the Update tab. Press the "Check for Updates" button. I started the full check before updating on accident, so I canceled it, cleared out all the infected files it caught right off, then updated and ran the full check completely. Here are the logs from both checks: -- Malwarebytes' Anti-Malware 1.31 Database version: 1481 Windows 5.1.2600 Service Pack 3 12/10/2008 1:00:23 PM mbam-log-2008-12-10 (13-00-23).txt Scan type: Full Scan (C:\|) Objects scanned: 17270 Time elapsed: 1 minute(s), 33 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) -- Malwarebytes' Anti-Malware 1.31 Database version: 1483 Windows 5.1.2600 Service Pack 3 12/10/2008 2:56:56 PM mbam-log-2008-12-10 (14-56-56).txt Scan type: Full Scan (C:\|) Objects scanned: 156438 Time elapsed: 1 hour(s), 54 minute(s), 48 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085415.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085416.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\rekomeve.dll (Trojan.Vundo) -> Quarantined and deleted successfully. -- -Continued in second post-
  9. Leviathan Mist
    This is the third time I've had serious malware issues in the past week. All three times I got rid of at least 10 infected files, and one of the three times involved a really nasty trojan that disabled my automatic updates. I think this regenerating registry key is the culprit, because I haven't downloaded anything at all, or visited any sites other than Gmail and Youtube since the last scan. Malwarebytes' Anti-Malware 1.30Database version: 1423Windows 5.1.2600 Service Pack 3 12/9/2008 10:17:23 PMmbam-log-2008-12-09 (22-17-23).txt Scan type: Full Scan (C:\|)Objects scanned: 166464Time elapsed: 2 hour(s), 3 minute(s), 45 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:(No malicious items detected) Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)Says it's deleted, but it just regenerates. Here's my HijackThis log: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:27:50 PM, on 12/9/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\nvsvc32.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dllO2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dllO2 - BHO: (no name) - {ecb4235c-30e5-4772-b5a6-78c55cce228b} - C:\WINDOWS\system32\bikemowo.dll (file missing)O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [wunejidapa] Rundll32.exe "C:\WINDOWS\system32\tubivepo.dll",sO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htmO8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htmO8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dllO9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dllO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\WINDOWS\system32\gitenayi.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe --End of file - 7724 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.