![](http://content.invisioncic.com/Mmalware/set_resources_28/84c1e40ea0e759e3f1505eb1788ddf3c_pattern.png)
Leviathan Mist
-
Posts
9 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by Leviathan Mist
-
-
So, I'm trying to fix a laptop that's infected with a trojan, and I'm pretty sure that this program called "Personal Antivirus" is the culprit. I can't uninstall it, and I can't install Malwarebytes or HijackThis, as when I try to run the install files, nothing happens. The laptop has AVG Antivirus on it already so I'm running that for now. First, I need to figure out how to get Malwarebytes and HijackThis installed so I can post the logs.
-
Done, thanks
-
Thanks for all the help, best customer service I've ever received - you made it simple and easy to understand, and nothing unexpected occurred. Best of all, my problem is fixed!
You really are a professional!
-
I have used a proxy before, but it was only for testing. I haven't used it in months, and don't intend to use one any time in the near future. The system looks pretty clean now and is running well. Here are the logs you requested:
SDFix logs:
--
SDFix: Version 1.240
Run by User on Wed 12/10/2008 at 08:25 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 20:45:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..
"khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:75,6a,d3,1e,15,a7,ed,96,5f,28,ee,96,e3,c9,e1,07,95,c2,a7,13,af,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..
"khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:be,c0,a7,29,37,93,63,f2,83,24,e9,af,19,be,71,5c,e8,20,d4,28,cb,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:dd,90,50,8b,6b,9b,46,6f,53,bf,2c,fd,ff,bf,a8,fd,b3,7c,8e,22,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4a,72,03,74,35,c8,2d,21,70,1b,02,e4,ef,d2,26,a5,30,a0,61,b9,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4e,84,15,7c,a7,d1,55,60,3a,bb,02,bf,ee,b2,3b,02,a0,..
"khjeh"=hex:48,ea,8a,f3,37,b1,bd,58,8e,00,5f,b1,6b,4b,b7,27,8f,f2,94,22,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:32,99,46,15,2d,44,9e,7f,d9,31,e9,8c,45,47,ac,b0,13,e9,79,dd,b6,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe:*:Enabled:zsnesw"
"C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE:*:Enabled:ZSNESW"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"="C:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe:*:Enabled:UberNES"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"="C:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe:*:Enabled:bgb"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 9 Jan 2007 56 ..SHR --- "C:\WINDOWS\system32\B6B1B609E1.sys"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\dojevabi.dll.tmp"
Thu 31 Jul 2008 1,838 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 9 Apr 2008 28,672 A..H. --- "C:\WINDOWS\system32\pkmShellMenu.dll"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\womaduzo.dll.tmp"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\zirifaye.dll.tmp"
Tue 6 May 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\A9983EFB3E.sys"
Thu 27 Nov 2008 1,682 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Sat 12 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 May 2008 198 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1131.tmp"
Mon 15 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
--
Kaspersky logs:
--
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 11, 2008 02:43:58
Records in database: 1451237
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
Scan statistics:
Files scanned: 120944
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:37:41
File name / Threat name / Threats count
C:\Documents and Settings\User\My Documents\sakura emi kimi omou off vocal.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
The selected area was scanned.
--
Malwarebytes scan log:
--
Malwarebytes' Anti-Malware 1.31
Database version: 1489
Windows 5.1.2600 Service Pack 3
12/11/2008 7:36:39 AM
mbam-log-2008-12-11 (07-36-39).txt
Scan type: Quick Scan
Objects scanned: 56988
Time elapsed: 7 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Combofix seems to have fixed the issue, but I'm not gonna jump to conclusions. Here are the logs you requested:
--
ComboFix 08-12-09.03 - User 2008-12-10 16:19:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.131 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\CF1.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Windows Live\Messenger\msimg32.dll
c:\windows\system32\command.pif
c:\windows\system32\gitenayi.dll
c:\windows\system32\lokadewe.dll
c:\windows\system32\srecorder.dll
c:\windows\Tasks\ukcwtdbe.job
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ISODRIVE
-------\Service_ISODrive
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.
2008-12-10 15:00 . 2008-12-10 15:00 <DIR> d-------- C:\rsit
2008-12-10 10:05 . 2008-12-10 10:05 95 --a------ c:\windows\wininit.ini
2008-12-10 00:22 . 2008-12-10 00:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 00:22 . 2008-12-10 00:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 23:44 . 2008-12-10 00:00 <DIR> d-------- c:\program files\Common Files\Nero
2008-12-09 23:44 . 2008-12-10 00:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-09 23:43 . 2008-12-09 23:43 <DIR> d-------- c:\program files\Common Files\LightScribe
2008-12-09 22:41 . 2008-12-09 22:41 <DIR> d-------- c:\program files\Panda Security
2008-12-09 22:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-05 22:54 . 2008-12-07 16:29 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-25 20:28 . 2008-12-09 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-25 20:28 . 2008-11-25 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 20:28 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 20:28 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 06:25 . 2008-11-25 06:25 <DIR> d-------- c:\program files\Trend Micro
2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\speech
2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\windows\lhsp
2008-11-22 18:23 . 2008-11-22 18:23 <DIR> d-------- c:\program files\CFS-Technologies
2008-11-19 15:55 . 2008-11-19 16:03 <DIR> d-------- c:\program files\Toolkit3
2008-11-11 13:18 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 13:17 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2008-12-10 07:46 --------- d-----w c:\program files\Nero
2008-12-08 05:50 --------- d-----w c:\documents and settings\User\Application Data\AVG7
2008-12-06 06:54 --------- d-----w c:\program files\Viewpoint
2008-12-06 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-27 10:54 1,682 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-11-26 06:30 --------- d-----w c:\program files\IrfanView
2008-11-25 14:26 --------- d-----w c:\documents and settings\User\Application Data\Free Download Manager
2008-11-01 20:56 --------- d-----w c:\program files\Diablo II
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 03:07 --------- d-----w c:\program files\MSN Messenger
2008-10-18 03:07 --------- d-----w c:\program files\Messenger Plus! Live
2008-10-16 02:22 --------- d-----w c:\program files\Safari
2008-10-16 02:22 --------- d-----w c:\documents and settings\User\Application Data\Apple Computer
2008-10-16 02:21 --------- d-----w c:\program files\Apple Software Update
2008-09-20 01:53 94,208 ----a-w c:\windows\DIIUnin.exe
2008-09-20 01:53 2,829 ----a-w c:\windows\DIIUnin.pif
2008-05-06 10:23 88 --sh--r c:\documents and settings\All Users\Application Data\A9983EFB3E.sys
2008-01-06 05:21 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-01-09 17:56 56 --sh--r c:\windows\system32\B6B1B609E1.sys
2008-07-31 09:20 1,838 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-19 07:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-21 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZDSV"= scrvid.dll
"msacm.l3codec"= l3codecp.acm
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to MS-DOS Prompt.pif]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to MS-DOS Prompt.pif
backup=c:\windows\pss\Shortcut to MS-DOS Prompt.pifCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Expodrine].pq.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Expodrine].pq.lnk
backup=c:\windows\pss\Shortcut to Leviathan Mist [Expodrine].pq.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Oobag].pq.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Oobag].pq.lnk
backup=c:\windows\pss\Shortcut to Leviathan Mist [Oobag].pq.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Leviathan Mist [Pemptus].pq.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Leviathan Mist [Pemptus].pq.lnk
backup=c:\windows\pss\Shortcut to Leviathan Mist [Pemptus].pq.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Shortcut to Penguin [Pemptus].pq.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Shortcut to Penguin [Pemptus].pq.lnk
backup=c:\windows\pss\Shortcut to Penguin [Pemptus].pq.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 20:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-09-20 07:30 579584 c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 11:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 14:29 165784 c:\program files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2006-08-20 23:24 2068527 c:\program files\Free Download Manager\fdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 13:43 133104 c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 14:24 257088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-06-09 10:16 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 23:43 8466432 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-28 23:43 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 15:08 21686568 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVRemote]
-ra------ 2006-02-13 17:59 24576 c:\program files\SVRemote\USB20Remote.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 15:02 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2005-08-15 21:31 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRemote]
--a------ 2005-08-15 21:30 208896 c:\program files\InterVideo\WinDVR3\WinRemote.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-28 23:43 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\netplay\\zsnesw.exe"=
"c:\\Documents and Settings\\User\\My Documents\\ROMs\\SNES\\zbattle\\ZSNESW.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\EasyPHP 2\\apache\\bin\\Apache.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\User\\My Documents\\ROMs\\NES\\UberNES\\UberNES.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Documents and Settings\\User\\My Documents\\ROMs\\GBC\\Emulator\\bgb.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7845:UDP"= 7845:UDP:ZSNES
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-05 24652]
R3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2007-05-25 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 13:43]
.
- - - - ORPHANS REMOVED - - - -
BHO-{ecb4235c-30e5-4772-b5a6-78c55cce228b} - c:\windows\system32\bikemowo.dll
HKLM-Run-wunejidapa - c:\windows\system32\tubivepo.dll
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-Computer Alarm Clock - c:\program files\Computer Alarm Clock\cac.exe
MSConfigStartUp-CPMc39f7954 - c:\windows\system32\noyutumi.dll
MSConfigStartUp-Desktop Architect - c:\progra~1\DESKTO~1\datray.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-wunejidapa - c:\windows\system32\tubivepo.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 85.12.72.196:8080
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{846F69C6-AEFA-45F7-ADF8-3550D72373BA} - c:\program files\TamperIE\TIECP.exe -
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk -
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\zp97ixph.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 16:24:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2008-12-10 16:30:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 00:30:27
Pre-Run: 11,276,001,280 bytes free
Post-Run: 11,180,433,408 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
253 --- E O F --- 2008-11-11 21:28:14
--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:43 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7848 bytes
-
5. Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
info.txt:
--
info.txt logfile of random's system information tool 1.04 2008-12-10 15:00:56
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.56 beta-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0-->MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
AIM Pro-->MsiExec.exe /X{D3A04D2F-28C4-4D9C-8487-DAB75992AE09}
Anvil Studio-->C:\WINDOWS\system32\AsUninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AutoHotkey 1.0.47.05-->C:\Program Files\AutoHotkey\uninst.exe
AVG Free Edition-->C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Bayden TamperIE (remove only)-->"C:\Program Files\TamperIE\uninst.exe"
Bink and Smacker-->C:\PROGRA~1\RADVideo\UNWISE.EXE C:\PROGRA~1\RADVideo\INSTALL.LOG
BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe
blueMSX-->MsiExec.exe /I{E932D883-BFCF-4A40-8AC7-5C0384582D90}
Boilsoft Video Splitter 5.01-->"C:\Program Files\Boilsoft Video Splitter\unins000.exe"
Bulent's Screen Recorder 4-->C:\Program Files\Bulent's Screen Recorder 4\Uninstall Screen Recorder 4.exe
CamStudio-->C:\Program Files\CamStudio\uninstall.exe
Cartman's Authoritah 1.3-->"C:\Program Files\CartmansAuthoritah\unins000.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Common RTP 1.0-->C:\WINDOWS\iun506.exe C:\Program Files\Enterbrain\RPG2003\RTP\\irunin.ini
Console Classix 3.8-->"C:\Program Files\ConsoleClassix.com\unins000.exe"
Daimonin Client 0.9.7-->"C:\Program Files\daimonin\client\unins000.exe"
Dev-C++ 4-->C:\WINDOWS\uninst.exe -fC:\Dev-C++\DeIsL1.isu -cC:\Dev-C++\_ISREG32.DLL
Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
EasyPHP 2.0b1-->"C:\Program Files\EasyPHP 2\unins000.exe"
ffdshow [rev 1324] [2007-07-01]-->"C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe"
FileZilla Client 3.1.1.1-->C:\Program Files\FileZilla Client\uninstall.exe
FileZilla Server (remove only)-->"C:\Program Files\FileZilla Server\uninstall.exe"
Free Download Manager 2.1-->"C:\Program Files\Free Download Manager\unins000.exe"
GoldWave v5.20-->"C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.20" "C:\Program Files\GoldWave\unstall.log"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IE7Pro-->"C:\Program Files\IE7Pro\unins000.exe"
ImageMagick 6.3.6-4 Q16 (11/01/07)-->"C:\Program Files\ImageMagick-6.3.6-Q16\unins000.exe"
IndigoMail 3.10-->c:\sendmail\uninst.exe
Install Creator-->C:\Documents and Settings\User\Desktop\games\RPG Maker utilities\Installer Creator\Uninstal.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVR 3-->"C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{01B51908-02EF-453B-87A9-815182E8C2F2}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 3.3.0 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LightScribe System Software 1.14.17.1-->MsiExec.exe /X{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}
LimeWire 4.16.6-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Meridian Advance (remove only)-->"C:\Program Files\Meridian Advance\uninstall.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft MPEG-4 VKI Video Codec V1/V2/V3-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\mpg4c32.inf
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework-->MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32-->MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries-->MsiExec.exe /X{842FAF7C-50EF-4463-9B8F-6222E1384D7D}
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS Access 97 SP2-->C:\Program Files\Microsoft Office\setup\setup.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Multitrack Stopwatch-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Multitrack Stopwatch\Uninst.isu" -c"C:\Program Files\Multitrack Stopwatch\setupsub.dll"
MWSnap 3-->"C:\Program Files\MWSnap\uninstall.exe"
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nintendo Wi-Fi USB Connector Registration Tool-->C:\Program Files\WiFiConnector\SoftAPUninst.exe
NJStar Japanese WP-->C:\Program Files\NJStar Japanese WP\uninst.exe
NoClone 2007 Free Edition-->MsiExec.exe /I{F9626821-177C-4698-B74D-B783152647F1}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PHP 5.2.2-->MsiExec.exe /I{0D6BC279-CAD9-4BF8-85B7-6E33157D1261}
PlayOnline Viewer & Tetra Master-->C:\Program Files\InstallShield Installation Information\{47004155-7376-403E-89E9-4C9F44AAF0D0}\setup.exe -runfromtemp -l0x0409
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
QuickTime-->MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Real Alternative 1.8.2-->"C:\Program Files\Real Alternative\unins000.exe"
RGSS-RTP Standard-->MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
RPG Maker 2000 1.05-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\install.log"
RPG Maker 2003 v1.08-->"C:\Program Files\rpg2003\unins000.exe"
RPG Maker 95+ (Translated by Don Miguel)-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASCII\RPG Maker 95+\DeIsL1.isu"
RPG Maker VX RTP-->"C:\Program Files\Common Files\Enterbrain\RGSS2\RPGVX\unins000.exe"
RPG Maker VX-->"C:\Program Files\Enterbrain\RPGVX\unins000.exe"
RPGToolkit, Version 3.1.0-->C:\Program Files\Toolkit3\uninstall.exe
RPGXP-->MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}
RTP 1.32 Add-On for RM2k-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"
RTP for RM2K (Png, Wav, Midi, Fonts)-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"
Safari-->MsiExec.exe /X{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
Screensavers Installer Version 2-->"C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Skype
-
Hi, first I'd like to thank you for your assistance. I went through each step you gave me and here are the logs you requested:
1. Set Windows to show all files and all folders.
Done.
2. Take out the trash (temporary files & temporary internet files)
Done. Only thing is, the Safari section was grayed out, so I manually cleared all personal data in Safari's browser.
3. Download The Avenger by Swandog46 from here.[.i]
Here are the logs from Avenger
--
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\tubivepo.dll" not found!
Deletion of file "C:\WINDOWS\system32\tubivepo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\wunejidapa" not found!
Deletion of driver "wunejidapa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wunejidapa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices|wunejidapa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
--
4. Start your MBAM. Click the Update tab. Press the "Check for Updates" button.
I started the full check before updating on accident, so I canceled it, cleared out all the infected files it caught right off, then updated and ran the full check completely. Here are the logs from both checks:
--
Malwarebytes' Anti-Malware 1.31
Database version: 1481
Windows 5.1.2600 Service Pack 3
12/10/2008 1:00:23 PM
mbam-log-2008-12-10 (13-00-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 17270
Time elapsed: 1 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--
Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3
12/10/2008 2:56:56 PM
mbam-log-2008-12-10 (14-56-56).txt
Scan type: Full Scan (C:\|)
Objects scanned: 156438
Time elapsed: 1 hour(s), 54 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ecb4235c-30e5-4772-b5a6-78c55cce228b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085415.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8D271AF-C88C-474F-ACDA-C226F9E66E35}\RP699\A0085416.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rekomeve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
--
-Continued in second post-
-
This is the third time I've had serious malware issues in the past week. All three times I got rid of at least 10 infected files, and one of the three times involved a really nasty trojan that disabled my automatic updates. I think this regenerating registry key is the culprit, because I haven't downloaded anything at all, or visited any sites other than Gmail and Youtube since the last scan.
Malwarebytes' Anti-Malware 1.30Database version: 1423Windows 5.1.2600 Service Pack 3 12/9/2008 10:17:23 PMmbam-log-2008-12-09 (22-17-23).txt Scan type: Full Scan (C:\|)Objects scanned: 166464Time elapsed: 2 hour(s), 3 minute(s), 45 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:(No malicious items detected) Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wunejidapa (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)
Says it's deleted, but it just regenerates. Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:27:50 PM, on 12/9/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\nvsvc32.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.12.72.196:8080O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO2 - BHO: TamperIE - {7F09A208-7569-46DB-94E5-1E385E68F77A} - C:\PROGRA~1\TamperIE\IETamper.dllO2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dllO2 - BHO: (no name) - {ecb4235c-30e5-4772-b5a6-78c55cce228b} - C:\WINDOWS\system32\bikemowo.dll (file missing)O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [wunejidapa] Rundll32.exe "C:\WINDOWS\system32\tubivepo.dll",sO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htmO8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htmO8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dllO9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dllO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dllO9 - Extra button: TamperIE Control Panel - {846F69C6-AEFA-45F7-ADF8-3550D72373BA} - C:\Program Files\TamperIE\TIECP.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\WINDOWS\system32\gitenayi.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe --End of file - 7724 bytes
Infected laptop
in Resolved Malware Removal Logs
Posted
Hey, I just wanted to say thanks for the assistance. The tutorial worked and I was able to run malwarebytes, ran multiple scans until there were no threats found, then ran Kaspersky's online scanner and found no infected objects, so I believe I'm clean.