Leviathan Mist

Posts posted by Leviathan Mist

  1. So, I'm trying to fix a laptop that's infected with a trojan, and I'm pretty sure that this program called "Personal Antivirus" is the culprit. I can't uninstall it, and I can't install Malwarebytes or HijackThis, as when I try to run the install files, nothing happens. The laptop has AVG Antivirus on it already so I'm running that for now. First, I need to figure out how to get Malwarebytes and HijackThis installed so I can post the logs.

  2. I have used a proxy before, but it was only for testing. I haven't used it in months, and don't intend to use one any time in the near future. The system looks pretty clean now and is running well. Here are the logs you requested:

    SDFix logs:

    --

    SDFix: Version 1.240

    Run by User on Wed 12/10/2008 at 08:25 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Checking Services :

    Restoring Default Security Values

    Restoring Default Hosts File

    Rebooting

    Checking Files :

    No Trojan Files Found

    Removing Temp Files

    ADS Check :

    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-12-10 20:45:01

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

    "s1"=dword:2df9c43f

    "s2"=dword:110480d0

    "h0"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

    "h0"=dword:00000001

    "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

    "p0"="C:\Program Files\DAEMON Tools\"

    "h0"=dword:00000000

    "khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

    "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..

    "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

    "khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

    "h0"=dword:00000001

    "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

    "p0"="C:\Program Files\DAEMON Tools\"

    "h0"=dword:00000000

    "khjeh"=hex:75,6a,d3,1e,15,a7,ed,96,5f,28,ee,96,e3,c9,e1,07,95,c2,a7,13,af,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

    "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..

    "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

    "khjeh"=hex:be,c0,a7,29,37,93,63,f2,83,24,e9,af,19,be,71,5c,e8,20,d4,28,cb,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

    "h0"=dword:00000001

    "ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

    "p0"="C:\Program Files\DAEMON Tools\"

    "h0"=dword:00000000

    "khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

    "a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..

    "khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

    "khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully

    hidden processes: 0

    hidden services: 0

    hidden files: 0

    Remaining Services :

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe:*:Enabled:zsnesw"

    "C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE:*:Enabled:ZSNESW"

    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

    "C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    "C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"="C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"

    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"

    "C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe:*:Enabled:UberNES"

    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"

    "C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe:*:Enabled:bgb"

    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"

    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files :

    Files with Hidden Attributes :

    Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"

    Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

    Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

    Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

    Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

    Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

    Tue 9 Jan 2007 56 ..SHR --- "C:\WINDOWS\system32\B6B1B609E1.sys"

    Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\dojevabi.dll.tmp"

    Thu 31 Jul 2008 1,838 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

    Wed 9 Apr 2008 28,672 A..H. --- "C:\WINDOWS\system32\pkmShellMenu.dll"

    Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\womaduzo.dll.tmp"

    Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\zirifaye.dll.tmp"

    Tue 6 May 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\A9983EFB3E.sys"

    Thu 27 Nov 2008 1,682 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"

    Sat 12 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

    Fri 2 May 2008 198 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1131.tmp"

    Mon 15 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

    Finished!

    --

    Kaspersky logs:

    --

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7 REPORT

    Thursday, December 11, 2008

    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    Kaspersky Online Scanner 7 version: 7.0.25.0

    Program database last update: Thursday, December 11, 2008 02:43:58

    Records in database: 1451237

    --------------------------------------------------------------------------------

    Scan settings:

    Scan using the following database: extended

    Scan archives: yes

    Scan mail databases: yes

    Scan area - My Computer:

    A:\

    C:\

    D:\

    E:\

    G:\

    Scan statistics:

    Files scanned: 120944

    Threat name: 2

    Infected objects: 2

    Suspicious objects: 0

    Duration of the scan: 03:37:41

    File name / Threat name / Threats count

    C:\Documents and Settings\User\My Documents\sakura emi kimi omou off vocal.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

    The selected area was scanned.

    --

    Malwarebytes scan log:

    --

    Malwarebytes' Anti-Malware 1.31

    Database version: 1489

    Windows 5.1.2600 Service Pack 3

    12/11/2008 7:36:39 AM

    mbam-log-2008-12-11 (07-36-39).txt

    Scan type: Quick Scan

    Objects scanned: 56988

    Time elapsed: 7 minute(s), 19 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

  3. Combofix seems to have fixed the issue, but I'm not gonna jump to conclusions. Here are the logs you requested:

    --

    ComboFix 08-12-09.03 - User 2008-12-10 16:19:16.1 - NTFSx86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.131 [GMT -8:00]

    Running from: c:\documents and settings\User\Desktop\CF1.exe

    * Created a new restore point

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\User\Local Settings\Temporary Internet Files\fbk.sts

    c:\program files\Windows Live\Messenger\msimg32.dll

    c:\windows\system32\command.pif

    c:\windows\system32\gitenayi.dll

    c:\windows\system32\lokadewe.dll

    c:\windows\system32\srecorder.dll

    c:\windows\Tasks\ukcwtdbe.job

    c:\windows\wiaserviv.log

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_ISODRIVE

    -------\Service_ISODrive

    ((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))

    .

    2008-12-10 15:00 . 2008-12-10 15:00 <DIR> d-------- C:\rsit

    2008-12-10 10:05 . 2008-12-10 10:05 95 --a------ c:\windows\wininit.ini

    2008-12-10 00:22 . 2008-12-10 00:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy

    2008-12-10 00:22 . 2008-12-10 00:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2008-12-09 23:44 . 2008-12-10 00:00 <DIR> d-------- c:\program files\Common Files\Nero

    2008-12-09 23:44 . 2008-12-10 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero

    2008-12-09 23:43 . 2008-12-09 23:43 <DIR> d-------- c:\program files\Common Files\LightScribe

    2008-12-09 22:41 . 2008-12-09 22:41 <DIR> d-------- c:\program files\Panda Security

    2008-12-09 22:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

    2008-12-05 22:54 . 2008-12-07 16:29 <DIR> d-------- c:\program files\Common Files\AOL

    2008-11-25 20:28 . 2008-12-09 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

    2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes

    2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

    2008-11-25 20:28 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

    2008-11-25 20:28 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

    2008-11-25 06:25 . 2008-11-25 06:25 <DIR> d-------- c:\program files\Trend Micro

    2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\speech

    2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\lhsp

    2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\program files\CFS-Technologies

    2008-11-19 15:55 . 2008-11-19 16:03 <DIR> d-------- c:\program files\Toolkit3

    2008-11-11 13:18 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

    2008-11-11 13:17 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-12-10 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe

    2008-12-10 07:46 --------- d-----w c:\program files\Nero

    2008-12-08 05:50 --------- d-----w c:\documents and settings\User\Application Data\AVG7

    2008-12-06 06:54 --------- d-----w c:\program files\Viewpoint

    2008-12-06 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

    2008-11-27 10:54 1,682 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

    2008-11-26 06:30 --------- d-----w c:\program files\IrfanView

    2008-11-25 14:26 --------- d-----w c:\documents and settings\User\Application Data\Free Download Manager

    2008-11-01 20:56 --------- d-----w c:\program files\Diablo II

    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

    2008-10-18 03:07 --------- d-----w c:\program files\MSN Messenger

    2008-10-18 03:07 --------- d-----w c:\program files\Messenger Plus! Live

    2008-10-16 02:22 --------- d-----w c:\program files\Safari

    2008-10-16 02:22 --------- d-----w c:\documents and settings\User\Application Data\Apple Computer

    2008-10-16 02:21 --------- d-----w c:\program files\Apple Software Update

    2008-09-20 01:53 94,208 ----a-w c:\windows\DIIUnin.exe

    2008-09-20 01:53 2,829 ----a-w c:\windows\DIIUnin.pif

    2008-05-06 10:23 88 --sh--r c:\documents and settings\All Users\Application Data\A9983EFB3E.sys

    2008-01-06 05:21 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

    2007-01-09 17:56 56 --sh--r c:\windows\system32\B6B1B609E1.sys

    2008-07-31 09:20 1,838 --sha-w c:\windows\system32\KGyGaAvL.sys

    2008-08-19 07:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-21 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "VIDC.ZDSV"= scrvid.dll

    "msacm.l3codec"= l3codecp.acm

    "msacm.ac3filter"= ac3filter.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk

    backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

    backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to MS-DOS Prompt.pif]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to MS-DOS Prompt.pif

    backup=c:\windows\pss\Shortcut to MS-DOS Prompt.pifCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Gamma.lnk]

    path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk

    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Expodrine].pq.lnk]

    path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Expodrine].pq.lnk

    backup=c:\windows\pss\Shortcut to Leviathan Mist [Expodrine].pq.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Oobag].pq.lnk]

    path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Oobag].pq.lnk

    backup=c:\windows\pss\Shortcut to Leviathan Mist [Oobag].pq.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Pemptus].pq.lnk]

    path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Pemptus].pq.lnk

    backup=c:\windows\pss\Shortcut to Leviathan Mist [Pemptus].pq.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Penguin [Pemptus].pq.lnk]

    path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Penguin [Pemptus].pq.lnk

    backup=c:\windows\pss\Shortcut to Penguin [Pemptus].pq.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

    --a------ 2008-01-11 20:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

    --a------ 2008-09-20 07:30 579584 c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

    --a------ 2006-09-28 11:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

    --a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

    --a------ 2007-04-03 14:29 165784 c:\program files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]

    --a------ 2006-08-20 23:24 2068527 c:\program files\Free Download Manager\fdm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

    --a----t- 2008-09-02 13:43 133104 c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2007-03-02 14:24 257088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

    --a------ 2008-06-09 10:16 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

    --a------ 2007-06-28 23:43 8466432 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

    --a------ 2007-06-28 23:43 81920 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

    -ra------ 2007-12-07 15:08 21686568 c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVRemote]

    -ra------ 2006-02-13 17:59 24576 c:\program files\SVRemote\USB20Remote.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

    --a------ 2008-08-03 15:02 36352 c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]

    --a------ 2005-08-15 21:31 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRemote]

    --a------ 2005-08-15 21:30 208896 c:\program files\InterVideo\WinDVR3\WinRemote.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

    --a------ 2007-06-28 23:43 1626112 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"=

    "c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"=

    "c:\\Program Files\\LimeWire\\LimeWire.exe"=

    "c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    "c:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"=

    "c:\\Program Files\\mIRC\\mirc.exe"=

    "c:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"=

    "c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

    "c:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"=

    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "7845:UDP"= 7845:UDP:ZSNES

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544]

    R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-05 24652]

    R3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006]

    S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2007-05-25 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"

    .

    Contents of the 'Scheduled Tasks' folder

    2008-12-11 c:\windows\Tasks\GoogleUpdateTaskUser.job

    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 13:43]

    .

    - - - - ORPHANS REMOVED - - - -

    BHO-{ecb4235c-30e5-4772-b5a6-78c55cce228b} - c:\windows\system32\bikemowo.dll

    HKLM-Run-wunejidapa - c:\windows\system32\tubivepo.dll

    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe

    MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    MSConfigStartUp-Computer Alarm Clock - c:\program files\Computer Alarm Clock\cac.exe

    MSConfigStartUp-CPMc39f7954 - c:\windows\system32\noyutumi.dll

    MSConfigStartUp-Desktop Architect - c:\progra~1\DESKTO~1\datray.exe

    MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe

    MSConfigStartUp-wunejidapa - c:\windows\system32\tubivepo.dll

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Connection Wizard,ShellNext = iexplore

    uInternet Settings,ProxyServer = 85.12.72.196:8080

    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe

    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk

    IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe -

    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk -

    FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\zp97ixph.default\

    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/

    FF -: plugin - c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll

    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll

    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

    FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-12-10 16:24:29

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe

    c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe

    c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe

    c:\program files\Common Files\LightScribe\LSSrvc.exe

    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

    c:\windows\system32\nvsvc32.exe

    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    .

    **************************************************************************

    .

    Completion time: 2008-12-10 16:30:47 - machine was rebooted

    ComboFix-quarantined-files.txt 2008-12-11 00:30:27

    Pre-Run: 11,276,001,280 bytes free

    Post-Run: 11,180,433,408 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    253 --- E O F --- 2008-11-11 21:28:14

    --

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 4:36:43 PM, on 12/10/2008

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16735)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

    C:\WINDOWS\system32\nvsvc32.exe

    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080

    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dll

    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exe

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --

    End of file - 7848 bytes

  4. 5. Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

    info.txt:

    --

    info.txt logfile of random's system information tool 1.04 2008-12-10 15:00:56

    ======Uninstall list======

    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

    7-Zip 4.56 beta-->"C:\Program Files\7-Zip\Uninstall.exe"

    Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}

    Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}

    Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}

    Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

    Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

    Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}

    Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}

    Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}

    Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

    Adobe Stock Photos 1.0-->MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}

    AIM Pro-->MsiExec.exe /X{D3A04D2F-28C4-4D9C-8487-DAB75992AE09}

    Anvil Studio-->C:\WINDOWS\system32\AsUninst.exe

    Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}

    Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}

    Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"

    AutoHotkey 1.0.47.05-->C:\Program Files\AutoHotkey\uninst.exe

    AVG Free Edition-->C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL

    Bayden TamperIE (remove only)-->"C:\Program Files\TamperIE\uninst.exe"

    Bink and Smacker-->C:\PROGRA~1\RADVideo\UNWISE.EXE C:\PROGRA~1\RADVideo\INSTALL.LOG

    BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe

    blueMSX-->MsiExec.exe /I{E932D883-BFCF-4A40-8AC7-5C0384582D90}

    Boilsoft Video Splitter 5.01-->"C:\Program Files\Boilsoft Video Splitter\unins000.exe"

    Bulent's Screen Recorder 4-->C:\Program Files\Bulent's Screen Recorder 4\Uninstall Screen Recorder 4.exe

    CamStudio-->C:\Program Files\CamStudio\uninstall.exe

    Cartman's Authoritah 1.3-->"C:\Program Files\CartmansAuthoritah\unins000.exe"

    CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

    CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"

    Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe

    Common RTP 1.0-->C:\WINDOWS\iun506.exe C:\Program Files\Enterbrain\RPG2003\RTP\\irunin.ini

    Console Classix 3.8-->"C:\Program Files\ConsoleClassix.com\unins000.exe"

    Daimonin Client 0.9.7-->"C:\Program Files\daimonin\client\unins000.exe"

    Dev-C++ 4-->C:\WINDOWS\uninst.exe -fC:\Dev-C++\DeIsL1.isu -cC:\Dev-C++\_ISREG32.DLL

    Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat

    EasyPHP 2.0b1-->"C:\Program Files\EasyPHP 2\unins000.exe"

    ffdshow [rev 1324] [2007-07-01]-->"C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe"

    FileZilla Client 3.1.1.1-->C:\Program Files\FileZilla Client\uninstall.exe

    FileZilla Server (remove only)-->"C:\Program Files\FileZilla Server\uninstall.exe"

    Free Download Manager 2.1-->"C:\Program Files\Free Download Manager\unins000.exe"

    GoldWave v5.20-->"C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.20" "C:\Program Files\GoldWave\unstall.log"

    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

    Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

    IE7Pro-->"C:\Program Files\IE7Pro\unins000.exe"

    ImageMagick 6.3.6-4 Q16 (11/01/07)-->"C:\Program Files\ImageMagick-6.3.6-Q16\unins000.exe"

    IndigoMail 3.10-->c:\sendmail\uninst.exe

    Install Creator-->C:\Documents and Settings\User\Desktop\games\RPG Maker utilities\Installer Creator\Uninstal.exe

    InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe

    InterVideo WinDVR 3-->"C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL

    IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe

    iTunes-->MsiExec.exe /I{01B51908-02EF-453B-87A9-815182E8C2F2}

    J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}

    J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}

    Java SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}

    K-Lite Codec Pack 3.3.0 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"

    Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall

    LightScribe System Software 1.14.17.1-->MsiExec.exe /X{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}

    LimeWire 4.16.6-->"C:\Program Files\LimeWire\uninstall.exe"

    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

    Meridian Advance (remove only)-->"C:\Program Files\Meridian Advance\uninstall.exe"

    Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"

    Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}

    Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}

    Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe

    Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}

    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

    Microsoft MPEG-4 VKI Video Codec V1/V2/V3-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\mpg4c32.inf

    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

    Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}

    Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}

    Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove

    Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}

    Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}

    Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}

    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

    Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework-->MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}

    Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32-->MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}

    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries-->MsiExec.exe /X{842FAF7C-50EF-4463-9B8F-6222E1384D7D}

    mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall

    Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

    MS Access 97 SP2-->C:\Program Files\Microsoft Office\setup\setup.exe

    MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

    MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

    MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

    Multitrack Stopwatch-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Multitrack Stopwatch\Uninst.isu" -c"C:\Program Files\Multitrack Stopwatch\setupsub.dll"

    MWSnap 3-->"C:\Program Files\MWSnap\uninstall.exe"

    neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

    Nintendo Wi-Fi USB Connector Registration Tool-->C:\Program Files\WiFiConnector\SoftAPUninst.exe

    NJStar Japanese WP-->C:\Program Files\NJStar Japanese WP\uninst.exe

    NoClone 2007 Free Edition-->MsiExec.exe /I{F9626821-177C-4698-B74D-B783152647F1}

    NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI

    Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe

    PHP 5.2.2-->MsiExec.exe /I{0D6BC279-CAD9-4BF8-85B7-6E33157D1261}

    PlayOnline Viewer & Tetra Master-->C:\Program Files\InstallShield Installation Information\{47004155-7376-403E-89E9-4C9F44AAF0D0}\setup.exe -runfromtemp -l0x0409

    Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}

    QuickTime-->MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}

    Real Alternative 1.8.2-->"C:\Program Files\Real Alternative\unins000.exe"

    RGSS-RTP Standard-->MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}

    RPG Maker 2000 1.05-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\install.log"

    RPG Maker 2003 v1.08-->"C:\Program Files\rpg2003\unins000.exe"

    RPG Maker 95+ (Translated by Don Miguel)-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASCII\RPG Maker 95+\DeIsL1.isu"

    RPG Maker VX RTP-->"C:\Program Files\Common Files\Enterbrain\RGSS2\RPGVX\unins000.exe"

    RPG Maker VX-->"C:\Program Files\Enterbrain\RPGVX\unins000.exe"

    RPGToolkit, Version 3.1.0-->C:\Program Files\Toolkit3\uninstall.exe

    RPGXP-->MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}

    RTP 1.32 Add-On for RM2k-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"

    RTP for RM2K (Png, Wav, Midi, Fonts)-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"

    Safari-->MsiExec.exe /X{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}

    Screensavers Installer Version 2-->"C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe"

    Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"

    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

    Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"

    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

    Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

    Skype

  5. Hi, first I'd like to thank you for your assistance. I went through each step you gave me and here are the logs you requested:

    1. Set Windows to show all files and all folders.

    Done.

    2. Take out the trash (temporary files & temporary internet files)

    Done. Only thing is, the Safari section was grayed out, so I manually cleared all personal data in Safari's browser.

    3. Download The Avenger by Swandog46 from here.

    Here are the logs from Avenger

    --

    Logfile of The Avenger Version 2.0, © by Swandog46

    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.

    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    No rootkits found!

    Error: file "C:\WINDOWS\system32\tubivepo.dll" not found!

    Deletion of file "C:\WINDOWS\system32\tubivepo.dll" failed!

    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\wunejidapa" not found!

    Deletion of driver "wunejidapa" failed!

    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

    --> the object does not exist

    Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" not found!

    Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" failed!

    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

    --> the object does not exist

    Error: registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" not found!

    Deletion of registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" failed!

    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

    --> the object does not exist

    Completed script processing.

    *******************

    Finished! Terminate.

    --

    4. Start your MBAM. Click the Update tab. Press the "Check for Updates" button.

    I started the full check before updating by accident, so I canceled it, cleared out all the infected files it caught right off, then updated and ran the full check completely. Here are the logs from both checks:

    --

    Malwarebytes' Anti-Malware 1.31

    Database version: 1481

    Windows 5.1.2600 Service Pack 3

    12/10/2008 1:00:23 PM

    mbam-log-2008-12-10 (13-00-23).txt

    Scan type: Full Scan (C:\|)

    Objects scanned: 17270

    Time elapsed: 1 minute(s), 33 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 3

    Registry Values Infected: 3

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    --

    Malwarebytes' Anti-Malware 1.31

    Database version: 1483

    Windows 5.1.2600 Service Pack 3

    12/10/2008 2:56:56 PM

    mbam-log-2008-12-10 (14-56-56).txt

    Scan type: Full Scan (C:\|)

    Objects scanned: 156438

    Time elapsed: 1 hour(s), 54 minute(s), 48 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 2

    Registry Values Infected: 1

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 3

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085415.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085416.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\rekomeve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    --

    -Continued in second post-

  6. This is the third time I've had serious malware issues in the past week. All three times I got rid of at least 10 infected files, and one of the three times involved a really nasty trojan that disabled my automatic updates. I think this regenerating registry key is the culprit, because I haven't downloaded anything at all, or visited any sites other than Gmail and Youtube since the last scan.

    Malwarebytes' Anti-Malware 1.30

    Database version: 1423

    Windows 5.1.2600 Service Pack 3

    12/9/2008 10:17:23 PM

    mbam-log-2008-12-09 (22-17-23).txt

    Scan type: Full Scan (C:\|)

    Objects scanned: 166464

    Time elapsed: 2 hour(s), 3 minute(s), 45 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    Says it's deleted, but it just regenerates. Here's my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 10:27:50 PM, on 12/9/2008

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16735)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\system32\nvsvc32.exe

    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\MSN Messenger\usnsvc.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080

    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dll

    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll

    O2 - BHO: (no name) - {ecb4235c-30e5-4772-b5a6-78c55cce228b} - C:\WINDOWS\system32\bikemowo.dll (file missing)

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [wunejidapa] Rundll32.exe "C:\WINDOWS\system32\tubivepo.dll",s

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exe

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O20 - AppInit_DLLs: C:\WINDOWS\system32\gitenayi.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe

    O23 - Service: iPod Service - Apple Inc.
- C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    --End of file - 7724 bytes