Jump to content

Trojan.BHO does'nt delete on reeboot


Recommended Posts

Hello everyone, recently i had regular pop-ups and some system slowdown. I have mcafee installed and that picked up no problems. I had MBAM and rogue remover installed also and did a scan with them. i had various infections, mainly vundo and zlob and after some deleting and renaming, i think i have managed to get it down to one last problem, a trojan.BHO in a registry, also something called zivovubele on hjt log. Thankyou for your time in advance.

Malwarebytes' Anti-Malware 1.31

Database version: 1544

Windows 5.1.2600 Service Pack 3

26/12/2008 20:22:18

mbam-log-2008-12-26 (20-22-18).txt

Scan type: Quick Scan

Objects scanned: 61863

Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:17:53, on 26/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MSK\MskSrver.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe

C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tesco.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.windowsupdate.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: c:\windows\system32\yafajawo.dll c:\windows\system32\rarivove.dll c:\windows\system32\duvabova.dll c:\windows\system32\judukowe.dll c:\windows\system32\tusihivi.dll c:\windows\system32\suzisuha.dll c:\windows\system32\disesobe.dll c:\windows\system32\lukosayu.dll c:\windows\system32\zanelupo.dll c:\windows\system32\yizuwedu.dll c:\windows\system32\huzisopo.dll c:\windows\system32\riturifa.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 13057 bytes

Link to post
Share on other sites

Howdy there winter son

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

=========================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.

Link to post
Share on other sites

Howdy there winter son

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

=========================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.

thanks for the reply sjb007. just so you know, i turned off mcafee in the security centre before i ran combofix and set it to start on restart as it didnt say in the notes that it would reboot after scan and it seems it has been included in the log. apologies for this, if you wish me to run the scan and post a new log then i will. here is the two logs anyway, and again thanks for the help.

ComboFix 08-12-28.04 - Bram 2008-12-29 17:04:00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1462 [GMT 0:00]

Running from: c:\documents and settings\Bram\My Documents\bram\applications\windiag\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *enabled*

FW: ActiveArmor Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\asapagov.ini

c:\windows\system32\Cache

c:\windows\system32\CMMGR32.EXE

c:\windows\system32\efukujaj.ini

c:\windows\system32\iyelukuv.ini

c:\windows\system32\tmp35.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_TCPSR

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))

.

2008-12-26 20:24 . 2008-12-26 20:24 <DIR> d-------- c:\program files\Panda Security

2008-12-26 20:24 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-26 20:11 . 2008-12-26 20:11 <DIR> d-------- c:\program files\Sun

2008-12-26 20:11 . 2008-12-26 20:11 <DIR> d-------- c:\program files\Java

2008-12-26 20:11 . 2008-12-26 20:11 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-26 20:11 . 2008-12-26 20:11 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-26 20:08 . 2008-12-26 20:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-12-26 20:00 . 2008-12-27 16:50 <DIR> d-------- c:\program files\NOS

2008-12-26 20:00 . 2008-12-27 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2008-12-26 18:12 . 2008-12-26 18:12 <DIR> d-------- c:\documents and settings\Bram\DoctorWeb

2008-12-26 17:51 . 2008-12-26 17:51 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-12-26 17:08 . 2004-06-11 15:33 290,304 --a------ c:\windows\system32\subinacl.exe

2008-12-25 11:29 . 2008-12-25 11:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-25 11:29 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-25 11:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-23 17:36 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-23 17:35 . 2008-12-23 17:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-23 17:35 . 2008-12-23 17:35 <DIR> d-------- c:\documents and settings\Bram\Application Data\SUPERAntiSpyware.com

2008-12-23 17:34 . 2008-12-23 17:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-23 17:33 . 2008-12-23 17:33 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 11:21 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-23 11:21 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-23 11:20 . 2008-12-23 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_

2008-12-22 23:04 . 2008-12-22 23:04 249,592 --a------ c:\windows\system32\cssdll32.dll

2008-12-22 23:03 . 2008-12-24 06:16 <DIR> d-------- c:\program files\COMODO

2008-12-22 12:43 . 2008-12-22 12:43 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2

2008-12-21 20:15 . 2008-12-23 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-21 19:39 . 2008-12-21 19:39 33,832 --a------ c:\windows\system32\cmcmamul.exe

2008-12-21 19:31 . 2008-12-21 19:31 33,832 --a------ c:\windows\system32\eaikyzxt.exe

2008-12-21 17:12 . 2008-12-21 17:12 <DIR> d-------- C:\VundoFix Backups

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-29 12:09 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore

2008-12-26 20:08 --------- d-----w c:\program files\Common Files\Adobe

2008-12-23 18:06 --------- d-----w c:\program files\RogueRemover FREE

2008-12-22 12:43 --------- d-----w c:\program files\Microsoft Works

2008-12-18 11:11 1,950 ----a-w c:\documents and settings\Bram\Application Data\wklnhst.dat

2008-12-15 18:30 --------- d-----w c:\program files\Soulseek

2008-12-12 16:53 --------- d-----w c:\program files\SuperAdBlocker.com

2008-12-10 14:59 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-10 14:54 --------- d-----w c:\program files\McAfee

2008-12-01 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\Digital PixMaster

2008-12-01 09:14 --------- d-----w c:\program files\SpeedFan

2008-12-01 09:13 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-01 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software

2008-12-01 09:11 --------- d-----w c:\program files\ubi.com

2008-11-28 22:18 --------- d-----w c:\program files\Samsung

2008-11-28 22:18 --------- d-----w c:\documents and settings\Bram\Application Data\Samsung

2008-11-28 22:03 --------- d-----w c:\documents and settings\Bram\Application Data\SuperAdBlocker.com

2007-11-23 14:36 22,328 -c--a-w c:\documents and settings\Bram\Application Data\PnkBstrK.sys

2007-01-04 17:23 92,064 ----a-w c:\documents and settings\Bram\mqdmmdm.sys

2007-01-04 17:23 9,232 ----a-w c:\documents and settings\Bram\mqdmmdfl.sys

2007-01-04 17:23 79,328 ----a-w c:\documents and settings\Bram\mqdmserd.sys

2007-01-04 17:23 66,656 ----a-w c:\documents and settings\Bram\mqdmbus.sys

2007-01-04 17:23 6,208 ----a-w c:\documents and settings\Bram\mqdmcmnt.sys

2007-01-04 17:23 5,936 ----a-w c:\documents and settings\Bram\mqdmwhnt.sys

2007-01-04 17:23 4,048 ----a-w c:\documents and settings\Bram\mqdmcr.sys

2007-01-04 17:23 25,600 ----a-w c:\documents and settings\Bram\usbsermptxp.sys

2007-01-04 17:23 22,768 ----a-w c:\documents and settings\Bram\usbsermpt.sys

2008-09-06 09:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 118784]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-12-21 270336]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]

"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-06-27 278528]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]

"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

"CTHelper"="CTHELPER.EXE" [2006-12-12 c:\windows\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 c:\windows\system32\Ctxfihlp.exe]

"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DVD@ccess.lnk - c:\program files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-05-30 888832]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vdi51.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Codemasters\\Operation Flashpoint\\FlashpointResistance.exe"=

"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=

"c:\\Program Files\\Digital Spectrum\\Digital PixMaster 6.1\\DigitalPixMaster.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

"c:\\Program Files\\Thomson\\SpeedTouch USB\\dragdiag.exe"=

"c:\\WINDOWS\\system32\\cidaemon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65436:TCP"= 65436:TCP:*:Disabled:SolidNetworkManager

"65436:UDP"= 65436:UDP:*:Disabled:SolidNetworkManager

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-26 28544]

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2007-05-30 29156]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-05 206096]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S0 Vdi51;Vdi51;c:\windows\system32\Drivers\Vdi51.sys []

S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2005-12-07 11970]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []

S3 DVxplore;NVTV;c:\windows\system32\DRIVERS\DVxplore.sys [2005-12-07 75776]

S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2005-12-07 133696]

S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2005-12-07 296515]

S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2005-12-07 149504]

S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2005-12-07 498176]

S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88BAR.sys [2005-12-07 23552]

S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [2008-09-10 135680]

S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [2008-09-10 8320]

S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [2008-09-10 12288]

S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [2008-09-10 12288]

S3 PciCon;PciCon;\??\D:\PciCon.sys []

S3 pfusb;pfusb;c:\windows\system32\drivers\pfusb.sys [2007-08-29 12272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d3a98a-59a2-11dd-bbc5-000e5046f16f}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64c22b2-e107-11da-9ce0-806d6172696f}]

\Shell\AutoRun\command - E:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de0c2aec-e023-11da-9f34-0013d3cfe452}]

\Shell\AutoRun\command - F:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 17:36]

2008-04-05 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-04-05 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Uch27.sys

MSConfigStartUp-6c37621e - c:\windows\system32\lubudeyu.dll

MSConfigStartUp-CPM6f045182 - c:\windows\system32\yizuwedu.dll

MSConfigStartUp-zivovubele - c:\windows\system32\pubegadi.dll

.

------- Supplementary Scan -------

.

uStart Page = www.tesco.net/

uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

Trusted Zone: *.windowsupdate.microsoft.com

Trusted Zone: *.windowsupdate.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-29 17:09:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(932)

c:\windows\system32\nvappfilter.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\tcpsvcs.exe

c:\windows\system32\snmp.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

.

**************************************************************************

.

Completion time: 2008-12-29 17:16:40 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-29 17:16:36

Pre-Run: 191,823,302,656 bytes free

Post-Run: 191,791,980,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

300 --- E O F --- 2008-12-26 19:49:01

2570

2570_Help

2570Trb

Acrobat.com

Adobe AIR

Adobe Flash Player ActiveX

Adobe Reader 9

AiO_Scan_CDA

AiOSoftwareNPI

Apple Mobile Device Support

Apple Software Update

AutoUpdate

BufferChm

CP_AtenaShokunin1Config

CP_CalendarTemplates1

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

CueTour

CustomerResearchQFolder

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

Digital PixMaster 6.1

DivX Codec

DivX Converter Mobile

DivX Player

DivX Web Player

DocProc

DocumentViewer

DocumentViewerQFolder

Dr SpeedTouch

DVD@ccess 2.0.3

Elecard MPEG-2 Decoder&Streaming Plug-in for WMP

Enable S3 for USB Device

eSupportQFolder

Fax_CDA

FullDPAppQFolder

GameShadow

Hauppauge MCE2005 Software Encoder

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

HP Document Viewer 5.3

HP Extended Capabilities 5.3

HP Image Zone 5.3

HP Imaging Device Functions 5.3

HP PSC & OfficeJet 5.3.A

HP Software Update

HP Solution Center & Imaging Support Tools 5.3

HPProductAssistant

InstantShareDevices

iPod Updater 2004-08-06

iTunes

Java 6 Update 11

JourneySoftwarePromo

LS_HSI

Malwarebytes' Anti-Malware

MarketResearch

McAfee SecurityCenter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft User-Mode Driver Framework Feature Pack 1.5

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual J# .NET Redistributable Package 1.1

Microsoft Works

Microsoft Works 7.0

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

NewCopy_CDA

NVIDIA Drivers

NVIDIA ForceWare Network Access Manager

NVIDIA nTune

OpenOffice.org Installer 1.0

Panda ActiveScan 2.0

PanoStandAlone

PC Connectivity Solution

PhotoGallery

ProductContextNPI

QuickTime

RandMap

Readme

Realtek AC'97 Audio

SAMSUNG Mobile Modem Driver Set

Samsung Mobile phone USB driver Software

SAMSUNG Mobile USB Modem 1.0 Software

SAMSUNG Mobile USB Modem Software

Samsung PC Studio

Samsung PC Studio 3

Samsung PC Studio 3 USB Driver Installer

Samsung PC Studio 7

Samsung Samples Installer

SamsungConnectivityCableDriver

Scan

ScannerCopy

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

SkinsHP1

Solid State ION Internet Explorer Plugin

SolutionCenter

Sonic_PrimoSDK

SoulSeek Client 156c

Sound Blaster X-Fi

SpeedTouch USB Software

Status

SUPERAntiSpyware Free Edition

System Requirements Lab

TrayApp

Unload

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update Rollup 2 for Windows XP Media Center Edition 2005

WebFldrs XP

WebReg

Windows Defender

Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows XP Media Center Edition 2005 KB888316

Windows XP Media Center Edition 2005 KB890629

Windows XP Media Center Edition 2005 KB890760

Windows XP Media Center Edition 2005 KB894553

Windows XP Media Center Edition 2005 KB895678

Windows XP Media Center Edition 2005 KB925766

Windows XP Service Pack 3

WinRAR archiver

Link to post
Share on other sites

Hi there

Some files I would expect to see in combofix log are not present, can I just ask have you ran any other tools, or deleted any files inbetween posting the HJT log and the combofix log.

I want you to run an online scan with Kaspersky for me.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

KAS.gif

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

============================

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.

Click Continue at the disclaimer screen.

Once it has finished, two logs will open.

log.txt <will be maximized and info.txt <will be minimized

Please post the contents of log.txt in your next reply.

Link to post
Share on other sites

Hi there

Some files I would expect to see in combofix log are not present, can I just ask have you ran any other tools, or deleted any files inbetween posting the HJT log and the combofix log.

I want you to run an online scan with Kaspersky for me.

Establish an internet connection & perform an online scan with Internet Explorer at http://*.windowsupdate.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 11917 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\HPpromotions journeysoftware.job

C:\WINDOWS\tasks\McDefragTask.job

C:\WINDOWS\tasks\McQcTask.job

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-26 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]

McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-26 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-26 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

"CTDVDDET"=C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE [2003-06-18 45056]

"RCSystem"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152]

"AudioDrvEmulator"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152]

"VolPanel"=C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [2005-07-11 122880]

"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2004-01-26 866816]

"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe [2005-12-21 270336]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-10-04 8491008]

"nwiz"=nwiz.exe /install []

"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2006-12-12 19456]

"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-12-12 20480]

"MsmqIntCert"=regsvr32 /s mqrt.dll []

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-10-04 81920]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-04 267048]

"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]

"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2008-07-11 641208]

"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2008-06-13 1176808]

"SamsungPCSuiteTrayApplication"=C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe [2008-06-27 278528]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-26 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"STManager"=C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe [2003-10-16 118784]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-07-03 81920]

"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-04 1809648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DVD@ccess.lnk - C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vdi51.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Vdi51.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\Program Files\Codemasters\Operation Flashpoint\FlashpointResistance.exe"="C:\Program Files\Codemasters\Operation Flashpoint\FlashpointResistance.exe:*:Enabled:Operation Flashpoint"

"C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe:*:Enabled:Dr SpeedTouch"

"C:\Program Files\Digital Spectrum\Digital PixMaster 6.1\DigitalPixMaster.exe"="C:\Program Files\Digital Spectrum\Digital PixMaster 6.1\DigitalPixMaster.exe:*:Enabled:Main executable for slide manager application"

"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"

"C:\Program Files\CyberLink\PCM4Everio\PCM4Everio.exe"="C:\Program Files\CyberLink\PCM4Everio\PCM4Everio.exe:*:Disabled:CyberLink PowerCinema NE for Everio"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

"C:\WINDOWS\system32\wbem\wmiprvse.exe"="C:\WINDOWS\system32\wbem\wmiprvse.exe:*:Enabled:wmiprvse"

"C:\Program Files\McAfee\MSK\msksrver.exe"="C:\Program Files\McAfee\MSK\msksrver.exe:*:Enabled:MskSrver"

"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"

"C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe"="C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe:*:Enabled:Dragdiag"

"C:\WINDOWS\system32\cidaemon.exe"="C:\WINDOWS\system32\cidaemon.exe:*:Enabled:cidaemon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d3a98a-59a2-11dd-bbc5-000e5046f16f}]

shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64c22b2-e107-11da-9ce0-806d6172696f}]

shell\AutoRun\command - E:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de0c2aec-e023-11da-9f34-0013d3cfe452}]

shell\AutoRun\command - F:\autorun.exe

======List of files/folders created in the last 1 months======

2008-12-29 19:23:07 ----D---- C:\rsit

2008-12-29 19:00:02 ----D---- C:\WINDOWS\Sun

2008-12-29 17:16:41 ----A---- C:\ComboFix.txt

2008-12-29 17:02:24 ----A---- C:\Boot.bak

2008-12-29 17:02:21 ----RASHD---- C:\cmdcons

2008-12-29 16:53:12 ----A---- C:\WINDOWS\zip.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\VFIND.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWXCACLS.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWSC.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWREG.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\sed.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\NIRCMD.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\grep.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\fdsv.exe

2008-12-29 16:52:57 ----D---- C:\WINDOWS\ERDNT

2008-12-29 16:52:57 ----D---- C:\Qoobox

2008-12-29 16:52:57 ----D---- C:\ComboFix

2008-12-26 20:24:15 ----D---- C:\Program Files\Panda Security

2008-12-26 20:11:48 ----D---- C:\Program Files\Sun

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\javaws.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\javaw.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\java.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\deploytk.dll

2008-12-26 20:11:05 ----D---- C:\Program Files\Java

2008-12-26 20:10:36 ----D---- C:\Documents and Settings\Bram\Application Data\Sun

2008-12-26 20:08:32 ----D---- C:\Program Files\Common Files\Adobe AIR

2008-12-26 20:00:05 ----D---- C:\Program Files\NOS

2008-12-26 20:00:05 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

2008-12-26 17:08:36 ----A---- C:\WINDOWS\system32\subinacl.exe

2008-12-25 13:17:05 ----A---- C:\WINDOWS\system32\MRT.exe

2008-12-25 11:29:04 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2008-12-23 17:36:56 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-23 17:35:33 ----D---- C:\Program Files\SUPERAntiSpyware

2008-12-23 17:35:33 ----D---- C:\Documents and Settings\Bram\Application Data\SUPERAntiSpyware.com

2008-12-23 17:34:24 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2008-12-23 17:33:11 ----D---- C:\Program Files\Trend Micro

2008-12-23 11:21:57 ----A---- C:\WINDOWS\system32\mucltui.dll.mui

2008-12-23 11:21:57 ----A---- C:\WINDOWS\system32\mucltui.dll

2008-12-23 11:20:34 ----D---- C:\Documents and Settings\All Users\Application Data\_comodo_

2008-12-22 23:04:38 ----A---- C:\WINDOWS\system32\cssdll32.dll

2008-12-22 23:03:57 ----D---- C:\Program Files\COMODO

2008-12-22 12:43:55 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2008-12-22 12:17:53 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$

2008-12-22 12:17:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$

2008-12-22 12:17:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$

2008-12-22 12:17:17 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

2008-12-21 20:15:41 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-12-21 19:39:52 ----A---- C:\WINDOWS\system32\cmcmamul.exe

2008-12-21 19:31:05 ----A---- C:\WINDOWS\system32\eaikyzxt.exe

2008-12-21 17:12:40 ----A---- C:\VundoFix.txt

2008-12-21 17:12:39 ----D---- C:\VundoFix Backups

2008-12-14 18:29:08 ----A---- C:\WINDOWS\system32\6714a660-.txt

======List of files/folders modified in the last 1 months======

2008-12-29 19:04:06 ----D---- C:\WINDOWS\Temp

2008-12-29 19:01:03 ----D---- C:\WINDOWS

2008-12-29 17:16:43 ----D---- C:\WINDOWS\system32\drivers

2008-12-29 17:16:43 ----D---- C:\WINDOWS\system32

2008-12-29 17:15:52 ----D---- C:\WINDOWS\system32\CatRoot2

2008-12-29 17:13:25 ----D---- C:\WINDOWS\system32\inetsrv

2008-12-29 17:12:31 ----SD---- C:\WINDOWS\Tasks

2008-12-29 17:10:11 ----A---- C:\WINDOWS\system.ini

2008-12-29 17:07:05 ----D---- C:\WINDOWS\system32\config

2008-12-29 17:05:19 ----D---- C:\WINDOWS\AppPatch

2008-12-29 17:05:19 ----D---- C:\Program Files\Common Files

2008-12-29 17:02:24 ----RASH---- C:\boot.ini

2008-12-29 17:01:01 ----A---- C:\WINDOWS\SchedLgU.Txt

2008-12-29 16:52:51 ----D---- C:\WINDOWS\Prefetch

2008-12-28 18:31:54 ----SHD---- C:\WINDOWS\CSC

2008-12-27 16:50:15 ----SD---- C:\WINDOWS\Downloaded Program Files

2008-12-27 16:49:13 ----HD---- C:\Config.Msi

2008-12-26 20:53:29 ----SHD---- C:\WINDOWS\Installer

2008-12-26 20:24:15 ----RD---- C:\Program Files

2008-12-26 20:24:15 ----HD---- C:\WINDOWS\inf

2008-12-26 20:08:50 ----D---- C:\Program Files\Adobe

2008-12-26 20:08:23 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

2008-12-26 20:08:05 ----D---- C:\Program Files\Common Files\Adobe

2008-12-26 20:07:46 ----D---- C:\WINDOWS\WinSxS

2008-12-26 20:00:58 ----SHD---- C:\System Volume Information

2008-12-26 20:00:58 ----D---- C:\WINDOWS\system32\Restore

2008-12-26 17:58:32 ----A---- C:\WINDOWS\ntbtlog.txt

2008-12-25 12:47:20 ----A---- C:\WINDOWS\win.ini

2008-12-23 18:06:51 ----D---- C:\Program Files\RogueRemover FREE

2008-12-23 18:06:20 ----A---- C:\WINDOWS\imsins.BAK

2008-12-23 18:05:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2008-12-23 18:04:19 ----D---- C:\Program Files\Online Services

2008-12-23 18:04:11 ----D---- C:\WINDOWS\addins

2008-12-23 16:41:45 ----D---- C:\WINDOWS\Minidump

2008-12-22 12:43:20 ----D---- C:\Program Files\Microsoft Works

2008-12-22 12:17:45 ----RSHDC---- C:\WINDOWS\system32\dllcache

2008-12-22 12:17:44 ----D---- C:\Program Files\Internet Explorer

2008-12-22 12:17:37 ----HD---- C:\WINDOWS\$hf_mig$

2008-12-22 12:02:35 ----D---- C:\WINDOWS\system32\CatRoot

2008-12-15 18:30:32 ----D---- C:\Program Files\Soulseek

2008-12-13 06:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll

2008-12-12 16:53:41 ----D---- C:\Program Files\SuperAdBlocker.com

2008-12-10 14:54:38 ----D---- C:\Program Files\McAfee

2008-12-09 14:26:55 ----A---- C:\WINDOWS\WORDPAD.INI

2008-12-01 09:29:18 ----D---- C:\Documents and Settings\All Users\Application Data\Digital PixMaster

2008-12-01 09:14:59 ----D---- C:\Program Files\SpeedFan

2008-12-01 09:13:31 ----HD---- C:\Program Files\InstallShield Installation Information

2008-12-01 09:13:27 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software

2008-12-01 09:11:17 ----D---- C:\Program Files\ubi.com

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-06-27 207656]

R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-06-02 120136]

R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2006-04-14 101888]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []

R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]

R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]

R2 DVDAccss;DVDAccss; C:\WINDOWS\system32\drivers\DVDAccss.sys [2003-11-21 29156]

R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]

R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]

R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-01-24 4127488]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]

R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]

R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]

R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]

R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-06-27 79240]

R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-06-27 35240]

R3 MQAC;Message Queuing access control; \??\C:\WINDOWS\system32\drivers\mqac.sys []

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-10-04 6854464]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-04-14 34176]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-04-14 13056]

R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []

R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-02-11 14572]

R3 RMCAST;Reliable Multicast Protocol driver; \??\C:\WINDOWS\system32\drivers\RMCast.sys []

R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 35840]

S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture; C:\WINDOWS\system32\drivers\hcw88aud.sys [2005-11-23 11970]

S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]

S1 SABKUTIL;SABKUTIL; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []

S3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-12-19 511288]

S3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-06-18 514560]

S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-07-13 340704]

S3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-12-19 14648]

S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-12-19 156984]

S3 DVxplore;NVTV; C:\WINDOWS\system32\DRIVERS\DVxplore.sys [2004-09-07 75776]

S3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-12-19 90936]

S3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 1160504]

S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod; C:\WINDOWS\system32\drivers\hcw88bda.sys [2005-11-23 133696]

S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture; C:\WINDOWS\system32\drivers\hcw88tse.sys [2005-11-23 296515]

S3 HCW88TUNE;Hauppauge WinTV 88x Tuner; C:\WINDOWS\system32\drivers\hcw88tun.sys [2007-01-24 149504]

S3 hcw88vid;Hauppauge WinTV 88x Video; C:\WINDOWS\system32\drivers\hcw88vid.sys [2007-01-24 498176]

S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar; C:\WINDOWS\system32\drivers\HCW88BAR.sys [2007-01-24 23552]

S3 HidIr;Microsoft Infrared HID Driver; C:\WINDOWS\system32\DRIVERS\hidir.sys [2008-04-13 19200]

S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

S3 IrBus;Infrared bus filter driver for eHome remote controls; C:\WINDOWS\system32\DRIVERS\IrBus.sys [2008-04-13 46592]

S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2008-06-20 34152]

S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2008-06-27 40488]

S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]

S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 nmwcdsa;Samsung USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcdsa.sys [2007-05-02 135680]

S3 nmwcdsac;Samsung USB Generic; C:\WINDOWS\system32\drivers\nmwcdsac.sys [2007-05-02 8320]

S3 nmwcdsacj;Samsung USB Port; C:\WINDOWS\system32\drivers\nmwcdsacj.sys [2007-05-02 12288]

S3 nmwcdsacm;Samsung USB Modem; C:\WINDOWS\system32\drivers\nmwcdsacm.sys [2007-05-02 12288]

S3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-12-19 128312]

S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]

S3 PciCon;PciCon; \??\D:\PciCon.sys []

S3 pfusb;pfusb; C:\WINDOWS\system32\drivers\pfusb.sys [2005-09-01 12272]

S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys []

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]

S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]

S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]

S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []

S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys [2007-01-04 25600]

S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]

R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2005-12-21 139264]

R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2005-09-23 20543]

R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-26 152984]

R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-03-17 38912]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-11-20 206096]

R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-10-10 792696]

R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-07-18 2482848]

R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2008-07-09 358736]

R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]

R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2008-06-20 144704]

R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2008-07-09 25416]

R2 MSMQ;Message Queuing; C:\WINDOWS\system32\mqsvc.exe [2008-04-14 4608]

R2 MSMQTriggers;Message Queuing Triggers; C:\WINDOWS\system32\mqtgsvc.exe [2008-04-14 117248]

R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2005-12-21 127035]

R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2005-12-21 61503]

R2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-07-03 131072]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-10-04 155716]

R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]

R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-09-29 266343]

R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-14 33280]

R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-04 504104]

R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-09 884360]

R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]

S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]

S3 MBackMonitor;MBackMonitor; C:\Program Files\McAfee\MBK\MBackMonitor.exe [2008-07-10 66848]

S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2008-06-20 361800]

S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]

S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-14 8704]

S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2008-09-16 605512]

-----------------EOF-----------------

Link to post
Share on other sites

Hi there winter son

Great work, so far so good

Just two files I am curious about that I want you to check....

Please go to: VirusTotal

  • In the middle of the page you'll find a "Browse" button.
    virustotal2.jpg
    Click the "Browse" button and browse to this file in RED:
    C:\WINDOWS\system32\cmcmamul.exe
  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.

Please do the same with:

C:\WINDOWS\system32\eaikyzxt.exe

Post back with the results from both files in your next reply

Apart from that how are things running now, any more problems to report?

Link to post
Share on other sites

Hi there winter son

Great work, so far so good

Just two files I am curious about that I want you to check....

Please go to: VirusTotal

  • In the middle of the page you'll find a "Browse" button.

    virustotal2.jpg

    Click the "Browse" button and browse to this file in RED:

    C:\WINDOWS\system32\cmcmamul.exe

  • Click "Open".

  • Then click the "Send File" button at the bottom of the VirusTotal page.

  • This will scan the file. Please be patient.

  • If you get a message saying File has already been analysed: click Reanalyse file now

  • Once scanned, copy and paste the results in your next reply.

Please do the same with:

C:\WINDOWS\system32\eaikyzxt.exe

Post back with the results from both files in your next reply

Apart from that how are things running now, any more problems to report?

File cmcmamul.exe received on 12.29.2008 22:59:48 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 1/39 (2.57%)

Loading server information...

Your file is queued in position: ___.

Estimated start time is between ___ and ___ .

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.0.0.73 2008.12.29 -

AhnLab-V3 2008.12.25.0 2008.12.29 -

AntiVir 7.9.0.45 2008.12.29 -

Authentium 5.1.0.4 2008.12.29 -

Avast 4.8.1281.0 2008.12.29 -

AVG 8.0.0.199 2008.12.29 -

BitDefender 7.2 2008.12.29 -

CAT-QuickHeal 10.00 2008.12.27 -

ClamAV 0.94.1 2008.12.29 -

Comodo 837 2008.12.29 -

DrWeb 4.44.0.09170 2008.12.29 -

eSafe 7.0.17.0 2008.12.28 -

eTrust-Vet 31.6.6280 2008.12.29 -

Ewido 4.0 2008.12.29 -

F-Prot 4.4.4.56 2008.12.29 -

F-Secure 8.0.14470.0 2008.12.29 -

Fortinet 3.117.0.0 2008.12.29 -

GData 19 2008.12.29 -

Ikarus T3.1.1.45.0 2008.12.29 -

K7AntiVirus 7.10.569 2008.12.29 -

Kaspersky 7.0.0.125 2008.12.29 -

McAfee 5478 2008.12.29 -

McAfee+Artemis 5478 2008.12.29 -

Microsoft 1.4205 2008.12.29 -

NOD32 3722 2008.12.29 -

Norman 5.80.02 2008.12.29 -

Panda 9.0.0.4 2008.12.29 -

PCTools 4.4.2.0 2008.12.29 -

Prevx1 V2 2008.12.29 Malicious Software

Rising 21.10.02.00 2008.12.29 -

SecureWeb-Gateway 6.7.6 2008.12.29 -

Sophos 4.37.0 2008.12.29 -

Sunbelt 3.2.1809.2 2008.12.22 -

Symantec 10 2008.12.29 -

TheHacker 6.3.1.4.201 2008.12.28 -

TrendMicro 8.700.0.1004 2008.12.29 -

VBA32 3.12.8.10 2008.12.28 -

ViRobot 2008.12.29.1538 2008.12.29 -

VirusBuster 4.5.11.0 2008.12.29 -

Additional information

File size: 33832 bytes

MD5...: 826b165dfdc241143717dfaef03aea8f

SHA1..: 99c96d0cbf07d24c40f960c88610fd7ae64428c2

SHA256: ef81239ee5736cbe4930c2fcf7dd2b42cb4214ad6ecacd4c0c7760bdb56316a6

SHA512: 814b5a242182cdc7c74caa8c30d9a7072e840c1ce159a8df8c1ccd2f5d75d244

0965e7e83be50538c8f8c6d80611b2bc3a9f18c82a2f7e64e79db11f49ba59a3

ssdeep: 384:ySwHp2dZApt1qz5hfReSCxY6pcYiw5vyy1MxWM6W4nELKt8Cy/jp:y0iZVpc

sKy1M5ZU8Cy/jp

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1005b39

timedatestamp.....: 0x483473fa (Wed May 21 19:11:54 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x50da 0x5200 6.08 b62a27b31ff6c85d478ba3252b370db8

.data 0x7000 0x35c 0x200 0.57 30b4e9caedfc5cc61ae43b4b10fb9ef7

.rsrc 0x8000 0x3c0 0x400 3.07 718782eb2d32dc40bff7f3f12e927fe8

.reloc 0x9000 0x292 0x400 3.78 23251461e59726ca2731a319e8a47999

( 1 imports )

> ntdll.dll: wcslen, memset, _vsnwprintf, RtlCreateHeap, RtlFreeHeap, RtlDestroyHeap, RtlAllocateHeap, ZwClose, ZwFlushKey, ZwDeleteKey, ZwOpenKey, memcpy, ZwCreateKey, RtlInitUnicodeString, ZwDeleteValueKey, ZwSetValueKey, ZwQueryValueKey, ZwReadFile, ZwSetInformationFile, ZwCreateFile, ZwDeleteFile, ZwOpenFile, ZwQueryInformationFile, ZwWriteFile, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, DbgBreakPoint, RtlNormalizeProcessParams

( 0 exports )

Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2</a>

CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f</a>

File eaikyzxt.exe received on 12.29.2008 23:01:06 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 1/39 (2.57%)

Loading server information...

Your file is queued in position: ___.

Estimated start time is between ___ and ___ .

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

a-squared 4.0.0.73 2008.12.29 -

AhnLab-V3 2008.12.25.0 2008.12.29 -

AntiVir 7.9.0.45 2008.12.29 -

Authentium 5.1.0.4 2008.12.29 -

Avast 4.8.1281.0 2008.12.29 -

AVG 8.0.0.199 2008.12.29 -

BitDefender 7.2 2008.12.29 -

CAT-QuickHeal 10.00 2008.12.27 -

ClamAV 0.94.1 2008.12.29 -

Comodo 837 2008.12.29 -

DrWeb 4.44.0.09170 2008.12.29 -

eSafe 7.0.17.0 2008.12.28 -

eTrust-Vet 31.6.6280 2008.12.29 -

Ewido 4.0 2008.12.29 -

F-Prot 4.4.4.56 2008.12.29 -

F-Secure 8.0.14470.0 2008.12.29 -

Fortinet 3.117.0.0 2008.12.29 -

GData 19 2008.12.29 -

Ikarus T3.1.1.45.0 2008.12.29 -

K7AntiVirus 7.10.569 2008.12.29 -

Kaspersky 7.0.0.125 2008.12.29 -

McAfee 5478 2008.12.29 -

McAfee+Artemis 5478 2008.12.29 -

Microsoft 1.4205 2008.12.29 -

NOD32 3722 2008.12.29 -

Norman 5.80.02 2008.12.29 -

Panda 9.0.0.4 2008.12.29 -

PCTools 4.4.2.0 2008.12.29 -

Prevx1 V2 2008.12.29 Malicious Software

Rising 21.10.02.00 2008.12.29 -

SecureWeb-Gateway 6.7.6 2008.12.29 -

Sophos 4.37.0 2008.12.29 -

Sunbelt 3.2.1809.2 2008.12.22 -

Symantec 10 2008.12.29 -

TheHacker 6.3.1.4.201 2008.12.28 -

TrendMicro 8.700.0.1004 2008.12.29 -

VBA32 3.12.8.10 2008.12.28 -

ViRobot 2008.12.29.1538 2008.12.29 -

VirusBuster 4.5.11.0 2008.12.29 -

Additional information

File size: 33832 bytes

MD5...: 826b165dfdc241143717dfaef03aea8f

SHA1..: 99c96d0cbf07d24c40f960c88610fd7ae64428c2

SHA256: ef81239ee5736cbe4930c2fcf7dd2b42cb4214ad6ecacd4c0c7760bdb56316a6

SHA512: 814b5a242182cdc7c74caa8c30d9a7072e840c1ce159a8df8c1ccd2f5d75d244

0965e7e83be50538c8f8c6d80611b2bc3a9f18c82a2f7e64e79db11f49ba59a3

ssdeep: 384:ySwHp2dZApt1qz5hfReSCxY6pcYiw5vyy1MxWM6W4nELKt8Cy/jp:y0iZVpc

sKy1M5ZU8Cy/jp

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1005b39

timedatestamp.....: 0x483473fa (Wed May 21 19:11:54 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x50da 0x5200 6.08 b62a27b31ff6c85d478ba3252b370db8

.data 0x7000 0x35c 0x200 0.57 30b4e9caedfc5cc61ae43b4b10fb9ef7

.rsrc 0x8000 0x3c0 0x400 3.07 718782eb2d32dc40bff7f3f12e927fe8

.reloc 0x9000 0x292 0x400 3.78 23251461e59726ca2731a319e8a47999

( 1 imports )

> ntdll.dll: wcslen, memset, _vsnwprintf, RtlCreateHeap, RtlFreeHeap, RtlDestroyHeap, RtlAllocateHeap, ZwClose, ZwFlushKey, ZwDeleteKey, ZwOpenKey, memcpy, ZwCreateKey, RtlInitUnicodeString, ZwDeleteValueKey, ZwSetValueKey, ZwQueryValueKey, ZwReadFile, ZwSetInformationFile, ZwCreateFile, ZwDeleteFile, ZwOpenFile, ZwQueryInformationFile, ZwWriteFile, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, DbgBreakPoint, RtlNormalizeProcessParams

( 0 exports )

CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f</a>

Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2</a>

regarding performance, this pc is just for internet, use my other for demanding things like multimedia and games so cant really push it, but i had regular pop ups before and severe slow down. managed to get rid of vundo and zlobs, but for a while they kept regenerating after afew turn ons. last 7-8 times though nothing has happend and all im seeing in malwarebytes anti malware is the bho. i can see the file in the registry but i cant modify or delete. also windows updates remains on after restarts now, and windows defender updates. thanks for the help so far sjb007.

Link to post
Share on other sites

Hi there

Please update and generate a fresh MBAM log for me

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post this back in your next reply

Link to post
Share on other sites

Hi there

Please update and generate a fresh MBAM log for me

  • Start MalwareBytes AntiMalware

  • Update Malwarebytes' Anti-Malware

  • Select the Update tab

  • Click Update

  • When the update is complete, select the Scanner tab

  • Select Perform quick scan, then click Scan.

  • When the scan is complete, click OK, then Show Results to view the results.

  • Be sure that everything is checked, and click Remove Selected.

  • When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:

  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post this back in your next reply

Malwarebytes' Anti-Malware 1.31

Database version: 1565

Windows 5.1.2600 Service Pack 3

29/12/2008 22:56:50

mbam-log-2008-12-29 (22-56-48).txt

Scan type: Quick Scan

Objects scanned: 65237

Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi there

Go to start menu - Select Run and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

Killall::

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}]

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.

CFScript.gif

Combofix will then execute the script and produce a fresh log

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    th_Gmer_initScan.gif
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    [*] Then click the Scan button & wait for it to finish.

    [*] Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

    [*]Save it where you can easily find it, such as your desktop and add this to your next post as an attachment

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Post back with both logs

Link to post
Share on other sites

Hi there

Go to start menu - Select Run and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.

CFScript.gif

Combofix will then execute the script and produce a fresh log

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.

  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .

  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    th_Gmer_initScan.gif

    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections

    • IAT/EAT

    • Drives/Partition other than Systemdrive (typically C:\)

    • Show All (don't miss this one)

    [*] Then click the Scan button & wait for it to finish.

    [*] Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

    [*]Save it where you can easily find it, such as your desktop and add this to your next post as an attachment

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Post back with both logs

hi, dragged the file to combofix, it then updated itself but then the pc went off without warning and rebooted. everything is fine but the file is no longer on the desktop and no sign of a log. would you like me to repeat the process?

Link to post
Share on other sites

i can find no results for combofix, it was as though the application didnt finish last time and just rebooted. i did a search for combofix.txt just to make sure and no results were found. here is the GMER though;

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-12-30 10:33:17

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2BD4F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB14619CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1461978]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB146198C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB1461A0A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1461950]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1461964]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB14619DE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB14619B6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB14619A2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1461A39]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB1461A20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB14619F4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-a sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-12 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\nvata \Device\00000088 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@r!s!d!t!r!t!r!\30!y!t!{!i!d!d!d!\24! 71230

Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\riturifa.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ThreadingModel Both

---- EOF - GMER 1.0.14 ----

Link to post
Share on other sites

Hi there winter son

Please download & install - ERUNT (This is a utility that will replicate a copy of your Registry)

  1. Start ERUNT, confirm the Welcome message.
  2. Next, select the backup options:
    • System registry
    • Current User Registry
    • Other open user registry

[*] Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.)

# Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator.

Once done.....

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:c:\windows\system32\riturifa.dll
    Registry keys to delete:HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}


  • In the avenger window, click the Paste Script from Clipboard, pastets4.png button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
Link to post
Share on other sites

Logfile of The Avenger Version 2.0, © by Swandog46

http://*.windowsupdate.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 11862 bytes

Link to post
Share on other sites

Howdy there

Now I want you to rescan with MBAM. You must make sure you update it,

I notice that in your last MBAM log the definitions were out of date. The current definitions should show Database version 1577

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post the resulting log back to me, also let me know how things are running now.

Link to post
Share on other sites

everything seems to be running fine thanks, just a quick question before the log, are there any programs you would recommend for security etc. we have tesco broadband, and have a tesco homepage which also handles emails. after reading more on trojans vundos etc and its effect through emails, would you recommend something like thunderbird and maybe a move to mozillla firefox from internet explorer?

also, again after heavy reading, how would you rate mcafee in terms of security, as ive seen its not the best in many polls and tests. i know you will be very busy and you wont really want to be answering questions of this type, but thanks for your time (and patience).

Malwarebytes' Anti-Malware 1.31

Database version: 1577

Windows 5.1.2600 Service Pack 3

2008-12-30 11:43:54

mbam-log-2008-12-30 (11-43-54).txt

Scan type: Quick Scan

Objects scanned: 66352

Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi winter son

I have included some recommendations for staying clear in this reply which will help point you in the right direction.

As regards to email software then you can try thunderbird by all means, I myself use windows mail (Vista) which is an updated version of outlook express. As far as browser are concerned then firefox may be slightly more secure than explorer due to the fact of it not using active x objects, but please note that this does not make the browser infailable or provide you with a ring of steel on the net. The best way of staying clear is by adapting safer surfing habits on a whole, ie) for example not clicking links in pop ups, downloading from sites that support activities such as keygens, cracked software etc.

Regarding McAfee, to be honest I have not had the pleasure of owning it myself so I cannot really comment on the program itself. If you are not happy with your current setup then you may wish to look at other solutions such as Antivir or ESET Nod32. Antivir comes in 2 flavours, free and premium. The main difference between them is that the free version does not provide email scanning and the updates come from a slower server than the premium version but both version run the same virus definitions. ESET Nod32 is another respected Antivirus, NOD32 like Antivir is antivirus software only and does not come with a firewall. ESET also do a package which incorporates a firewall called ESS, both version or ESET's software are avaialbe on trial so you can try before you buy. I have included a couple of links below for the above mentioend software

Antivir (free & Premium)

ESET (Nod32 & ESS)

Lets tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.

Keep an eye on your firewall. check what it wants to allow, do not simply allow everything, If there is any processes that you are unsure of then dont be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of active x objects, active x objects can be used by spyware as an infection point on your computer. Safer non active x browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan on demand and do not have active back ground scanning. These two products can be installed together without any complications.

Other alternative software that runs under licience and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run as free without a licience but the background protection will not be active.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preveting malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.