PDA

View Full Version : browser hijacked anti spyware programs wont run.



joshwg
2009-02-14, 04:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:59 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\8D2C.tmp
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/forumdisplay.php?f=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: AmeoToolbar - {82F25EE1-F69D-4162-B6AA-5AA10EF927C4} - C:\WINDOWS\system32\fejokt.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: mefwpf.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: yayyYSmm - yayyYSmm.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7328 bytes

peku006
2009-02-16, 22:36
Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

joshwg
2009-02-18, 01:06
I could not go to any of the websites on the infected computer. It redirects me to google with a few porn links above what I typed in the URL.

I used a flash drive to transfer combofix to the infected computer and it will NOT run. please advise.

HIjackthis does run

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:08 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\SDMan.EXE
C:\WINDOWS\system32\userinit.exe
C:\SABRE\Apps\OADP\Oadp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\TEMP\FFCC.tmp
C:\WINDOWS\TEMP\FFCC.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/forumdisplay.php?f=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: AmeoToolbar - {82F25EE1-F69D-4162-B6AA-5AA10EF927C4} - C:\WINDOWS\system32\fejokt.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Init] C:\WINDOWS\system32\logon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: mefwpf.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: yayyYSmm - yayyYSmm.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7926 bytes

peku006
2009-02-18, 18:01
Hi joshwg

OK don't worry about Combofix, we'll try a different tools

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

3 - Status Check
Please reply with

1.the logs from RSIT (log.txt ,info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006

joshwg
2009-02-19, 01:22
Malwarebytes won't install. Random system info worked. I also can not access control panel or my computer. I get a msg saying

"This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.

info.txt logfile of random's system information tool 1.05 2009-02-18 18:02:35

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Advertisement Service-->C:\WINDOWS\system32\prunnet.exe Uninstall
AnalogX MaxMem-->C:\Program Files\AnalogX\MaxMem\maxmemu.exe
AVG Anti-Spyware 7.5-->C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CC_ccStart-->MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon-->MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Gamevance-->C:\Program Files\Gamevance\gvun.exe
Global Explorer Software-->C:\desktop\Uninstall.EXE /u:"Global Explorer Software"
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Color LaserJet 3500-->msiexec /x{345DA7F2-83B4-416F-99B1-810E87A701D3}
HP LaserJet 2410/2420/2430-->C:\Program Files\Hewlett-Packard\hp LaserJet 2410 2420 2430\Installer\hpsetup.exe /x
HP LaserJet 2410/2420/2430-->msiexec /x{02C0BC1F-E273-4FA7-BF75-46ACF9650765}
Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_01-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java 2 Runtime Environment, SE v1.4.2_06-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft AntiSpyware-->MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
MSRedist-->MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MySabre-->C:\WINDOWS\ISUNINST.EXE -fC:\SABRE\Apps\Portal\Uninstal\DeIsL1.isu
Norton AntiVirus 2004 (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus 2004-->MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus Parent MSI-->MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton WMI Update-->MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Open Systems Client-->C:\WINDOWS\ISUNINST.EXE -fC:\SABRE\Apps\Sabre\Uninstal\DeIsL1.isu
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Remote Administrator v2.2-->C:\Program Files\Radmin\uninstal.exe
Sabre CruiseDirector-->C:\WINDOWS\ISUNINST.EXE -fC:\SABRE\Apps\Cruzdir\Uninstal\DeIsL1.isu
Sabre Device Manager-->C:\WINDOWS\ISUNINST.EXE -fC:\SABRE\Apps\SDM\Uninstal\DeIsL1.isu
Sabre Print Module-->C:\WINDOWS\ISUNINST.EXE -fC:\SABRE\Apps\OADP\Uninstal\DeIsL1.isu
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Script Blocking Installer-->MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet-->MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Connect-->msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect-->MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Xvid 1.1.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Security center information======

AV: Norton AntiVirus (disabled) (outdated)

System event log

Computer Name: AGENT
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 24501
Source Name: EventLog
Time Written: 20080904221707.000000-240
Event Type: information
User:

Computer Name: AGENT
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 24500
Source Name: Service Control Manager
Time Written: 20080904160903.000000-240
Event Type: information
User:

Computer Name: AGENT
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 24499
Source Name: Service Control Manager
Time Written: 20080904160903.000000-240
Event Type: information
User:

Computer Name: AGENT
Event Code: 7035
Message: The Remote Access Connection Manager service was successfully sent a start control.

Record Number: 24498
Source Name: Service Control Manager
Time Written: 20080904160903.000000-240
Event Type: information
User: AGENT\Administrator

Computer Name: AGENT
Event Code: 7036
Message: The Telephony service entered the running state.

Record Number: 24497
Source Name: Service Control Manager
Time Written: 20080904160903.000000-240
Event Type: information
User:

Application event log

Computer Name: AGENT
Event Code: 1
Message: Application started

Record Number: 2685
Source Name: ccEvtMgr
Time Written: 20051102140813.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AGENT
Event Code: 26
Message: Application starting

Record Number: 2684
Source Name: ccEvtMgr
Time Written: 20051102140812.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AGENT
Event Code: 1
Message: Application started

Record Number: 2683
Source Name: ccSetMgr
Time Written: 20051102140812.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AGENT
Event Code: 26
Message: Application starting

Record Number: 2682
Source Name: ccSetMgr
Time Written: 20051102140811.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AGENT
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module aoltb.dll, version 2.0.4239.61, fault address 0x00052065.

Record Number: 2681
Source Name: Application Error
Time Written: 20051031163655.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-02-18 18:02:28
Microsoft Windows XP Professional Service Pack 2
System drive C: has 65 GB (85%) free of 76 GB
Total RAM: 503 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:32 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\logon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\73E.tmp
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/forumdisplay.php?f=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: AmeoToolbar - {82F25EE1-F69D-4162-B6AA-5AA10EF927C4} - C:\WINDOWS\system32\fejokt.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Init] C:\WINDOWS\system32\logon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: mefwpf.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: yayyYSmm - yayyYSmm.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7960 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Administrator.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\wtldgdev.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}]
Gamevance Text - C:\Program Files\Gamevance\gvtl.dll [2008-04-11 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82F25EE1-F69D-4162-B6AA-5AA10EF927C4}]
AmeoToolbar - C:\WINDOWS\system32\fejokt.dll [2009-02-11 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}]
C:\WINDOWS\system32\hsfd83jfdg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Program Files\Norton AntiVirus\NavShExt.dll [2003-11-24 103368]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-04-18 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Gamevance"=C:\Program Files\Gamevance\gamevance32.exe [2008-04-11 79360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-06 68856]
"Init"=C:\WINDOWS\system32\logon.exe [2004-08-04 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BI1HelperStartUp]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-12-12 71328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2004-12-31 469824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE-Security]
C:\Program Files\IE-Security\iescan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inysfzo]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Sabre Server (JSERVER)]
C:\SABRE\Apps\Portal\JServer.exe [2004-07-30 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsf8uiw3jnjgffght]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlognn.exe [2009-02-11 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]
C:\WINDOWS\system32\prunnet.exe [2009-02-06 44824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rdobaq]
C:\WINDOWS\Mxeribeke.dll [2009-02-11 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
C:\Program Files\Compaq\SetRefresh\SetRefresh.exe [2003-11-06 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe [2001-07-24 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.5]
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe [2003-09-30 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe [2006-05-09 100056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tezrtsjhfr84iusjfo84f]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe [2009-02-11 23041]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe [2003-06-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vpejideduvakadev]
C:\WINDOWS\urojihaf.dll [2009-02-11 133632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MaxMem.lnk]
C:\PROGRA~1\AnalogX\MaxMem\maxmem.exe [2005-11-16 75780]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OADP Utility.lnk]
C:\SABRE\Apps\OADP\OadpUtil.exe [2004-07-12 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Printing Start.lnk]
C:\SABRE\Sabstart.exe [2001-05-25 20992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Server.lnk]
C:\WINDOWS\sabserv.exe [2004-09-07 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="mefwpf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt]
C:\WINDOWS\system32\crypts.dll [2009-02-11 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
igfxsrvc.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyYSmm]
yayyYSmm.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2004-12-31 93408]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2006-09-28 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe"="C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe:*:Enabled:javaw"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:javaw"
"C:\SABRE\Apps\OADP\OadpUtil.exe"="C:\SABRE\Apps\OADP\OadpUtil.exe:*:Enabled:Open Auxiliary Device Platform"
"C:\WINDOWS\sabserv.exe"="C:\WINDOWS\sabserv.exe:*:Enabled:CSAPI Server"
"C:\Program Files\Common Files\AOL\1130337771\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1130337771\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\1130337771\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1130337771\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-02-18 18:02:28 ----D---- C:\rsit
2009-02-14 14:07:43 ----D---- C:\Program Files\IE-Security
2009-02-13 21:39:45 ----D---- C:\Program Files\Trend Micro
2009-02-13 21:09:09 ----D---- C:\WINDOWS\ERDNT
2009-02-13 21:04:12 ----D---- C:\Program Files\ERUNT
2009-02-13 18:05:04 ----SHD---- C:\WINDOWS\CSC
2009-02-13 18:04:54 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-11 19:33:00 ----A---- C:\WINDOWS\urojihaf.dll
2009-02-11 17:10:52 ----A---- C:\WINDOWS\system32\fejokt.dll
2009-02-11 17:10:50 ----A---- C:\WINDOWS\system32\crypts.dll
2009-02-11 17:10:50 ----A---- C:\pfgiuuo.exe
2009-02-11 17:10:48 ----A---- C:\wskrote.exe
2009-02-11 17:09:55 ----A---- C:\jwfmld.exe
2009-02-11 17:08:54 ----A---- C:\WINDOWS\system32\hsfd83jfdg.dll
2009-02-11 17:08:51 ----A---- C:\WINDOWS\Mxeribeke.dll
2009-02-11 17:08:49 ----A---- C:\kvkglog.exe
2009-02-11 17:08:47 ----A---- C:\WINDOWS\system32\lwtxqnbd.dll
2009-02-11 17:06:14 ----A---- C:\WINDOWS\system32\tyggcadh.dll
2009-02-11 17:06:14 ----A---- C:\WINDOWS\system32\mefwpf.dll
2009-02-10 17:10:54 ----ASH---- C:\WINDOWS\system32\kswdkqrk.ini
2009-02-10 17:10:51 ----A---- C:\WINDOWS\system32\krqkdwsk.dll
2009-02-10 17:08:04 ----A---- C:\WINDOWS\system32\nlgwps.dll
2009-02-10 17:08:02 ----A---- C:\WINDOWS\system32\tpsucwes.dll
2009-02-10 16:37:23 ----A---- C:\WINDOWS\system32\xxyywtqQ.dll
2009-02-10 16:37:18 ----A---- C:\WINDOWS\system32\ntdll64.exe
2009-02-10 16:07:06 ----A---- C:\WINDOWS\system32\frmwrk32.exe
2009-02-10 16:07:05 ----A---- C:\WINDOWS\system32\998.exe
2009-02-09 00:11:22 ----A---- C:\WINDOWS\system32\winlogon2.exe
2009-02-07 14:21:28 ----A---- C:\WINDOWS\WRUninstall.dll
2009-02-07 14:21:28 ----A---- C:\WINDOWS\ssleay32.dll
2009-02-07 14:21:28 ----A---- C:\WINDOWS\libeay32.dll
2009-02-07 10:23:51 ----D---- C:\WINDOWS\RegCure
2009-02-07 10:23:51 ----D---- C:\Program Files\RegCure
2009-02-06 18:54:43 ----A---- C:\WINDOWS\system32\hgGaARLF.dll
2009-02-06 18:53:09 ----D---- C:\Documents and Settings\Administrator\Application Data\VirusRemover2008
2009-02-06 18:51:55 ----A---- C:\WINDOWS\system32\7805bd1f-.txt
2009-02-06 18:51:36 ----ASH---- C:\WINDOWS\system32\Svvwayxx.ini2
2009-02-06 18:51:36 ----ASH---- C:\WINDOWS\system32\Svvwayxx.ini
2009-02-06 18:46:24 ----A---- C:\WINDOWS\system32\prunnet.exe

======List of files/folders modified in the last 1 months======

2009-02-18 17:59:35 ----D---- C:\WINDOWS\Temp
2009-02-18 17:59:35 ----D---- C:\WINDOWS\system32
2009-02-17 18:16:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-17 17:59:28 ----RASH---- C:\boot.ini
2009-02-17 17:59:28 ----A---- C:\WINDOWS\win.ini
2009-02-17 17:59:28 ----A---- C:\WINDOWS\System.ini
2009-02-17 17:57:52 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-17 14:46:35 ----D---- C:\WINDOWS\system32\drivers
2009-02-14 14:40:15 ----D---- C:\WINDOWS\Prefetch
2009-02-14 14:07:43 ----RD---- C:\Program Files
2009-02-13 21:40:13 ----D---- C:\desktop
2009-02-13 21:11:21 ----D---- C:\Documents and Settings
2009-02-13 21:09:09 ----D---- C:\WINDOWS
2009-02-10 19:01:17 ----D---- C:\Program Files\Mozilla Firefox
2009-02-10 16:38:06 ----SHD---- C:\WINDOWS\Installer
2009-02-10 16:38:02 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-02-10 16:37:25 ----SD---- C:\WINDOWS\Tasks
2009-02-10 16:07:14 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-02-10 16:07:13 ----A---- C:\WINDOWS\system32\userinit.exe
2009-02-07 14:19:29 ----HD---- C:\WINDOWS\inf
2009-01-28 19:42:21 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-05 3968]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-03 120094]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-03 96858]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2003-09-17 145408]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-08-03 91419]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2006-10-13 163584]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-08-29 578304]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 i81x;i81x; C:\WINDOWS\system32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\system32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\system32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\system32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimFP5;iAimFP5; C:\WINDOWS\system32\DRIVERS\wADV07nt.sys [2004-08-03 11807]
S3 iAimFP6;iAimFP6; C:\WINDOWS\system32\DRIVERS\wADV08nt.sys [2004-08-03 11295]
S3 iAimFP7;iAimFP7; C:\WINDOWS\system32\DRIVERS\wADV09nt.sys [2004-08-03 11871]
S3 iAimTV0;iAimTV0; C:\WINDOWS\system32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\system32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV3;iAimTV3; C:\WINDOWS\system32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 iAimTV5;iAimTV5; C:\WINDOWS\system32\DRIVERS\wATV10nt.sys [2004-08-03 25471]
S3 iAimTV6;iAimTV6; C:\WINDOWS\system32\DRIVERS\wATV06nt.sys [2004-08-03 22271]
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050401.025\NAVENG.Sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050401.025\NavEx15.Sys []
S3 SAVRT;SAVRT; \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS []
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
S4 adpu320;adpu320; C:\WINDOWS\system32\DRIVERS\adpu320.sys [2002-05-08 105472]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-03 5504]
S4 Symmpi;Symmpi; C:\WINDOWS\system32\DRIVERS\symmpi.sys [2002-04-04 28416]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-12-12 235168]
R2 CfgSrvc;Config Service Helper; C:\WINDOWS\system32\CfgSrvc.exe [2001-11-09 55296]
R2 HsspConfig;HSSP Configuration Module; C:\WINDOWS\system32\CfgSrvc.exe [2001-11-09 55296]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 r_server;Remote Administrator Service; C:\WINDOWS\system32\r_server.exe [2005-06-21 724992]
R2 SabrePrint;Sabre Printing Module; C:\SABRE\Apps\OADP\Oadp.exe [2004-07-12 487424]
R2 SDMan;Sabre Device Manager; C:\WINDOWS\SDMan.EXE [2001-05-29 106496]
R2 SymWSC;SymWMI Service; C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [2004-11-02 316544]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2003-06-24 66784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2006-09-28 204800]
S3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-12-12 255648]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-12-12 87712]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-01-09 654848]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-18 138168]
S3 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe [2004-04-23 158848]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-10-22 65536]
S3 SAVScan;SAVScan; C:\Program Files\Norton AntiVirus\SAVScan.exe [2005-01-25 194272]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-11 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]
S4 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]

-----------------EOF-----------------

peku006
2009-02-19, 10:32
Hi joshwg
This is a fairly long instruction, but you can do it. Just take it one step at a time. If there is any step where you need help, please post back and ask.

1 - Uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Gamevance
and click on remove


2 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: AmeoToolbar - {82F25EE1-F69D-4162-B6AA-5AA10EF927C4} - C:\WINDOWS\system32\fejokt.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKCU\..\Run: [Init] C:\WINDOWS\system32\logon.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O20 - AppInit_DLLs: mefwpf.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: yayyYSmm - yayyYSmm.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

3 - Download and Run LSPFix
Please download LSPFix (http://download.bleepingcomputer.com/spyware/lspfix.zip) and save it to your desktop:
Disconnect from the Internet.
Unzip the LSPFix file to your desktop.
Open the lspfix folder and double-click on LSPFix.exe to start the program.
Check the "I know what I'm doing" checkbox.
In the left-hand column which is labeled "Keep" select all instances of this file:
ntdll64.dll
Click the arrow >> so it goes over to the right-hand column under "Remove".
Then click Finish to allow LSPFix to rebuild the LSP chain.

Note: Only ntdll64.dll needs to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane and post the filenames to inform me.

4 - Back up your registry with ERUNT
Download ERUNT from here (http://aumha.org/downloads/erunt-setup.exe) and save it to your desktop.
Double click erunt-setup.exe to install the program
Follow the prompts, and then uncheck Create NTREGOPT desktop icon at the Additional Tasks screen. Click No when you are prompted about creating an ERUNT entry in the startup folder. At the next screen, uncheck Show documentation and check Launch ERUNT
If ERUNT doesnt start by itself, launch it from the desktop shortcut.
At the configuration screen, make sure all 3 checkboxes are checked
Click Ok to run the backup process
Note:
The backups can be restored from here:
C:\windows\ERDNT\<todays date>\ERDNT.exe

5 - Download anf Run OTMoveIt3

Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.

:files
C:\WINDOWS\tasks\wtldgdev.job
C:\Program Files\Gamevance
C:\WINDOWS\system32\fejokt.dll
C:\WINDOWS\system32\hsfd83jfdg.dll
C:\WINDOWS\system32\logon.exe
C:\Program Files\IE-Security
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\Mxeribeke.dll
C:\WINDOWS\urojihaf.dll
C:\WINDOWS\system32\mefwpf.dll
C:\WINDOWS\urojihaf.dll
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\ntbtlog.txt
C:\pfgiuuo.exe
C:\wskrote.exe
C:\jwfmld.exe
C:\WINDOWS\system32\hsfd83jfdg.dll
C:\kvkglog.exe
C:\WINDOWS\system32\lwtxqnbd.dll
C:\WINDOWS\system32\tyggcadh.dll
C:\WINDOWS\system32\kswdkqrk.ini
C:\WINDOWS\system32\kswdkqrk.ini
C:\WINDOWS\system32\krqkdwsk.dll
C:\WINDOWS\system32\nlgwps.dll
C:\WINDOWS\system32\tpsucwes.dll
C:\WINDOWS\system32\xxyywtqQ.dll
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\998.exe
C:\WINDOWS\system32\winlogon2.exe
C:\WINDOWS\system32\hgGaARLF.dll
C:\Documents and Settings\Administrator\Application Data\VirusRemover2008
C:\WINDOWS\system32\7805bd1f-.txt
C:\WINDOWS\system32\Svvwayxx.ini2
C:\WINDOWS\system32\Svvwayxx.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82F25EE1-F69D-4162-B6AA-5AA10EF927C4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Gamevance"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Init"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE-Security]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inysfzo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsf8uiw3jnjgffght]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rdobaq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tezrtsjhfr84iusjfo84f]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vpejideduvakadev]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt]


Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

6 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

7 - Status Check
Please reply with


1. the OTMoveIt3 log
2. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006

joshwg
2009-02-20, 01:51
after removing gameadvance there were no entries in hijackthis of that program. OTmoveit had an error and closed the program after it was finished(i think it was finished) so I was able to get the log.

========== FILES ==========
C:\WINDOWS\tasks\wtldgdev.job moved successfully.
File/Folder C:\Program Files\Gamevance not found.
File/Folder C:\WINDOWS\system32\fejokt.dll not found.
C:\WINDOWS\system32\hsfd83jfdg.dll NOT unregistered.
C:\WINDOWS\system32\hsfd83jfdg.dll moved successfully.
C:\WINDOWS\system32\logon.exe moved successfully.
File/Folder C:\Program Files\IE-Security not found.
C:\WINDOWS\system32\prunnet.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Mxeribeke.dll
C:\WINDOWS\Mxeribeke.dll NOT unregistered.
C:\WINDOWS\Mxeribeke.dll moved successfully.
C:\WINDOWS\urojihaf.dll NOT unregistered.
C:\WINDOWS\urojihaf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mefwpf.dll
C:\WINDOWS\system32\mefwpf.dll NOT unregistered.
C:\WINDOWS\system32\mefwpf.dll moved successfully.
File/Folder C:\WINDOWS\urojihaf.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\crypts.dll NOT unregistered.
C:\WINDOWS\system32\crypts.dll moved successfully.
C:\WINDOWS\ntbtlog.txt moved successfully.
C:\pfgiuuo.exe moved successfully.
C:\wskrote.exe moved successfully.
C:\jwfmld.exe moved successfully.
File/Folder C:\WINDOWS\system32\hsfd83jfdg.dll not found.
C:\kvkglog.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lwtxqnbd.dll
C:\WINDOWS\system32\lwtxqnbd.dll NOT unregistered.
C:\WINDOWS\system32\lwtxqnbd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tyggcadh.dll
C:\WINDOWS\system32\tyggcadh.dll NOT unregistered.
C:\WINDOWS\system32\tyggcadh.dll moved successfully.
C:\WINDOWS\system32\kswdkqrk.ini moved successfully.
File/Folder C:\WINDOWS\system32\kswdkqrk.ini not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\krqkdwsk.dll
C:\WINDOWS\system32\krqkdwsk.dll NOT unregistered.
C:\WINDOWS\system32\krqkdwsk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nlgwps.dll
C:\WINDOWS\system32\nlgwps.dll NOT unregistered.
C:\WINDOWS\system32\nlgwps.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tpsucwes.dll
C:\WINDOWS\system32\tpsucwes.dll NOT unregistered.
C:\WINDOWS\system32\tpsucwes.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xxyywtqQ.dll
C:\WINDOWS\system32\xxyywtqQ.dll NOT unregistered.
C:\WINDOWS\system32\xxyywtqQ.dll moved successfully.
C:\WINDOWS\system32\ntdll64.exe moved successfully.
C:\WINDOWS\system32\frmwrk32.exe moved successfully.
C:\WINDOWS\system32\998.exe moved successfully.
C:\WINDOWS\system32\winlogon2.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hgGaARLF.dll
C:\WINDOWS\system32\hgGaARLF.dll NOT unregistered.
C:\WINDOWS\system32\hgGaARLF.dll moved successfully.
C:\Documents and Settings\Administrator\Application Data\VirusRemover2008\Logs moved successfully.
C:\Documents and Settings\Administrator\Application Data\VirusRemover2008 moved successfully.
C:\WINDOWS\system32\7805bd1f-.txt moved successfully.
C:\WINDOWS\system32\Svvwayxx.ini2 moved successfully.
C:\WINDOWS\system32\Svvwayxx.ini moved successfully.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82F25EE1-F69D-4162-B6AA-5AA10EF927C4}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Gamevance not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Init not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE-Security\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inysfzo\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsf8uiw3jnjgffght\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rdobaq\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tezrtsjhfr84iusjfo84f\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vpejideduvakadev\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLS deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02192009_184605

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:16 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/forumdisplay.php?f=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6759 bytes

peku006
2009-02-20, 08:38
Hi joshwg

Delete ComboFix.exe and the folder C:\ComboFix

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Thanks peku006

joshwg
2009-02-21, 01:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:52 PM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/forumdisplay.php?f=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6739 bytes

ComboFix 09-02-19.01 - Administrator 2009-02-20 18:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.336 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\Administrator\Desktop\Cheap Pharmacy Online.url
c:\documents and settings\Administrator\Desktop\Search Online.url
c:\documents and settings\Administrator\Desktop\SMS TRAP.url
c:\documents and settings\Administrator\Desktop\VIP Casino.url
c:\documents and settings\Administrator\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Administrator\Favorites\Search Online.url
c:\documents and settings\Administrator\Favorites\SMS TRAP.url
c:\documents and settings\Administrator\Favorites\VIP Casino.url
c:\documents and settings\Administrator\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\Administrator\Start Menu\Search Online.url
c:\documents and settings\Administrator\Start Menu\SMS TRAP.url
c:\documents and settings\Administrator\Start Menu\VIP Casino.url
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\ios.dat
c:\windows\sv.ini
c:\windows\system32\c.ico
c:\windows\system32\drivers\senekaaswwopbt.sys
c:\windows\system32\drivers\senekalooqyhkt.sys
c:\windows\system32\drivers\UACcnodddoj.sys
c:\windows\system32\init32.exe
c:\windows\system32\m.ico
c:\windows\system32\m3.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\sf.ico
c:\windows\system32\UACbvykdlsv.dll
c:\windows\system32\UACcnagrbvr.dll
c:\windows\system32\UACgrrglgut.dat
c:\windows\system32\UACkcghkjkg.dll
c:\windows\system32\UACmpxmkmob.log
c:\windows\system32\UACpkcvoaij.dll
c:\windows\system32\UACpyomqcyi.log
c:\windows\system32\UACtjylbvoy.log
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Temp\tmp3.tmp

----- BITS: Possible infected sites -----

hxxp://childhe.com
c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_R_SERVER
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-19 18:46 . 2009-02-19 18:46 <DIR> d-------- C:\_OTMoveIt
2009-02-18 18:08 . 2009-02-18 17:54 2,876,728 --a------ c:\program files\mbam-setup.exe
2009-02-18 18:02 . 2009-02-18 18:02 <DIR> d-------- C:\rsit
2009-02-13 21:39 . 2009-02-13 21:39 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 21:04 . 2009-02-13 21:04 <DIR> d-------- c:\program files\ERUNT
2009-02-11 18:54 . 2009-02-19 18:36 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-11 17:09 . 2009-02-11 17:09 2 --a------ C:\1931901390
2009-02-10 16:07 . 2009-02-10 16:07 104,960 --a------ c:\windows\system32\dllcache\userinit.exe
2009-02-07 14:23 . 2009-02-07 14:23 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2009-02-07 10:23 . 2009-02-07 10:23 <DIR> d-------- c:\windows\RegCure
2009-02-07 10:23 . 2009-02-13 21:40 <DIR> d-------- c:\program files\RegCure
2009-02-06 18:51 . 2009-02-20 18:04 2,204 --a------ c:\windows\munxktvk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 01:46 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-10 01:39 --------- d-----w c:\program files\Common Files\Adobe
2009-01-10 01:39 --------- d-----w c:\program files\Bonjour
2009-01-10 01:29 --------- d-----w c:\program files\Common Files\Macrovision Shared
.

------- Sigcheck -------

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-02-10 16:07 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\userinit.exe
2009-02-10 16:07 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sabre Task Tray Icon"="c:\sabre\Sabstart.exe" [2001-05-25 20992]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MaxMem.lnk]
backup=c:\windows\pss\MaxMem.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OADP Utility.lnk]
backup=c:\windows\pss\OADP Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Printing Start.lnk]
backup=c:\windows\pss\Sabre Printing Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Server.lnk]
backup=c:\windows\pss\Sabre Server.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BI1HelperStartUp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-12-12 13:37 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2004-12-31 16:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Sabre Server (JSERVER)]
--a--c--- 2004-07-30 14:21 57344 c:\sabre\Apps\Portal\jserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-20 13:38 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-06 08:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 16:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.5]
--a------ 2003-09-30 17:39 61440 c:\program files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-06 13:59 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-05-09 14:56 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2003-06-10 11:47 155648 c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\SABRE\\Apps\\OADP\\OadpUtil.exe"=
"c:\\WINDOWS\\sabserv.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"28178:TCP"= 28178:TCP:PORT_28178
"30375:TCP"= 30375:TCP:PORT_30375
"7260:TCP"= 7260:TCP:PORT_7260
"17311:TCP"= 17311:TCP:PORT_17311
"63767:TCP"= 63767:TCP:PORT_63767
"14664:TCP"= 14664:TCP:PORT_14664
"25305:TCP"= 25305:TCP:PORT_25305
"29176:TCP"= 29176:TCP:PORT_29176
"21356:TCP"= 21356:TCP:PORT_21356
"44500:TCP"= 44500:TCP:PORT_44500
"28341:TCP"= 28341:TCP:PORT_28341
"59758:TCP"= 59758:TCP:PORT_59758
"59516:TCP"= 59516:TCP:PORT_59516
"26621:TCP"= 26621:TCP:PORT_26621
"43785:TCP"= 43785:TCP:PORT_43785
"47981:TCP"= 47981:TCP:PORT_47981
"30200:TCP"= 30200:TCP:PORT_30200
"51870:TCP"= 51870:TCP:PORT_51870
"9116:TCP"= 9116:TCP:PORT_9116
"39273:TCP"= 39273:TCP:PORT_39273
"46404:TCP"= 46404:TCP:PORT_46404
"43832:TCP"= 43832:TCP:PORT_43832
"42910:TCP"= 42910:TCP:PORT_42910
"9976:TCP"= 9976:TCP:PORT_9976
"15226:TCP"= 15226:TCP:PORT_15226
"45479:TCP"= 45479:TCP:PORT_45479
"57588:TCP"= 57588:TCP:PORT_57588
"45398:TCP"= 45398:TCP:PORT_45398
"19376:TCP"= 19376:TCP:PORT_19376
"13308:TCP"= 13308:TCP:PORT_13308
"24958:TCP"= 24958:TCP:PORT_24958
"35835:TCP"= 35835:TCP:PORT_35835
"39281:TCP"= 39281:TCP:PORT_39281
"6235:TCP"= 6235:TCP:PORT_6235
"25007:TCP"= 25007:TCP:PORT_25007
"32458:TCP"= 32458:TCP:PORT_32458
"57614:TCP"= 57614:TCP:PORT_57614
"13804:TCP"= 13804:TCP:PORT_13804
"42113:TCP"= 42113:TCP:PORT_42113
"50337:TCP"= 50337:TCP:PORT_50337
"46391:TCP"= 46391:TCP:PORT_46391
"44122:TCP"= 44122:TCP:PORT_44122
"60707:TCP"= 60707:TCP:PORT_60707
"36918:TCP"= 36918:TCP:PORT_36918
"53707:TCP"= 53707:TCP:PORT_53707
"41551:TCP"= 41551:TCP:PORT_41551

R2 CfgSrvc;Config Service Helper;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 HsspConfig;HSSP Configuration Module;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 SabrePrint;Sabre Printing Module;c:\sabre\Apps\OADP\Oadp.exe [2005-04-20 487424]
R2 SDMan;Sabre Device Manager;c:\windows\sdman.exe [2005-04-20 106496]
S0 munxktvk;munxktvk;c:\windows\system32\drivers\uojftzzl.sys []
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 09:46]

2009-02-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-02-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 18:05:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\uojftzzl.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-20 18:10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 23:10:19

Pre-Run: 69,012,037,632 bytes free
Post-Run: 69,691,953,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

258 --- E O F --- 2009-01-15 03:20:28

peku006
2009-02-22, 21:04
Hi joshwg

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



FCopy::
C:\WINDOWS\ServicePackFiles\i386\userinit.exe | C:\WINDOWS\system32\userinit.exe

File::
c:\windows\munxktvk
c:\windows\system32\drivers\uojftzzl.sys

Driver::
munxktvk


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

joshwg
2009-02-25, 03:15
After running malwarebytes' it said it needed to reboot. After reboot explorer wouldn't run automatically.

It was just the desktop background. So I Ctrl + Alt + DEL to bring of task manager and started a new task (explorer.exe).

I restarted again and same issue.

Malwarebytes' Anti-Malware 1.34
Database version: 1800
Windows 5.1.2600 Service Pack 2

2/24/2009 7:01:42 PM
mbam-log-2009-02-24 (19-01-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130070
Time elapsed: 28 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{70ffdc96-b410-4030-8a53-0d708ec40e36} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a92f13be-e67f-45d9-b7f2-7e41d8080130} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IE-Security (Rogue.IE-Security) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090219-183335-511.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcnagrbvr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkcghkjkg.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpkcvoaij.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaaswwopbt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1072\A0085320.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1074\A0086320.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1074\A0086321.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1074\A0086322.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1074\A0086346.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\uojftzzl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\jwfmld.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\kvkglog.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\pfgiuuo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\wskrote.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\Documents and Settings\Administrator\LOCALS~1\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\Mxeribeke.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\hgGaARLF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\hsfd83jfdg.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\lwtxqnbd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\mefwpf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\tyggcadh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\xxyywtqQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Favorites\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyawvvS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:56 PM, on 2/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6692 bytes

ComboFix 09-02-24.02 - Administrator 2009-02-24 18:10:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.277 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\munxktvk
c:\windows\system32\drivers\uojftzzl.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\munxktvk

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MUNXKTVK
-------\Service_munxktvk


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-19 18:46 . 2009-02-19 18:46 <DIR> d-------- C:\_OTMoveIt
2009-02-18 18:08 . 2009-02-18 17:54 2,876,728 --a------ c:\program files\mbam-setup.exe
2009-02-18 18:02 . 2009-02-18 18:02 <DIR> d-------- C:\rsit
2009-02-13 21:39 . 2009-02-13 21:39 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 21:04 . 2009-02-13 21:04 <DIR> d-------- c:\program files\ERUNT
2009-02-11 18:54 . 2009-02-19 18:36 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-11 17:09 . 2009-02-11 17:09 2 --a------ C:\1931901390
2009-02-10 16:07 . 2009-02-10 16:07 104,960 --a------ c:\windows\system32\dllcache\userinit.exe
2009-02-07 14:23 . 2009-02-07 14:23 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2009-02-07 10:23 . 2009-02-07 10:23 <DIR> d-------- c:\windows\RegCure
2009-02-07 10:23 . 2009-02-13 21:40 <DIR> d-------- c:\program files\RegCure
2009-02-06 18:51 . 2009-02-06 18:51 302,080 --a------ c:\windows\system32\xxyawvvS.dll.vir
2009-02-06 18:51 . 2009-02-06 18:51 25,088 --a------ c:\windows\system32\drivers\uojftzzl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 01:46 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-10 01:39 --------- d-----w c:\program files\Common Files\Adobe
2009-01-10 01:39 --------- d-----w c:\program files\Bonjour
2009-01-10 01:29 --------- d-----w c:\program files\Common Files\Macrovision Shared
.

------- Sigcheck -------

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2009-02-10 16:07 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\userinit.exe
2009-02-10 16:07 104960 58bb7133a2f943f69a5bd91331dbec7b c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-20_18.09.20.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 ------w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sabre Task Tray Icon"="c:\sabre\Sabstart.exe" [2001-05-25 20992]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MaxMem.lnk]
backup=c:\windows\pss\MaxMem.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OADP Utility.lnk]
backup=c:\windows\pss\OADP Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Printing Start.lnk]
backup=c:\windows\pss\Sabre Printing Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Server.lnk]
backup=c:\windows\pss\Sabre Server.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-12-12 13:37 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2004-12-31 16:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Sabre Server (JSERVER)]
--a--c--- 2004-07-30 14:21 57344 c:\sabre\Apps\Portal\jserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-20 13:38 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-06 08:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 16:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.5]
--a------ 2003-09-30 17:39 61440 c:\program files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-06 13:59 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-05-09 14:56 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2003-06-10 11:47 155648 c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\SABRE\\Apps\\OADP\\OadpUtil.exe"=
"c:\\WINDOWS\\sabserv.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"28178:TCP"= 28178:TCP:PORT_28178
"30375:TCP"= 30375:TCP:PORT_30375
"7260:TCP"= 7260:TCP:PORT_7260
"17311:TCP"= 17311:TCP:PORT_17311
"63767:TCP"= 63767:TCP:PORT_63767
"14664:TCP"= 14664:TCP:PORT_14664
"25305:TCP"= 25305:TCP:PORT_25305
"29176:TCP"= 29176:TCP:PORT_29176
"21356:TCP"= 21356:TCP:PORT_21356
"44500:TCP"= 44500:TCP:PORT_44500
"28341:TCP"= 28341:TCP:PORT_28341
"59758:TCP"= 59758:TCP:PORT_59758
"59516:TCP"= 59516:TCP:PORT_59516
"26621:TCP"= 26621:TCP:PORT_26621
"43785:TCP"= 43785:TCP:PORT_43785
"47981:TCP"= 47981:TCP:PORT_47981
"30200:TCP"= 30200:TCP:PORT_30200
"51870:TCP"= 51870:TCP:PORT_51870
"9116:TCP"= 9116:TCP:PORT_9116
"39273:TCP"= 39273:TCP:PORT_39273
"46404:TCP"= 46404:TCP:PORT_46404
"43832:TCP"= 43832:TCP:PORT_43832
"42910:TCP"= 42910:TCP:PORT_42910
"9976:TCP"= 9976:TCP:PORT_9976
"15226:TCP"= 15226:TCP:PORT_15226
"45479:TCP"= 45479:TCP:PORT_45479
"57588:TCP"= 57588:TCP:PORT_57588
"45398:TCP"= 45398:TCP:PORT_45398
"19376:TCP"= 19376:TCP:PORT_19376
"13308:TCP"= 13308:TCP:PORT_13308
"24958:TCP"= 24958:TCP:PORT_24958
"35835:TCP"= 35835:TCP:PORT_35835
"39281:TCP"= 39281:TCP:PORT_39281
"6235:TCP"= 6235:TCP:PORT_6235
"25007:TCP"= 25007:TCP:PORT_25007
"32458:TCP"= 32458:TCP:PORT_32458
"57614:TCP"= 57614:TCP:PORT_57614
"13804:TCP"= 13804:TCP:PORT_13804
"42113:TCP"= 42113:TCP:PORT_42113
"50337:TCP"= 50337:TCP:PORT_50337
"46391:TCP"= 46391:TCP:PORT_46391
"44122:TCP"= 44122:TCP:PORT_44122
"60707:TCP"= 60707:TCP:PORT_60707
"36918:TCP"= 36918:TCP:PORT_36918
"53707:TCP"= 53707:TCP:PORT_53707
"41551:TCP"= 41551:TCP:PORT_41551

R2 CfgSrvc;Config Service Helper;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 HsspConfig;HSSP Configuration Module;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 SabrePrint;Sabre Printing Module;c:\sabre\Apps\OADP\Oadp.exe [2005-04-20 487424]
R2 SDMan;Sabre Device Manager;c:\windows\sdman.exe [2005-04-20 106496]
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 09:46]

2009-02-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-02-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.globaldiscoveryvacations.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 18:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-24 18:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 23:18:05
ComboFix2.txt 2009-02-20 23:10:23

Pre-Run: 69,574,541,312 bytes free
Post-Run: 69,607,108,608 bytes free

363 --- E O F --- 2009-02-21 03:54:13

peku006
2009-02-25, 09:49
Hi joshwg

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\xxyawvvS.dll.vir
c:\windows\system32\drivers\uojftzzl.sys
c:\windows\system32\uacinit.dll

Folder::
C:\1931901390

FCOPY::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe | c:\windows\system32\userinit.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe | c:\windows\system32\dllcache\userinit.exe



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Status Check
Please reply with

the ComboFix log(C:\ComboFix.txt)

Thanks peku006

joshwg
2009-02-26, 01:36
ComboFix 09-02-25.02 - Administrator 2009-02-25 18:31:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.304 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\uojftzzl.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\xxyawvvS.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\1931901390\

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe --> c:\windows\system32\userinit.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe --> c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-25 18:31 . 2009-02-25 18:31 <DIR> d-------- c:\windows\LastGood
2009-02-25 18:31 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\OLD3.tmp
2009-02-24 18:20 . 2009-02-24 19:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 18:20 . 2009-02-24 18:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 18:20 . 2009-02-24 18:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-24 18:20 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 18:20 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 18:46 . 2009-02-19 18:46 <DIR> d-------- C:\_OTMoveIt
2009-02-18 18:08 . 2009-02-18 17:54 2,876,728 --a------ c:\program files\mbam-setup.exe
2009-02-18 18:02 . 2009-02-18 18:02 <DIR> d-------- C:\rsit
2009-02-13 21:39 . 2009-02-13 21:39 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 21:04 . 2009-02-13 21:04 <DIR> d-------- c:\program files\ERUNT
2009-02-11 17:09 . 2009-02-11 17:09 2 --a------ C:\1931901390
2009-02-07 14:23 . 2009-02-07 14:23 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2009-02-07 10:23 . 2009-02-07 10:23 <DIR> d-------- c:\windows\RegCure
2009-02-07 10:23 . 2009-02-13 21:40 <DIR> d-------- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-10 01:46 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-10 01:39 --------- d-----w c:\program files\Common Files\Adobe
2009-01-10 01:39 --------- d-----w c:\program files\Bonjour
2009-01-10 01:29 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-02-24_18.17.17.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\LastGood\system32\userinit.exe
- 2007-10-26 03:34:01 8,460,288 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\system32\dllcache\shell32.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 01:56:18 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2007-10-26 03:34:01 8,460,288 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\system32\shell32.dll
- 2007-10-29 10:04:03 350,720 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w c:\windows\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sabre Task Tray Icon"="c:\sabre\Sabstart.exe" [2001-05-25 20992]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MaxMem.lnk]
backup=c:\windows\pss\MaxMem.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OADP Utility.lnk]
backup=c:\windows\pss\OADP Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Printing Start.lnk]
backup=c:\windows\pss\Sabre Printing Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sabre Server.lnk]
backup=c:\windows\pss\Sabre Server.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-12-12 13:37 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2004-12-31 16:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Sabre Server (JSERVER)]
--a--c--- 2004-07-30 14:21 57344 c:\sabre\Apps\Portal\jserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-20 13:38 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-06 08:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 16:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.5]
--a------ 2003-09-30 17:39 61440 c:\program files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-06 13:59 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-05-09 14:56 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2003-06-10 11:47 155648 c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\SABRE\\Apps\\OADP\\OadpUtil.exe"=
"c:\\WINDOWS\\sabserv.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"28178:TCP"= 28178:TCP:PORT_28178
"30375:TCP"= 30375:TCP:PORT_30375
"7260:TCP"= 7260:TCP:PORT_7260
"17311:TCP"= 17311:TCP:PORT_17311
"63767:TCP"= 63767:TCP:PORT_63767
"14664:TCP"= 14664:TCP:PORT_14664
"25305:TCP"= 25305:TCP:PORT_25305
"29176:TCP"= 29176:TCP:PORT_29176
"21356:TCP"= 21356:TCP:PORT_21356
"44500:TCP"= 44500:TCP:PORT_44500
"28341:TCP"= 28341:TCP:PORT_28341
"59758:TCP"= 59758:TCP:PORT_59758
"59516:TCP"= 59516:TCP:PORT_59516
"26621:TCP"= 26621:TCP:PORT_26621
"43785:TCP"= 43785:TCP:PORT_43785
"47981:TCP"= 47981:TCP:PORT_47981
"30200:TCP"= 30200:TCP:PORT_30200
"51870:TCP"= 51870:TCP:PORT_51870
"9116:TCP"= 9116:TCP:PORT_9116
"39273:TCP"= 39273:TCP:PORT_39273
"46404:TCP"= 46404:TCP:PORT_46404
"43832:TCP"= 43832:TCP:PORT_43832
"42910:TCP"= 42910:TCP:PORT_42910
"9976:TCP"= 9976:TCP:PORT_9976
"15226:TCP"= 15226:TCP:PORT_15226
"45479:TCP"= 45479:TCP:PORT_45479
"57588:TCP"= 57588:TCP:PORT_57588
"45398:TCP"= 45398:TCP:PORT_45398
"19376:TCP"= 19376:TCP:PORT_19376
"13308:TCP"= 13308:TCP:PORT_13308
"24958:TCP"= 24958:TCP:PORT_24958
"35835:TCP"= 35835:TCP:PORT_35835
"39281:TCP"= 39281:TCP:PORT_39281
"6235:TCP"= 6235:TCP:PORT_6235
"25007:TCP"= 25007:TCP:PORT_25007
"32458:TCP"= 32458:TCP:PORT_32458
"57614:TCP"= 57614:TCP:PORT_57614
"13804:TCP"= 13804:TCP:PORT_13804
"42113:TCP"= 42113:TCP:PORT_42113
"50337:TCP"= 50337:TCP:PORT_50337
"46391:TCP"= 46391:TCP:PORT_46391
"44122:TCP"= 44122:TCP:PORT_44122
"60707:TCP"= 60707:TCP:PORT_60707
"36918:TCP"= 36918:TCP:PORT_36918
"53707:TCP"= 53707:TCP:PORT_53707
"41551:TCP"= 41551:TCP:PORT_41551

R2 CfgSrvc;Config Service Helper;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 HsspConfig;HSSP Configuration Module;c:\windows\system32\CfgSrvc.exe [2005-04-20 55296]
R2 SabrePrint;Sabre Printing Module;c:\sabre\Apps\OADP\Oadp.exe [2005-04-20 487424]
R2 SDMan;Sabre Device Manager;c:\windows\sdman.exe [2005-04-20 106496]
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 09:46]

2009-02-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.globaldiscoveryvacations.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 18:34:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-25 18:35:39
ComboFix-quarantined-files.txt 2009-02-25 23:35:04
ComboFix2.txt 2009-02-24 23:18:09
ComboFix3.txt 2009-02-20 23:10:23

Pre-Run: 69,524,631,552 bytes free
Post-Run: 69,541,560,320 bytes free

217 --- E O F --- 2009-02-25 01:18:50

peku006
2009-02-26, 09:43
Hi joshwg

1 - Update Java

Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) and unzip it to your desktop.

Double-click on JavaRa.exe to start the program.
Click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
A log file will pop up. Please save it to a convenient location.

Download the latest version of Java Runtime Environment (JRE) 6 Update 12 (http://java.sun.com/javase/downloads/index.jsp).

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

2 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


3 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

joshwg
2009-02-27, 03:00
Things seem to be running much better.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:57 PM, on 2/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\system32\CfgSrvc.exe
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://wildmatch.com/videoservice/ChatSource/hVideoContol.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\system32\CfgSrvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7042 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 26, 2009 23:24:55
Records in database: 1849955
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 60848
Threat name: 8
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 01:09:19


File name / Threat name / Threats count
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1
C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mousehook.dll.vir Infected: Backdoor.Win32.Agent.adqt 1
C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll.vir Infected: Backdoor.Win32.Agent.adqt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_UACcnodddoj_.sys.zip Infected: Rootkit.Win32.TDSS.gwh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbvykdlsv.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\WINDOWS\system32\alrhsvcs.exe Infected: Packed.Win32.NSAnti.r 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G8XD66QE\index[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.iye 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MTNA4CJH\upd105320[1] Infected: Trojan.Win32.Monder.ayvw 1
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\998.exe Infected: Trojan-Downloader.Win32.Murlo.abj 1
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\frmwrk32.exe Infected: Trojan-Downloader.Win32.Murlo.abj 1
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\krqkdwsk.dll Infected: Trojan.Win32.Monder.ayvw 1
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\nlgwps.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.iye 1
C:\_OTMoveIt\MovedFiles\02192009_184605\WINDOWS\system32\tpsucwes.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.iye 1

The selected area was scanned.

peku006
2009-02-27, 10:12
Hi joshwg

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file
C:\WINDOWS\system32\alrhsvcs.exe

avg antispyware 7.5 is no longer supported and should be uninstalled.

After that.............

Congratulations, your log looks clean! :)

Next we remove all used tools.

Delete RSIT from your desktop, also delete this folder C:\rsit.

uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:

joshwg
2009-02-28, 03:05
I downloaded the links you gave me plus downloaded the latest AVG anti virus.

AVG detected something called SABRE as being a trojan right away. It said it fixed it and moved it to the vault. Is this something to be concerned about?

peku006
2009-02-28, 09:44
Hi joshwg
Can you tell me where it was located and what is its full name was ?

Thanks peku006

joshwg
2009-02-28, 17:06
c:\sabre\sabstart.exe

peku006
2009-02-28, 17:56
Hi joshwg

sabstart.exe belonging to Sabstart Application

it is legal (http://www.spywaredata.com/spyware/malware/sabstart.exe.php)

joshwg
2009-03-04, 00:30
ok well other than that you have been GREAT!!! Thank you for helping fix this nightmare!!!

peku006
2009-03-04, 11:02
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.