
Deleting Registry Key: BHO Trojan



Hello.

I posted another topic below: http://www.malwarebytes.org/forums/index.php?showtopic=8472

I apologize for the double post, however there was no response - I am sure you are all quite busy - but my question has changed somewhat. I am now looking for help in changing the permissions of a registry key so I can delete the source of my BHO trojan.

This is the registry key infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO)

When I go into regedit, I can locate it with ease but cannot rename or delete the file. I cannot even modify the data. I backed up my registry just in case prior to attempting to delete it. I am wondering if anyone has any idea of what else I can do to delete this key and remove this trojan from my life once and for all! I have tried this both in normal and safe mode, and none of the malware software I have can remove it (it just resets at winlogin).

Thanks in advance :)

PS - Here are my previous logs. I have not been using my computer at all except to attempt to delete this registry key and complete the scans.

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 3

14/12/2008 9:55:21 PM

mbam-log-2008-12-14 (21-55-21).txt

Scan type: Quick Scan

Objects scanned: 75111

Time elapsed: 21 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Panda Scan:

;*******************************************************************************

ANALYSIS: 2008-12-15 17:40:12

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

McAfee VirusScan 9.0 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}

00158271 dialer.asl Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}

00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Shains\Local Settings\Temp\Cookies\shains@landing.domainsponsor[1].txt

00173545 Cookie/Rn11 TrackingCookie No 0 Yes No C:\Documents and Settings\Shains\Local Settings\Temp\Cookies\shains@rn11[2].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Shains\Local Settings\Temp\Cookies\shains@did-it[1].txt

00252281 Adware/Trymedia Adware No 0 Yes No C:\Downloads\FamilyFeudSetup-dm[1].exe

00335980 Application/MyWay HackTools No 0 Yes No C:\Config.Msi\38acf.rbf

00482743 Adware/MxLiveMedia Adware No 0 Yes No C:\Documents and Settings\All Users\Desktop\TrendMicro_TISPro_17.00_en-US_32-bit\Setup\Function\32bit\213\TmpxCfg.dll

00482743 Adware/MxLiveMedia Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1076\A0070595.dll

00482743 Adware/MxLiveMedia Adware No 0 No No C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G9AB0LMR\iTunes[1].msi[unk_0058][gearaspi.dll.2F677E68_1565_4E02_8961_92B66820BA1A]

;===============================================================================

SUSPECTS

Sent Location <d

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description <d

;===============================================================================

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:44:46 PM, on 15/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidsuzuki.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java


Hello,

This system does have remains of Vundo, and that could be why that one key is not gone on a permanent basis.

Kindly do not try to remove it by using Regedit. In the same vein, do not run any tools other than what I ask for, and also do not make changes on your own without checking here.

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer, from the menu options select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

For the time being, disable your McAfee antivirus. Just so it does not get in the way of the following tools.

=

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\gajijide.dll
    c:\windows\system32\vilohora.dll

    Drivers to delete:
    refufuzuva


  • In the Avenger window, click the Paste Script from Clipboard icon (the pastets4.png button).
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

=

Please download the attached file named CFScript_for_IHT.txt which you will find at the bottom of this post, and Save it to your Desktop.

The procedure to SAVE it is: Right-click on the CFScript_for_IHT.txt text, select Save target as, name it CFScript.txt, and save it to your DESKTOP.

Do not do a standard click on the link to start download. Doing that will result in an unusable text file.

If you are not this member, do NOT follow these directions as they could damage the workings of your system.

Delete any prior copy of ComboFix.exe and download a fresh copy.

Download and SAVE ComboFix to your Desktop. Do NOT run the program straight away from download.

Download this file -- And RENAME it to Combo-fix.exe from either of these two sources:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

[Image: CFScript.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe (on your Desktop)

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

When finished, it will produce a log for you at C:\ComboFix.txt which I will need in your next reply.

* Note: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or

http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

copy of C:\Avenger.txt,

a copy of the C:\Combofix.txt log,

DDS.txt

Re-enable your McAfee AV.
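The first post asks why a CLSID key under HKEY_CLASSES_ROOT cannot be renamed or deleted from regedit and keeps coming back at logon, and the reply above works through the loading points (BHO registrations, AppInit_DLLs) that keep such a key alive. The PowerShell script below is an added, read-only triage example written for this thread; it is not the poster's, the helper's, or any of the named tools' (Malwarebytes, The Avenger, ComboFix, DDS) code. It assumes PowerShell 2.0 or later on an elevated prompt; the parameter name $BhoClsid and the three function names are choices made here, and the CLSID default is the one Malwarebytes reported in the first post. It lists every registered BHO with the DLL its CLSID resolves to, shows the owner and access rules on the reported CLSID key (a Deny entry, or an Allow list that no longer includes Administrators, is the usual reason a delete fails in regedit), and prints the AppInit_DLLs value that the ComboFix log later in this thread shows pointing at vilohora.dll.

```powershell
# Added triage script for this thread (not from the poster, the helper, or any
# tool named here). Read-only: it changes nothing in the registry.
# Assumes PowerShell 2.0+ and an elevated prompt; $BhoClsid defaults to the
# CLSID reported by Malwarebytes in the first post.
param(
    [string]$BhoClsid = '{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}'
)

function Get-RegisteredBho {
    # Internet Explorer loads every CLSID listed under these two keys, so a
    # BHO trojan must be registered here (or re-add itself here at logon).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid  = $key.PSChildName
            # The CLSID's InprocServer32 default value is the DLL IE will load.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
            $exists = $false
            if ($dll) { $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
            New-Object PSObject -Property @{
                Hive   = $root.Split(':')[0]
                CLSID  = $clsid
                Dll    = $dll
                Exists = $exists
            }
        }
    }
}

function Get-ClsidKeyAccess {
    param([string]$Clsid)
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes;
    # the real key lives under one of those two, so check both when cleaning up.
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $path)) { return "Key $Clsid is not present" }
    $acl = Get-Acl -Path $path
    # A Deny entry, or an Allow list that no longer includes Administrators or
    # the owner, is what makes regedit refuse to rename or delete the key.
    $deny  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
               ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
               ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
    New-Object PSObject -Property @{
        Key        = $path
        Owner      = $acl.Owner
        DenyRules  = $deny
        AllowRules = $allow
    }
}

function Get-AppInitDlls {
    # Every DLL named here is loaded into each process that links user32.dll
    # (winlogon and explorer included), which is how a companion DLL can stay
    # in memory and re-create the key each time a scanner deletes it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    (Get-ItemProperty -Path $key -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
}

Get-RegisteredBho | Format-Table Hive, CLSID, Dll, Exists -AutoSize
Get-ClsidKeyAccess -Clsid $BhoClsid | Format-List
"AppInit_DLLs = $(Get-AppInitDlls)"
```

Because the script only reads, its output can be pasted into a reply without disturbing the helper's sequence of tools; a BHO whose DLL column is empty or whose Exists column is False, or a non-empty AppInit_DLLs value, is the kind of finding that tells a helper which loading point to address next.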


Here is my avenger file:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\gajijide.dll" not found!

Deletion of file "C:\WINDOWS\system32\gajijide.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\vilohora.dll" not found!

Deletion of file "c:\windows\system32\vilohora.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\refufuzuva" not found!

Deletion of driver "refufuzuva" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

When I tried to run the CFScript + ComboFix, ComboFix asked me to download the Windows Recovery Console, and then it didn't seem to do anything (even my driver light was not flashing so I'm not sure if it did anything). I waited 45 minutes and nothing happened. No log was produced. I am not sure if I am doing something wrong, but I do not want to click on it again since you discouraged me from doing that. Please advise me on my next action. Thanks for your help!!


You can elect to decline getting the Recovery Console. You already have the CFScript and Combofix.

(To simplify for you a bit, disconnect the cable that connects your pc to the internet.)

Re-do the steps at "drag & drop" of CFScript onto Combofix on Desktop (red lion icon)

Pay close attention to the run of Combofix and have much patience. Combofix should complete within 30 minutes or less.

After it is done, reconnect your pc to the internet.


ComboFix 08-12-21.03 - Shains 2008-12-21 16:36:55.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.168 [GMT -8:00]

Running from: c:\documents and settings\Shains\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Shains\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\amitikey.ini

c:\windows\system32\ipupajir.ini

.

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))

.

2008-12-21 16:30 . 2008-12-21 16:30 <DIR> d-------- C:\Combo-Fix

2008-12-21 13:54 . 2008-12-21 13:54 3,968 --a------ C:\ZB20081221135401001.xml

2008-12-17 23:05 . 2008-12-17 23:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2008-12-17 22:57 . 2005-09-07 10:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver

2008-12-17 22:57 . 2005-09-07 10:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc

2008-12-17 22:57 . 2005-09-07 10:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel

2008-12-17 22:57 . 2007-12-14 20:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek

2008-12-17 22:57 . 2008-12-17 22:57 <DIR> d-------- c:\documents and settings\Administrator

2008-12-17 21:28 . 2008-12-17 21:28 6,320 --a------ C:\ZB20081217212726001.xml

2008-12-15 17:55 . 2008-12-15 17:55 32 --a------ c:\windows\Smenu.INI

2008-12-14 23:13 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-14 23:12 . 2008-12-14 23:12 <DIR> d-------- c:\program files\Panda Security

2008-12-14 21:12 . 2008-12-14 21:12 <DIR> d-------- c:\program files\Trend Micro

2008-12-14 21:08 . 2008-12-14 21:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-14 21:08 . 2008-12-14 21:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-14 18:41 . 2008-12-14 18:40 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-14 18:20 . 2008-12-14 18:20 <DIR> d-------- c:\documents and settings\Shains\Application Data\Malwarebytes

2008-12-14 18:19 . 2008-12-17 23:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 18:19 . 2008-12-14 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-14 18:19 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 18:19 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-14 16:36 . 2008-12-14 16:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-14 16:35 . 2008-12-14 16:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-14 16:35 . 2008-12-14 16:35 <DIR> d-------- c:\documents and settings\Shains\Application Data\SUPERAntiSpyware.com

2008-12-14 16:34 . 2008-12-14 16:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-14 16:28 . 2008-12-14 16:32 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-12-14 15:44 . 2008-12-14 15:44 <DIR> d--hs---- c:\documents and settings\Shains\PrivacIE

2008-12-14 15:25 . 2008-12-14 15:29 <DIR> d--h-c--- c:\windows\ie8

2008-12-14 11:21 . 2008-02-10 16:07 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-12-13 12:46 . 2008-12-13 12:46 <DIR> d-------- c:\documents and settings\Shains\Application Data\McAfee.com

2008-12-13 12:42 . 2002-03-13 08:50 23,296 --a------ c:\windows\system32\drivers\NaiFiltr.sys

2008-12-13 12:31 . 2008-12-13 12:31 <DIR> d--h----- c:\windows\system32\WLANProfiles

2008-12-13 12:31 . 2008-12-13 12:31 <DIR> d--h----- C:\Settings

2008-12-13 12:31 . 2008-12-13 12:31 516 --a------ C:\Settings.ini

2008-11-23 00:23 . 2008-11-23 00:25 <DIR> d-------- c:\program files\iTunes

2008-11-23 00:23 . 2008-11-23 00:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-11-23 00:17 . 2008-11-23 00:18 <DIR> d-------- c:\program files\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-15 02:40 --------- d-----w c:\program files\Java

2008-12-15 00:06 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-15 00:06 --------- d-----w c:\program files\Logitech

2008-12-13 20:42 --------- d-----w c:\program files\McAfee.com

2008-12-13 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com

2008-12-13 10:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall

2008-11-23 08:24 --------- d-----w c:\program files\iPod

2008-11-23 08:24 --------- d-----w c:\program files\Common Files\Apple

2008-11-12 02:05 --------- d-----w c:\program files\MSXML 4.0

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-04 06:12 53,936 ----a-w c:\documents and settings\Shains\Application Data\GDIPFONTCACHEV1.DAT

2008-01-10 02:47 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2006-11-01 03:57 186 ----a-w c:\program files\oct 1.txt

2005-10-01 19:47 56 --sh--r c:\windows\system32\0A3433A41B.sys

2008-09-17 05:07 104 --sh--r c:\windows\system32\C19E680D52.sys

2008-09-17 05:07 4,860 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-08-24 08:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2007-04-25 136768]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 4501912]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-02-25 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-25 212992]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DMXLauncher"="c:\program files\Sonic\Product\Media Experience\DMXLauncher.exe" [2007-04-02 113400]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2004-07-01 139264]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2004-08-17 180224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-09-07 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= c:\windows\system32\vilohora.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-14 28544]

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2008-12-13 23296]

R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be27996b-3d54-11db-a588-0013ce29aeed}]

\Shell\AutoRun\command - E:\setupSNK.exe

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-22 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHAINA-Shains).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2004-07-01 15:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.davidsuzuki.org/

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\contactx.dll - O16 -: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C}

hxxp://www.facebook.com/controls/contactx.dll

FF - ProfilePath - c:\documents and settings\Shains\Application Data\Mozilla\Firefox\Profiles\i0pt45dz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.davidsuzuki.org

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-21 16:45:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2008-12-21 16:50:28

ComboFix-quarantined-files.txt 2008-12-22 00:49:29

Pre-Run: 18,011,676,672 bytes free

Post-Run: 18,285,744,128 bytes free

194 --- E O F --- 2008-12-11 17:16:20


DDS (Version 1.1.0) - NTFSx86

Run by Shains at 17:01:43.31 on 21/12/2008

Internet Explorer: 8.0.6001.18241

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.140 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Digital Line Detect\DLG.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Shains\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.davidsuzuki.org/

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee VirusScan: {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

uRun: [update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe

mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe

mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe

mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [DMXLauncher] "c:\program files\sonic\product\media experience\DMXLauncher.exe"

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

mRun: [VirusScan Online] "c:\progra~1\mcafee.com\vso\mcvsshld.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: igfxcui - igfxsrvc.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

AppInit_DLLs: c:\windows\system32\vilohora.dll

SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shains\applic~1\mozilla\firefox\profiles\i0pt45dz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.davidsuzuki.org

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-14 28544]

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe [2005-9-15 126976]

R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-9-15 122368]

R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe /Embedding [2008-12-13 122880]

R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2008-12-13 225375]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2008-12-13 23296]

R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-9-7 245760]

=============== Created Last 30 ================

2008-12-21 16:30 <DIR> --d----- C:\Combo-Fix

2008-12-21 13:54 3,968 a------- C:\ZB20081221135401001.xml

2008-12-20 01:04 <DIR> a-dshr-- C:\cmdcons

2008-12-20 00:59 161,792 a------- c:\windows\SWREG.exe

2008-12-20 00:59 98,816 a------- c:\windows\sed.exe

2008-12-17 21:28 6,320 a------- C:\ZB20081217212726001.xml

2008-12-15 17:55 32 a------- c:\windows\Smenu.INI

2008-12-14 23:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2008-12-14 23:12 <DIR> --d----- c:\program files\Panda Security

2008-12-14 21:12 <DIR> --d----- c:\program files\Trend Micro

2008-12-14 21:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2008-12-14 21:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2008-12-14 18:41 410,984 a------- c:\windows\system32\deploytk.dll

2008-12-14 18:20 <DIR> --d----- c:\docume~1\shains\applic~1\Malwarebytes

2008-12-14 18:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-14 18:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2008-12-14 18:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2008-12-14 16:35 <DIR> --d----- c:\program files\SUPERAntiSpyware

2008-12-14 16:35 <DIR> --d----- c:\docume~1\shains\applic~1\SUPERAntiSpyware.com

2008-12-14 16:34 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2008-12-14 15:44 <DIR> --dsh--- c:\documents and settings\shains\PrivacIE

2008-12-14 15:25 <DIR> -cd-h--- c:\windows\ie8

2008-12-14 11:21 102,664 a------- c:\windows\system32\drivers\tmcomm.sys

2008-12-13 12:46 <DIR> --d----- c:\docume~1\shains\applic~1\McAfee.com

2008-12-13 12:42 23,296 a------- c:\windows\system32\drivers\NaiFiltr.sys

2008-12-13 12:31 516 a------- C:\Settings.ini

2008-12-13 12:31 <DIR> --d-h--- c:\windows\system32\WLANProfiles

2008-12-13 12:31 <DIR> --d-h--- C:\Settings

2008-11-23 00:23 <DIR> --d----- c:\program files\iTunes

2008-11-23 00:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll

2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll

2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll

2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll

2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll

2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll

2008-10-16 12:38 133,120 a------- c:\windows\system32\dllcache\extmgr.dll

2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

2008-10-03 22:12 53,936 a------- c:\docume~1\shains\applic~1\GDIPFONTCACHEV1.DAT

2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll

2008-10-03 02:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

2008-01-09 18:47 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2006-10-31 19:57 186 a------- c:\program files\oct 1.txt

2005-10-01 11:47 56 ---shr-- c:\windows\system32\0A3433A41B.sys

2008-09-16 21:07 104 ---shr-- c:\windows\system32\C19E680D52.sys

2008-09-16 21:07 4,860 a--sh--- c:\windows\system32\KGyGaAvL.sys

2008-08-24 00:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 17:02:39.34 ===============

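A small triage script for a DDS report like the one above, added here as an example; it is not part of the original thread, of DDS, or of the helper's instructions. It parses the Pseudo HJT Report entry layouts as they appear in the log (BHO:, uRun:, mRun:, Notify:, SEH:, AppInit_DLLs:) and applies three heuristics of its own: a populated AppInit_DLLs value always deserves attention, because that DLL is mapped into every process that loads user32.dll; a DLL load point whose file sits directly in system32 under a short, random-looking name is a common pattern for dropped components; and an autorun pointing into a user-writable profile directory is suspicious. The sample input is lines copied from the log above plus one constructed uRun line (marked as such) so the last rule has something to fire on. The severity labels, the regexes and the rule thresholds are assumptions of this example, not anything DDS itself reports.

```python
"""
Triage of a DDS "Pseudo HJT Report" for load points worth a second look.

Added example for this thread; not part of DDS, ComboFix or the helper's
instructions. Entry layouts are taken from the DDS log posted above; the
scoring rules below are this example's own heuristics (assumptions).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry types whose value is a DLL that gets loaded into other processes.
DLL_LOADPOINTS = {"BHO", "Notify", "AppInit_DLLs", "SEH", "SSODL"}
RUN_KINDS = {"uRun", "mRun"}

ENTRY_RE = re.compile(r"^([A-Za-z_0-9]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First image path on the line. DDS does not quote paths containing spaces,
# so match up to the executable extension instead of stopping at whitespace.
MODULE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|com|scr|cpl|sys))\b', re.IGNORECASE)
# Dropped-component naming pattern (assumption): a short run of lowercase letters only.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$")
PROFILE_DIRS = ("\\documents and settings\\", "\\local settings\\temp\\", "\\application data\\")


@dataclass
class Finding:
    severity: str            # HIGH / MEDIUM / LOW
    kind: str                # DDS entry type, e.g. "AppInit_DLLs"
    module: str              # path (or bare file name) of the loaded image
    clsid: Optional[str]     # lower-cased CLSID if the entry carried one
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str):
    """Return (kind, rest) for a 'KIND: rest' line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def module_of(kind: str, rest: str) -> str:
    """Image path: after the last ' - ' for DLL entries, after the [name] for Run keys."""
    if kind in RUN_KINDS:
        rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)
    else:
        rest = rest.split(" - ")[-1]
    m = MODULE_RE.search(rest)
    return m.group(1).strip() if m else rest.strip()


def score(kind: str, module: str) -> List[tuple]:
    """Apply the heuristics; returns (severity, reason) pairs, possibly empty."""
    low = module.lower()
    parent, _, name = low.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    hits = []
    if kind == "AppInit_DLLs" and module:
        hits.append(("HIGH", "AppInit_DLLs is set: this DLL is injected into every process that loads user32.dll"))
    if kind in DLL_LOADPOINTS and parent.endswith("\\system32") and RANDOM_STEM_RE.match(stem):
        hits.append(("MEDIUM", "random-looking file name dropped directly in system32"))
    if kind in RUN_KINDS and any(d in low for d in PROFILE_DIRS):
        hits.append(("LOW", "autorun image lives in a user-writable profile path"))
    return hits


def triage(report: str) -> List[Finding]:
    """One Finding per entry that tripped at least one rule, worst severity first in each."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for line in report.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        kind, rest = entry
        module = module_of(kind, rest)
        hits = score(kind, module)
        if not hits:
            continue
        clsid_m = CLSID_RE.search(rest)
        worst = min((sev for sev, _ in hits), key=order.__getitem__)
        findings.append(Finding(worst, kind, module,
                                clsid_m.group(0).lower() if clsid_m else None,
                                [reason for _, reason in hits]))
    return findings


def bho_clsids(report: str) -> set:
    """Lower-cased CLSIDs of every BHO line, for cross-checking against scanner hits in HKCR\\CLSID."""
    ids = set()
    for line in report.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] == "BHO":
            m = CLSID_RE.search(entry[1])
            if m:
                ids.add(m.group(0).lower())
    return ids


# Lines copied from the DDS log in the thread, plus one CONSTRUCTED uRun line
# (not from the thread) so the profile-path rule has something to fire on.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\vilohora.dll
SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
uRun: [sample] c:\documents and settings\user\local settings\temp\constructed.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.severity:6} {f.kind:12} {f.module}  ({'; '.join(f.reasons)})")
```

Run against the sample, the only HIGH finding is the AppInit_DLLs entry, which also trips the random-name rule; the Adobe, Java, Intel and SUPERAntiSpyware entries produce nothing. The name heuristic will also catch some legitimate OEM modules, so treat MEDIUM as a prompt to look the file up (signer, vendor, creation date in the "Created Last 30" section), not as a verdict. `bho_clsids` is there so a CLSID that a scanner reports under HKEY_CLASSES_ROOT\CLSID can be checked against what is actually still registered as a BHO in a fresh DDS log.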

Start your MBAM.

Click the Settings Tab. Make sure all option lines have a checkmark.

Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Reply with copy of MBAM log, Eset scan log, and advise me, How is your system now ?


Malwarebytes' Anti-Malware 1.31

Database version: 1535

Windows 5.1.2600 Service Pack 3

23/12/2008 7:56:58 AM

mbam-log-2008-12-23 (07-56-58).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 151548

Time elapsed: 2 hour(s), 0 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1076\A0070293.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1076\A0070316.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1077\A0070924.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I will have to wait until after to work to run the online scan. Thanks again for your help - it seems like the BHO is gone. I hope it is! The system is running a bit better; it seems like my internet is much slower but that might not have anything to do with this.


You could add the eset site to your trusted list. But mainly, make sure to temporarily disable your McAfee just before you go for the Eset scan.

After the scan is all done, then re-enable McAfee.

BTW, the last MBAM scan is essentially clean. The only items found were only in the restore points, which will be cleared later on.

Give the Eset scan just one more try.


Hi Maurice,

I tried again - but to no avail. I have attempted in both Internet Explorer and Firefox with the IE Tab add-on. In both browsers, I am able to agree to the terms and conditions, but when I press start, it takes me to the online scanner and the ActiveX control never loads. Instead, it comes up with a small "x" image in the corner as if a graphic failed to load. I have tried a few times now.... I had added it to my trusted sites and also added it to my exceptions list (warn me if sites try to install add-ons), but nothing has worked. I also mentioned previously that I cannot get onto Facebook or Hotmail from this computer. I can get onto them fine from my desktop, but when I attempt to log in from this computer, it seems to get stuck. I am not sure if something has now hijacked my browser? Perhaps there is another online scanner (i.e. Trend Micro) that you could recommend that may achieve a similar result? I apologize for the many replies!


Let's set aside, for now, the online scans. Let's have you do the following.

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Then, next, get and run FixIEDef:

Use this URL to Download the latest version, and SAVE it to your Desktop !

http://downloads.malwareteks.com/FixIEDef.exe

Double click FixIEdef.exe on your Desktop to start it.

Click OK when you get the 1st FixIEDef window.

Next, at 2nd message-window, press SCAN button.

Click OK when you see a FixIEDef alert window.

Let it scan the file system and the registry. Do not touch keyboard or mouse while utility is running.

Click Exit once FixIEDef displays the !!! All Finished message !!! window.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Click Exit once FixIEDef displays the All Finished message.

Post the FixIEDef log file, located on the Desktop.

=

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.

It's very important that you be using the most recent version (v2.387 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:

Double click the SmitfraudFix.exe file. It will create a folder named SmitfraudFix on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".

Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected

Reply with copies of the FixIEDef log & the Rapport.txt


********************************************************************************

* *

* FixIEDef Log *

* Version 1.7.20.6874 *

* *

********************************************************************************

Created at 17:33:55 on Wednesday, December 24, 2008

Time Zone : (GMT-08:00) Pacific Time (US & Canada)

Logged On User : Shains

Operating System : Microsoft Windows XP Home Edition Service Pack 3

OS Version : 5.1.2600

System Langauge : English (United States)

Keyboard Layout : English (United States)

Processor : X86 Intel® Pentium® M processor 1.60GHz

System Drive : C:\

Windows Directory : C:\WINDOWS

System Directory : C:\WINDOWS\system32

System Drive Type : Fixed

System Drive Status : READY

System Drive Label :

System Drive Size : 73.17 GB

System Drive Free : 17.32 GB

Total Physical Memory: 503 MB

Free Physical Memory : 257 MB

Total Page File : 503 MB

Free Page File : 851 MB

Total Virtual Memory : 2048 MB

Free Virtual Memory : 1973 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\actskn45.ocx

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :P

ShadowPuterDude

Safe Surfing!!!

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.387

Scan done at 17:40:16.82, 24/12/2008

Run from C:\Documents and Settings\Shains\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


Facebook and Hotmail are still not working, and the fixes didn't seem to detect any viruses, so I am wondering if it's possible that something was altered in a previous scanning process? It doesn't make sense to me to be able to get onto most other websites except for those two. Any thoughts? I'm sure you've said all you can think of, so it's possible that I may just need to do a reformat, but I thought I'd toss it out there just in case.

Merry Christmas Maurice, thanks for all of your help the last few days. I really appreciate it.


Merry Christmas to you.

I'd say have patience and faith as I think we were getting near to finishing here. No, nothing removed (and they were very minimal) so far would cause the issues with hotmail or Facebook.

I'd like for you to do the following:

Close all applications and windows.

If you have an older copy of SDFix, delete it now.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.

Get a new/fresh DDS report:

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.

Please include the following logs in your next reply:

report.txt

DDS.txt

I won't need the Attach.txt

I would like some detail as to which browser you use (Internet Explorer or Firefox or ...) when you try to get to Facebook or Hotmail, and more important, how far you get into the site .... and at what point you have "a problem".

To briefly recap, your main issue of the leftover trojan trace in registry is cleared up.

And I'd regret to see you reformat the system at this point.


SDFix: Version 1.240

Run by Shains on 25/12/2008 at 20:30

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-25 22:10:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"="C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe:*:Enabled:wmiprvse"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

Files with Hidden Attributes :

Fri 22 Aug 2008 637,984 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"

Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"

Wed 15 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"

Sat 1 Oct 2005 56 ..SHR --- "C:\WINDOWS\system32\0A3433A41B.sys"

Tue 16 Sep 2008 104 ..SHR --- "C:\WINDOWS\system32\C19E680D52.sys"

Tue 16 Sep 2008 4,860 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Sat 18 Nov 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Wed 11 Apr 2007 109,056 ...H. --- "C:\Documents and Settings\Shains\Application Data\Microsoft\Templates\~WRL2324.tmp"

Sun 15 Apr 2007 111,616 ...H. --- "C:\Documents and Settings\Shains\Application Data\Microsoft\Word\~WRL0339.tmp"

Fri 3 Feb 2006 51,200 A..H. --- "C:\Documents and Settings\Shains\Application Data\Microsoft\Word\~WRL0895.tmp"

Tue 29 Nov 2005 43,008 A..H. --- "C:\Documents and Settings\Shains\Application Data\Microsoft\Word\~WRL1040.tmp"

Tue 21 Mar 2006 64,512 A..H. --- "C:\Documents and Settings\Shains\Application Data\Microsoft\Word\~WRL1313.tmp"

Sat 18 Nov 2006 4,348 ...H. --- "C:\Documents and Settings\Shains\My Documents\My Music\License Backup\drmv1key.bak"

Wed 13 Jun 2007 20 A..H. --- "C:\Documents and Settings\Shains\My Documents\My Music\License Backup\drmv1lic.bak"

Sat 18 Nov 2006 400 A.SH. --- "C:\Documents and Settings\Shains\My Documents\My Music\License Backup\drmv2key.bak"

Mon 12 Feb 2007 28,160 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Canadian Seminar\~WRL2083.tmp"

Tue 13 Feb 2007 30,208 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Canadian Seminar\~WRL4071.tmp"

Sun 15 Apr 2007 39,936 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Elizabethan Shakespeare\~WRL0347.tmp"

Sun 15 Apr 2007 25,088 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Elizabethan Shakespeare\~WRL1093.tmp"

Sun 15 Apr 2007 46,592 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Elizabethan Shakespeare\~WRL3201.tmp"

Sun 15 Apr 2007 37,888 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Elizabethan Shakespeare\~WRL3779.tmp"

Mon 26 Mar 2007 32,768 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL0248.tmp"

Sun 29 Apr 2007 34,816 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL1789.tmp"

Sun 29 Apr 2007 38,400 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL2378.tmp"

Sun 29 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL2945.tmp"

Sun 29 Apr 2007 35,840 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL3097.tmp"

Mon 26 Mar 2007 32,256 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Sixteenth Century Literature\~WRL3712.tmp"

Sat 14 Apr 2007 39,424 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL0997.tmp"

Sat 14 Apr 2007 27,648 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL1053.tmp"

Sat 14 Apr 2007 32,768 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL1551.tmp"

Sat 14 Apr 2007 58,368 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL1881.tmp"

Sat 14 Apr 2007 59,392 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL2011.tmp"

Sat 14 Apr 2007 68,096 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL2323.tmp"

Fri 13 Apr 2007 103,424 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL2446.tmp"

Sat 14 Apr 2007 24,064 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL2453.tmp"

Sat 14 Apr 2007 47,616 ...H. --- "C:\Documents and Settings\Shains\My Documents\School\Witchcraft and the Occult Tradition\~WRL2567.tmp"

Wed 7 Dec 2005 44,032 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL0074.tmp"

Wed 7 Dec 2005 42,496 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL0640.tmp"

Tue 29 Nov 2005 38,912 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL0861.tmp"

Tue 29 Nov 2005 36,864 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1126.tmp"

Wed 7 Dec 2005 44,544 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1204.tmp"

Wed 30 Nov 2005 43,008 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1352.tmp"

Tue 29 Nov 2005 38,912 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1681.tmp"

Wed 7 Dec 2005 45,056 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1739.tmp"

Wed 7 Dec 2005 45,568 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL1777.tmp"

Wed 7 Dec 2005 42,496 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2088.tmp"

Mon 28 Nov 2005 34,304 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2267.tmp"

Mon 28 Nov 2005 34,816 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2680.tmp"

Wed 7 Dec 2005 41,472 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2733.tmp"

Wed 7 Dec 2005 44,032 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2874.tmp"

Wed 30 Nov 2005 41,472 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL2930.tmp"

Tue 29 Nov 2005 39,424 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3182.tmp"

Wed 7 Dec 2005 45,056 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3242.tmp"

Mon 28 Nov 2005 29,184 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3411.tmp"

Tue 29 Nov 2005 39,424 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3518.tmp"

Tue 29 Nov 2005 40,960 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3806.tmp"

Tue 29 Nov 2005 36,352 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3947.tmp"

Tue 29 Nov 2005 36,352 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL3995.tmp"

Thu 8 Dec 2005 45,056 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL4020.tmp"

Mon 28 Nov 2005 23,552 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Chaucer I\~WRL4091.tmp"

Sun 20 Nov 2005 23,552 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Eighteenth Century Lit\~WRL0336.tmp"

Sun 20 Nov 2005 20,992 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Eighteenth Century Lit\~WRL2521.tmp"

Mon 6 Feb 2006 24,576 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL0111.tmp"

Mon 6 Feb 2006 25,088 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL1234.tmp"

Sun 5 Feb 2006 22,528 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL1444.tmp"

Sun 5 Feb 2006 23,040 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL1610.tmp"

Sun 5 Feb 2006 21,504 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL2611.tmp"

Sun 5 Feb 2006 23,040 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL2893.tmp"

Sun 5 Feb 2006 21,504 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Fiction of Horror\~WRL3314.tmp"

Mon 30 Oct 2006 59,904 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL0052.tmp"

Thu 30 Nov 2006 35,328 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL0214.tmp"

Thu 30 Nov 2006 31,232 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL0257.tmp"

Thu 30 Nov 2006 35,328 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL0523.tmp"

Mon 30 Oct 2006 60,416 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL0675.tmp"

Thu 30 Nov 2006 34,816 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL1815.tmp"

Sun 29 Oct 2006 61,440 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL2071.tmp"

Mon 30 Oct 2006 63,488 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL2743.tmp"

Thu 30 Nov 2006 34,816 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL3022.tmp"

Thu 30 Nov 2006 31,744 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL3249.tmp"

Thu 30 Nov 2006 32,256 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL3262.tmp"

Thu 30 Nov 2006 32,256 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL3425.tmp"

Thu 30 Nov 2006 32,256 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL3479.tmp"

Mon 30 Oct 2006 60,416 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Hardy Seminar\~WRL4041.tmp"

Tue 7 Feb 2006 22,528 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL0288.tmp"

Wed 8 Mar 2006 23,040 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL0311.tmp"

Fri 24 Mar 2006 24,576 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL0342.tmp"

Fri 24 Mar 2006 24,064 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL1619.tmp"

Fri 24 Mar 2006 26,624 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL2701.tmp"

Fri 24 Mar 2006 22,016 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL3139.tmp"

Fri 24 Mar 2006 29,696 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL3152.tmp"

Fri 24 Mar 2006 22,528 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Rise of the Novel\~WRL3699.tmp"

Thu 23 Mar 2006 31,744 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Victorian Literature\~WRL1442.tmp"

Sat 25 Mar 2006 34,304 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\Victorian Literature\~WRL2001.tmp"

Mon 6 Feb 2006 23,552 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL0265.tmp"

Tue 7 Feb 2006 26,624 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL0438.tmp"

Tue 7 Feb 2006 27,136 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL0439.tmp"

Mon 6 Feb 2006 20,480 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL0787.tmp"

Tue 7 Feb 2006 26,112 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL0801.tmp"

Mon 6 Feb 2006 25,600 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL1986.tmp"

Mon 6 Feb 2006 23,552 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL2385.tmp"

Mon 6 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Shains\My Documents\School\Other Years\World Literatures in English\~WRL3571.tmp"

Fri 14 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Fri 14 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Shains\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\Shains\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"

Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Shains\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Fri 14 Dec 2007 8 A..H. --- "C:\Documents and Settings\Shains\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Fri 14 Dec 2007 8 A..H. --- "C:\Documents and Settings\Shains\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u6\lock.tmp"

Finished!


DDS (Version 1.1.0) - NTFSx86

Run by Shains at 23:00:45.25 on 25/12/2008

Internet Explorer: 8.0.6001.18241

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.24 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\system32\ctfmon.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Shains\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

uRun: [update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe

mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe

mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe

mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [DMXLauncher] "c:\program files\sonic\product\media experience\DMXLauncher.exe"

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

mRun: [VirusScan Online] "c:\progra~1\mcafee.com\vso\mcvsshld.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

AppInit_DLLs: c:\windows\system32\vilohora.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shains\applic~1\mozilla\firefox\profiles\i0pt45dz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.davidsuzuki.org/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-14 28544]

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe [2005-9-15 126976]

R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-9-15 122368]

R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe /Embedding [2008-12-13 122880]

R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2008-12-13 225375]

R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2008-12-13 23296]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-9-7 245760]

=============== Created Last 30 ================

2008-12-25 20:28 578,560 a------- c:\windows\system32\dllcache\user32.dll

2008-12-25 20:18 <DIR> --d----- C:\SDFix

2008-12-24 17:40 5,426 a------- c:\windows\system32\tmp.reg

2008-12-24 17:32 <DIR> --d----- c:\windows\ERUNT

2008-12-24 17:32 <DIR> --d----- C:\!FixIEDef

2008-12-21 17:38 <DIR> --d----- c:\windows\ie8updates

2008-12-21 16:30 <DIR> --d----- C:\Combo-Fix

2008-12-21 13:54 3,968 a------- C:\ZB20081221135401001.xml

2008-12-20 01:04 <DIR> a-dshr-- C:\cmdcons

2008-12-20 00:59 161,792 a------- c:\windows\SWREG.exe

2008-12-20 00:59 98,816 a------- c:\windows\sed.exe

2008-12-17 21:28 6,320 a------- C:\ZB20081217212726001.xml

2008-12-15 17:55 32 a------- c:\windows\Smenu.INI

2008-12-14 23:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2008-12-14 23:12 <DIR> --d----- c:\program files\Panda Security

2008-12-14 21:12 <DIR> --d----- c:\program files\Trend Micro

2008-12-14 21:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2008-12-14 21:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2008-12-14 18:41 410,984 a------- c:\windows\system32\deploytk.dll

2008-12-14 18:20 <DIR> --d----- c:\docume~1\shains\applic~1\Malwarebytes

2008-12-14 18:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-14 18:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2008-12-14 18:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2008-12-14 16:35 <DIR> --d----- c:\program files\SUPERAntiSpyware

2008-12-14 16:35 <DIR> --d----- c:\docume~1\shains\applic~1\SUPERAntiSpyware.com

2008-12-14 15:44 <DIR> --dsh--- c:\documents and settings\shains\PrivacIE

2008-12-14 15:25 <DIR> -cd-h--- c:\windows\ie8

2008-12-14 11:21 102,664 a------- c:\windows\system32\drivers\tmcomm.sys

2008-12-13 12:46 <DIR> --d----- c:\docume~1\shains\applic~1\McAfee.com

2008-12-13 12:42 23,296 a------- c:\windows\system32\drivers\NaiFiltr.sys

2008-12-13 12:31 516 a------- C:\Settings.ini

2008-12-13 12:31 <DIR> --d-h--- c:\windows\system32\WLANProfiles

2008-12-13 12:31 <DIR> --d-h--- C:\Settings

==================== Find3M ====================

2008-12-14 05:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe

2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe

2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll

2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll

2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll

2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll

2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll

2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll

2008-10-16 12:38 133,120 a------- c:\windows\system32\dllcache\extmgr.dll

2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

2008-10-03 22:12 53,936 a------- c:\docume~1\shains\applic~1\GDIPFONTCACHEV1.DAT

2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll

2008-10-03 02:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

2008-10-01 14:51 87,552 a------- c:\windows\system32\VACFix.exe

2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

2008-01-09 18:47 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2006-10-31 19:57 186 a------- c:\program files\oct 1.txt

2005-10-01 11:47 56 ---shr-- c:\windows\system32\0A3433A41B.sys

2008-09-16 21:07 104 ---shr-- c:\windows\system32\C19E680D52.sys

2008-09-16 21:07 4,860 a--sh--- c:\windows\system32\KGyGaAvL.sys

2008-08-24 00:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 23:01:44.25 ===============


Maurice, thanks for all of your help. I discovered the reason that I couldn't get onto some of those sites - my McAfee Firewall had blocked a bunch of IPs (probably by something I did, but I don't remember blocking them, so I'm not sure when/how it happened) but after unblocking them, things are running MUCH better and I am able to access all websites now.

I use Firefox and it just simply wouldn't let me load the page at all. It would say "done" in the status bar, but the screen would be blank. But now I am having no problems so you've fixed my computer -- THANK YOU!!!!!


Good to know that you've taken care of the firewall settings.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove the tools we used, followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Please download OTMoveIt3 by OldTimer: http://oldtimer.geekstogo.com/OTMoveIt3.exe
    1. Save it to your desktop.
    2. Please double-click OTMoveIt3.exe to run it.
    3. Click on the CleanUp! button. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has been downloaded, you'll be asked if you want to Begin cleanup process? Select Yes.
    4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

All the best to you. We are done here.
