fsdoubleflip Posted January 31, 2009 ID:52260 Share Posted January 31, 2009 I have unfortunately succumbed to the Superjuan/ msjuan virus. I'm sure you guys are familiar with it by now, as I've seen a lot of users asking for help with it. Please forgive me if I post incorrectly, as I'm not used to having to ask for help in removing viruses - the programs usually do it for me. But this one is tricky. I dunno if it is part of the msjuan virus, but I get popups from time to time, even though i have popupblocker turned on. Ironically, one of them is for an anti-spyware program .okay so here's the HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:21:06 AM, on 1/31/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Common Files\Real\Update_OB\realsched.exeE:\iTunes\iTunesHelper.exeC:\Program Files\D-Tools\daemon.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\iPod\bin\iPodService.exeE:\Widgets\YahooWidgets.exeE:\Widgets\YahooWidgets.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: (no name) - - (no file)O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dllO2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {140A896B-B87C-4482-BCB1-FD2BAC5B2409} - C:\WINDOWS\system32\iiFuSMCU.dll (file missing)O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dllO3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - (no file)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckRegO4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [bearShare] "E:\Program Files\BearShare Test\BearShare.exe" /pauseO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')O4 - Startup: Yahoo! Widgets.lnk = E:\Widgets\YahooWidgets.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Devin\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL kpdcol.dll irdugo.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: mLeDTnlJ - mLeDTnlJ.dll (file missing)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 11040 bytesand, if needed, malwarebytes:Registry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 3Files Infected: 26Memory Processes Infected:C:\Program Files\Antispyware\Antispyware.exe (Rogue.Antispyware) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\SYSTEM32\jrpfdvbq.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\irdugo.dll (Trojan.Vundo) -> Delete on reboot.C:\Program Files\Antispyware\SpyCleaner.dll (Rogue.SpyCleaner) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware (Adware.Starware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager (Adware.Starware) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\SYSTEM32\jrpfdvbq.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\irdugo.dll (Trojan.Vundo) -> Delete on reboot.C:\Program Files\Antispyware\SpyCleaner.dll (Rogue.SpyCleaner) -> Delete on reboot.C:\Documents and Settings\Devin\Local Settings\Application Data\Mozilla\Firefox\Profiles\05jty80b.default\Cache\96490AAAd01 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\JXRNFXHZ\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\CATSU91R (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\My Documents\Downloads\Sony DVD Architect Studio 4.5c build 91\keygen.exe (Backdoor.SDBot) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-18\Dc3744.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2110.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2111.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2214.exe (Adware.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0185501.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0185502.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP427\A0190731.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\ggbyxxms.dll (Trojan.Vundo) -> Quarantined and deleted successfully.E:\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\Antispyware on the Web.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\Antispyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.C:\Program Files\Antispyware\Antispyware.exe (Rogue.Antispyware) -> Delete on reboot.C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Desktop\Antispyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.once again, I apologize if i posted incorrectly. Any help at all would be appreciated!!! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 1, 2009 Root Admin ID:52402 Share Posted February 1, 2009 Please uninstall Bearshare file sharing utility.File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy. Risks of File-Sharing TechnologyPlease disable the Steam game engine temporarily while we clean your system.Not mandatory, but I'd recommend removing Viewpoint Manager ServicePlease go into the Control Panel, Add/Remove and for now remove ALL versions of JAVAWhen we're done you can go back and install the latest version but for now please do not install any.Then run this tool to help cleanup any left over JavaYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location and post it back when you replyThen look for the following Java folders and if found delete them.C:\Program Files\JavaC:\Program Files\Common Files\JavaC:\Documents and Settings\All Users\Application Data\JavaC:\Documents and Settings\All Users\Application Data\Sun\JavaC:\Documents and Settings\username\Application Data\JavaC:\Documents and Settings\username\Application Data\Sun\JavaSTARTThe following instructions are only for this Forum member fsdoubleflipPlease do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.Please DO NOT use the Attachment feature for any log files. Do a Copy/Paste of the entire contents of the log file and submit it inside your reply post.STEP 01Download FixPolicies.exe by Bill Castner and save it to your desktop.Double click on FixPolicies.exe to run it.Click on Install. It will create a folder named FixPolicies on your desktop.Open the FixPolicies folder.Double click on Fix_policies.cmd to run it.A black box will briefly appear and then close, it only takes a second and it's done. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.STEP 02Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup215.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner"Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log FilesClick on Run Cleaner button on the bottom right side of the program.Click OK to any promptsSTEP 03Reconfigure Windows XP to show hidden files:To enable the viewing of Hidden files follow these steps: * Close all programs so that you are at your desktop. * Double-click on the My Computer icon. * Select the Tools menu and click Folder Options. * After the new window appears select the View tab. * Put a checkmark in the checkbox labeled Display the contents of system folders. * Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. * Remove the checkmark from the checkbox labeled Hide file extensions for known file types. * Remove the checkmark from the checkbox labeled Hide protected operating system files. * Press the Apply button and then the OK button and exit My Computer. * Now your computer is configured to show all hidden files.STEP 04With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: (no name) - - (no file)O2 - BHO: (no name) - {140A896B-B87C-4482-BCB1-FD2BAC5B2409} - C:\WINDOWS\system32\iiFuSMCU.dll (file missing)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dllO3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - (no file)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO4 - HKLM\..\Run: [bearShare] "E:\Program Files\BearShare Test\BearShare.exe" /pauseO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Devin\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL kpdcol.dll irdugo.dllO20 - Winlogon Notify: mLeDTnlJ - mLeDTnlJ.dll (file missing)Then Quit All Browsers including the one you're reading this in now.Then click on Fix checked and then quit HJTSTEP 05Download but do not yet run ComboFixIf you have a previous version of Combofix.exe, delete it and download a fresh copy.Download it to your DESKTOP - it MUST run from the Desktopdownload.bleepingcomputer.com/sUBs/ComboFix.exesubs.geekstogo.com/ComboFix.exeUsing your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank linesKILLALL::RegLock::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]Registry::[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with with your results log open. Do a File, Exit.A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.STEP 06Run HijackThis again, System scan only, and save the log file.STEP 07Please post back to the Forum:Your last MBAM log resultsThe contents of C:\Combofix.txtYour new HijackThis log Link to post Share on other sites More sharing options...
fsdoubleflip Posted February 1, 2009 Author ID:52587 Share Posted February 1, 2009 MBAMRegistry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 3Files Infected: 26Memory Processes Infected:C:\Program Files\Antispyware\Antispyware.exe (Rogue.Antispyware) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\SYSTEM32\jrpfdvbq.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\irdugo.dll (Trojan.Vundo) -> Delete on reboot.C:\Program Files\Antispyware\SpyCleaner.dll (Rogue.SpyCleaner) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware (Adware.Starware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager (Adware.Starware) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\SYSTEM32\jrpfdvbq.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\SYSTEM32\irdugo.dll (Trojan.Vundo) -> Delete on reboot.C:\Program Files\Antispyware\SpyCleaner.dll (Rogue.SpyCleaner) -> Delete on reboot.C:\Documents and Settings\Devin\Local Settings\Application Data\Mozilla\Firefox\Profiles\05jty80b.default\Cache\96490AAAd01 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\JXRNFXHZ\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\CATSU91R (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Devin\Local Settings\Temporary Internet Files\Content.IE5\R96MMDRL\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\My Documents\Downloads\Sony DVD Architect Studio 4.5c build 91\keygen.exe (Backdoor.SDBot) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-18\Dc3744.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2110.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2111.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\RECYCLER\S-1-5-21-2985862323-1253851296-254320386-1006\Dc2214.exe (Adware.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0185501.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0185502.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP427\A0190731.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\ggbyxxms.dll (Trojan.Vundo) -> Quarantined and deleted successfully.E:\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\Antispyware on the Web.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Start Menu\Programs\Antispyware\Antispyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\Starware\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.C:\Program Files\Antispyware\Antispyware.exe (Rogue.Antispyware) -> Delete on reboot.C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Desktop\Antispyware.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.HJT:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:29:22 PM, on 2/1/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeE:\iTunes\iTunesHelper.exeC:\Program Files\D-Tools\daemon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\iPod\bin\iPodService.exeE:\Widgets\YahooWidgets.exeC:\WINDOWS\system32\ctfmon.exeE:\Widgets\YahooWidgets.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Mozilla Firefox\firefox.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dllO2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckRegO4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')O4 - Startup: Yahoo! Widgets.lnk = E:\Widgets\YahooWidgets.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 9321 bytesComboFix:ComboFix 09-02-01.01 - Devin 2009-02-01 13:47:16.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.204 [GMT -5:00]Running from: c:\documents and settings\Devin\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Devin\Desktop\CFscript.txt * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.datc:\documents and settings\Owner\Local Settings\Temporary Internet Files\temp.dmfc:\program files\Antispywarec:\program files\Antispyware\Antispyware.urlc:\program files\Antispyware\DataBase.refc:\program files\Antispyware\TCL.dllc:\program files\Antispyware\vistaCPtasks.xmlc:\program files\Antispyware\zlib.dllc:\program files\winupdatesc:\program files\winupdates\a.zipc:\windows\a3kebook.inic:\windows\akebook.inic:\windows\ANS2000.INIc:\windows\system32\AutoRun.infc:\windows\system32\fo-remove.exec:\windows\system32\irdugo.dllc:\windows\system32\jrpfdvbq.dllc:\windows\system32\qbvdfprj.inic:\windows\system32\tlfjofrm.inic:\windows\system32\UCMSuFii.inic:\windows\SYSTEM32\UCMSuFii.ini2c:\windows\Tasks\rsjjvitp.job.((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 ))))))))))))))))))))))))))))))).2009-02-01 13:09 . 2009-02-01 13:09 <DIR> d-------- c:\program files\CCleaner2009-01-31 10:20 . 2009-01-31 10:20 <DIR> d-------- c:\program files\Trend Micro2009-01-30 22:26 . 2009-01-30 22:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-30 22:26 . 2009-01-30 22:26 <DIR> d-------- c:\documents and settings\Devin\Application Data\Malwarebytes2009-01-30 22:26 . 2009-01-30 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-30 22:26 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys2009-01-30 22:26 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys2009-01-30 22:15 . 2009-01-30 22:22 <DIR> d-------- c:\documents and settings\Devin\Application Data\Antispyware2009-01-29 21:42 . 2009-01-29 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-01-29 21:41 . 2009-01-29 21:41 <DIR> d-------- c:\program files\SUPERAntiSpyware2009-01-29 21:41 . 2009-01-29 21:41 <DIR> d-------- c:\documents and settings\Devin\Application Data\SUPERAntiSpyware.com2009-01-29 21:10 . 2009-01-29 21:16 <DIR> d-------- c:\documents and settings\Devin\eee2009-01-29 21:07 . 2009-01-29 21:07 45,984 --a------ c:\windows\SYSTEM32\ins2.exe2009-01-23 01:19 . 2009-01-23 01:26 <DIR> d-------- c:\documents and settings\Devin\Application Data\U32009-01-15 01:52 . 2009-01-15 01:52 <DIR> d-------- c:\documents and settings\Devin\Application Data\vlc2009-01-15 00:34 . 2009-01-15 00:37 <DIR> d-------- c:\program files\DivX2009-01-15 00:28 . 2009-01-15 00:28 <DIR> d-------- c:\program files\D-Tools2009-01-15 00:28 . 2004-08-22 16:31 155,136 --a------ c:\windows\SYSTEM32\DRIVERS\d347bus.sys2009-01-15 00:28 . 2004-08-22 16:31 5,248 --a------ c:\windows\SYSTEM32\DRIVERS\d347prt.sys2009-01-13 09:53 . 2006-06-14 03:47 172,416 -----c--- c:\windows\SYSTEM32\DLLCACHE\kmixer.sys2009-01-13 09:53 . 2006-06-01 13:47 163,840 -----c--- c:\windows\SYSTEM32\DLLCACHE\jgdw400.dll2009-01-13 09:53 . 2006-06-14 04:00 82,944 -----c--- c:\windows\SYSTEM32\DLLCACHE\wdmaud.sys2009-01-13 09:53 . 2006-06-01 13:47 27,648 -----c--- c:\windows\SYSTEM32\DLLCACHE\jgpl400.dll2009-01-13 09:53 . 2006-06-14 03:47 6,400 -----c--- c:\windows\SYSTEM32\DLLCACHE\splitter.sys2009-01-11 14:40 . 2009-01-11 14:40 <DIR> d-------- c:\program files\tamasoftware2009-01-01 01:56 . 2009-01-01 01:56 <DIR> d-------- c:\program files\Magic Morph2009-01-01 01:51 . 2009-01-01 01:53 <DIR> d-------- c:\program files\Total Video Converter.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-01 18:24 --------- d-----w c:\program files\GoogleAFE2009-02-01 18:24 --------- d-----w c:\program files\Google2009-02-01 17:59 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint2009-02-01 17:56 --------- d-----w c:\program files\BearShare Test2009-02-01 13:55 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater2009-01-30 02:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard2009-01-28 21:25 --------- d-----w c:\documents and settings\Devin\Application Data\LimeWire2009-01-15 05:32 --------- d-----w c:\program files\VideoLAN2008-12-31 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}2008-12-31 04:59 --------- d-----w c:\program files\iPod2008-12-31 04:58 --------- d-----w c:\program files\Bonjour2008-12-31 04:57 --------- d-----w c:\program files\QuickTime2008-12-30 23:20 --------- d-----w c:\documents and settings\Devin\Application Data\My Sam's Club Digital Photo Center2008-12-29 19:39 --------- d-----w c:\program files\Guitar Pro 52008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys2008-12-11 02:17 384 -c--a-w c:\documents and settings\Owner\Application Data\internaldb6334.dat2008-12-11 00:33 86,016 ----a-w c:\windows\SYSTEM32\dpl100.dll2008-12-11 00:33 200,704 ----a-w c:\windows\SYSTEM32\dtu100.dll2008-12-10 21:30 555 -c--a-w c:\documents and settings\Owner\Application Data\internaldb8467.dat2008-12-10 21:30 18,432 -c--a-w c:\documents and settings\Owner\Application Data\internaldb41.dat2008-12-09 02:28 593,920 ----a-w c:\windows\SYSTEM32\dpuGUI11.dll2008-12-09 02:28 57,344 ----a-w c:\windows\SYSTEM32\dpv11.dll2008-12-09 02:28 344,064 ----a-w c:\windows\SYSTEM32\dpus11.dll2008-12-09 02:28 294,912 ----a-w c:\windows\SYSTEM32\dpu11.dll2008-11-06 16:37 524,288 ----a-w c:\windows\SYSTEM32\DivXsm.exe2008-11-06 16:37 3,596,288 ----a-w c:\windows\SYSTEM32\qt-dx331.dll2008-11-06 16:37 129,784 ------w c:\windows\SYSTEM32\pxafs.dll2008-11-06 16:37 120,056 -c----w c:\windows\SYSTEM32\pxcpyi64.exe2008-11-06 16:37 118,520 -c----w c:\windows\SYSTEM32\pxinsi64.exe2008-11-06 16:35 200,704 ----a-w c:\windows\SYSTEM32\ssldivx.dll2008-11-06 16:35 1,044,480 ----a-w c:\windows\SYSTEM32\libdivx.dll2008-11-06 16:33 823,296 ----a-w c:\windows\SYSTEM32\divx_xx0c.dll2008-11-06 16:33 823,296 ----a-w c:\windows\SYSTEM32\divx_xx07.dll2008-11-06 16:33 815,104 ----a-w c:\windows\SYSTEM32\divx_xx0a.dll2008-11-06 16:33 802,816 ----a-w c:\windows\SYSTEM32\divx_xx11.dll2008-11-06 16:33 684,032 ----a-w c:\windows\SYSTEM32\DivX.dll2008-11-06 16:33 12,288 -c--a-w c:\windows\SYSTEM32\DivXWMPExtType.dll2006-08-22 03:29 31,514 -c--a-w c:\program files\startup.8xk2006-08-22 03:02 710,374 -c--a-w c:\program files\TI84Plus_OS.8Xu2006-08-22 03:01 552,604 -c--a-w c:\program files\TI83Plus_OS.8Xu2006-08-14 23:55 3,455,625 -c--a-w c:\program files\APD.zip2006-07-12 15:15 10,245,279 -c--a-w c:\program files\XBOXAR_USsetup1_31.zip2006-06-07 03:50 19,968 -c--a-w c:\program files\adresses.doc2006-02-03 16:37 710,374 -c--a-w c:\program files\TI84Plus_OS240.8xu2006-01-07 14:14 688,128 -c--a-w c:\program files\autostitch.exe2005-12-05 23:28 916,806 -c--a-w c:\program files\Dec2005_MDX1_x86.cab2005-12-05 23:28 86,925 -c--a-w c:\program files\Oct2005_xinput_x64.cab2005-12-05 23:28 46,247 -c--a-w c:\program files\Oct2005_xinput_x86.cab2005-12-05 23:28 41,888 -c--a-w c:\program files\dxdllreg_x86.cab2005-12-05 23:28 3,673,932 -c--a-w c:\program files\Dec2005_MDX1_x86_Archive.cab2005-12-05 23:28 1,358,864 -c--a-w c:\program files\Dec2005_d3dx9_28_x64.cab2005-12-05 23:27 1,080,344 -c--a-w c:\program files\Dec2005_d3dx9_28_x86.cab2005-04-04 18:11 3,218 -c--a-w c:\program files\README.TXT2005-04-04 18:10 636 -c--a-w c:\program files\LICENSE.TXT2002-10-04 19:09 204,800 -c--a-w c:\windows\INF\FXPlugin.dll2007-11-15 20:05 89,088 ----a-w c:\program files\mozilla firefox\plugins\atl71.dll2007-11-15 20:05 53,248 ----a-w c:\program files\mozilla firefox\plugins\boost_filesystem-vc71-mt-1_33_1.dll2007-11-15 20:05 499,712 ----a-w c:\program files\mozilla firefox\plugins\msvcp71.dll2007-11-15 20:05 348,160 ----a-w c:\program files\mozilla firefox\plugins\msvcr71.dll2007-11-15 20:05 110,592 ----a-w c:\program files\mozilla firefox\plugins\v22_base.dll2007-11-15 20:05 114,688 ----a-w c:\program files\mozilla firefox\plugins\v22_compression.dll2007-11-15 20:05 106,496 ----a-w c:\program files\mozilla firefox\plugins\v22_connect.dll2007-11-15 20:05 229,376 ----a-w c:\program files\mozilla firefox\plugins\v22_update.dll2007-11-15 20:05 196,608 ----a-w c:\program files\mozilla firefox\plugins\v22_utility.dll2007-11-15 20:05 159,744 ----a-w c:\program files\mozilla firefox\plugins\v22_winapplib.dll2008-12-16 01:41 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll.------- Sigcheck -------2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\SYSTEM32\svchost.exe2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\SYSTEM32\DLLCACHE\svchost.exe2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\SYSTEM32\ws2_32.dll2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\SYSTEM32\DLLCACHE\ws2_32.dll2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\SYSTEM32\winlogon.exe2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\SYSTEM32\DLLCACHE\winlogon.exe2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\SYSTEM32\DLLCACHE\ndis.sys2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\SYSTEM32\DRIVERS\ndis.sys2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SYSTEM32\DLLCACHE\ip6fw.sys2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SYSTEM32\DRIVERS\ip6fw.sys2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\SYSTEM32\services.exe2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\SYSTEM32\DLLCACHE\services.exe2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\SYSTEM32\lsass.exe2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\SYSTEM32\DLLCACHE\lsass.exe2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\SYSTEM32\ctfmon.exe2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\SYSTEM32\DLLCACHE\ctfmon.exe2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\userinit.exe2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\DLLCACHE\userinit.exe2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\SYSTEM32\TERMSRV.DLL2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\SYSTEM32\DLLCACHE\termsrv.dll2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\SYSTEM32\powrprof.dll2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\SYSTEM32\DLLCACHE\powrprof.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-13 1410296]"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-15 29744]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-14 520192]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]"VirusScannerPro"="c:\progra~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-09-01 173312]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 185896]"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]"iTunesHelper"="e:\itunes\iTunesHelper.exe" [2008-11-20 290088]"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]"nwiz"="nwiz.exe" [2006-10-22 c:\windows\SYSTEM32\nwiz.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-05-15 67264]c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-19 110592]Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 118784]Registration Myst V [2006-02-07 0]c:\documents and settings\Devin\Start Menu\Programs\Startup\Yahoo! Widgets.lnk - e:\widgets\YahooWidgets.exe [2007-12-11 3746856]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-19 110592]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"vidc.I420"= vdrcodec.dll"VIDC.MJPG"= Pvmjpg21.dll"VIDC.PIM1"= pclepim1.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Google\\Google Talk\\googletalk.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Common Files\\AOL\\1153170047\\ee\\aolsoftware.exe"="c:\\Program Files\\Common Files\\AOL\\1153170047\\ee\\aim6.exe"="c:\\Program Files\\utorrent\\utorrent.exe"="c:\\Program Files\\Shareaza\\Shareaza.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\rustyn90\\garrysmod\\hl2.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\rustyn90\\source sdk base\\hl2.exe"="c:\\Program Files\\Valve\\Steam\\Steam.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\rustyn90\\counter-strike source\\hl2.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\ijji\\ENGLISH\\u_gunz.exe"="c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="e:\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724"5353:TCP"= 5353:TCP:Adobe CSI CS4R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]R2 tmpreflt;tmpreflt;c:\progra~1\AVANQU~1\Fix-It\tmpreflt.sys [2007-08-31 32528]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [2006-01-03 72576]S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2005-12-28 29744]S3 idmc1aud;Intel® Play USB Audio Filter (WDM);c:\windows\SYSTEM32\DRIVERS\idmc1aud.sys [2006-07-27 15188]S3 IDMC1Blk;Intel Play DMC Download Driver;c:\windows\SYSTEM32\DRIVERS\IDMC1Blk.sys [2006-07-27 14628]S3 IDMC1Vxp;Intel® Play DMC Camera;c:\windows\SYSTEM32\DRIVERS\idmc1vme.sys [2006-07-27 416564]S3 MailScan;MailScan;c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [2007-09-01 20496]S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [2001-01-02 19677][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]\Shell\AutoRun\command - H:\LaunchU3.exe -a[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db20963-bbcd-11dd-966f-000625271ce6}]\Shell\AutoRun\command - H:\LaunchU3.exe -a.Contents of the 'Scheduled Tasks' folder2009-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe []2009-01-27 c:\windows\Tasks\Scheduled Checkpoint.job- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [].- - - - ORPHANS REMOVED - - - -WebBrowser-{08FCF7E3-5F7D-444E-8554-76A516EB3C6C} - (no file)HKCU-Run-Aim6 - (no file).------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Devin\Application Data\Mozilla\Firefox\Profiles\05jty80b.default\FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\NPView22.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dllFF - plugin: c:\program files\Picasa2\npPicasa2.dllFF - plugin: c:\program files\view22\version_4\NPView22.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dllFF - plugin: e:\itunes\Mozilla Plugins\npitunes.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-01 13:52:09Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-2985862323-1253851296-254320386-1006\Software\SecuROM\License information*]"datasecu"=hex:7b,51,6f,97,5a,13,79,92,2e,fb,31,fc,6f,9e,81,e5,d7,66,b1,06,8e, 57,b0,3e,dd,c6,2f,2f,08,94,68,dd,f3,96,95,15,0b,7a,cd,83,22,a7,22,e6,e4,ca,\"rkeysecu"=hex:54,2e,7f,23,dd,68,8d,01,71,68,9d,e4,cc,86,f1,18[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,4f,e4,22,01,5e, 8a,09,22,c8,28,51,af,b0,29,a3,98,01,96,8c,ba,2b,73,a0,3f,e2,63,26,f1,3f,c8,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,b9,70,46,4b,44, 29,96,ed,71,3b,04,66,8b,46,0d,96,98,ac,d5,06,fa,b5,bb,b0,6a,9c,d6,61,af,45,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,1b,eb,f5,49,87, e7,43,6b,25,da,ec,7e,55,20,c9,26,bd,7c,5b,6a,77,03,4b,a0,ff,7c,85,e0,43,d4,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,f8,b1,21,99,b9, 02,fa,cf,3e,1e,9e,e0,57,5a,93,61,03,3d,46,42,b1,3c,52,8b,86,8c,21,01,be,91,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,bb,7c,9d,5a,8f, 9e,0a,d8,cd,44,cd,b9,a6,33,6c,cd,d3,ca,c0,75,3c,2a,fd,e9,f5,1d,4d,73,a8,13,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348A7}\Implemented Categories]@DACL=(02 0000)[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348A7}\InprocServer32]@DACL=(02 0000)@="c:\\WINDOWS\\system32\\UpMedia\\SearchTool.dll""ThreadingModel"="Apartment"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,47,c2,80,c1,fb, ee,79,79,b0,18,ed,a7,3f,8d,37,a4,80,9d,0d,96,f1,d8,95,51,df,20,58,62,78,6b,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,94,14,b7,a3,b9, 28,f3,f4,31,77,e1,ba,b1,f8,68,02,af,56,62,a4,6d,84,f0,89,fb,a7,78,e6,12,2f,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,b7,2f,19,0a,9f, 16,23,97,83,6c,56,8b,a0,85,96,ab,65,82,da,14,bd,28,e5,ee,01,3a,48,fc,e8,04,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,58,e7,86,65,3a, 32,e6,7b,51,fa,6e,91,28,9e,14,cc,b8,d3,85,ff,37,b3,90,f3,f6,0f,4e,58,98,5b,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,19,ad,20,22,10, fb,15,90,b1,cd,45,5a,a8,c4,f8,b9,57,6f,e1,5d,cc,36,d2,5c,3d,ce,ea,26,2d,45,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,f2,1a,46,d0,34, 2c,f9,91,e3,0e,66,d5,eb,bc,2f,6b,9d,5d,48,e0,59,cd,4b,bd,2a,b7,cc,b5,b9,7f,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]"ThreadingModel"="Apartment"@="c:\\WINDOWS\\system32\\OLE32.DLL""8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1c,7c,f6,e8,87, 3c,b3,7f,fa,ea,66,7f,d4,3b,6b,70,6e,2d,70,3a,59,c1,2e,e9,6c,43,2d,1e,aa,22,\.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(912)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll.------------------------ Other Running Processes ------------------------.c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exec:\program files\Bonjour\mDNSResponder.exec:\progra~1\AVANQU~1\Fix-It\mxtask.exec:\program files\Google\Common\Google Updater\GoogleUpdaterService.exec:\windows\SYSTEM32\nvsvc32.exec:\progra~1\AVANQU~1\Fix-It\mxtask.exec:\program files\Windows Media Player\wmpnetwk.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2009-02-01 14:03:09 - machine was rebootedComboFix-quarantined-files.txt 2009-02-01 19:03:05Pre-Run: 7,013,859,328 bytes freePost-Run: 6,968,066,048 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect403 --- E O F --- 2009-01-15 08:02:03 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:52892 Share Posted February 3, 2009 RootRepeal - Rootkit DetectorPlease download the following tool: RootRepeal - Rootkit DetectorDirect download link is here: RootRepeal.rarIf you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRARExtract the program file to a new folder such as C:\RootRepealRun the program RootRepeal.exe and go to the REPORT tab and click on the Scan buttonSelect ALL of the checkboxes and then click OK and it will start scanning your system.If you have multiple drives you only need to check the C: drive or the one Windows is installed on.When done, click on Save ReportSave it to the same location where you ran it from, such as C:\RootRepealSave it as your_name_rootrepeal.txt - where your_name is your forum nameThis makes it more easy to track who the log belongs to.Then open that log and select all and copy/paste it back on your next reply please.Quit the RootRepeal program. Link to post Share on other sites More sharing options...
fsdoubleflip Posted February 3, 2009 Author ID:53154 Share Posted February 3, 2009 rootrepeal keeps crashing on me. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53317 Share Posted February 4, 2009 Okay, please run the following and we'll take a look and see what's currently going on.Please download this tool and run it and then post back the results. reglooks.exeUpdate and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 11, 2009 Root Admin ID:55498 Share Posted February 11, 2009 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts