Virtumonde/Vundo Spyware


Hi, I have been having problems getting this spyware out of my computer for some time now; I hope you guys can help me with this issue. Here are my logs.

MBAM log

Malwarebytes' Anti-Malware 1.31

Database version: 1542

Windows 5.1.2600 Service Pack 3

12/24/2008 11:51:01 PM

mbam-log-2008-12-24 (23-51-01).txt

Scan type: Quick Scan

Objects scanned: 54125

Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 16

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 2

Files Infected: 19

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\kezuroha.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zerejuhu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\yejedufi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9267b81-64c3-4a62-b661-08a51ac816d4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e9267b81-64c3-4a62-b661-08a51ac816d4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4534e803-000b-436f-aaf6-4403036e5548} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4534e803-000b-436f-aaf6-4403036e5548} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0103a93 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kogivomofu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kezuroha.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kezuroha.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kezuroha.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Ascentive (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\vgrupw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zerejuhu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\uhujerez.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yejedufi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\kezuroha.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\bebutepo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dopejujo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hidekeli.dll.tmp (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\kivihude.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\moyajamu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yesigoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zepepewa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed\AS.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed\ascbalon.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed\ascIP95.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed\ascIPNT.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\Ascentive\ActiveSpeed\ASLOC.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

Panda log

;*******************************************************************************

ANALYSIS: 2008-12-25 02:39:21

PROTECTIONS: 3

MALWARE: 1

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Windows Defender 1.1.4104.0 No Yes

McAfee Internet Security Suite 2007 8.1 No No

McAfee VirusScan Plus 12.1 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais

;===============================================================================

SUSPECTS

Sent Location ox

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description ox

;===============================================================================

;===============================================================================

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:22:27 AM, on 12/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\TrojanHunter 5.0\THGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Registry Mechanic\RegMech.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: (no name) - {4748702A-BD4A-4F71-B888-D795AB635776} - C:\WINDOWS\system32\urqPjIXp.dll (file missing)

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antispyexpert.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.antispyexpert.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...83/mcinsctl.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,20/mcgdmgr.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://funeralnet.sharedbook.com/pilot/ImageUploader4.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...307/mcfscan.cab

O20 - AppInit_DLLs: vgrupw.dll,C:\WINDOWS\system32\hidekeli.dll

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--

End of file - 13736 bytes


Hi.

Empty MalwareBytes Quarantine by clicking the quarantine tab and then click Remove All.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.


Open OTScanIt2 and paste this into the fix box:

[Kill Explorer]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm
YN -> HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\] > ->
YN -> HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {4748702A-BD4A-4F71-B888-D795AB635776} [HKLM] -> %SystemRoot%\system32\urqPjIXp.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\] > -> HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\] > -> HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> antispyexpert.com .[*] -> Trusted sites
YN -> imageservr.com .[*] -> Trusted sites
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> antispyexpert.com .[*] -> Trusted sites
YN -> imageservr.com .[*] -> Trusted sites
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\] > -> HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> antispyexpert.com .[*] -> Trusted sites
YN -> imageservr.com .[*] -> Trusted sites
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {A7EA8AD2-287F-11D3-B120-006008C39542} [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
YN -> {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab[Java Plug-in 1.5.0_01]
YN -> {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab[Java Plug-in 1.5.0_05]
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab[Java Plug-in 1.5.0_06]
YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11]
YN -> {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab[Java Plug-in 1.6.0_01]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> vgrupw.dll ->
YY -> C:\WINDOWS\system32\hidekeli.dll -> %SystemRoot%\system32\hidekeli.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\urqPjIXp ->
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY -> sovutufa.exe -> %SystemRoot%\System32\sovutufa.exe
NY -> spuyjdju.job -> %SystemRoot%\tasks\spuyjdju.job
[Files/Folders - Modified Within 30 Days]
NY -> 10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY -> 17 C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp
NY -> 3 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 3 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> spuyjdju.job -> %SystemRoot%\tasks\spuyjdju.job
NY -> Perflib_Perfdata_cbc.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata_cbc.dat
NY -> optunpfc.cmdline -> %SystemRoot%\Temp\optunpfc.cmdline
NY -> optunpfc.dll -> %SystemRoot%\Temp\optunpfc.dll
NY -> sekatuso -> %SystemRoot%\System32\sekatuso
NY -> sovutufa.exe -> %SystemRoot%\System32\sovutufa.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
NY -> @Alternate Data Stream - 150 bytes -> %AllUsersProfile%\Application Data\TEMP:D1B5B4F1
[Empty Temp Folders]
[start Explorer]

Then run the fix. A log will be produced; please post it here. :P


The website would not allow me to attach this file, so I'm pasting it.

Process Explorer.EXE killed successfully!

[Registry - Safe List]

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Security Risk Page deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.

Registry key HKEY_USERS\1-5-21-2030536233-1897724468-2278574568-500\SOFTWARE\Microsoft\Internet Explorer\Main not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4748702A-BD4A-4F71-B888-D795AB635776}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748702A-BD4A-4F71-B888-D795AB635776}\ deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.

Registry value HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.

Registry value HKEY_USERS\S-1-5-21-2030536233-1897724468-2278574568-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\\* deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\\* deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\\* deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\\* deleted successfully.

Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com not found.

Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com not found.

Starting removal of ActiveX control {A7EA8AD2-287F-11D3-B120-006008C39542}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A7EA8AD2-287F-11D3-B120-006008C39542}\Contains\Files\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A7EA8AD2-287F-11D3-B120-006008C39542}\DownloadInformation\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7EA8AD2-287F-11D3-B120-006008C39542}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:vgrupw.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\hidekeli.dll deleted successfully.

File C:\WINDOWS\system32\hidekeli.dll not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\urqPjIXp deleted successfully.

File not found.

[Files/Folders - Created Within 30 Days]

C:\Documents and Settings\All Users\Application Data\MCA120.tmp\vso\en-us\us folder deleted successfully.

C:\Documents and Settings\All Users\Application Data\MCA120.tmp\vso\en-us folder deleted successfully.

C:\Documents and Settings\All Users\Application Data\MCA120.tmp\vso folder deleted successfully.

C:\Documents and Settings\All Users\Application Data\MCA120.tmp\temp folder deleted successfully.

C:\Documents and Settings\All Users\Application Data\MCA120.tmp\shared folder deleted successfully.

C:\Documents and Settings\All Users\Application Data\MCA120.tmp folder deleted successfully.

C:\WINDOWS\System32\sovutufa.exe moved successfully.

C:\WINDOWS\tasks\spuyjdju.job moved successfully.

[Files/Folders - Modified Within 30 Days]

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF15C9.tmp scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCA1F.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\Temp\WFV1.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\Temp\WFV1.tmp scheduled to be deleted on reboot.

File C:\WINDOWS\tasks\spuyjdju.job not found!

File C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_cbc.dat not found!

C:\WINDOWS\Temp\optunpfc.cmdline moved successfully.

C:\WINDOWS\Temp\optunpfc.dll moved successfully.

C:\WINDOWS\System32\sekatuso moved successfully.

File C:\WINDOWS\System32\sovutufa.exe not found!

[Alternate Data Streams]

ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.

[Empty Temp Folders]

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_08yU9nb0SYZqLXWHJf0w scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\fb_3488.lck scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DF15C9.tmp scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCA1F.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\fb_1892.lck scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcafee_rz1aLqaIkFnlvaJ scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_a8nDstHrn6857aO scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_OK9TLNRFmYlzajw scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_U0Fqch62egoMgKI scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\WFV1.tmp scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\et22nepv.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

RecycleBin -> emptied.

Explorer started successfully

< End of fix log >

OTScanIt2 by OldTimer - Version 1.0.4.0 fix logfile created on 12262008_130101


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:13:02 PM, on 12/26/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\TrojanHunter 5.0\THGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O1 - Hosts: 205.238.40.2 www.winmx.com

O1 - Hosts: 205.238.40.2 err.winmx.com

O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1301.winmx.com

O1 - Hosts: 82.43.224.20 c3312.z1301.winmx.com

O1 - Hosts: 209.67.209.50 c3313.z1301.winmx.com

O1 - Hosts: 212.227.64.159 c3314.z1301.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1301.winmx.com

O1 - Hosts: 67.18.233.36 c3316.z1301.winmx.com

O1 - Hosts: 82.43.224.20 c3317.z1301.winmx.com

O1 - Hosts: 209.67.209.50 c3318.z1301.winmx.com

O1 - Hosts: 212.227.64.159 c3319.z1301.winmx.com

O1 - Hosts: 205.238.40.2 c3310.z1302.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1302.winmx.com

O1 - Hosts: 82.43.224.20 c3312.z1302.winmx.com

O1 - Hosts: 209.67.209.50 c3313.z1302.winmx.com

O1 - Hosts: 212.227.64.159 c3314.z1302.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1302.winmx.com

O1 - Hosts: 67.18.233.36 c3316.z1302.winmx.com

O1 - Hosts: 82.43.224.20 c3317.z1302.winmx.com

O1 - Hosts: 209.67.209.50 c3318.z1302.winmx.com

O1 - Hosts: 212.227.64.159 c3319.z1302.winmx.com

O1 - Hosts: 82.43.224.20 c3310.z1303.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3312.z1303.winmx.com

O1 - Hosts: 82.43.224.20 c3313.z1303.winmx.com

O1 - Hosts: 67.18.233.36 c3314.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1303.winmx.com

O1 - Hosts: 82.43.224.20 c3316.z1303.winmx.com

O1 - Hosts: 67.18.233.36 c3317.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3318.z1303.winmx.com

O1 - Hosts: 82.43.224.20 c3319.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3310.z1304.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1304.winmx.com

O1 - Hosts: 82.43.224.20 c3312.z1304.winmx.com

O1 - Hosts: 209.67.209.50 c3313.z1304.winmx.com

O1 - Hosts: 212.227.64.159 c3314.z1304.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1304.winmx.com

O1 - Hosts: 67.18.233.36 c3316.z1304.winmx.com

O1 - Hosts: 82.43.224.20 c3317.z1304.winmx.com

O1 - Hosts: 209.67.209.50 c3318.z1304.winmx.com

O1 - Hosts: 212.227.64.159 c3319.z1304.winmx.com

O1 - Hosts: 205.238.40.2 c3310.z1305.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1305.winmx.com

O1 - Hosts: 82.43.224.20 c3312.z1305.winmx.com

O1 - Hosts: 209.67.209.50 c3313.z1305.winmx.com

O1 - Hosts: 212.227.64.159 c3314.z1305.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1305.winmx.com

O1 - Hosts: 67.18.233.36 c3316.z1305.winmx.com

O1 - Hosts: 82.43.224.20 c3317.z1305.winmx.com

O1 - Hosts: 209.67.209.50 c3318.z1305.winmx.com

O1 - Hosts: 212.227.64.159 c3319.z1305.winmx.com

O1 - Hosts: 205.238.40.2 c3310.z1306.winmx.com

O1 - Hosts: 67.18.233.36 c3311.z1306.winmx.com

O1 - Hosts: 82.43.224.20 c3312.z1306.winmx.com

O1 - Hosts: 209.67.209.50 c3313.z1306.winmx.com

O1 - Hosts: 212.227.64.159 c3314.z1306.winmx.com

O1 - Hosts: 205.238.40.2 c3315.z1306.winmx.com

O1 - Hosts: 67.18.233.36 c3316.z1306.winmx.com

O1 - Hosts: 82.43.224.20 c3317.z1306.winmx.com

O1 - Hosts: 209.67.209.50 c3318.z1306.winmx.com

O1 - Hosts: 212.227.64.159 c3319.z1306.winmx.com

O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com

O1 - Hosts: 67.18.233.36 c3521.z1301.winmx.com

O1 - Hosts: 82.43.224.20 c3522.z1301.winmx.com

O1 - Hosts: 209.67.209.50 c3523.z1301.winmx.com

O1 - Hosts: 212.227.64.159 c3524.z1301.winmx.com

O1 - Hosts: 205.238.40.2 c3525.z1301.winmx.com

O1 - Hosts: 67.18.233.36 c3526.z1301.winmx.com

O1 - Hosts: 82.43.224.20 c3527.z1301.winmx.com

O1 - Hosts: 209.67.209.50 c3528.z1301.winmx.com

O1 - Hosts: 212.227.64.159 c3529.z1301.winmx.com

O1 - Hosts: 205.238.40.2 c3520.z1302.winmx.com

O1 - Hosts: 67.18.233.36 c3521.z1302.winmx.com

O1 - Hosts: 82.43.224.20 c3522.z1302.winmx.com

O1 - Hosts: 209.67.209.50 c3523.z1302.winmx.com

O1 - Hosts: 212.227.64.159 c3524.z1302.winmx.com

O1 - Hosts: 205.238.40.2 c3525.z1302.winmx.com

O1 - Hosts: 67.18.233.36 c3526.z1302.winmx.com

O1 - Hosts: 82.43.224.20 c3527.z1302.winmx.com

O1 - Hosts: 209.67.209.50 c3528.z1302.winmx.com

O1 - Hosts: 212.227.64.159 c3529.z1302.winmx.com

O1 - Hosts: 205.238.40.2 c3520.z1303.winmx.com

O1 - Hosts: 67.18.233.36 c3521.z1303.winmx.com

O1 - Hosts: 82.43.224.20 c3522.z1303.winmx.com

O1 - Hosts: 209.67.209.50 c3523.z1303.winmx.com

O1 - Hosts: 212.227.64.159 c3524.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3525.z1303.winmx.com

O1 - Hosts: 67.18.233.36 c3526.z1303.winmx.com

O1 - Hosts: 82.43.224.20 c3527.z1303.winmx.com

O1 - Hosts: 209.67.209.50 c3528.z1303.winmx.com

O1 - Hosts: 212.227.64.159 c3529.z1303.winmx.com

O1 - Hosts: 205.238.40.2 c3520.z1304.winmx.com

O1 - Hosts: 67.18.233.36 c3521.z1304.winmx.com

O1 - Hosts: 82.43.224.20 c3522.z1304.winmx.com

O1 - Hosts: 209.67.209.50 c3523.z1304.winmx.com

O1 - Hosts: 212.227.64.159 c3524.z1304.winmx.com

O1 - Hosts: 205.238.40.2 c3525.z1304.winmx.com

O1 - Hosts: 67.18.233.36 c3526.z1304.winmx.com

O1 - Hosts: 82.43.224.20 c3527.z1304.winmx.com

O1 - Hosts: 209.67.209.50 c3528.z1304.winmx.com

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"

O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Administrator\Desktop\OTScanIt2\OTScanIt2.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...83/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,20/mcgdmgr.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://funeralnet.sharedbook.com/pilot/ImageUploader4.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...307/mcfscan.cab

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--

End of file - 13526 bytes
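The HijackThis log above is the kind of listing a helper reads by eye, looking first at the entry types that encode persistence or traffic redirection: O1 (hosts file), O4 (Run/RunOnce autoruns), O20 (AppInit_DLLs, the same value the OTScanIt fix stripped vgrupw.dll and hidekeli.dll from) and O23 (services). The triage script below is an added example written for this page, not code from the thread, OldTimer or Trend Micro. It parses those four entry types and flags what a reviewer should look at first. The flagging rules are assumptions made for the example: a hosts mapping to anything other than loopback, an autorun launched from a user-writable area, every AppInit_DLLs entry, and a service with an unknown publisher whose binary is missing or lives outside Program Files and Windows. One caveat it handles: 32-bit HijackThis on 64-bit Windows sees WOW64-redirected system32 paths and reports genuine system services as "(file missing)", so when the log contains "Program Files (x86)" or SysWOW64 paths those system32 entries are treated as an artefact rather than findings. The sample lines are constructed from entries in this thread plus one made-up service (updhlp.exe) to exercise the O23 rule.

```python
"""Triage helper for HijackThis 2.x log lines (added example; not the thread's own code).

Flagging heuristics are assumptions for this example, not HijackThis rules.
"""
import re
from dataclasses import dataclass

LOOPBACK = ("127.", "::1")
# Locations a normal service or autorun should not be launched from (assumption).
USER_AREAS = ("\\documents and settings\\", "\\users\\", "\\temp\\",
              "\\application data\\", "\\desktop\\")

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
O23_PREFIX = "O23 - Service: "

# Constructed sample: lines taken from the two logs in this thread, plus one
# made-up service line (updhlp.exe) so the O23 rule has something to flag.
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.2 www.winmx.com
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Administrator\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~2\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Update Helper (updhlp) - Unknown owner - C:\Documents and Settings\All Users\Application Data\updhlp.exe (file missing)
"""


@dataclass
class Finding:
    kind: str    # HijackThis entry type, e.g. "O20"
    line: str    # raw log line
    reason: str  # why a reviewer should look at it


def _is_wow64_log(lines):
    """32-bit HijackThis on 64-bit Windows is subject to WOW64 file system
    redirection and reports many real system32 services as '(file missing)'.
    Presence of 'Program Files (x86)' or SysWOW64 paths is taken as that case."""
    blob = "\n".join(lines).lower()
    return "program files (x86)" in blob or "syswow64" in blob


def _exe_path(cmd):
    """Reduce an O4 command line to the executable path (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx != -1 else cmd.split(" ")[0]


def triage(log_text):
    """Return the Finding list for a HijackThis log given as one string."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    wow64 = _is_wow64_log(lines)
    findings = []
    for line in lines:
        if m := O1_RE.match(line):
            ip, host = m.groups()
            if not ip.startswith(LOOPBACK):
                findings.append(Finding("O1", line,
                    f"hosts file pins {host} to {ip}; confirm the mapping is intentional"))
        elif m := O4_RE.match(line):
            if any(a in _exe_path(m.group(1)).lower() for a in USER_AREAS):
                findings.append(Finding("O4", line,
                    "autorun launches from a user-writable location"))
        elif m := O20_RE.match(line):
            for dll in m.group(1).split(","):
                findings.append(Finding("O20", line,
                    f"{dll.strip()} is loaded into every process that loads user32.dll; confirm the vendor"))
        elif line.startswith(O23_PREFIX):
            # "name (short) - owner - path"; rsplit so a ' - ' inside the name survives
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, owner, path = parts
            missing = path.endswith("(file missing)")
            in_sys32 = "\\system32\\" in path.lower()
            if missing and in_sys32 and wow64:
                continue  # WOW64 redirection artefact, not a missing binary
            odd_place = any(a in path.lower() for a in USER_AREAS)
            if owner == "Unknown owner" and (missing or odd_place):
                findings.append(Finding("O23", line,
                    "service with unknown publisher whose binary is missing or in an unusual location"))
    return findings


def counts_by_kind(findings):
    """Summary useful for a quick glance: {"O1": n, "O4": n, ...}."""
    out = {}
    for f in findings:
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

On the sample, the winmx.com hosts entries, the OTScanIt2 RunOnce entry (a helper's tool, but launched from the Desktop, so correctly surfaced for a look), both Kaspersky AppInit_DLLs and the constructed updhlp.exe service are reported; the MSDTC "(file missing)" line is suppressed because the sample carries Program Files (x86) paths. A flag means "look at this", not "malicious": every reported item here except updhlp.exe has an innocent explanation.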


mbam_log_2008_12_24__23_49_23_.txt

ActiveScan.txt

HJT is the only one that wouldn't upload.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:14:18 AM, on 12/25/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Program Files (x86)\uTorrent\uTorrent.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{E803E4A8-0DC1-4A6F-B5C1-CDF9F491C2F8}: NameServer = 68.87.74.162,68.87.68.162

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - (no file)

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~2\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVCSer64.exe

O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - C:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--

End of file - 9066 bytes

mbam_log_2008_12_24__23_49_23_.txt

ActiveScan.txt


02987188  Generic Trojan	Virus/Trojan	No	0	No	No	T:\Gothic 2\rld-g2ge.rar[Gothic2.exe]
02987188  Generic Trojan	Virus/Trojan	No	0	Yes	No	C:\Program Files (x86)\JoWooD\Gothic II\system\Gothic2.exe
02987199  Generic Trojan	Virus/Trojan	No	0	No	No	T:\Gothic 2\rld-g2ge.rar[reloaded.dll]
02987199  Generic Trojan	Virus/Trojan	No	0	Yes	No	C:\Program Files (x86)\JoWooD\Gothic II\system\reloaded.dll
03911281  Bck/Hupigon.AZG	Virus/Trojan	No	1	No	No	T:\Gothic 2\rld-g2ge.rar[ar.dll]
03911281  Bck/Hupigon.AZG	Virus/Trojan	No	1	Yes	No	C:\Program Files (x86)\JoWooD\Gothic II\system\ar.dll
03939228  Generic Trojan	Virus/Trojan	No	0	Yes	No	C:\Users\J\Desktop\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\CRACK\patch_ssc.exe
03939228  Generic Trojan	Virus/Trojan	No	0	Yes	No	C:\Program Files (x86)\Alcohol Soft\Alcohol 120\patch_ssc.exe
03939228  Generic Trojan	Virus/Trojan	No	0	No	No	C:\Users\J\Documents\Downloads\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build).rar[ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\CRACK\patch_ssc.exe