Help unable to update

RyanTrahan · Sep 11, 2009

Vista Ultimate i try to load the updater and it just stops working ive tryed stopping wuauclt but it says it doesnt exist and ive stopped bits but it wont let me start it again
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:03 PM, on 10/09/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Chaos Productions\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

--
End of file - 2387 bytes

Blade81 · Sep 14, 2009

Hi there,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:

Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

RyanTrahan · Sep 16, 2009

GMER

Code:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-16 13:12:40
Windows 6.0.6000 
Running: eu80ymiz.exe; Driver: C:\Users\CHAOSP~1\AppData\Local\Temp\pxrdypow.sys


---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!DialogBoxIndirectParamW  76FC14DA 5 Bytes  JMP 6FFDFEBF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!MessageBoxExA            76FD570D 5 Bytes  JMP 6FFDFE06 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!DialogBoxParamA          76FD65BF 5 Bytes  JMP 6FFDFE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!MessageBoxIndirectW      76FDF1B3 5 Bytes  JMP 6FE715DA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!DialogBoxParamW          76FE129F 5 Bytes  JMP 6FE4F205 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!DialogBoxIndirectParamA  770029B1 5 Bytes  JMP 6FFDFEFA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!MessageBoxIndirectA      7700FAB7 5 Bytes  JMP 6FFDFE40 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1816] USER32.dll!MessageBoxExW            7700FBB1 5 Bytes  JMP 6FFDFDCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS

Code:

DDS (Ver_09-07-30.01) - NTFSx86  
Run by Chaos Productions at 12:58:48.31 on 16/09/2009
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Ultimate   6.0.6000.0.1252.2.1033.18.2037.1418 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Chaos Productions\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-8-24 185640]
R3 netr28u;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-8-16 552448]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-09-11 16:39	<DIR>	--d-----	c:\program files\Gravity
2009-09-11 16:38	65,536	a-------	c:\windows\IFinst27.exe
2009-09-10 19:35	<DIR>	--d-----	c:\program files\common files\Windows Live
2009-09-10 19:28	<DIR>	--d-----	c:\program files\Belkin
2009-09-10 19:28	<DIR>	--dsh---	c:\windows\Installer
2009-09-10 19:28	<DIR>	--d-----	c:\windows\{7B355114-7439-42B6-AB50-516834796D4D}
2009-09-10 19:07	<DIR>	--d-----	c:\users\chaosp~1\appdata\roaming\TeamViewer
2009-09-10 19:07	<DIR>	--d-----	c:\program files\TeamViewer
2009-09-10 19:07	<DIR>	--d-----	c:\users\chaos productions\temp
2009-09-10 18:58	<DIR>	--d-----	c:\program files\AhnLab
2009-09-10 18:35	249,273,812	a-------	c:\windows\MEMORY.DMP
2009-09-10 18:31	<DIR>	--d-----	c:\windows\Panther
2009-09-10 18:12	<DIR>	--d-----	C:\Windows.old
2009-09-10 17:59	<DIR>	--d-----	c:\users\Chaos Productions
2009-09-10 16:41	1,524,736	a-------	c:\windows\system32\wucltux.dll
2009-09-10 16:40	83,456	a-------	c:\windows\system32\wudriver.dll
2009-09-10 16:40	162,064	a-------	c:\windows\system32\wuwebv.dll
2009-09-10 16:40	31,232	a-------	c:\windows\system32\wuapp.exe
2009-09-10 14:07	8,192	a--s-r--	C:\BOOTSECT.BAK

==================== Find3M  ====================

2009-09-10 19:29	86,016	a-------	c:\windows\inf\infstrng.dat
2009-09-10 19:29	86,016	a-------	c:\windows\inf\infstor.dat
2009-09-10 19:29	51,200	a-------	c:\windows\inf\infpub.dat
2006-11-02 05:49	174	a--sh---	c:\program files\desktop.ini
2006-11-02 05:40	287,440	a-------	c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40	287,440	a-------	c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40	30,674	a-------	c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40	30,674	a-------	c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:32	665,600	a-------	c:\windows\inf\drvindex.dat
2006-11-02 02:20	287,440	a-------	c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20	287,440	a-------	c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20	30,674	a-------	c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20	30,674	a-------	c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:59:16.05 ===============

Attach

Code:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Ultimate 
Boot Device: \Device\HarddiskVolume3
Install Date: 10/09/2009 5:51:06 PM
System Uptime: 15/09/2009 8:36:03 PM (16 hours ago)

Motherboard: Dell Inc. |  | 0CU409
Processor: Intel(R) Pentium(R) Dual  CPU  E2200  @ 2.20GHz | Socket 775 | 2200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 91.785 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.229 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: 
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_10C0&SUBSYS_02381028&REV_02\3&2411E6FE&0&C8
Manufacturer: 
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_10C0&SUBSYS_02381028&REV_02\3&2411E6FE&0&C8
Service: 

Class GUID: 
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02381028&REV_02\3&2411E6FE&0&FB
Manufacturer: 
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02381028&REV_02\3&2411E6FE&0&FB
Service: 

==== System Restore Points ===================

RP4: 10/09/2009 4:40:20 PM - Windows Update
RP3: 10/09/2009 7:28:24 PM - Installed Belkin F5D8053 N Wireless USB Adapter
RP5: 12/09/2009 7:48:55 AM - Scheduled Checkpoint
RP6: 13/09/2009 7:43:03 AM - Scheduled Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Belkin F5D8053 N Wireless USB Adapter
HijackThis 2.0.2
Ragnarok Online
Ragnarok Sakray
TeamViewer 4
WinRAR archiver

==== Event Viewer Messages From Past Week ========

15/09/2009 8:36:17 PM, Error: EventLog [6008]  - The previous system shutdown at 12:35:29 PM on 14/09/2009 was unexpected.
12/09/2009 7:14:36 AM, Error: VDS Dynamic Provider 2.0 [10]  - The provider failed while storing notifications from the driver. The Virtual Disk Service should be restarted. hr=80042505 
12/09/2009 7:08:58 AM, Error: Service Control Manager [7034]  - The TeamViewer 4 service terminated unexpectedly.  It has done this 1 time(s).
10/09/2009 7:07:44 PM, Error: Service Control Manager [7030]  - The TeamViewer 4 service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
10/09/2009 6:58:04 PM, Error: Service Control Manager [7031]  - The Software Licensing service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/09/2009 6:35:52 PM, Error: Microsoft-Windows-Kernel-General [5]  - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Chaos Productions\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
10/09/2009 6:35:29 PM, Error: EventLog [6008]  - The previous system shutdown at 6:32:52 PM on 10/09/2009 was unexpected.
10/09/2009 5:57:26 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
10/09/2009 5:48:54 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
10/09/2009 5:20:18 PM, Error: Microsoft-Windows-Bits-Client [16392]  - The BITS service failed to start.  Error 2147942522.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
10/09/2009 5:06:47 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
10/09/2009 5:06:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/09/2009 5:06:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/09/2009 5:06:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/09/2009 5:06:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/09/2009 5:06:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
10/09/2009 5:06:01 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/09/2009 5:05:52 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/09/2009 5:05:32 PM, Error: EventLog [6008]  - The previous system shutdown at 5:03:43 PM on 10/09/2009 was unexpected.
10/09/2009 5:01:11 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 925902-4_RTM_GDR from package KB925902(Security Update) into Staging(Staging) state
10/09/2009 5:01:11 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 925902-3_RTM_LDR from package KB925902(Security Update) into Staging(Staging) state
10/09/2009 5:01:11 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 925902-2_RTM_LDR from package KB925902(Security Update) into Staging(Staging) state
10/09/2009 5:01:11 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 925902-1_RTM_GDR from package KB925902(Security Update) into Staging(Staging) state
10/09/2009 5:01:11 PM, Error: Microsoft-Windows-Servicing [4375]  - Windows Servicing failed to complete the process of setting package KB925902 (Security Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-9_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-8_neutral_GDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-7_neutral_LDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-6_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-5_neutral_GDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-4_neutral_LDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-3_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-2_neutral_GDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-13_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-12_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-11_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-10_neutral_PACKAGE from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 973768-1_neutral_LDR from package KB973768(Update) into Staging(Staging) state
10/09/2009 4:54:47 PM, Error: Microsoft-Windows-Servicing [4375]  - Windows Servicing failed to complete the process of setting package KB973768 (Update) into Staging(Staging) state
10/09/2009 4:53:49 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 939159-2_RTM_neutral_LDR from package KB939159(Update) into Staging(Staging) state
10/09/2009 4:53:49 PM, Error: Microsoft-Windows-Servicing [4385]  - Windows Servicing failed to complete the process of changing update 939159-1_RTM_neutral_GDR from package KB939159(Update) into Staging(Staging) state
10/09/2009 4:53:49 PM, Error: Microsoft-Windows-Servicing [4375]  - Windows Servicing failed to complete the process of setting package KB939159 (Update) into Staging(Staging) state

==== End Of File ===========================

Blade81 · Sep 17, 2009

Hi,

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Please post contents of that file in your next reply.

RyanTrahan · Sep 18, 2009

Malwarebytes' Anti-Malware 1.41
Database version: 2817
Windows 6.0.6000

17/09/2009 8:08:39 PM
mbam-log-2009-09-17 (20-08-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178339
Time elapsed: 32 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install.exe (Trojan.Agent) -> No action taken.

i did click on remove selected

Blade81 · Sep 18, 2009

Hi,

Click start->run (or press window button+R)->write services.msc. See what are startup types and states (stopped/running) for these services:
BITS
Windows Update

RyanTrahan · Sep 19, 2009

BITS isnt running and is automatic (delayed start)
Windows Update is Started and is also Automatic (delayed start)

Blade81 · Sep 19, 2009

And you're not able to start those services?

Download & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter (on separate lines)

CurrentControlSet\services\BITS
CurrentControlSet\services\wuauserv

Under Search, make sure only the Value box is checked in the first row of checkboxes. All other checkboxes should be checked.
& click Ok.
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text as an attachment in your next reply.

RyanTrahan · Sep 21, 2009

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 21/09/2009 1:21:58 PM for strings:
; 'currentcontrolset\services\bits'
; 'currentcontrolset\services\wuauserv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Values
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Blade81 · Sep 21, 2009

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

RyanTrahan · Sep 21, 2009

DDS (Ver_09-07-30.01) - NTFSx86
Run by Chaos Productions at 13:56:01.69 on 21/09/2009
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.2037.1171 [GMT -4:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Users\Chaos Productions\Desktop\New Folder (2)\Core Temp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Chaos Productions\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://forums.spybot.info/showthread.php?p=337619
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
STS: RspyramiEve.Rspyrami: {06bae9ef-082f-4d2c-b706-de967ffa43f1} - c:\windows\system32\rspyrami.dll

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-19 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-8-24 185640]
R3 netr28u;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-8-16 552448]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-09-19 01:15 <DIR> --d----- c:\program files\Essentials Codec Pack
2009-09-19 01:08 <DIR> --d----- c:\programdata\VistaCodecPack
2009-09-19 01:08 <DIR> --d----- c:\progra~2\VistaCodecPack
2009-09-19 01:04 <DIR> --d----- c:\program files\Fusion Media Player
2009-09-19 00:56 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-09-19 00:55 <DIR> --d----- c:\program files\DivX
2009-09-19 00:55 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-19 00:37 <DIR> --d----- c:\programdata\LogMeIn
2009-09-19 00:37 <DIR> --d----- c:\progra~2\LogMeIn
2009-09-19 00:37 28,984 a------- c:\windows\system32\LMIport.dll
2009-09-19 00:37 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2009-09-19 00:37 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-09-19 00:37 87,352 a------- c:\windows\system32\LMIinit.dll
2009-09-19 00:37 <DIR> --d----- c:\program files\LogMeIn
2009-09-19 00:20 <DIR> --d----- c:\program files\VistaCodecPack
2009-09-17 16:10 <DIR> --d----- c:\users\chaosp~1\appdata\roaming\Malwarebytes
2009-09-17 16:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 16:10 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-17 16:10 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-17 16:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 16:10 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-11 19:39 <DIR> --d----- c:\program files\Gravity
2009-09-11 19:38 65,536 a------- c:\windows\IFinst27.exe
2009-09-10 22:35 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-10 22:28 <DIR> --d----- c:\program files\Belkin
2009-09-10 22:28 <DIR> --dsh--- c:\windows\Installer
2009-09-10 22:28 <DIR> --d----- c:\windows\{7B355114-7439-42B6-AB50-516834796D4D}
2009-09-10 22:07 <DIR> --d----- c:\users\chaosp~1\appdata\roaming\TeamViewer
2009-09-10 22:07 <DIR> --d----- c:\program files\TeamViewer
2009-09-10 22:07 <DIR> --d----- c:\users\chaos productions\temp
2009-09-10 21:58 <DIR> --d----- c:\program files\AhnLab
2009-09-10 21:35 249,273,812 a------- c:\windows\MEMORY.DMP
2009-09-10 21:31 <DIR> --d----- c:\windows\Panther
2009-09-10 21:12 <DIR> --d----- C:\Windows.old
2009-09-10 20:59 <DIR> --d----- c:\users\Chaos Productions
2009-09-10 19:41 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-09-10 19:40 83,456 a------- c:\windows\system32\wudriver.dll
2009-09-10 19:40 162,064 a------- c:\windows\system32\wuwebv.dll
2009-09-10 19:40 31,232 a------- c:\windows\system32\wuapp.exe
2009-09-10 17:07 8,192 a--s-r-- C:\BOOTSECT.BAK

==================== Find3M ====================

2009-09-21 13:54 51,200 a------- c:\windows\inf\infpub.dat
2009-09-10 22:29 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-10 22:29 86,016 a------- c:\windows\inf\infstor.dat
2009-07-13 20:15 90,112 a------- c:\windows\system32\dpl100.dll
2009-07-13 20:15 685,056 a------- c:\windows\system32\DivX.dll
2006-11-02 08:49 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 06:32 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2001-03-30 12:24 32,768 a--shr-- c:\windows\system32\eahdc.dll
2001-03-30 12:24 372,736 a--shr-- c:\windows\system32\rspyrami.dll

============= FINISH: 13:56:31.29 ===============

ComboFix 09-09-20.04 - Chaos Productions 21/09/2009 14:04.1.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.2037.1194 [GMT -4:00]
Running from: c:\users\Chaos Productions\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 18:09 . 2009-09-21 18:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\Media Player Classic
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\program files\Essentials Codec Pack
2009-09-19 05:08 . 2009-09-19 05:08 -------- d-----w- c:\programdata\VistaCodecPack
2009-09-19 05:04 . 2009-09-19 05:04 -------- d-----w- c:\program files\Fusion Media Player
2009-09-19 04:56 . 2009-09-19 04:57 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\DivX
2009-09-19 04:56 . 2009-09-19 04:56 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-09-19 04:55 . 2009-09-19 05:06 -------- d-----w- c:\program files\DivX
2009-09-19 04:55 . 2009-09-19 04:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-19 04:37 . 2009-09-19 04:37 -------- d-----w- c:\users\Chaos Productions\AppData\Local\LogMeIn
2009-09-19 04:37 . 2009-09-19 04:37 -------- d-----w- c:\programdata\LogMeIn
2009-09-19 04:37 . 2009-09-05 18:23 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-09-19 04:37 . 2009-09-05 18:23 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-09-19 04:37 . 2008-08-11 19:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-09-19 04:37 . 2009-09-05 18:23 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-19 04:37 . 2009-09-21 04:00 -------- d-----w- c:\program files\LogMeIn
2009-09-19 04:32 . 2009-09-19 04:35 -------- d-----w- c:\users\Chaos Productions\AppData\Local\Deployment
2009-09-19 04:32 . 2009-09-19 04:32 -------- d-----w- c:\users\Chaos Productions\AppData\Local\Apps
2009-09-19 04:20 . 2009-09-19 04:20 -------- d-----w- c:\program files\VistaCodecPack
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\Malwarebytes
2009-09-17 20:10 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\programdata\Malwarebytes
2009-09-17 20:10 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 23:39 . 2009-09-11 23:39 -------- d-----w- c:\program files\Gravity
2009-09-11 23:38 . 2009-09-11 23:50 65536 ----a-w- c:\windows\IFinst27.exe
2009-09-11 02:35 . 2009-09-11 02:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-11 02:29 . 2009-09-11 02:29 -------- d-----w- c:\program files\InstallShield Installation Information
2009-09-11 02:28 . 2009-09-11 02:28 -------- d-----w- c:\program files\Belkin
2009-09-11 02:28 . 2009-09-11 02:28 552 ----a-w- c:\users\Chaos Productions\AppData\Local\d3d8caps.dat
2009-09-11 02:28 . 2009-09-19 05:15 -------- d-sh--w- c:\windows\Installer
2009-09-11 02:28 . 2009-09-11 02:28 -------- d-----w- c:\windows\{7B355114-7439-42B6-AB50-516834796D4D}
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\TeamViewer
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\program files\TeamViewer
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\users\Chaos Productions\temp
2009-09-11 01:58 . 2009-09-11 01:58 -------- d-----w- c:\program files\AhnLab
2009-09-11 01:31 . 2009-09-11 00:51 -------- d-----w- c:\windows\Panther
2009-09-11 01:12 . 2009-09-11 01:51 -------- d-----w- C:\Windows.old
2009-09-11 00:41 . 2009-09-11 00:54 -------- d-----w- c:\windows\Debug
2009-09-10 23:54 . 2009-09-10 23:54 -------- d-----w- c:\windows\system32\Macromed
2009-09-10 23:43 . 2009-09-10 23:43 -------- d-----w- c:\users\Chaos Productions\AppData\Local\WindowsUpdate
2009-09-10 23:41 . 2009-09-10 23:41 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-10 23:41 . 2009-09-10 23:41 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-10 23:41 . 2009-09-10 23:41 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-10 23:41 . 2009-09-10 23:41 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-10 23:40 . 2009-09-10 23:40 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-10 23:40 . 2009-09-10 23:40 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-10 23:40 . 2009-09-10 23:40 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-10 23:40 . 2009-09-10 23:40 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-10 23:40 . 2009-09-10 23:40 162064 ----a-w- c:\windows\system32\wuwebv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 05:15 . 2009-09-11 00:59 680 ----a-w- c:\users\Chaos Productions\AppData\Local\d3d9caps.dat
2009-09-11 00:59 . 2009-09-11 00:59 48600 ----a-w- c:\users\Chaos Productions\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2001-03-30 16:24 . 2001-03-30 16:24 32768 --sha-r- c:\windows\System32\eahdc.dll
2001-03-30 16:24 . 2001-03-30 16:24 372736 --sha-r- c:\windows\System32\rspyrami.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{06BAE9EF-082F-4D2C-B706-DE967FFA43F1}"= "c:\windows\system32\rspyrami.dll" [2001-03-30 372736]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4863346F-60A0-44B6-8151-08DB57EBC2F8}"= UDP:c:\program files\TeamViewer\Version4\TeamViewer.exe:Teamviewer Remote Control Application
"{07CA59A3-B8CE-4117-9CBC-38A2088A3A97}"= TCP:c:\program files\TeamViewer\Version4\TeamViewer.exe:Teamviewer Remote Control Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 3:41 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [19/09/2009 12:37 AM 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [24/08/2009 10:51 AM 185640]
R3 netr28u;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr28u.sys [16/08/2007 4:49 AM 552448]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [02/11/2006 6:25 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [02/11/2006 6:25 AM 251904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BITS
*NewlyCreated* - LMIINFO
*NewlyCreated* - LMIRFSDRIVER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.spybot.info/showthread.php?p=337619
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\users\Chaos Productions\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLP77YRP\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 14:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4624)
c:\windows\system32\rspyrami.dll
c:\windows\system32\MSVBVM60.DLL
.
Completion time: 2009-09-21 14:10
ComboFix-quarantined-files.txt 2009-09-21 18:10

Pre-Run: 92,655,448,064 bytes free
Post-Run: 92,676,677,632 bytes free

140

when i upgraded my computer my graphics card like uninstalled or something but my computer has a bunch of driver stuff missing i was wondering if when your done helping me remove the malware, you wouldent mind helping me fix my drivers?

Blade81 · Sep 22, 2009

Hi,

Are you able to start BITS and wuauserv services now?

when i upgraded my computer my graphics card like uninstalled or something but my computer has a bunch of driver stuff missing i was wondering if when your done helping me remove the malware, you wouldent mind helping me fix my drivers?

For general computer issues I have to guide you to ask for help at other forum (but not yet) since we help with malware issues here.

RyanTrahan · Sep 25, 2009

no i still cant start bits

and windows update is running

Blade81 · Sep 25, 2009

Hi,

Click start->run->write regedit and press enter.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS key. On the right side of registry editor window you should see ImagePath value. What reads in its data field?

RyanTrahan · Sep 29, 2009

ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs

Blade81 · Sep 30, 2009

Ok. The path seems to be correct at least. What error message do you get when you try to start BITS?

RyanTrahan · Oct 7, 2009

im verry sorry about the long absence just too busy with school to bother unfortunatly and i really care for my computer lol anyways
when i try to run bits through Cmd prompt i get this

Code:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Chaos Productions>start net bits

C:\Users\Chaos Productions>net start bits
The Background Intelligent Transfer Service service is starting.
The Background Intelligent Transfer Service service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.


C:\Users\Chaos Productions>

when i try to start it through the service manager i get this

the background intelligent transfer service service on local computer started then stopped. some services stop automatically if they are not in use by other services or programs

i will check back as often as possible even if its on my laptop

Blade81 · Oct 8, 2009

Hi,

I took a new look at your earlier logs and found something that doesn't belong there. Let's remove it.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\system32\eahdc.dll
c:\windows\system32\rspyrami.dll
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{06BAE9EF-082F-4D2C-B706-DE967FFA43F1}"=-
Reboot::

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself)
Then post the resultant log.

RyanTrahan · Oct 9, 2009

ComboFix 09-10-07.05 - Chaos Productions 08/10/2009 19:15.2.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.2037.1258 [GMT -4:00]
Running from: c:\users\Chaos Productions\Desktop\ComboFix.exe
Command switches used :: c:\users\Chaos Productions\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091008-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091008-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2099-12-31 21:46 . 2099-12-31 21:46 -------- d-----w- C:\Downloads
2099-12-31 21:45 . 2009-10-07 22:38 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\Free Download Manager
2099-12-31 21:44 . 2099-12-31 21:44 -------- d-----w- c:\programdata\FreeDownloadManager.ORG
2099-12-31 21:44 . 2099-12-31 21:46 -------- d-----w- c:\program files\Free Download Manager
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-07 22:14 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-07 22:14 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-07 22:14 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-07 22:14 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-07 22:14 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-07 22:13 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-07 22:13 . 2009-09-15 10:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-10-07 22:13 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-10-07 22:13 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-10-07 22:13 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-10-07 22:13 . 2009-10-07 22:13 -------- d-----w- c:\program files\Alwil Software
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\Media Player Classic
2009-09-19 05:15 . 2009-09-19 05:15 -------- d-----w- c:\program files\Essentials Codec Pack
2009-09-19 05:08 . 2009-09-19 05:08 -------- d-----w- c:\programdata\VistaCodecPack
2009-09-19 05:04 . 2009-09-19 05:04 -------- d-----w- c:\program files\Fusion Media Player
2009-09-19 04:56 . 2009-09-19 04:57 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\DivX
2009-09-19 04:56 . 2009-09-19 04:56 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-09-19 04:55 . 2009-09-21 18:14 -------- d-----w- c:\program files\DivX
2009-09-19 04:55 . 2009-09-19 04:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-19 04:37 . 2009-09-19 04:37 -------- d-----w- c:\users\Chaos Productions\AppData\Local\LogMeIn
2009-09-19 04:37 . 2009-09-19 04:37 -------- d-----w- c:\programdata\LogMeIn
2009-09-19 04:37 . 2009-09-05 18:23 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-09-19 04:37 . 2009-09-05 18:23 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-09-19 04:37 . 2008-08-11 19:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-09-19 04:37 . 2009-09-05 18:23 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-19 04:37 . 2009-10-08 23:05 -------- d-----w- c:\program files\LogMeIn
2009-09-19 04:32 . 2009-09-19 04:35 -------- d-----w- c:\users\Chaos Productions\AppData\Local\Deployment
2009-09-19 04:32 . 2009-09-19 04:32 -------- d-----w- c:\users\Chaos Productions\AppData\Local\Apps
2009-09-19 04:20 . 2009-09-19 04:20 -------- d-----w- c:\program files\VistaCodecPack
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\Malwarebytes
2009-09-17 20:10 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 20:10 . 2009-09-17 20:10 -------- d-----w- c:\programdata\Malwarebytes
2009-09-17 20:10 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 23:39 . 2009-09-11 23:39 -------- d-----w- c:\program files\Gravity
2009-09-11 23:38 . 2009-09-11 23:50 65536 ----a-w- c:\windows\IFinst27.exe
2009-09-11 02:35 . 2009-09-11 02:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-11 02:29 . 2009-09-11 02:29 -------- d-----w- c:\program files\InstallShield Installation Information
2009-09-11 02:28 . 2009-09-11 02:28 -------- d-----w- c:\program files\Belkin
2009-09-11 02:28 . 2009-09-11 02:28 552 ----a-w- c:\users\Chaos Productions\AppData\Local\d3d8caps.dat
2009-09-11 02:28 . 2009-09-19 05:15 -------- d-sh--w- c:\windows\Installer
2009-09-11 02:28 . 2009-09-11 02:28 -------- d-----w- c:\windows\{7B355114-7439-42B6-AB50-516834796D4D}
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\users\Chaos Productions\AppData\Roaming\TeamViewer
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\program files\TeamViewer
2009-09-11 02:07 . 2009-09-11 02:07 -------- d-----w- c:\users\Chaos Productions\temp
2009-09-11 01:58 . 2009-09-11 01:58 -------- d-----w- c:\program files\AhnLab
2009-09-11 01:31 . 2009-09-11 00:51 -------- d-----w- c:\windows\Panther
2009-09-11 01:12 . 2009-09-11 01:51 -------- d-----w- C:\Windows.old
2009-09-11 00:41 . 2009-09-11 00:54 -------- d-----w- c:\windows\Debug
2009-09-10 23:54 . 2009-09-10 23:54 -------- d-----w- c:\windows\system32\Macromed
2009-09-10 23:43 . 2009-09-10 23:43 -------- d-----w- c:\users\Chaos Productions\AppData\Local\WindowsUpdate
2009-09-10 23:41 . 2009-09-10 23:41 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-10 23:41 . 2009-09-10 23:41 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-10 23:41 . 2009-09-10 23:41 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-10 23:41 . 2009-09-10 23:41 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-10 23:40 . 2009-09-10 23:40 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-10 23:40 . 2009-09-10 23:40 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-10 23:40 . 2009-09-10 23:40 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-10 23:40 . 2009-09-10 23:40 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-10 23:40 . 2009-09-10 23:40 162064 ----a-w- c:\windows\system32\wuwebv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 23:05 . 2009-09-11 00:59 680 ----a-w- c:\users\Chaos Productions\AppData\Local\d3d9caps.dat
2009-09-11 00:59 . 2009-09-11 00:59 48600 ----a-w- c:\users\Chaos Productions\AppData\Local\GDIPFONTCACHEV1.DAT
2001-03-30 16:24 . 2001-03-30 16:24 32768 --sha-r- c:\windows\System32\eahdc.dll
2001-03-30 16:24 . 2001-03-30 16:24 372736 --sha-r- c:\windows\System32\rspyrami.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-21_18.09.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-11 02:36 . 2009-10-07 22:41 19616 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-10-07 22:41 49664 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:00 . 2009-09-21 18:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:00 . 2009-10-08 19:41 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:00 . 2009-10-08 19:41 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2009-09-21 18:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2009-09-21 18:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:00 . 2009-10-08 19:41 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-11 01:00 . 2009-10-07 22:41 3072 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3079595698-2492634495-289004864-1000_UserData.bin
- 2009-09-18 03:10 . 2009-09-18 03:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-08 19:39 . 2009-10-08 19:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 03:10 . 2009-09-18 03:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-08 19:39 . 2009-10-08 19:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-09-21 04:07 621746 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-08 19:44 621746 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-21 04:07 107332 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-08 19:44 107332 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:22 . 2009-09-21 18:13 5767168 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-09-19 04:56 5767168 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 12:46 . 2009-10-07 22:37 1028261 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{06BAE9EF-082F-4D2C-B706-DE967FFA43F1}"= "c:\windows\system32\rspyrami.dll" [2001-03-30 372736]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4863346F-60A0-44B6-8151-08DB57EBC2F8}"= UDP:c:\program files\TeamViewer\Version4\TeamViewer.exe:Teamviewer Remote Control Application
"{07CA59A3-B8CE-4117-9CBC-38A2088A3A97}"= TCP:c:\program files\TeamViewer\Version4\TeamViewer.exe:Teamviewer Remote Control Application
"TCP Query User{A91C75E8-2A62-42DD-BCA7-109A0C5DD228}c:\\program files\\free download manager\\fdm.exe"= UDP:c:\program files\free download manager\fdm.exe:Free Download Manager
"UDP Query User{A32F5609-F335-4478-A3F9-531538A9105D}c:\\program files\\free download manager\\fdm.exe"= TCP:c:\program files\free download manager\fdm.exe:Free Download Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [07/10/2009 6:14 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [07/10/2009 6:14 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [07/10/2009 6:13 PM 53328]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 3:41 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [19/09/2009 12:37 AM 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [24/08/2009 10:51 AM 185640]
R3 netr28u;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr28u.sys [16/08/2007 4:49 AM 552448]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [02/11/2006 6:25 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [02/11/2006 6:25 AM 251904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.spybot.info/showthread.php?p=337619
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 19:20
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3788)
c:\windows\system32\rspyrami.dll
c:\windows\system32\MSVBVM60.DLL
c:\windows\system32\eahdc.dll
.
Completion time: 2009-10-08 19:21
ComboFix-quarantined-files.txt 2009-10-08 23:21
ComboFix2.txt 2009-09-21 18:10

Pre-Run: 97,317,695,488 bytes free
Post-Run: 97,361,698,816 bytes free

183

Blade81 · Oct 9, 2009

Hi,

Did you use script with the contents in my previous post? It namely looks like it hadn't any effect.

Help unable to update

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus