Trojan.BHO doesn't delete on reboot


Hello everyone. Recently I had regular pop-ups and some system slowdown. I have McAfee installed and that picked up no problems. I had MBAM and RogueRemover installed also and did a scan with them. I had various infections, mainly Vundo and Zlob, and after some deleting and renaming I think I have managed to get it down to one last problem, a Trojan.BHO in a registry key, also something called zivovubele in the HJT log. Thank you for your time in advance.

Malwarebytes' Anti-Malware 1.31

Database version: 1544

Windows 5.1.2600 Service Pack 3

26/12/2008 20:22:18

mbam-log-2008-12-26 (20-22-18).txt

Scan type: Quick Scan

Objects scanned: 61863

Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:17:53, on 26/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MSK\MskSrver.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe

C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tesco.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.windowsupdate.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: c:\windows\system32\yafajawo.dll c:\windows\system32\rarivove.dll c:\windows\system32\duvabova.dll c:\windows\system32\judukowe.dll c:\windows\system32\tusihivi.dll c:\windows\system32\suzisuha.dll c:\windows\system32\disesobe.dll c:\windows\system32\lukosayu.dll c:\windows\system32\zanelupo.dll c:\windows\system32\yizuwedu.dll c:\windows\system32\huzisopo.dll c:\windows\system32\riturifa.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 13057 bytes

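As an added example (not code from this thread, nor from Malwarebytes, HijackThis or ComboFix), the following Python script parses the two log formats quoted in the post above. It pulls the DLL list out of the HijackThis O20 AppInit_DLLs line, splitting it the way Windows itself reads that registry value (space or comma separated), and flags names that fit the eight-letter, consonant/vowel pattern characteristic of the Vundo/Virtumonde family; the same check matches pubegadi.dll and lubudeyu.dll in the ComboFix orphan list later in the thread. It also extracts the CLSID from MBAM "Registry Keys Infected" lines and marks the ones MBAM could only schedule for deletion on reboot. The name heuristic is my own assumption tuned to the names on this page, not a published signature, and the sample lines, the examplehook.dll control entry and the nil-GUID MBAM line are constructed for the example.

```python
"""Parse HijackThis / MBAM log lines to flag Vundo-style AppInit_DLLs entries and
deferred registry deletions. Added example; not code from the forum thread."""
import ntpath
import re

VOWELS = set("aeiou")

# Constructed sample input. The O20 line mirrors the shape of the one in the HijackThis
# log in this thread (two of its real names kept); examplehook.dll is a made-up control.
HJT_SAMPLE = (
    "O20 - AppInit_DLLs: c:\\windows\\system32\\yafajawo.dll "
    "c:\\windows\\system32\\rarivove.dll c:\\windows\\system32\\examplehook.dll\n"
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll\n"
)

# Constructed sample: the first line is the MBAM hit from this thread; the second
# (nil GUID, 'Example.Detection') is made up to show a non-deferred removal.
MBAM_SAMPLE = (
    "Registry Keys Infected:\n"
    "HKEY_CLASSES_ROOT\\CLSID\\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO)"
    " -> Delete on reboot.\n"
    "HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000000} (Example.Detection)"
    " -> Quarantined and deleted successfully.\n"
)

# Matches MBAM lines of the form:  <hive\path\{CLSID}> (<detection name>) -> <action>.
MBAM_KEY_RE = re.compile(
    r"^(?P<key>HK\S+?\{(?P<clsid>[0-9a-fA-F-]{36})\})\s+"
    r"\((?P<name>[^)]+)\)\s+->\s+(?P<action>.+?)\.?$"
)


def looks_vundo_generated(path: str) -> bool:
    """Heuristic (assumption, not an official signature): the Vundo-style names on this
    page are 8 lowercase letters alternating consonant/vowel, e.g. yafajawo.dll."""
    stem, _, ext = ntpath.basename(path).rpartition(".")
    if ext.lower() != "dll" or len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    # Even positions consonant, odd positions vowel ('y' counts as a consonant here).
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def parse_appinit_dlls(hjt_text: str) -> list[str]:
    """Return the DLL paths from the HijackThis O20 AppInit_DLLs line. Windows reads the
    AppInit_DLLs value as a space- or comma-separated list, so the log line is split
    the same way (a path containing spaces would not load correctly from that value)."""
    for line in hjt_text.splitlines():
        m = re.match(r"O20 - AppInit_DLLs:\s*(.*)$", line.strip())
        if m:
            return [p for p in re.split(r"[ ,]+", m.group(1)) if p]
    return []


def parse_mbam_registry_keys(mbam_text: str) -> list[dict]:
    """Parse MBAM 'Registry Keys Infected' lines into dicts. 'deferred' is True when MBAM
    could not remove the key while the system was running and scheduled it for reboot."""
    results = []
    for line in mbam_text.splitlines():
        m = MBAM_KEY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["deferred"] = entry["action"].lower().startswith("delete on reboot")
            results.append(entry)
    return results


def triage(hjt_text: str, mbam_text: str) -> dict:
    """Combine both logs into one summary a helper could act on."""
    dlls = parse_appinit_dlls(hjt_text)
    keys = parse_mbam_registry_keys(mbam_text)
    return {
        "appinit_dlls": dlls,
        "vundo_like": [d for d in dlls if looks_vundo_generated(d)],
        "deferred_clsids": [k["clsid"] for k in keys if k["deferred"]],
    }


if __name__ == "__main__":
    for section, items in triage(HJT_SAMPLE, MBAM_SAMPLE).items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Why this matters for the thread title: DLLs listed in AppInit_DLLs are loaded into every process that loads user32.dll, so the entries on the O20 line are resident in Explorer and in the scanners themselves. MBAM's "Delete on reboot" status means it could not remove the key while the system was up, and a component that is still running can recreate the key before the deferred delete happens, which is why the entry keeps reappearing and why the helper moves on to a tool that runs with the malware's loaders disabled.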

Howdy there winter son

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

=========================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.


Thanks for the reply sjb007. Just so you know, I turned off McAfee in the Security Center before I ran ComboFix and set it to start on restart, as it didn't say in the notes that it would reboot after the scan, and it seems it has been included in the log. Apologies for this; if you wish me to run the scan and post a new log then I will. Here are the two logs anyway, and again thanks for the help.

ComboFix 08-12-28.04 - Bram 2008-12-29 17:04:00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1462 [GMT 0:00]

Running from: c:\documents and settings\Bram\My Documents\bram\applications\windiag\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *enabled*

FW: ActiveArmor Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\asapagov.ini

c:\windows\system32\Cache

c:\windows\system32\CMMGR32.EXE

c:\windows\system32\efukujaj.ini

c:\windows\system32\iyelukuv.ini

c:\windows\system32\tmp35.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_TCPSR

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))

.

2008-12-26 20:24 . 2008-12-26 20:24 <DIR> d-------- c:\program files\Panda Security

2008-12-26 20:24 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-26 20:11 . 2008-12-26 20:11 <DIR> d-------- c:\program files\Sun

2008-12-26 20:11 . 2008-12-26 20:11 <DIR> d-------- c:\program files\Java

2008-12-26 20:11 . 2008-12-26 20:11 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-26 20:11 . 2008-12-26 20:11 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-26 20:08 . 2008-12-26 20:08 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-12-26 20:00 . 2008-12-27 16:50 <DIR> d-------- c:\program files\NOS

2008-12-26 20:00 . 2008-12-27 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2008-12-26 18:12 . 2008-12-26 18:12 <DIR> d-------- c:\documents and settings\Bram\DoctorWeb

2008-12-26 17:51 . 2008-12-26 17:51 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-12-26 17:08 . 2004-06-11 15:33 290,304 --a------ c:\windows\system32\subinacl.exe

2008-12-25 11:29 . 2008-12-25 11:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-25 11:29 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-25 11:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-23 17:36 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-23 17:35 . 2008-12-23 17:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-23 17:35 . 2008-12-23 17:35 <DIR> d-------- c:\documents and settings\Bram\Application Data\SUPERAntiSpyware.com

2008-12-23 17:34 . 2008-12-23 17:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-23 17:33 . 2008-12-23 17:33 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 11:21 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-23 11:21 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-23 11:20 . 2008-12-23 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_

2008-12-22 23:04 . 2008-12-22 23:04 249,592 --a------ c:\windows\system32\cssdll32.dll

2008-12-22 23:03 . 2008-12-24 06:16 <DIR> d-------- c:\program files\COMODO

2008-12-22 12:43 . 2008-12-22 12:43 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2

2008-12-21 20:15 . 2008-12-23 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-21 19:39 . 2008-12-21 19:39 33,832 --a------ c:\windows\system32\cmcmamul.exe

2008-12-21 19:31 . 2008-12-21 19:31 33,832 --a------ c:\windows\system32\eaikyzxt.exe

2008-12-21 17:12 . 2008-12-21 17:12 <DIR> d-------- C:\VundoFix Backups

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-29 12:09 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore

2008-12-26 20:08 --------- d-----w c:\program files\Common Files\Adobe

2008-12-23 18:06 --------- d-----w c:\program files\RogueRemover FREE

2008-12-22 12:43 --------- d-----w c:\program files\Microsoft Works

2008-12-18 11:11 1,950 ----a-w c:\documents and settings\Bram\Application Data\wklnhst.dat

2008-12-15 18:30 --------- d-----w c:\program files\Soulseek

2008-12-12 16:53 --------- d-----w c:\program files\SuperAdBlocker.com

2008-12-10 14:59 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-10 14:54 --------- d-----w c:\program files\McAfee

2008-12-01 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\Digital PixMaster

2008-12-01 09:14 --------- d-----w c:\program files\SpeedFan

2008-12-01 09:13 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-01 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software

2008-12-01 09:11 --------- d-----w c:\program files\ubi.com

2008-11-28 22:18 --------- d-----w c:\program files\Samsung

2008-11-28 22:18 --------- d-----w c:\documents and settings\Bram\Application Data\Samsung

2008-11-28 22:03 --------- d-----w c:\documents and settings\Bram\Application Data\SuperAdBlocker.com

2007-11-23 14:36 22,328 -c--a-w c:\documents and settings\Bram\Application Data\PnkBstrK.sys

2007-01-04 17:23 92,064 ----a-w c:\documents and settings\Bram\mqdmmdm.sys

2007-01-04 17:23 9,232 ----a-w c:\documents and settings\Bram\mqdmmdfl.sys

2007-01-04 17:23 79,328 ----a-w c:\documents and settings\Bram\mqdmserd.sys

2007-01-04 17:23 66,656 ----a-w c:\documents and settings\Bram\mqdmbus.sys

2007-01-04 17:23 6,208 ----a-w c:\documents and settings\Bram\mqdmcmnt.sys

2007-01-04 17:23 5,936 ----a-w c:\documents and settings\Bram\mqdmwhnt.sys

2007-01-04 17:23 4,048 ----a-w c:\documents and settings\Bram\mqdmcr.sys

2007-01-04 17:23 25,600 ----a-w c:\documents and settings\Bram\usbsermptxp.sys

2007-01-04 17:23 22,768 ----a-w c:\documents and settings\Bram\usbsermpt.sys

2008-09-06 09:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 118784]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-12-21 270336]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]

"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-06-27 278528]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]

"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

"CTHelper"="CTHELPER.EXE" [2006-12-12 c:\windows\system32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 c:\windows\system32\Ctxfihlp.exe]

"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DVD@ccess.lnk - c:\program files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-05-30 888832]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vdi51.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Codemasters\\Operation Flashpoint\\FlashpointResistance.exe"=

"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=

"c:\\Program Files\\Digital Spectrum\\Digital PixMaster 6.1\\DigitalPixMaster.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

"c:\\Program Files\\Thomson\\SpeedTouch USB\\dragdiag.exe"=

"c:\\WINDOWS\\system32\\cidaemon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65436:TCP"= 65436:TCP:*:Disabled:SolidNetworkManager

"65436:UDP"= 65436:UDP:*:Disabled:SolidNetworkManager

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-26 28544]

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2007-05-30 29156]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-05 206096]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S0 Vdi51;Vdi51;c:\windows\system32\Drivers\Vdi51.sys []

S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2005-12-07 11970]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []

S3 DVxplore;NVTV;c:\windows\system32\DRIVERS\DVxplore.sys [2005-12-07 75776]

S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2005-12-07 133696]

S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2005-12-07 296515]

S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2005-12-07 149504]

S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2005-12-07 498176]

S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88BAR.sys [2005-12-07 23552]

S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [2008-09-10 135680]

S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [2008-09-10 8320]

S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [2008-09-10 12288]

S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [2008-09-10 12288]

S3 PciCon;PciCon;\??\D:\PciCon.sys []

S3 pfusb;pfusb;c:\windows\system32\drivers\pfusb.sys [2007-08-29 12272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d3a98a-59a2-11dd-bbc5-000e5046f16f}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64c22b2-e107-11da-9ce0-806d6172696f}]

\Shell\AutoRun\command - E:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de0c2aec-e023-11da-9f34-0013d3cfe452}]

\Shell\AutoRun\command - F:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 17:36]

2008-04-05 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-04-05 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Uch27.sys

MSConfigStartUp-6c37621e - c:\windows\system32\lubudeyu.dll

MSConfigStartUp-CPM6f045182 - c:\windows\system32\yizuwedu.dll

MSConfigStartUp-zivovubele - c:\windows\system32\pubegadi.dll

.

------- Supplementary Scan -------

.

uStart Page = www.tesco.net/

uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

Trusted Zone: *.windowsupdate.microsoft.com

Trusted Zone: *.windowsupdate.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-29 17:09:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(932)

c:\windows\system32\nvappfilter.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\tcpsvcs.exe

c:\windows\system32\snmp.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

.

**************************************************************************

.

Completion time: 2008-12-29 17:16:40 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-29 17:16:36

Pre-Run: 191,823,302,656 bytes free

Post-Run: 191,791,980,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

300 --- E O F --- 2008-12-26 19:49:01

2570

2570_Help

2570Trb

Acrobat.com

Adobe AIR

Adobe Flash Player ActiveX

Adobe Reader 9

AiO_Scan_CDA

AiOSoftwareNPI

Apple Mobile Device Support

Apple Software Update

AutoUpdate

BufferChm

CP_AtenaShokunin1Config

CP_CalendarTemplates1

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

CueTour

CustomerResearchQFolder

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

Digital PixMaster 6.1

DivX Codec

DivX Converter Mobile

DivX Player

DivX Web Player

DocProc

DocumentViewer

DocumentViewerQFolder

Dr SpeedTouch

DVD@ccess 2.0.3

Elecard MPEG-2 Decoder&Streaming Plug-in for WMP

Enable S3 for USB Device

eSupportQFolder

Fax_CDA

FullDPAppQFolder

GameShadow

Hauppauge MCE2005 Software Encoder

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

HP Document Viewer 5.3

HP Extended Capabilities 5.3

HP Image Zone 5.3

HP Imaging Device Functions 5.3

HP PSC & OfficeJet 5.3.A

HP Software Update

HP Solution Center & Imaging Support Tools 5.3

HPProductAssistant

InstantShareDevices

iPod Updater 2004-08-06

iTunes

Java 6 Update 11

JourneySoftwarePromo

LS_HSI

Malwarebytes' Anti-Malware

MarketResearch

McAfee SecurityCenter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft User-Mode Driver Framework Feature Pack 1.5

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual J# .NET Redistributable Package 1.1

Microsoft Works

Microsoft Works 7.0

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

NewCopy_CDA

NVIDIA Drivers

NVIDIA ForceWare Network Access Manager

NVIDIA nTune

OpenOffice.org Installer 1.0

Panda ActiveScan 2.0

PanoStandAlone

PC Connectivity Solution

PhotoGallery

ProductContextNPI

QuickTime

RandMap

Readme

Realtek AC'97 Audio

SAMSUNG Mobile Modem Driver Set

Samsung Mobile phone USB driver Software

SAMSUNG Mobile USB Modem 1.0 Software

SAMSUNG Mobile USB Modem Software

Samsung PC Studio

Samsung PC Studio 3

Samsung PC Studio 3 USB Driver Installer

Samsung PC Studio 7

Samsung Samples Installer

SamsungConnectivityCableDriver

Scan

ScannerCopy

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

SkinsHP1

Solid State ION Internet Explorer Plugin

SolutionCenter

Sonic_PrimoSDK

SoulSeek Client 156c

Sound Blaster X-Fi

SpeedTouch USB Software

Status

SUPERAntiSpyware Free Edition

System Requirements Lab

TrayApp

Unload

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update Rollup 2 for Windows XP Media Center Edition 2005

WebFldrs XP

WebReg

Windows Defender

Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows XP Media Center Edition 2005 KB888316

Windows XP Media Center Edition 2005 KB890629

Windows XP Media Center Edition 2005 KB890760

Windows XP Media Center Edition 2005 KB894553

Windows XP Media Center Edition 2005 KB895678

Windows XP Media Center Edition 2005 KB925766

Windows XP Service Pack 3

WinRAR archiver


Hi there

Some files I would expect to see in the combofix log are not present. Can I just ask, have you run any other tools, or deleted any files in between posting the HJT log and the combofix log?

I want you to run an online scan with Kaspersky for me.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

KAS.gif

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

============================

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.

Click Continue at the disclaimer screen.

Once it has finished, two logs will open.

log.txt (will be maximized) and info.txt (will be minimized)

Please post the contents of log.txt in your next reply.


http://*.windowsupdate.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 11917 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\HPpromotions journeysoftware.job

C:\WINDOWS\tasks\McDefragTask.job

C:\WINDOWS\tasks\McQcTask.job

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-26 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]

McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-26 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-26 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-14 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

"CTDVDDET"=C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE [2003-06-18 45056]

"RCSystem"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152]

"AudioDrvEmulator"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152]

"VolPanel"=C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [2005-07-11 122880]

"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2004-01-26 866816]

"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe [2005-12-21 270336]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-10-04 8491008]

"nwiz"=nwiz.exe /install []

"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2006-12-12 19456]

"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-12-12 20480]

"MsmqIntCert"=regsvr32 /s mqrt.dll []

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-10-04 81920]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-04 267048]

"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]

"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2008-07-11 641208]

"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2008-06-13 1176808]

"SamsungPCSuiteTrayApplication"=C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe [2008-06-27 278528]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-26 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"STManager"=C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe [2003-10-16 118784]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-07-03 81920]

"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-04 1809648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DVD@ccess.lnk - C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vdi51.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Vdi51.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\Program Files\Codemasters\Operation Flashpoint\FlashpointResistance.exe"="C:\Program Files\Codemasters\Operation Flashpoint\FlashpointResistance.exe:*:Enabled:Operation Flashpoint"

"C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe:*:Enabled:Dr SpeedTouch"

"C:\Program Files\Digital Spectrum\Digital PixMaster 6.1\DigitalPixMaster.exe"="C:\Program Files\Digital Spectrum\Digital PixMaster 6.1\DigitalPixMaster.exe:*:Enabled:Main executable for slide manager application"

"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"

"C:\Program Files\CyberLink\PCM4Everio\PCM4Everio.exe"="C:\Program Files\CyberLink\PCM4Everio\PCM4Everio.exe:*:Disabled:CyberLink PowerCinema NE for Everio"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

"C:\WINDOWS\system32\wbem\wmiprvse.exe"="C:\WINDOWS\system32\wbem\wmiprvse.exe:*:Enabled:wmiprvse"

"C:\Program Files\McAfee\MSK\msksrver.exe"="C:\Program Files\McAfee\MSK\msksrver.exe:*:Enabled:MskSrver"

"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"

"C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe"="C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe:*:Enabled:Dragdiag"

"C:\WINDOWS\system32\cidaemon.exe"="C:\WINDOWS\system32\cidaemon.exe:*:Enabled:cidaemon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d3a98a-59a2-11dd-bbc5-000e5046f16f}]

shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64c22b2-e107-11da-9ce0-806d6172696f}]

shell\AutoRun\command - E:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de0c2aec-e023-11da-9f34-0013d3cfe452}]

shell\AutoRun\command - F:\autorun.exe

======List of files/folders created in the last 1 months======

2008-12-29 19:23:07 ----D---- C:\rsit

2008-12-29 19:00:02 ----D---- C:\WINDOWS\Sun

2008-12-29 17:16:41 ----A---- C:\ComboFix.txt

2008-12-29 17:02:24 ----A---- C:\Boot.bak

2008-12-29 17:02:21 ----RASHD---- C:\cmdcons

2008-12-29 16:53:12 ----A---- C:\WINDOWS\zip.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\VFIND.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWXCACLS.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWSC.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\SWREG.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\sed.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\NIRCMD.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\grep.exe

2008-12-29 16:53:12 ----A---- C:\WINDOWS\fdsv.exe

2008-12-29 16:52:57 ----D---- C:\WINDOWS\ERDNT

2008-12-29 16:52:57 ----D---- C:\Qoobox

2008-12-29 16:52:57 ----D---- C:\ComboFix

2008-12-26 20:24:15 ----D---- C:\Program Files\Panda Security

2008-12-26 20:11:48 ----D---- C:\Program Files\Sun

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\javaws.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\javaw.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\java.exe

2008-12-26 20:11:23 ----A---- C:\WINDOWS\system32\deploytk.dll

2008-12-26 20:11:05 ----D---- C:\Program Files\Java

2008-12-26 20:10:36 ----D---- C:\Documents and Settings\Bram\Application Data\Sun

2008-12-26 20:08:32 ----D---- C:\Program Files\Common Files\Adobe AIR

2008-12-26 20:00:05 ----D---- C:\Program Files\NOS

2008-12-26 20:00:05 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

2008-12-26 17:08:36 ----A---- C:\WINDOWS\system32\subinacl.exe

2008-12-25 13:17:05 ----A---- C:\WINDOWS\system32\MRT.exe

2008-12-25 11:29:04 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2008-12-23 17:36:56 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-23 17:35:33 ----D---- C:\Program Files\SUPERAntiSpyware

2008-12-23 17:35:33 ----D---- C:\Documents and Settings\Bram\Application Data\SUPERAntiSpyware.com

2008-12-23 17:34:24 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2008-12-23 17:33:11 ----D---- C:\Program Files\Trend Micro

2008-12-23 11:21:57 ----A---- C:\WINDOWS\system32\mucltui.dll.mui

2008-12-23 11:21:57 ----A---- C:\WINDOWS\system32\mucltui.dll

2008-12-23 11:20:34 ----D---- C:\Documents and Settings\All Users\Application Data\_comodo_

2008-12-22 23:04:38 ----A---- C:\WINDOWS\system32\cssdll32.dll

2008-12-22 23:03:57 ----D---- C:\Program Files\COMODO

2008-12-22 12:43:55 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2008-12-22 12:17:53 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$

2008-12-22 12:17:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$

2008-12-22 12:17:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$

2008-12-22 12:17:17 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

2008-12-21 20:15:41 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-12-21 19:39:52 ----A---- C:\WINDOWS\system32\cmcmamul.exe

2008-12-21 19:31:05 ----A---- C:\WINDOWS\system32\eaikyzxt.exe

2008-12-21 17:12:40 ----A---- C:\VundoFix.txt

2008-12-21 17:12:39 ----D---- C:\VundoFix Backups

2008-12-14 18:29:08 ----A---- C:\WINDOWS\system32\6714a660-.txt

======List of files/folders modified in the last 1 months======

2008-12-29 19:04:06 ----D---- C:\WINDOWS\Temp

2008-12-29 19:01:03 ----D---- C:\WINDOWS

2008-12-29 17:16:43 ----D---- C:\WINDOWS\system32\drivers

2008-12-29 17:16:43 ----D---- C:\WINDOWS\system32

2008-12-29 17:15:52 ----D---- C:\WINDOWS\system32\CatRoot2

2008-12-29 17:13:25 ----D---- C:\WINDOWS\system32\inetsrv

2008-12-29 17:12:31 ----SD---- C:\WINDOWS\Tasks

2008-12-29 17:10:11 ----A---- C:\WINDOWS\system.ini

2008-12-29 17:07:05 ----D---- C:\WINDOWS\system32\config

2008-12-29 17:05:19 ----D---- C:\WINDOWS\AppPatch

2008-12-29 17:05:19 ----D---- C:\Program Files\Common Files

2008-12-29 17:02:24 ----RASH---- C:\boot.ini

2008-12-29 17:01:01 ----A---- C:\WINDOWS\SchedLgU.Txt

2008-12-29 16:52:51 ----D---- C:\WINDOWS\Prefetch

2008-12-28 18:31:54 ----SHD---- C:\WINDOWS\CSC

2008-12-27 16:50:15 ----SD---- C:\WINDOWS\Downloaded Program Files

2008-12-27 16:49:13 ----HD---- C:\Config.Msi

2008-12-26 20:53:29 ----SHD---- C:\WINDOWS\Installer

2008-12-26 20:24:15 ----RD---- C:\Program Files

2008-12-26 20:24:15 ----HD---- C:\WINDOWS\inf

2008-12-26 20:08:50 ----D---- C:\Program Files\Adobe

2008-12-26 20:08:23 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

2008-12-26 20:08:05 ----D---- C:\Program Files\Common Files\Adobe

2008-12-26 20:07:46 ----D---- C:\WINDOWS\WinSxS

2008-12-26 20:00:58 ----SHD---- C:\System Volume Information

2008-12-26 20:00:58 ----D---- C:\WINDOWS\system32\Restore

2008-12-26 17:58:32 ----A---- C:\WINDOWS\ntbtlog.txt

2008-12-25 12:47:20 ----A---- C:\WINDOWS\win.ini

2008-12-23 18:06:51 ----D---- C:\Program Files\RogueRemover FREE

2008-12-23 18:06:20 ----A---- C:\WINDOWS\imsins.BAK

2008-12-23 18:05:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2008-12-23 18:04:19 ----D---- C:\Program Files\Online Services

2008-12-23 18:04:11 ----D---- C:\WINDOWS\addins

2008-12-23 16:41:45 ----D---- C:\WINDOWS\Minidump

2008-12-22 12:43:20 ----D---- C:\Program Files\Microsoft Works

2008-12-22 12:17:45 ----RSHDC---- C:\WINDOWS\system32\dllcache

2008-12-22 12:17:44 ----D---- C:\Program Files\Internet Explorer

2008-12-22 12:17:37 ----HD---- C:\WINDOWS\$hf_mig$

2008-12-22 12:02:35 ----D---- C:\WINDOWS\system32\CatRoot

2008-12-15 18:30:32 ----D---- C:\Program Files\Soulseek

2008-12-13 06:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll

2008-12-12 16:53:41 ----D---- C:\Program Files\SuperAdBlocker.com

2008-12-10 14:54:38 ----D---- C:\Program Files\McAfee

2008-12-09 14:26:55 ----A---- C:\WINDOWS\WORDPAD.INI

2008-12-01 09:29:18 ----D---- C:\Documents and Settings\All Users\Application Data\Digital PixMaster

2008-12-01 09:14:59 ----D---- C:\Program Files\SpeedFan

2008-12-01 09:13:31 ----HD---- C:\Program Files\InstallShield Installation Information

2008-12-01 09:13:27 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software

2008-12-01 09:11:17 ----D---- C:\Program Files\ubi.com

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-06-27 207656]

R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-06-02 120136]

R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2006-04-14 101888]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []

R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]

R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]

R2 DVDAccss;DVDAccss; C:\WINDOWS\system32\drivers\DVDAccss.sys [2003-11-21 29156]

R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]

R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]

R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-01-24 4127488]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]

R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]

R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]

R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]

R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-06-27 79240]

R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-06-27 35240]

R3 MQAC;Message Queuing access control; \??\C:\WINDOWS\system32\drivers\mqac.sys []

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-10-04 6854464]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-04-14 34176]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-04-14 13056]

R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []

R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-02-11 14572]

R3 RMCAST;Reliable Multicast Protocol driver; \??\C:\WINDOWS\system32\drivers\RMCast.sys []

R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 35840]

S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture; C:\WINDOWS\system32\drivers\hcw88aud.sys [2005-11-23 11970]

S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]

S1 SABKUTIL;SABKUTIL; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []

S3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-12-19 511288]

S3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-06-18 514560]

S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-07-13 340704]

S3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-12-19 14648]

S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-12-19 156984]

S3 DVxplore;NVTV; C:\WINDOWS\system32\DRIVERS\DVxplore.sys [2004-09-07 75776]

S3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-12-19 90936]

S3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 1160504]

S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod; C:\WINDOWS\system32\drivers\hcw88bda.sys [2005-11-23 133696]

S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture; C:\WINDOWS\system32\drivers\hcw88tse.sys [2005-11-23 296515]

S3 HCW88TUNE;Hauppauge WinTV 88x Tuner; C:\WINDOWS\system32\drivers\hcw88tun.sys [2007-01-24 149504]

S3 hcw88vid;Hauppauge WinTV 88x Video; C:\WINDOWS\system32\drivers\hcw88vid.sys [2007-01-24 498176]

S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar; C:\WINDOWS\system32\drivers\HCW88BAR.sys [2007-01-24 23552]

S3 HidIr;Microsoft Infrared HID Driver; C:\WINDOWS\system32\DRIVERS\hidir.sys [2008-04-13 19200]

S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

S3 IrBus;Infrared bus filter driver for eHome remote controls; C:\WINDOWS\system32\DRIVERS\IrBus.sys [2008-04-13 46592]

S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2008-06-20 34152]

S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2008-06-27 40488]

S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]

S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-13 15232]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 nmwcdsa;Samsung USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcdsa.sys [2007-05-02 135680]

S3 nmwcdsac;Samsung USB Generic; C:\WINDOWS\system32\drivers\nmwcdsac.sys [2007-05-02 8320]

S3 nmwcdsacj;Samsung USB Port; C:\WINDOWS\system32\drivers\nmwcdsacj.sys [2007-05-02 12288]

S3 nmwcdsacm;Samsung USB Modem; C:\WINDOWS\system32\drivers\nmwcdsacm.sys [2007-05-02 12288]

S3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-12-19 128312]

S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]

S3 PciCon;PciCon; \??\D:\PciCon.sys []

S3 pfusb;pfusb; C:\WINDOWS\system32\drivers\pfusb.sys [2005-09-01 12272]

S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys []

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]

S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]

S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]

S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []

S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys [2007-01-04 25600]

S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]

R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2005-12-21 139264]

R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2005-09-23 20543]

R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-26 152984]

R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-03-17 38912]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-11-20 206096]

R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-10-10 792696]

R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-07-18 2482848]

R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2008-07-09 358736]

R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]

R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2008-06-20 144704]

R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2008-07-09 25416]

R2 MSMQ;Message Queuing; C:\WINDOWS\system32\mqsvc.exe [2008-04-14 4608]

R2 MSMQTriggers;Message Queuing Triggers; C:\WINDOWS\system32\mqtgsvc.exe [2008-04-14 117248]

R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2005-12-21 127035]

R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2005-12-21 61503]

R2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-07-03 131072]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-10-04 155716]

R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]

R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-09-29 266343]

R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-14 33280]

R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]

R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-04 504104]

R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-09 884360]

R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]

S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]

S3 MBackMonitor;MBackMonitor; C:\Program Files\McAfee\MBK\MBackMonitor.exe [2008-07-10 66848]

S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2008-06-20 361800]

S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]

S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 p2psvc;Peer Networking; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-14 8704]

S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2008-09-16 605512]

-----------------EOF-----------------


Hi there winter son

Great work, so far so good

Just two files I am curious about that I want you to check....

Please go to: VirusTotal

  • In the middle of the page you'll find a "Browse" button.
    Click the "Browse" button and browse to this file in RED:
    C:\WINDOWS\system32\cmcmamul.exe
  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.

Please do the same with:

C:\WINDOWS\system32\eaikyzxt.exe

Post back with the results from both files in your next reply

Apart from that how are things running now, any more problems to report?



File cmcmamul.exe received on 12.29.2008 22:59:48 (CET)


Result: 1/39 (2.57%)


Antivirus Version Last Update Result

a-squared 4.0.0.73 2008.12.29 -

AhnLab-V3 2008.12.25.0 2008.12.29 -

AntiVir 7.9.0.45 2008.12.29 -

Authentium 5.1.0.4 2008.12.29 -

Avast 4.8.1281.0 2008.12.29 -

AVG 8.0.0.199 2008.12.29 -

BitDefender 7.2 2008.12.29 -

CAT-QuickHeal 10.00 2008.12.27 -

ClamAV 0.94.1 2008.12.29 -

Comodo 837 2008.12.29 -

DrWeb 4.44.0.09170 2008.12.29 -

eSafe 7.0.17.0 2008.12.28 -

eTrust-Vet 31.6.6280 2008.12.29 -

Ewido 4.0 2008.12.29 -

F-Prot 4.4.4.56 2008.12.29 -

F-Secure 8.0.14470.0 2008.12.29 -

Fortinet 3.117.0.0 2008.12.29 -

GData 19 2008.12.29 -

Ikarus T3.1.1.45.0 2008.12.29 -

K7AntiVirus 7.10.569 2008.12.29 -

Kaspersky 7.0.0.125 2008.12.29 -

McAfee 5478 2008.12.29 -

McAfee+Artemis 5478 2008.12.29 -

Microsoft 1.4205 2008.12.29 -

NOD32 3722 2008.12.29 -

Norman 5.80.02 2008.12.29 -

Panda 9.0.0.4 2008.12.29 -

PCTools 4.4.2.0 2008.12.29 -

Prevx1 V2 2008.12.29 Malicious Software

Rising 21.10.02.00 2008.12.29 -

SecureWeb-Gateway 6.7.6 2008.12.29 -

Sophos 4.37.0 2008.12.29 -

Sunbelt 3.2.1809.2 2008.12.22 -

Symantec 10 2008.12.29 -

TheHacker 6.3.1.4.201 2008.12.28 -

TrendMicro 8.700.0.1004 2008.12.29 -

VBA32 3.12.8.10 2008.12.28 -

ViRobot 2008.12.29.1538 2008.12.29 -

VirusBuster 4.5.11.0 2008.12.29 -

Additional information

File size: 33832 bytes

MD5...: 826b165dfdc241143717dfaef03aea8f

SHA1..: 99c96d0cbf07d24c40f960c88610fd7ae64428c2

SHA256: ef81239ee5736cbe4930c2fcf7dd2b42cb4214ad6ecacd4c0c7760bdb56316a6

SHA512: 814b5a242182cdc7c74caa8c30d9a7072e840c1ce159a8df8c1ccd2f5d75d244

0965e7e83be50538c8f8c6d80611b2bc3a9f18c82a2f7e64e79db11f49ba59a3

ssdeep: 384:ySwHp2dZApt1qz5hfReSCxY6pcYiw5vyy1MxWM6W4nELKt8Cy/jp:y0iZVpc

sKy1M5ZU8Cy/jp

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1005b39

timedatestamp.....: 0x483473fa (Wed May 21 19:11:54 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x50da 0x5200 6.08 b62a27b31ff6c85d478ba3252b370db8

.data 0x7000 0x35c 0x200 0.57 30b4e9caedfc5cc61ae43b4b10fb9ef7

.rsrc 0x8000 0x3c0 0x400 3.07 718782eb2d32dc40bff7f3f12e927fe8

.reloc 0x9000 0x292 0x400 3.78 23251461e59726ca2731a319e8a47999

( 1 imports )

> ntdll.dll: wcslen, memset, _vsnwprintf, RtlCreateHeap, RtlFreeHeap, RtlDestroyHeap, RtlAllocateHeap, ZwClose, ZwFlushKey, ZwDeleteKey, ZwOpenKey, memcpy, ZwCreateKey, RtlInitUnicodeString, ZwDeleteValueKey, ZwSetValueKey, ZwQueryValueKey, ZwReadFile, ZwSetInformationFile, ZwCreateFile, ZwDeleteFile, ZwOpenFile, ZwQueryInformationFile, ZwWriteFile, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, DbgBreakPoint, RtlNormalizeProcessParams

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f

File eaikyzxt.exe received on 12.29.2008 23:01:06 (CET)


Result: 1/39 (2.57%)


Antivirus Version Last Update Result

a-squared 4.0.0.73 2008.12.29 -

AhnLab-V3 2008.12.25.0 2008.12.29 -

AntiVir 7.9.0.45 2008.12.29 -

Authentium 5.1.0.4 2008.12.29 -

Avast 4.8.1281.0 2008.12.29 -

AVG 8.0.0.199 2008.12.29 -

BitDefender 7.2 2008.12.29 -

CAT-QuickHeal 10.00 2008.12.27 -

ClamAV 0.94.1 2008.12.29 -

Comodo 837 2008.12.29 -

DrWeb 4.44.0.09170 2008.12.29 -

eSafe 7.0.17.0 2008.12.28 -

eTrust-Vet 31.6.6280 2008.12.29 -

Ewido 4.0 2008.12.29 -

F-Prot 4.4.4.56 2008.12.29 -

F-Secure 8.0.14470.0 2008.12.29 -

Fortinet 3.117.0.0 2008.12.29 -

GData 19 2008.12.29 -

Ikarus T3.1.1.45.0 2008.12.29 -

K7AntiVirus 7.10.569 2008.12.29 -

Kaspersky 7.0.0.125 2008.12.29 -

McAfee 5478 2008.12.29 -

McAfee+Artemis 5478 2008.12.29 -

Microsoft 1.4205 2008.12.29 -

NOD32 3722 2008.12.29 -

Norman 5.80.02 2008.12.29 -

Panda 9.0.0.4 2008.12.29 -

PCTools 4.4.2.0 2008.12.29 -

Prevx1 V2 2008.12.29 Malicious Software

Rising 21.10.02.00 2008.12.29 -

SecureWeb-Gateway 6.7.6 2008.12.29 -

Sophos 4.37.0 2008.12.29 -

Sunbelt 3.2.1809.2 2008.12.22 -

Symantec 10 2008.12.29 -

TheHacker 6.3.1.4.201 2008.12.28 -

TrendMicro 8.700.0.1004 2008.12.29 -

VBA32 3.12.8.10 2008.12.28 -

ViRobot 2008.12.29.1538 2008.12.29 -

VirusBuster 4.5.11.0 2008.12.29 -

Additional information

File size: 33832 bytes

MD5...: 826b165dfdc241143717dfaef03aea8f

SHA1..: 99c96d0cbf07d24c40f960c88610fd7ae64428c2

SHA256: ef81239ee5736cbe4930c2fcf7dd2b42cb4214ad6ecacd4c0c7760bdb56316a6

SHA512: 814b5a242182cdc7c74caa8c30d9a7072e840c1ce159a8df8c1ccd2f5d75d244

0965e7e83be50538c8f8c6d80611b2bc3a9f18c82a2f7e64e79db11f49ba59a3

ssdeep: 384:ySwHp2dZApt1qz5hfReSCxY6pcYiw5vyy1MxWM6W4nELKt8Cy/jp:y0iZVpc

sKy1M5ZU8Cy/jp

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1005b39

timedatestamp.....: 0x483473fa (Wed May 21 19:11:54 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x50da 0x5200 6.08 b62a27b31ff6c85d478ba3252b370db8

.data 0x7000 0x35c 0x200 0.57 30b4e9caedfc5cc61ae43b4b10fb9ef7

.rsrc 0x8000 0x3c0 0x400 3.07 718782eb2d32dc40bff7f3f12e927fe8

.reloc 0x9000 0x292 0x400 3.78 23251461e59726ca2731a319e8a47999

( 1 imports )

> ntdll.dll: wcslen, memset, _vsnwprintf, RtlCreateHeap, RtlFreeHeap, RtlDestroyHeap, RtlAllocateHeap, ZwClose, ZwFlushKey, ZwDeleteKey, ZwOpenKey, memcpy, ZwCreateKey, RtlInitUnicodeString, ZwDeleteValueKey, ZwSetValueKey, ZwQueryValueKey, ZwReadFile, ZwSetInformationFile, ZwCreateFile, ZwDeleteFile, ZwOpenFile, ZwQueryInformationFile, ZwWriteFile, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, DbgBreakPoint, RtlNormalizeProcessParams

( 0 exports )

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=826b165dfdc241143717dfaef03aea8f

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C267504B283B6285843B0077A8178F0094226FB2

Regarding performance, this PC is just for internet; I use my other one for demanding things like multimedia and games, so I can't really push it, but I had regular pop-ups before and severe slowdown. I managed to get rid of Vundo and Zlobs, but for a while they kept regenerating after a few turn-ons. The last 7-8 times though nothing has happened, and all I'm seeing in Malwarebytes Anti-Malware is the BHO. I can see the file in the registry but I can't modify or delete it. Also Windows Updates remains on after restarts now, and Windows Defender updates. Thanks for the help so far, sjb007.

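The two reports above are easier to compare by machine than by eye. The parser below is an added example written for this thread; it is not VirusTotal's code and not part of any post. It reads a pasted report, counts the engines that returned a verdict, pulls out the hashes, and checks whether two submissions are the same bytes. The embedded sample is a shortened excerpt of the cmcmamul.exe report above (five engine rows instead of 39); the second sample is constructed by renaming the first, because the eaikyzxt.exe report on the page carries the same size and hashes. Function names (parse_report, detections, ratio, same_sample) are my own.

```python
import re

# Constructed excerpt of the VirusTotal report posted above for cmcmamul.exe:
# the engine table is cut down to five rows, the hashes are as posted.
VT_REPORT_A = """\
File cmcmamul.exe received on 12.29.2008 22:59:48 (CET)
Result: 1/39 (2.57%)
Antivirus Version Last Update Result
AntiVir 7.9.0.45 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.29 -
McAfee 5478 2008.12.29 -
Prevx1 V2 2008.12.29 Malicious Software
Symantec 10 2008.12.29 -
Additional information
File size: 33832 bytes
MD5...: 826b165dfdc241143717dfaef03aea8f
SHA1..: 99c96d0cbf07d24c40f960c88610fd7ae64428c2
SHA256: ef81239ee5736cbe4930c2fcf7dd2b42cb4214ad6ecacd4c0c7760bdb56316a6
"""
# The eaikyzxt.exe report on the page is identical apart from the file name,
# so the second sample is constructed by renaming the first.
VT_REPORT_B = VT_REPORT_A.replace("cmcmamul.exe", "eaikyzxt.exe")

FILE_RE = re.compile(r"^File (?P<name>\S+) received on ")
# "<engine> <version> <yyyy.mm.dd> <result>"; the result is "-" when the engine saw nothing.
ENGINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256)\.*:\s*(?P<hex>[0-9a-fA-F]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(?P<n>\d+) bytes")


def parse_report(text):
    """Turn a pasted VirusTotal report into file name, engine rows, hashes and size."""
    report = {"file": None, "engines": [], "hashes": {}, "size": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            report["file"] = m.group("name")
            continue
        m = SIZE_RE.match(line)
        if m:
            report["size"] = int(m.group("n"))
            continue
        m = HASH_RE.match(line)
        if m:
            report["hashes"][m.group("algo").lower()] = m.group("hex").lower()
            continue
        m = ENGINE_RE.match(line)
        if m:
            report["engines"].append(
                (m.group("engine"), m.group("version"), m.group("updated"), m.group("result"))
            )
    return report


def detections(report):
    """Engines that returned a verdict other than '-' (clean), with their verdict text."""
    return [(engine, result) for engine, _v, _d, result in report["engines"] if result != "-"]


def ratio(report):
    """(flagged, total) across the engine rows that were parsed."""
    return len(detections(report)), len(report["engines"])


def same_sample(a, b):
    """Two submissions are the same bytes when the strongest hash both reports carry matches."""
    for algo in ("sha256", "sha1", "md5"):
        if algo in a["hashes"] and algo in b["hashes"]:
            return a["hashes"][algo] == b["hashes"][algo]
    return False


if __name__ == "__main__":
    ra, rb = parse_report(VT_REPORT_A), parse_report(VT_REPORT_B)
    for r in (ra, rb):
        flagged, total = ratio(r)
        print(r["file"], f"{flagged}/{total}", detections(r), r["hashes"].get("sha256"))
    print("same file under two names:", same_sample(ra, rb))
```

Reading the result this way makes the practitioner's point explicit: the two random names in System32 are one binary, so a verdict on either applies to both, and a single low-ratio hit on a recently compiled file is a reason to keep the sample rather than dismiss it.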

Hi there

Please update and generate a fresh MBAM log for me

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post this back in your next reply



Malwarebytes' Anti-Malware 1.31

Database version: 1565

Windows 5.1.2600 Service Pack 3

29/12/2008 22:56:50

mbam-log-2008-12-29 (22-56-48).txt

Scan type: Quick Scan

Objects scanned: 65237

Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi there

Go to start menu - Select Run and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

Killall::

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}]

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.


Combofix will then execute the script and produce a fresh log

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop and add this to your next post as an attachment

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Post back with both logs



Hi, I dragged the file onto ComboFix; it then updated itself, but then the PC went off without warning and rebooted. Everything is fine, but the file is no longer on the desktop and there is no sign of a log. Would you like me to repeat the process?


I can find no results for ComboFix; it was as though the application didn't finish last time and just rebooted. I did a search for combofix.txt just to make sure and no results were found. Here is the GMER log though:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-12-30 10:33:17

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2BD4F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB14619CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1461978]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB146198C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB1461A0A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1461950]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1461964]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB14619DE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB14619B6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB14619A2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1461A39]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB1461A20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB14619F4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-a sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-12 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\nvata \Device\00000088 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@r!s!d!t!r!t!r!\30!y!t!{!i!d!d!d!\24! 71230

Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\riturifa.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ThreadingModel Both

---- EOF - GMER 1.0.14 ----

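Correlating the two logs in this thread is what turns a registry CLSID into a file to act on: MBAM names the CLSID it flags as Trojan.BHO, and GMER's registry section shows that CLSID's InprocServer32 default value, which is the DLL Internet Explorer loads for the object. The parser below is an added example written for this thread, not part of any post and not MBAM's or GMER's code. It takes constructed excerpts of both logs (the lines are copied from the posts above), matches CLSIDs case-insensitively (MBAM prints them in lower case, GMER in upper case), and resolves each flagged CLSID to its DLL path and threading model. Function names (flagged_clsids, gmer_registry, resolve_bho) are my own.

```python
import re

# Constructed excerpts of two logs posted in this thread: MBAM's
# "Registry Keys Infected" section and GMER's "Registry" section.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
"""

GMER_LOG = r"""
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@r!s!d!t!r!t!r!\30!y!t!{!i!d!d!d!\24! 71230
Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\riturifa.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ThreadingModel Both
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# MBAM: "<key> (<detection>) -> <action>."
MBAM_KEY_RE = re.compile(r"^(?P<key>HKEY_\S+)\s+\((?P<det>[^)]+)\)\s*->\s*(?P<act>.*?)\.?\s*$")
# GMER: "Reg <key>@<value name> <data>"; an empty value name is the key's default value.
GMER_REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<name>\S*)(?:\s+(?P<data>.*))?$")


def flagged_clsids(mbam_text):
    """Map each CLSID that MBAM flagged to its detection name and the action MBAM reports."""
    found = {}
    for line in mbam_text.splitlines():
        m = MBAM_KEY_RE.match(line.strip())
        if not m:
            continue
        c = CLSID_RE.search(m.group("key"))
        if c:
            found[c.group(0).lower()] = {"detection": m.group("det"), "action": m.group("act")}
    return found


def gmer_registry(gmer_text):
    """Parse GMER 'Reg' lines into (key, value_name, data) tuples."""
    rows = []
    for line in gmer_text.splitlines():
        m = GMER_REG_RE.match(line.strip())
        if m:
            rows.append((m.group("key"), m.group("name"), m.group("data") or ""))
    return rows


def resolve_bho(mbam_text, gmer_text):
    """For every flagged CLSID, collect its GMER keys and the DLL its InprocServer32 names."""
    result = flagged_clsids(mbam_text)
    for key, name, data in gmer_registry(gmer_text):
        c = CLSID_RE.search(key)
        if not c:
            continue
        clsid = c.group(0).lower()
        if clsid not in result:
            continue  # GMER lists other CLSIDs too; only follow the ones MBAM flagged
        entry = result[clsid]
        entry.setdefault("keys", []).append(key)
        if key.lower().endswith("\\inprocserver32"):
            if name == "":
                entry["dll"] = data  # default value: the in-process server DLL
            elif name.lower() == "threadingmodel":
                entry["threading"] = data
    return result


if __name__ == "__main__":
    for clsid, info in resolve_bho(MBAM_LOG, GMER_LOG).items():
        print(clsid, info["detection"], info["action"], "->", info.get("dll", "no InprocServer32 seen"))
```

The output names c:\windows\system32\riturifa.dll for the flagged CLSID, which is the file the removal script later in this thread targets; the same resolution step is what a responder should do before deleting any registry key, so that the DLL behind it is removed too and not left behind to be re-registered.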

Hi there winter son

Please download & install - ERUNT (This is a utility that will replicate a copy of your Registry)

  1. Start ERUNT, confirm the Welcome message.
  2. Next, select the backup options:
    • System registry
    • Current User Registry
    • Other open user registry

  3. Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.)

# Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator.

Once done.....

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:c:\windows\system32\riturifa.dll
    Registry keys to delete:HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
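As an added example (not part of the original thread, and not code from GMER, MBAM or The Avenger), here is a small Python script that does what the helper did by hand above: take the CLSID that MBAM could only mark "Delete on reboot", look up that CLSID's InprocServer32 (Default) value in GMER's `Reg` lines to find the DLL that COM loads in-process for it, and write the file and key out in The Avenger's plain-text script format. The sample GMER lines and the MBAM key are constructed from the values quoted in this thread. Two details a practitioner hits immediately: MBAM writes the key in lower case under HKEY_CLASSES_ROOT while GMER writes the same key in mixed case under HKLM\SOFTWARE\Classes, so the CLSID is upper-cased before comparing; and the second CLSID the helper added to the script came from reading the GMER output, a judgement call the script does not make, so it only lists the CLSIDs in the dump that MBAM did not flag.

```python
import re

# Constructed sample: GMER 'Reg' lines in the shape used in the log above
# (key path, '@', value name, a space, then the data). The CLSIDs and the
# DLL are the ones reported in this thread; the first line is an ordinary
# Windows setting included to show that it is ignored.
SAMPLE_GMER = r"""
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@r!s!d!t!r!t!r!\30!y!t!{!i!d!d!d!\24! 71230
Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\riturifa.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ThreadingModel Both
"""

# The key MBAM flagged "Delete on reboot": HKEY_CLASSES_ROOT spelling, lower case.
MBAM_HITS = [r"HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"]

# Spelling of the same key that The Avenger script in the post uses.
CLASSES_CLSID = "HKLM\\SOFTWARE\\Classes\\CLSID\\"

REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@]+)@(?P<name>\S*)[ \t]*(?P<data>.*)$")
CLSID_IN_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)
INPROC_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)


def parse_gmer_reg(text):
    """Return (key, value_name, data) for every 'Reg' line; name '' is the (Default) value."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            entries.append((m["key"].rstrip(), m["name"], m["data"].strip()))
    return entries


def clsid_of(key):
    """CLSID in a registry path, upper-cased so the HKCR and HKLM\\...\\Classes spellings compare equal."""
    m = CLSID_IN_KEY.search(key)
    return m.group(1).upper() if m else None


def clsids_in_dump(entries):
    """Every CLSID GMER reported something under; the ones MBAM did not flag still need a human."""
    return {c for key, _, _ in entries for c in [clsid_of(key)] if c}


def inproc_servers(entries):
    """CLSID -> DLL path from the InprocServer32 (Default) value, i.e. what COM loads in-process."""
    servers = {}
    for key, name, data in entries:
        if name == "" and INPROC_KEY.search(key):
            servers[clsid_of(key)] = data
    return servers


def avenger_script(files, keys):
    """Render The Avenger's plain-text script format used in the post above."""
    lines = ["Files to delete:", *files, "", "Registry keys to delete:", *keys]
    return "\n".join(lines) + "\n"


def script_for_hits(mbam_keys, gmer_text):
    """Map MBAM's flagged CLSIDs onto the DLLs GMER shows them loading; return (script, hits)."""
    entries = parse_gmer_reg(gmer_text)
    servers = inproc_servers(entries)
    hits = {}
    for k in mbam_keys:
        c = clsid_of(k)
        if c:
            hits[c] = servers.get(c)  # None when the dump shows no in-proc server for it
    files = sorted({dll for dll in hits.values() if dll})
    keys = [CLASSES_CLSID + c for c in sorted(hits)]
    return avenger_script(files, keys), hits


if __name__ == "__main__":
    script, hits = script_for_hits(MBAM_HITS, SAMPLE_GMER)
    print(script)
    unjudged = clsids_in_dump(parse_gmer_reg(SAMPLE_GMER)) - set(hits)
    print("CLSIDs in the GMER dump not flagged by MBAM (review by hand):", sorted(unjudged))
```

The reason the DLL has to go through a boot-time deleter at all is visible in the GMER lines: the CLSID's InprocServer32 points at a DLL under system32 with ThreadingModel Both, so it is loaded inside whatever process instantiates the object (for a BHO, Internet Explorer and Explorer) and the file is locked while those are running.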

Logfile of The Avenger Version 2.0, © by Swandog46

http://*.windowsupdate.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229946900953

O17 - HKLM\System\CCS\Services\Tcpip\..\{00CEF1C1-01B2-4558-8DE7-E2DBFD808B50}: NameServer = 194.168.4.100 194.168.8.100

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 11862 bytes


Howdy there

Now I want you to rescan with MBAM. You must make sure you update it.

I notice that in your last MBAM log the definitions were out of date. The current definitions should show Database version 1577

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post the resulting log back to me, also let me know how things are running now.

Link to post
Share on other sites

Everything seems to be running fine, thanks. Just a quick question before the log: are there any programs you would recommend for security etc.? We have Tesco broadband, and have a Tesco homepage which also handles emails. After reading more on trojans, Vundo etc. and their effect through emails, would you recommend something like Thunderbird and maybe a move to Mozilla Firefox from Internet Explorer?

Also, again after heavy reading, how would you rate McAfee in terms of security, as I've seen it's not the best in many polls and tests. I know you will be very busy and you won't really want to be answering questions of this type, but thanks for your time (and patience).

Malwarebytes' Anti-Malware 1.31

Database version: 1577

Windows 5.1.2600 Service Pack 3

2008-12-30 11:43:54

mbam-log-2008-12-30 (11-43-54).txt

Scan type: Quick Scan

Objects scanned: 66352

Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi winter son

I have included some recommendations for staying clear in this reply which will help point you in the right direction.

As regards email software, you can try Thunderbird by all means; I myself use Windows Mail (Vista), which is an updated version of Outlook Express. As far as browsers are concerned, Firefox may be slightly more secure than Explorer due to the fact of it not using ActiveX objects, but please note that this does not make the browser infallible or provide you with a ring of steel on the net. The best way of staying clear is by adopting safer surfing habits on the whole, e.g. not clicking links in pop-ups, or downloading from sites that support activities such as keygens, cracked software etc.

Regarding McAfee, to be honest I have not had the pleasure of owning it myself, so I cannot really comment on the program itself. If you are not happy with your current setup then you may wish to look at other solutions such as Antivir or ESET NOD32. Antivir comes in 2 flavours, free and premium. The main difference between them is that the free version does not provide email scanning and the updates come from a slower server than the premium version, but both versions run the same virus definitions. ESET NOD32 is another respected antivirus; NOD32, like Antivir, is antivirus software only and does not come with a firewall. ESET also do a package which incorporates a firewall called ESS. Both versions of ESET's software are available on trial so you can try before you buy. I have included a couple of links below for the above-mentioned software.

Antivir (free & Premium)

ESET (Nod32 & ESS)

Let's tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.

Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes' Anti-Malware (MBAM). Please note that this product can also be run free without a licence, but the background protection will not be active.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.

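As an added example (not part of the post above), the six Internet Explorer zone settings the helper walks through can also be applied or audited as registry data, which is how you would push them to more than one machine or check that they have not been quietly loosened again. The numeric value names and the 0/1/3 encoding (Enable/Prompt/Disable) are Internet Explorer's documented per-zone URL-action settings from Microsoft KB 182569, and zone 3 is the Internet zone; pairing each of the post's six dialog items with its value name is this example's own mapping, and SAMPLE_CURRENT is a constructed set of values, not read from any machine. The script is plain Python so it runs anywhere; on the Windows box the generated text is imported with regedit or reg.exe.

```python
# Added example, not from the post. Value names are IE's documented URL-action
# IDs for a security zone (Microsoft KB 182569); the mapping of the post's six
# settings onto them is this example's assumption.
ENABLE, PROMPT, DISABLE = 0, 1, 3   # data values IE stores for each action
INTERNET_ZONE = 3                   # zone 3 = Internet

# value name -> (setting as it appears in the Custom Level dialog, value the post asks for)
HARDENING = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed "before" state for the audit below: signed ActiveX downloads,
# IFRAME launches and cross-domain sub-frames all on Enable.
SAMPLE_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                  "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}


def zone_key(zone=INTERNET_ZONE, hive="HKEY_CURRENT_USER"):
    """Per-user zone key; HKLM holds the same layout when the Security_HKLM_only policy is set."""
    return hive + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % zone


def reg_file(settings=HARDENING, zone=INTERNET_ZONE):
    """Render a .reg file that applies the settings; import it with regedit or reg.exe."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % zone_key(zone)]
    for name, (label, value) in settings.items():
        lines.append("; %s" % label)                 # ';' starts a comment in .reg files
        lines.append('"%s"=dword:%08x' % (name, value))
    return "\r\n".join(lines) + "\r\n"               # regedit expects CRLF


def weaker_than_wanted(current, wanted=HARDENING):
    """Value names whose current setting is more permissive than wanted.

    Enable < Prompt < Disable numerically, so a smaller stored value is a weaker
    setting. A value that is absent is treated as Enable, the conservative choice
    for an audit (this example's decision, not something IE guarantees).
    """
    return sorted(name for name, (_, want) in wanted.items()
                  if current.get(name, ENABLE) < want)


if __name__ == "__main__":
    print("Settings still weaker than the post asks for:", weaker_than_wanted(SAMPLE_CURRENT))
    print(reg_file())
```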

This topic is now closed to further replies.