View Full Version : SHeur2 Problems!! Please help! (Resolved)
I got attacked by the SHeur2 trojan today out of the blue, and need some help getting rid of it. From other sites, including a previous thread on this website, I've seen the consensus of running combofix, which I installed and ran (see the log below).
I was told by the directions to post the log and see if anyone can see files that I must manually delete. I ran ad-aware and AVG 7.5 with no real avail, then went straight to combofix which seems to have at least gotten things to run smoother, though my desktop image is now gone :sad:.
I have Windows XP 32-bit version, and I'll be happy to supply any more information you might need.
Here's the log from combofix (my primary harddrive being designated "G" while my secondary harddrive being labled C - all windows system files obviously being in G):
ComboFix 09-04-04.01 - Petrie 2009-04-06 18:45:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1474 [GMT -5:00]
Running from: g:\documents and settings\Petrie\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\docume~1\Petrie\LOCALS~1\Temp\mousehook.dll
g:\docume~1\Petrie\LOCALS~1\Temp\ntdll64.dll
g:\windows\system32\ahtn.htm
g:\windows\system32\amiwezik.ini
g:\windows\system32\drivers\senekabiqqyexm.sys
g:\windows\system32\frmwrk32.exe
g:\windows\system32\kizewima.dll
g:\windows\system32\ntdll64.exe
g:\windows\system32\uniq.tll
g:\windows\system32\warning.gif
g:\windows\system32\win32hlp.cnf
Infected copy of g:\windows\system32\userinit.exe was found and disinfected
Restored copy from - g:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-06 18:33 . 2009-04-06 18:33 27,648 --a------ g:\windows\system32\winsetupsm.exe
2009-04-06 18:18 . 2009-04-06 18:18 27,648 --a------ g:\windows\system32\winsetupsn.exe
2009-03-29 22:43 . 2009-03-29 23:15 <DIR> d-------- g:\documents and settings\Petrie\Application Data\Media Player Classic
2009-03-29 22:38 . 2009-03-29 22:38 <DIR> d-------- g:\program files\Essentials Codec Pack
2009-03-27 14:24 . 2008-04-13 13:45 15,104 --a------ g:\windows\system32\drivers\usbscan.sys
2009-03-27 14:24 . 2008-04-13 13:45 15,104 --a--c--- g:\windows\system32\dllcache\usbscan.sys
2009-03-22 23:23 . 2009-03-22 23:23 <DIR> d-------- g:\windows\system32\IOSUBSYS
2009-03-22 23:22 . 2009-03-22 23:23 <DIR> d-------- g:\program files\Google
2009-03-12 23:27 . 2009-03-12 23:27 <DIR> d-------- g:\program files\Garmin
2009-03-12 23:13 . 2009-03-12 23:19 <DIR> d-------- G:\GARMIN
2009-03-12 23:02 . 2009-03-13 00:33 <DIR> d-------- g:\program files\Palm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:33 --------- d-----w g:\documents and settings\All Users\Application Data\avg7
2009-04-05 02:06 --------- d-----w g:\documents and settings\Petrie\Application Data\U3
2009-03-26 20:09 --------- d-----w g:\documents and settings\Petrie\Application Data\LimeWire
2009-03-26 05:29 --------- d-----w g:\documents and settings\Petrie\Application Data\AVG7
2009-03-13 04:24 --------- d--h--w g:\program files\InstallShield Installation Information
2009-03-11 08:01 --------- d-----w g:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 04:16 64,160 ----a-w g:\windows\system32\drivers\Lbd.sys
2009-03-05 04:16 --------- d-----w g:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 04:12 --------- dc-h--w g:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 04:12 --------- d-----w g:\program files\Lavasoft
2009-02-06 19:34 --------- d-----w g:\program files\FAATP2008
2009-02-03 16:30 137 ---ha-w g:\documents and settings\Petrie\Application Data\lakerda1967.sys
2009-02-03 16:29 360,580 ----a-w g:\windows\eSellerateEngine.dll
2008-06-12 18:55 724,984 ----a-w g:\documents and settings\Petrie\gotomypc_437.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3}]
2009-01-06 18:03 47616 --ahs---- g:\windows\system32\powabino.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="g:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="g:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="g:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"Launch Ai Booster"="g:\program files\ASUS\AI Booster\OverClk.exe" [2006-11-28 3714048]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2005-04-22 86016]
"AVG7_CC"="g:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="g:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAXPnP"="g:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"WinampAgent"="g:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"EPSON Stylus CX4800 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Monitor"="g:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Ad-Watch"="g:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"CPM73b98422"="g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
"Mpivicidu"="g:\windows\owireqij.dll" [2008-04-13 156672]
"nwiz"="nwiz.exe" [2005-04-22 g:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="g:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
g:\documents and settings\Petrie\Start Menu\Programs\Startup\
HotSync Manager.lnk - g:\program files\Palm\HOTSYNC.EXE [2002-08-09 299008]
g:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - g:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "g:\windows\system32\yazabozo.dll" [2009-04-06 87552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\yazabozo.dll [2009-04-06 87552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uapvmso.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2005-06-30 14:03 200704 g:\windows\system32\sw20.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2005-07-04 13:29 69632 g:\windows\system32\sw24.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"g:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"g:\\Program Files\\Trillian\\trillian.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Music\\LimeWire\\LimeWire.exe"=
"g:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Winamp\\winampa.exe"=
R0 Lbd;Lbd;g:\windows\system32\drivers\Lbd.sys [2009-03-04 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;g:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-02 24652]
R3 PAC207;Basic Webcam;g:\windows\system32\drivers\PFC027.SYS [2006-11-20 506112]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-02 g:\windows\Tasks\Ad-Aware Update (Weekly).job
- g:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 23:15]
2009-04-02 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-06 g:\windows\Tasks\WECPUpdate.job
- g:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 09:28]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKLM-Run-fuzofehiho - g:\windows\system32\migobemu.dll
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - g:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} - hxxp://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
FF - ProfilePath - g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\3ikw2f4r.default\
FF - component: g:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\3ikw2f4r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: g:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 18:47:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthhskcmjdaruuvhlyjiyotkjtqoifittcc]
"imagepath"="\systemroot\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
g:\windows\uapvmso.dll
g:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
g:\progra~1\Grisoft\AVG7\avgamsvr.exe
g:\progra~1\Grisoft\AVG7\avgupsvc.exe
g:\progra~1\Grisoft\AVG7\avgemc.exe
g:\windows\system32\nvsvc32.exe
g:\windows\system32\wdfmgr.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
g:\windows\system32\wbem\unsecapp.exe
g:\windows\system32\wscntfy.exe
g:\windows\system32\rundll32.exe
g:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-06 18:51:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 23:50:59
Pre-Run: 120,259,862,528 bytes free
Post-Run: 120,611,692,544 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
209 --- E O F --- 2009-03-23 08:01:12
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I've seen the consensus of running combofix, which I installed and ran
You should also have seen something like this in the Combofix instructions
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
LimeWire
Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
AdAware
Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
Open AdAware
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.
----------------------------------------------------------- -----------------------------------------------------------
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?t=47504
Comment:: Katana
Suspect::[4]
g:\windows\system32\winsetupsm.exe
g:\windows\system32\winsetupsn.exe
g:\windows\uapvmso.dll
g:\windows\owireqij.dll
g:\windows\system32\yazabozo.dll
g:\windows\system32\powabino.dll
g:\windows\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys
File::
g:\windows\uapvmso.dll
g:\windows\owireqij.dll
g:\windows\system32\yazabozo.dll
g:\windows\system32\powabino.dll
g:\windows\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys
Folder::
c:\Music\LimeWire
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"=-
"CPM73b98422"=-
"Mpivicidu"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Music\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthhskcmjdaruuvhlyjiyotkjtqoifittcc]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Combofix Log
RSIT Logs
How are things running now ?
I removed the p2p program soon after I first posted on this thread. I had only used it twice while scanning for viruses each time. I know that doesn't guarentee anything, but I'm doing what I can.
Below is the ComboFix log that was ran with the instructions given. I look forward to hearing back.
ComboFix Log
ComboFix 09-04-13.04 - Petrie 2009-04-12 15:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -5:00]
Running from: g:\documents and settings\Petrie\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Petrie\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
* Resident AV is active
FILE ::
g:\windows\owireqij.dll
g:\windows\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys
g:\windows\system32\powabino.dll
g:\windows\system32\yazabozo.dll
g:\windows\uapvmso.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\windows\system32\drivers\ovfsthfemapmhnwrdrswjmkaklptfjuitjtlpp.sys
g:\windows\system32\ovfsthaogupsrnewvnityckiylwngrdshdopnp.dat
g:\windows\system32\ovfsthgoyrdipyugpoihripkcesunnqjnqvfko.dll
g:\windows\system32\ovfsthskrldcscoicxmhcnjdxjtkjogbxyhayn.dat
g:\windows\system32\ovfsthwonpppdusugwnjulxlukelarwtokepmr.dll
g:\windows\system32\ovfsthxdqeocltuwbrnemklyrwfsncspnvftcv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthhskcmjdaruuvhlyjiyotkjtqoifittcc
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.
2009-04-09 20:41 . 2009-04-09 20:41 -------- d-----w g:\documents and settings\All Users\Application Data\U3
2009-04-09 05:15 . 2009-04-09 05:15 -------- d-----w G:\VundoFix Backups
2009-04-09 03:03 . 2009-04-09 03:03 -------- d-----w g:\documents and settings\Petrie\Application Data\Malwarebytes
2009-04-09 03:02 . 2009-04-06 20:32 15504 ----a-w g:\windows\system32\drivers\mbam.sys
2009-04-09 03:02 . 2009-04-06 20:32 38496 ----a-w g:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 03:02 . 2009-04-09 03:02 -------- d-----w g:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 02:19 . 2009-04-09 02:19 38400 ------w g:\windows\system32\winsetupgl.exe
2009-04-09 02:13 . 2009-04-09 04:52 -------- d-----w g:\documents and settings\Petrie\Application Data\HouseCall 6.6
2009-04-09 02:05 . 2009-04-13 20:29 54156 ---ha-w g:\windows\QTFont.qfn
2009-04-09 02:05 . 2009-04-09 02:05 13588 ----a-w g:\windows\system32\wpa.bak
2009-04-09 02:05 . 2009-04-13 20:29 7412 ----a-w g:\windows\system32\nvdb02.adghz
2009-04-09 02:04 . 2009-04-13 20:29 13646 ----a-w g:\windows\system32\wpa.dbl
2009-04-09 01:07 . 2009-04-09 03:43 -------- d-----w g:\windows\system32\bad
2009-04-09 00:39 . 2009-04-09 00:39 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\{0F574142-F61A-4216-BBF9-65D625683500}
2009-04-07 22:02 . 2009-04-07 22:02 95 ----a-w g:\windows\wininit.ini
2009-04-07 21:27 . 2009-04-12 20:20 -------- d-----w G:\QUARANTINE
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\documents and settings\All Users\Application Data\McAfee
2009-04-07 21:07 . 2006-11-17 08:06 280 ----a-w g:\windows\system32\epoPGPsdk.dll.sig
2009-04-07 21:07 . 2006-11-17 08:06 1495552 ----a-w g:\windows\system32\epoPGPsdk.dll
2009-04-07 21:07 . 2006-11-30 13:50 72264 ----a-w g:\windows\system32\drivers\mfeavfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 64360 ----a-w g:\windows\system32\drivers\mfeapfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 52136 ----a-w g:\windows\system32\drivers\mfetdik.sys
2009-04-07 21:07 . 2006-11-30 13:50 34152 ----a-w g:\windows\system32\drivers\mfebopk.sys
2009-04-07 21:07 . 2006-11-30 13:50 168776 ----a-w g:\windows\system32\drivers\mfehidk.sys
2009-04-07 21:00 . 2009-04-12 02:33 -------- d-----w g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 23:32 . 2009-04-08 20:56 -------- d-----w G:\Qoobox.bad
2009-03-30 03:43 . 2009-03-30 04:15 -------- d-----w g:\documents and settings\Petrie\Application Data\Media Player Classic
2009-03-27 19:24 . 2008-04-13 18:45 15104 -c--a-w g:\windows\system32\dllcache\usbscan.sys
2009-03-27 19:24 . 2008-04-13 18:45 15104 ----a-w g:\windows\system32\drivers\usbscan.sys
2009-03-23 04:23 . 2009-03-23 04:26 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\Google
2009-03-23 04:23 . 2009-03-23 04:23 -------- d-----w g:\windows\system32\IOSUBSYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 05:43 . 2009-04-09 05:15 478 ----a-w G:\VundoFix.txt
2009-04-09 03:03 . 2009-04-09 03:02 -------- d-----w g:\program files\Malwarebytes' Anti-Malware
2009-04-09 01:15 . 2008-09-09 05:42 -------- d-----w g:\documents and settings\Petrie\Application Data\Skype
2009-04-07 21:14 . 2009-04-07 21:00 -------- d-----w g:\program files\Spybot - Search & Destroy
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\Cisco Systems
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\McAfee
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\McAfee
2009-04-07 21:05 . 2007-09-25 19:07 -------- d-----w g:\documents and settings\All Users\Application Data\avg7
2009-04-07 21:05 . 2007-09-25 19:08 -------- d-----w g:\documents and settings\Petrie\Application Data\AVG7
2009-04-07 20:52 . 2009-04-07 20:52 -------- d-----w g:\program files\Trend Micro
2009-04-07 20:48 . 2009-04-07 20:48 -------- d-----w g:\program files\CCleaner
2009-04-05 02:06 . 2007-09-26 04:06 -------- d-----w g:\documents and settings\Petrie\Application Data\U3
2009-03-30 03:38 . 2009-03-30 03:38 -------- d-----w g:\program files\Essentials Codec Pack
2009-03-26 20:09 . 2008-09-04 04:03 -------- d-----w g:\documents and settings\Petrie\Application Data\LimeWire
2009-03-23 04:23 . 2009-03-23 04:22 -------- d-----w g:\program files\Google
2009-03-13 05:33 . 2009-03-13 04:02 -------- d-----w g:\program files\Palm
2009-03-13 04:27 . 2009-03-13 04:27 -------- d-----w g:\program files\Garmin
2009-03-13 04:24 . 2007-09-25 18:26 -------- d--h--w g:\program files\InstallShield Installation Information
2009-03-13 04:03 . 2009-03-13 04:03 186 ----a-w G:\mapinstall.log
2009-03-11 08:01 . 2007-09-26 03:47 -------- d-----w g:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 04:16 . 2009-03-05 04:12 -------- d-----w g:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 04:16 . 2009-03-05 04:21 15688 ----a-w g:\windows\system32\lsdelete.exe
2009-03-05 04:16 . 2009-03-05 04:16 64160 ----a-w g:\windows\system32\drivers\Lbd.sys
2009-03-05 04:12 . 2009-03-05 04:12 -------- dc-h--w g:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 04:12 . 2009-03-05 04:12 -------- d-----w g:\program files\Lavasoft
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w g:\windows\system32\win32k.sys
2009-02-03 16:30 . 2009-02-03 16:29 137 ---ha-w g:\documents and settings\Petrie\Application Data\lakerda1967.sys
2008-09-23 05:18 . 2007-10-10 00:08 70840 ----a-w g:\documents and settings\Petrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 00:38 . 2009-01-09 00:38 79872 --sha-w g:\windows\system32\bad\yizodonu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="g:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="g:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SunJavaUpdateSched"="g:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAXPnP"="g:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Launch Ai Booster"="g:\program files\ASUS\AI Booster\OverClk.exe" [2006-11-28 3714048]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EPSON Stylus CX4800 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"AsusStartupHelp"="g:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"ShStatEXE"="g:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="g:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
g:\documents and settings\Petrie\Start Menu\Programs\Startup\
HotSync Manager.lnk - g:\program files\Palm\HOTSYNC.EXE [2002-08-09 299008]
LaunchU3.exe.lnk - g:\documents and settings\Petrie\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2009-04-09 1078]
g:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - g:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uapvmso.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Program Files\\Trillian\\trillian.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"g:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Winamp\\winampa.exe"=
"g:\\Program Files\\Palm\\HOTSYNC.EXE"=
"g:\\Program Files\\iPod\\bin\\iPodService.exe"=
"g:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"g:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"g:\\WINDOWS\\system32\\dwwin.exe"=
"g:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
S0 Lbd;Lbd;g:\windows\system32\DRIVERS\Lbd.sys [2009-03-04 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;g:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 PAC207;Basic Webcam;g:\windows\system32\DRIVERS\PFC027.SYS [2006-11-20 506112]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67d53d9b-6b99-11dc-a243-001a92b06500}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-09 g:\windows\Tasks\Ad-Aware Update (Weekly).job
- g:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 23:15]
2009-04-09 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-13 g:\windows\Tasks\WECPUpdate.job
- g:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 09:28]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - g:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} - hxxp://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
FF - ProfilePath - g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\zaanqcy6.default\
FF - component: g:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: g:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
g:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\McAfee\Common Framework\Mctray.exe
g:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
g:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
g:\program files\McAfee\Common Framework\FrameworkService.exe
g:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
g:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
g:\windows\system32\nvsvc32.exe
g:\windows\system32\wdfmgr.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
g:\program files\McAfee\Common Framework\naPrdMgr.exe
g:\program files\iPod\bin\iPodService.exe
g:\windows\system32\wbem\unsecapp.exe
g:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-04-13 15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 20:32
ComboFix2.txt 2009-04-12 02:32
Pre-Run: 122,998,747,136 bytes free
Post-Run: 123,037,802,496 bytes free
224 --- E O F --- 2009-03-23 08:01
Do you have the RSIT logs ?
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
I have them now. I'll copy both below:
RSIT Log (1):
info.txt logfile of random's system information tool 1.06 2009-04-13 21:11:25
======Uninstall list======
-->G:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->G:\WINDOWS\system32\msiuins.exe
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 G:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
3ivx MPEG-4 5.0.2 (remove only)-->"G:\Program Files\3ivx\3ivx MPEG-4 5.0.2\uninstaller.exe"
Ad-Aware-->"G:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->G:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
Adobe Flash Player 10 Plugin-->G:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->G:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player-->G:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE G:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Aerosim CRJ200 VFD 2.1.15.1-->G:\PROGRA~1\Aerosim\BASECR~1\UNWISE.EXE G:\PROGRA~1\Aerosim\BASECR~1\INSTALL.LOG
Aerosim JetPac - CRJ200-->G:\PROGRA~1\Aerosim\JETPAC~1\UNWISE.EXE G:\PROGRA~1\Aerosim\JETPAC~1\INSTALL.LOG
AI Booster-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{74BF0A46-DF67-4D86-B038-BF0E51871B66}\setup.exe" -l0x9
AIM 6-->G:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASUSUpdate-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
AviSynth 2.5-->"G:\Program Files\AviSynth 2.5\Uninstall.exe"
Basic Webcam -->G:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{35AD8A37-8ECE-4E97-A34E-B15BFEF0E2F2} /l1033
CCleaner (remove only)-->"G:\Program Files\CCleaner\uninst.exe"
DivX Codec-->G:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->G:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->G:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Web Player-->G:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON Printer Software-->G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->G:\Program Files\epson\escndv\setup\setup.exe /r
Gleim's FAA Test Prep 2008 2008-->G:\Program Files\FAATP2008\setup.exe
High Definition Audio Driver Package - KB888111-->G:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2-->"G:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"G:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HouseCall 6.6-->"G:\Documents and Settings\Petrie\Application Data\HouseCall 6.6\uninstaller.exe"
InterActual Player-->G:\Program Files\InterActual\InterActual Player\inuninst.exe
iQue - Detail Map Install-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{B6E3E1E1-65D6-443A-AD17-485534AE4995}\Setup.exe" -l0x9 AddRemove
iQue - MapInstall and ContactLocation-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{A7C9EE7F-AB00-47D6-98D5-01AE126C7355}\setup.exe" -l0x9 AddRemove
iTunes-->MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware-->"G:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - City Select North America v6-->G:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{5F8434AA-E977-4A28-8D39-35969565DF53} /l1033
McAfee AntiSpyware Enterprise Module-->"G:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Flight Simulator X-->G:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"G:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.8)-->G:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers-->G:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->G:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
Palm Desktop for Garmin iQue 3600-->MsiExec.exe /X{C1C1BAE4-1777-415B-8893-2FE0280195DD}
PC Probe II-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Picasa 3-->"G:\Program Files\Google\Picasa3\Uninstall.exe"
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Visio 2007 (KB947590)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Media Player (KB952069)-->"G:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->G:\WINDOWS\system32\MacroMed\Flash\genuinst.exe G:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"G:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"G:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"G:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"G:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"G:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"G:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"G:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"G:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"G:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"G:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"G:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"G:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"G:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"G:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"G:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"G:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"G:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"G:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"G:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"G:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"G:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"G:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"G:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"G:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"G:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"G:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"G:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"G:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"G:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"G:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"G:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"G:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"G:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"G:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy-->"G:\Program Files\Spybot - Search & Destroy\unins000.exe"
Trillian-->G:\Program Files\Trillian\trillian.exe /uninstall
U3Launcher-->MsiExec.exe /I{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb962871)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {297857BF-4011-449B-BD74-DB64D182821C}
Update for Windows XP (KB951072-v2)-->"G:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"G:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"G:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"G:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Videora iPod Converter 3.07-->G:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Viewpoint Media Player-->G:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->G:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WebCam Suite 2.0-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{DF157E38-A290-4265-844B-687E5707899E}\Setup.exe" -l0x9
Winamp-->"G:\Program Files\Winamp\UninstWA.exe"
Windows Essentials Media Codec Pack 2.2c-->G:\Program Files\Essentials Codec Pack\uninst.exe
Windows Media Format Runtime-->"G:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"G:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Install Manager-->G:\WINDOWS\system32\regsvr32 /u G:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger-->G:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U G:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
=====HijackThis Backups=====
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - G:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [2009-04-07]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-04-07]
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\nogayeda.dll (file missing) [2009-04-08]
O4 - HKUS\.DEFAULT\..\Run: [InetChk] G:\WINDOWS\TEMP\ms1239147459.exe work (User 'Default user') [2009-04-08]
O4 - HKLM\..\Run: [SW24] G:\WINDOWS\system32\sw24.exe [2009-04-08]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [2009-04-08]
O4 - HKUS\S-1-5-18\..\Run: [InetChk] G:\WINDOWS\TEMP\ms1239147459.exe work (User 'SYSTEM') [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-04-08]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install [2009-04-08]
O2 - BHO: (no name) - {33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3} - G:\WINDOWS\system32\jegulufo.dll (file missing) [2009-04-08]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup [2009-04-08]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-04-08]
O4 - HKLM\..\Run: [SW20] G:\WINDOWS\system32\sw20.exe [2009-04-08]
O4 - HKLM\..\Run: [Monitor] G:\WINDOWS\PixArt\PAC207\Monitor.exe [2009-04-08]
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\nogayeda.dll (file missing) [2009-04-08]
O2 - BHO: (no name) - {33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3} - G:\WINDOWS\system32\jegulufo.dll (file missing) [2009-04-08]
O4 - HKLM\..\Run: [Mpivicidu] rundll32.exe "G:\WINDOWS\egizifow.dll",e [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O1 - Hosts: 82.98.231.89 best-click-scanner.info [2009-04-08]
O20 - AppInit_DLLs: g:\windows\system32\nogayeda.dll,G:\WINDOWS\system32\wumomara.dll [2009-04-08]
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com [2009-04-08]
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O4 - HKLM\..\Run: [Mpivicidu] rundll32.exe "G:\WINDOWS\egizifow.dll",e [2009-04-08]
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [2009-04-08]
O20 - AppInit_DLLs: G:\WINDOWS\system32\wumomara.dll [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O4 - HKLM\..\Run: [Mpivicidu] rundll32.exe "G:\WINDOWS\egizifow.dll",e [2009-04-08]
O2 - BHO: (no name) - {33ffaaa3-bc9c-400e-93b9-3abcccf4f1e3} - G:\WINDOWS\system32\jegulufo.dll (file missing) [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\yuwehosu.dll",s [2009-04-08]
O4 - HKLM\..\Run: [Mpivicidu] rundll32.exe "G:\WINDOWS\egizifow.dll",e [2009-04-08]
O20 - AppInit_DLLs: G:\WINDOWS\system32\wumomara.dll [2009-04-08]
O4 - HKLM\..\Run: [Mpivicidu] rundll32.exe "G:\WINDOWS\egizifow.dll",e [2009-04-08]
O20 - AppInit_DLLs: G:\WINDOWS\system32\wumomara.dll [2009-04-08]
O4 - HKLM\..\Run: [fuzofehiho] Rundll32.exe "G:\WINDOWS\system32\wumomara.dll",s [2009-04-08]
======Security center information======
AV: VirusScan Enterprise + AntiSpyware Enterprise
======System event log======
Computer Name: JRICHTE
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 4803
Source Name: Tcpip
Time Written: 20080916012750.000000-300
Event Type: warning
User:
Computer Name: JRICHTE
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 4802
Source Name: Tcpip
Time Written: 20080915202310.000000-300
Event Type: warning
User:
Computer Name: JRICHTE
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 4801
Source Name: W32Time
Time Written: 20080915081219.000000-300
Event Type: warning
User:
Computer Name: JRICHTE
Event Code: 4199
Message: The system detected an address conflict for IP address 192.168.1.3 with the system
having network hardware address 00:13:02:6E:38:2C. Network operations on this system may
be disrupted as a result.
Record Number: 4799
Source Name: Tcpip
Time Written: 20080914221040.000000-300
Event Type: error
User:
Computer Name: JRICHTE
Event Code: 4199
Message: The system detected an address conflict for IP address 192.168.1.3 with the system
having network hardware address 00:13:02:6E:38:2C. Network operations on this system may
be disrupted as a result.
Record Number: 4797
Source Name: Tcpip
Time Written: 20080914221040.000000-300
Event Type: error
User:
=====Application event log=====
Computer Name: JRICHTE
Event Code: 1002
Message: Hanging application aim6.exe, version 1.4.9.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 801
Source Name: Application Hang
Time Written: 20081109213328.000000-360
Event Type: error
User:
Computer Name: JRICHTE
Event Code: 1002
Message: Hanging application firefox.exe, version 1.8.20080.17373, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 756
Source Name: Application Hang
Time Written: 20081009010045.000000-300
Event Type: error
User:
Computer Name: JRICHTE
Event Code: 1002
Message: Hanging application iTunes.exe, version 7.6.1.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 750
Source Name: Application Hang
Time Written: 20080923184441.000000-300
Event Type: error
User:
Computer Name: JRICHTE
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 741
Source Name: WinMgmt
Time Written: 20080917185406.000000-300
Event Type: warning
User: JRICHTE\Petrie
Computer Name: JRICHTE
Event Code: 1000
Message: Faulting application firefox.exe, version 1.8.20080.4669, faulting module firefox.exe, version 1.8.20080.4669, fault address 0x0052ff5b.
Record Number: 704
Source Name: Application Error
Time Written: 20080829000444.000000-300
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;G:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;G:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=G:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"VSEDEFLOGDIR"=G:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=G:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
-----------------EOF-----------------
RSIT Log (2):
Logfile of random's system information tool 1.06 (written by random/random)
Run by Petrie at 2009-04-13 21:11:23
Microsoft Windows XP Home Edition Service Pack 3
System drive G: has 117 GB (77%) free of 153 GB
Total RAM: 2046 MB (73% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:24 PM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Winamp\winampa.exe
G:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
G:\Program Files\Analog Devices\Core\smax4pnp.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
G:\Program Files\McAfee\Common Framework\UdaterUI.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\McAfee\Common Framework\McTray.exe
G:\Program Files\Palm\HOTSYNC.EXE
G:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\McAfee\Common Framework\FrameworkService.exe
G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Viewpoint\Common\ViewpointService.exe
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
G:\WINDOWS\explorer.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Petrie\Desktop\RSIT.exe
G:\Program Files\Trend Micro\HijackThis\Petrie.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - G:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [WinampAgent] "G:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Launch Ai Booster] "G:\Program Files\ASUS\AI Booster\OverClk.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [AsusStartupHelp] G:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [updateMgr] G:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = G:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://G:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - G:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} (LicenseClientControl Class) - http://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - G:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - G:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - G:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7849 bytes
======Scheduled tasks folder======
G:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
G:\WINDOWS\tasks\AppleSoftwareUpdate.job
G:\WINDOWS\tasks\WECPUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - G:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - G:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll [2006-11-30 67136]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=G:\Program Files\Winamp\winampa.exe [2007-12-20 37376]
"SunJavaUpdateSched"=G:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"SoundMAXPnP"=G:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-10-05 868352]
"QuickTime Task"=G:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"Launch Ai Booster"=G:\Program Files\ASUS\AI Booster\OverClk.exe [2006-11-28 3714048]
"iTunesHelper"=G:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]
"GrooveMonitor"=G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"EPSON Stylus CX4800 Series"=G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE [2005-02-02 98304]
"AsusStartupHelp"=G:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe [2006-11-14 363008]
"NvCplDaemon"=G:\WINDOWS\system32\NvCpl.dll [2005-04-22 5898240]
"ShStatEXE"=G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
"McAfeeUpdaterUI"=G:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=G:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"SpybotSD TeaTimer"=G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=G:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2
"Avg7UpdSvc"=2
"Avg7Alrt"=2
G:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
G:\Documents and Settings\Petrie\Start Menu\Programs\Startup
HotSync Manager.lnk - G:\Program Files\Palm\HOTSYNC.EXE
LaunchU3.exe.lnk - G:\Documents and Settings\Petrie\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
uapvmso.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"G:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="G:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"G:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="G:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"G:\Program Files\Trillian\trillian.exe"="G:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"G:\Program Files\iTunes\iTunes.exe"="G:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"G:\Program Files\Yahoo!\Messenger\YServer.exe"="G:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"G:\Program Files\Common Files\AOL\Loader\aolload.exe"="G:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"G:\Program Files\AIM6\aim6.exe"="G:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"G:\WINDOWS\system32\dpvsetup.exe"="G:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"G:\Program Files\Skype\Phone\Skype.exe"="G:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"G:\Program Files\Winamp\winampa.exe"="G:\Program Files\Winamp\winampa.exe:*:Enabled:winampa"
"G:\Program Files\Palm\HOTSYNC.EXE"="G:\Program Files\Palm\HOTSYNC.EXE:*:Enabled:HOTSYNC"
"G:\Program Files\iPod\bin\iPodService.exe"="G:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"
"G:\Program Files\McAfee\Common Framework\FrameworkService.exe"="G:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe"="G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe:*:Enabled:nSvcAppFlt"
"G:\WINDOWS\system32\dwwin.exe"="G:\WINDOWS\system32\dwwin.exe:*:Enabled:dwwin"
"G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67d53d9b-6b99-11dc-a243-001a92b06500}]
shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{823f74d0-6b61-11dc-a10b-806d6172696f}]
shell\AutoRun\command - F:\Programs\nu2menu\nu2menu.exe
======List of files/folders created in the last 1 months======
2009-04-13 21:11:23 ----D---- G:\rsit
2009-04-13 15:32:18 ----D---- G:\WINDOWS\temp
2009-04-12 15:13:07 ----D---- G:\ComboFix
2009-04-11 21:33:46 ----SHD---- G:\RECYCLER
2009-04-11 21:25:37 ----D---- G:\Qoobox
2009-04-09 15:41:19 ----D---- G:\Documents and Settings\All Users\Application Data\U3
2009-04-09 00:15:43 ----D---- G:\VundoFix Backups
2009-04-09 00:15:43 ----A---- G:\VundoFix.txt
2009-04-08 22:03:10 ----D---- G:\Documents and Settings\Petrie\Application Data\Malwarebytes
2009-04-08 22:02:07 ----D---- G:\Program Files\Malwarebytes' Anti-Malware
2009-04-08 22:02:07 ----D---- G:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-08 21:19:54 ----N---- G:\WINDOWS\system32\winsetupgl.exe
2009-04-08 21:13:53 ----D---- G:\Documents and Settings\Petrie\Application Data\HouseCall 6.6
2009-04-08 21:05:41 ----A---- G:\WINDOWS\system32\wpa.bak
2009-04-08 21:04:55 ----A---- G:\WINDOWS\SchedLgU.Txt
2009-04-08 20:07:15 ----D---- G:\WINDOWS\system32\bad
2009-04-07 17:02:57 ----A---- G:\WINDOWS\wininit.ini
2009-04-07 16:27:17 ----D---- G:\QUARANTINE
2009-04-07 16:07:38 ----D---- G:\Program Files\Common Files\Cisco Systems
2009-04-07 16:07:38 ----D---- G:\Documents and Settings\All Users\Application Data\McAfee
2009-04-07 16:07:38 ----A---- G:\WINDOWS\system32\epoPGPsdk.dll.sig
2009-04-07 16:07:38 ----A---- G:\WINDOWS\system32\epoPGPsdk.dll
2009-04-07 16:07:10 ----D---- G:\Program Files\McAfee
2009-04-07 16:07:10 ----D---- G:\Program Files\Common Files\McAfee
2009-04-07 16:00:21 ----D---- G:\Program Files\Spybot - Search & Destroy
2009-04-07 16:00:21 ----D---- G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-07 15:52:31 ----D---- G:\Program Files\Trend Micro
2009-04-07 15:48:22 ----D---- G:\Program Files\CCleaner
2009-04-06 18:42:44 ----A---- G:\Boot.bak
2009-04-06 18:42:41 ----RASHD---- G:\cmdcons
2009-04-06 18:41:02 ----A---- G:\WINDOWS\zip.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\VFIND.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\SWXCACLS.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\SWSC.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\SWREG.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\sed.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\NIRCMD.exe
2009-04-06 18:41:02 ----A---- G:\WINDOWS\grep.exe
2009-04-06 18:36:34 ----D---- G:\WINDOWS\ERDNT
2009-04-06 18:32:25 ----D---- G:\Qoobox.bad
2009-03-29 22:43:14 ----D---- G:\Documents and Settings\Petrie\Application Data\Media Player Classic
2009-03-29 22:38:30 ----D---- G:\Program Files\Essentials Codec Pack
2009-03-22 23:23:06 ----D---- G:\WINDOWS\system32\IOSUBSYS
2009-03-22 23:22:58 ----D---- G:\Program Files\Google
======List of files/folders modified in the last 1 months======
2009-04-13 21:10:22 ----D---- G:\Program Files\Mozilla Firefox
2009-04-13 15:41:17 ----D---- G:\WINDOWS\Prefetch
2009-04-13 15:32:19 ----D---- G:\WINDOWS\system32\drivers
2009-04-13 15:32:19 ----D---- G:\WINDOWS\system32
2009-04-13 15:32:18 ----D---- G:\WINDOWS
2009-04-13 15:31:51 ----D---- G:\WINDOWS\system32\CatRoot2
2009-04-13 15:29:38 ----A---- G:\WINDOWS\system.ini
2009-04-13 15:23:56 ----D---- G:\WINDOWS\system32\config
2009-04-13 15:23:30 ----D---- G:\WINDOWS\AppPatch
2009-04-13 15:23:30 ----D---- G:\Program Files\Common Files
2009-04-10 14:16:40 ----D---- G:\WINDOWS\system32\NtmsData
2009-04-09 15:41:20 ----SHD---- G:\WINDOWS\Installer
2009-04-09 00:38:01 ----A---- G:\WINDOWS\win.ini
2009-04-09 00:13:49 ----D---- G:\Documents and Settings
2009-04-08 22:02:07 ----RD---- G:\Program Files
2009-04-08 21:27:03 ----D---- G:\Documents and Settings\Petrie\Application Data\Mozilla
2009-04-08 20:15:17 ----D---- G:\Documents and Settings\Petrie\Application Data\Skype
2009-04-08 01:35:41 ----D---- G:\Program Files\Internet Explorer
2009-04-07 18:23:21 ----SHD---- G:\System Volume Information
2009-04-07 18:23:21 ----D---- G:\WINDOWS\system32\Restore
2009-04-07 16:22:10 ----D---- G:\WINDOWS\Debug
2009-04-07 16:22:09 ----D---- G:\WINDOWS\Minidump
2009-04-07 16:05:41 ----SD---- G:\Documents and Settings\Petrie\Application Data\Microsoft
2009-04-07 16:05:41 ----D---- G:\WINDOWS\system
2009-04-07 16:05:41 ----D---- G:\Documents and Settings\All Users\Application Data\avg7
2009-04-07 16:05:31 ----D---- G:\Documents and Settings\Petrie\Application Data\AVG7
2009-04-07 03:47:14 ----RHD---- G:\$VAULT$.AVG
2009-04-06 18:46:08 ----RSHDC---- G:\WINDOWS\system32\dllcache
2009-04-06 18:42:44 ----RASH---- G:\boot.ini
2009-04-04 21:06:33 ----D---- G:\Documents and Settings\Petrie\Application Data\U3
2009-03-29 22:38:35 ----SD---- G:\WINDOWS\Tasks
2009-03-27 14:23:20 ----HD---- G:\WINDOWS\inf
2009-03-26 15:09:56 ----D---- G:\Documents and Settings\Petrie\Application Data\LimeWire
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AsIO;AsIO; G:\WINDOWS\system32\drivers\AsIO.sys [2006-10-18 12664]
R1 intelppm;Intel Processor Driver; G:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; G:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mferkdk;VSCore mferkdk; \??\G:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; G:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R1 NVTCP;NVIDIA TCP/IP Protocol Driver; G:\WINDOWS\System32\DRIVERS\NVTcp.sys [2006-08-07 110080]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; G:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 tmcomm;tmcomm; \??\G:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ADIDTSFiltService;ADI DTS Filter Service; G:\WINDOWS\system32\drivers\adidts.sys [2006-09-01 139776]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; G:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-09-07 247296]
R3 AEAudio;AE Audio Service; G:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-29 94080]
R3 Arp1394;1394 ARP Client Protocol; G:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEARAspiWDM; G:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; G:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; G:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mfeapfk;McAfee Inc.; G:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; G:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; G:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; G:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 mouhid;Mouse HID Driver; G:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; G:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; G:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; G:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-04-22 3095680]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; G:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-08-07 52736]
R3 nvnetbus;NVIDIA Network Bus Enumerator; G:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-08-07 18944]
R3 PAC207;Basic Webcam; G:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-20 506112]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; G:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; G:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; G:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R4 catchme;catchme; \??\G:\DOCUME~1\Petrie\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; G:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; G:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; G:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; G:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PalmUSBD;PalmUSBD; G:\WINDOWS\system32\drivers\PalmUSBD.sys [2003-05-19 16772]
S3 SLIP;BDA Slip De-Framer; G:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; G:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; G:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; G:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; G:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; G:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;World Standard Teletext Codec; G:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; G:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2006-09-08 172032]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; G:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 McAfeeFramework;McAfee Framework Service; G:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 nSvcIp;ForceWare IP service; G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-09-08 172090]
R2 NVSvc;NVIDIA Display Driver Service; G:\WINDOWS\system32\nvsvc32.exe [2005-04-22 127043]
R2 UMWdf;Windows User Mode Driver Framework; G:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; G:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; G:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 aspnet_state;ASP.NET State Service; G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; G:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-31 136120]
S3 IDriverT;InstallDriver Table Manager; G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; G:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; G:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; G:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
-----------------EOF-----------------
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
I assumed you wanted the log posted once I was finished...
Kaspersky Scanner Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 13, 2009 20:46:29
Records in database: 2041343
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics:
Files scanned: 105972
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:03:59
File name / Threat name / Threats count
G:\Documents and Settings\Petrie\.housecall6.6\Quarantine\ms1239062557.exe.bac_a02316 Infected: Backdoor.Win32.Rbot.kpe 1
G:\Documents and Settings\Petrie\.housecall6.6\Quarantine\T-5088466-giving up ghost bt[high quality].snd.bac_a02316 Infected: Trojan-Downloader.WMA.GetCodec.s 1
The selected area was scanned.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DirLook::
G:\Qoobox.bad
G:\WINDOWS\system32\bad
File::
G:\VundoFix.txt
G:\WINDOWS\system32\winsetupgl.exe
G:\WINDOWS\wininit.ini
Folder::
G:\Documents and Settings\Petrie\Application Data\LimeWire
G:\Documents and Settings\Petrie\Application Data\HouseCall 6.6
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------- -----------------------------------------------------------
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download Java SE Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp). ( don't install it yet )
Scroll down to where it says "Java SE Runtime Environment (JRE)".
Click the "Download" button to the right.
Platform = Windows Language = Multi Language
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Now download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box)
You can delete JavaRa (zip and exe)
Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended
There is a newer version of Adobe Acrobat Reader available.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
When the installation is complete go to Add/Remove Programs and uninstall all previous versions.
Adobe Reader 7.0.9
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Are there any problems now ?
Combo Fix Log
ComboFix 09-04-14.09 - Petrie 04/15/2009 10:04.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1442 [GMT -5:00]
Running from: g:\documents and settings\Petrie\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Petrie\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
G:\VundoFix.txt
g:\windows\system32\winsetupgl.exe
g:\windows\wininit.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\documents and settings\Petrie\Application Data\HouseCall 6.6
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\AU_Log\TmuDump.txt
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\aucfg.ini
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Backup\winsetupgl.exe.bac_a01696
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\BPMNT.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\ciussi32.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\client-defaults.profile.xml
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\dsvout.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\engine.stat
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\fullscan.profile.xml
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\getMac.exe
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\GetServer.ini
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\jlea.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\lea.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\local.conf
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\log\2009-04-08-21-31-26.infections
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\log\dsvout.log
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\log\housecall0.log
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\lpt$vpn.953
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\mfc80.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\mfc80u.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\mfcm80.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\mfcm80u.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Microsoft.VC80.CRT.manifest
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Microsoft.VC80.MFC.manifest
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\msvcm80.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\msvcp80.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\msvcr80.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\patch.exe
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\PATCHW32.DLL
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\server-defaults.profile.xml
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\ssapi.log
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\ssapi.log.bak
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\ssapi32.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\ssapiptn.da5
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tmcomm.cat
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tmcomm.inf
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tmcomm.sys
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\TmEngDrv.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tmlogo.ico
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\TmUpdate.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\TMVAmain.ptn
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Toolkit.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tsc.exe
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\tsc.ptn
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\uninstall.dat
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Uninstaller.exe
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Update\AU_Cache\ushousecall02.trendmicro.com\ini_xml.zip
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\Update\AU_Cache\ushousecall02.trendmicro.com\ini_xml.zip.etag
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\vsapi32.dll
g:\documents and settings\Petrie\Application Data\HouseCall 6.6\vscan.dat
g:\documents and settings\Petrie\Application Data\LimeWire
g:\documents and settings\Petrie\Application Data\LimeWire\active.mojito
g:\documents and settings\Petrie\Application Data\LimeWire\certificate\limewire.keystore
g:\documents and settings\Petrie\Application Data\LimeWire\createtimes.cache
g:\documents and settings\Petrie\Application Data\LimeWire\downloads.dat
g:\documents and settings\Petrie\Application Data\LimeWire\fileurns.bak
g:\documents and settings\Petrie\Application Data\LimeWire\fileurns.cache
g:\documents and settings\Petrie\Application Data\LimeWire\filters.props
g:\documents and settings\Petrie\Application Data\LimeWire\gnutella.net
g:\documents and settings\Petrie\Application Data\LimeWire\installation.props
g:\documents and settings\Petrie\Application Data\LimeWire\library.dat
g:\documents and settings\Petrie\Application Data\LimeWire\limewire.props
g:\documents and settings\Petrie\Application Data\LimeWire\mojito.props
g:\documents and settings\Petrie\Application Data\LimeWire\passive.mojito
g:\documents and settings\Petrie\Application Data\LimeWire\promotion\promodb.backup
g:\documents and settings\Petrie\Application Data\LimeWire\promotion\promodb.data
g:\documents and settings\Petrie\Application Data\LimeWire\promotion\promodb.properties
g:\documents and settings\Petrie\Application Data\LimeWire\promotion\promodb.script
g:\documents and settings\Petrie\Application Data\LimeWire\questions.props
g:\documents and settings\Petrie\Application Data\LimeWire\responses.cache
g:\documents and settings\Petrie\Application Data\LimeWire\simpp.xml
g:\documents and settings\Petrie\Application Data\LimeWire\spam.dat
g:\documents and settings\Petrie\Application Data\LimeWire\tables.props
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme.lwtp
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\01_star.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\02_star.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\03_star.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\04_star.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\05_star.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\chat.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\forward_up.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\kill.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\kill_on.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\pause_up.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\play_dn.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\play_up.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\question.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\stop_up.gif
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\theme.txt
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\version.txt
g:\documents and settings\Petrie\Application Data\LimeWire\themes\windows_theme\warning.gif
g:\documents and settings\Petrie\Application Data\LimeWire\ttrees.cache
g:\documents and settings\Petrie\Application Data\LimeWire\ttroot.cache
g:\documents and settings\Petrie\Application Data\LimeWire\version.xml
g:\documents and settings\Petrie\Application Data\LimeWire\versions.props
g:\documents and settings\Petrie\Application Data\LimeWire\xml\data\audio.sxml2
G:\VundoFix.txt
g:\windows\wininit.ini
.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.
2009-04-14 02:11 . 2009-04-14 02:11 -------- d-----w G:\rsit
2009-04-09 20:41 . 2009-04-09 20:41 -------- d-----w g:\documents and settings\All Users\Application Data\U3
2009-04-09 05:15 . 2009-04-09 05:15 -------- d-----w G:\VundoFix Backups
2009-04-09 03:03 . 2009-04-09 03:03 -------- d-----w g:\documents and settings\Petrie\Application Data\Malwarebytes
2009-04-09 03:02 . 2009-04-06 20:32 15504 ----a-w g:\windows\system32\drivers\mbam.sys
2009-04-09 03:02 . 2009-04-06 20:32 38496 ----a-w g:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 03:02 . 2009-04-09 03:02 -------- d-----w g:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 02:05 . 2009-04-15 15:07 54156 ---ha-w g:\windows\QTFont.qfn
2009-04-09 02:05 . 2009-04-09 02:05 13588 ----a-w g:\windows\system32\wpa.bak
2009-04-09 02:05 . 2009-04-15 15:07 8152 ----a-w g:\windows\system32\nvdb02.adghz
2009-04-09 02:04 . 2009-04-15 15:07 13646 ----a-w g:\windows\system32\wpa.dbl
2009-04-09 01:07 . 2009-04-09 03:43 -------- d-----w g:\windows\system32\bad
2009-04-09 00:39 . 2009-04-09 00:39 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\{0F574142-F61A-4216-BBF9-65D625683500}
2009-04-07 21:27 . 2009-04-15 09:26 -------- d-----w G:\QUARANTINE
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\documents and settings\All Users\Application Data\McAfee
2009-04-07 21:07 . 2006-11-17 08:06 280 ----a-w g:\windows\system32\epoPGPsdk.dll.sig
2009-04-07 21:07 . 2006-11-17 08:06 1495552 ----a-w g:\windows\system32\epoPGPsdk.dll
2009-04-07 21:07 . 2006-11-30 13:50 72264 ----a-w g:\windows\system32\drivers\mfeavfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 64360 ----a-w g:\windows\system32\drivers\mfeapfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 52136 ----a-w g:\windows\system32\drivers\mfetdik.sys
2009-04-07 21:07 . 2006-11-30 13:50 34152 ----a-w g:\windows\system32\drivers\mfebopk.sys
2009-04-07 21:07 . 2006-11-30 13:50 168776 ----a-w g:\windows\system32\drivers\mfehidk.sys
2009-04-07 21:00 . 2009-04-12 02:33 -------- d-----w g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 23:32 . 2009-04-08 20:56 -------- d-----w G:\Qoobox.bad
2009-03-30 03:43 . 2009-03-30 04:15 -------- d-----w g:\documents and settings\Petrie\Application Data\Media Player Classic
2009-03-27 19:24 . 2008-04-13 18:45 15104 -c--a-w g:\windows\system32\dllcache\usbscan.sys
2009-03-27 19:24 . 2008-04-13 18:45 15104 ----a-w g:\windows\system32\drivers\usbscan.sys
2009-03-23 04:23 . 2009-03-23 04:26 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\Google
2009-03-23 04:23 . 2009-03-23 04:23 -------- d-----w g:\windows\system32\IOSUBSYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 03:03 . 2009-04-09 03:02 -------- d-----w g:\program files\Malwarebytes' Anti-Malware
2009-04-09 01:15 . 2008-09-09 05:42 -------- d-----w g:\documents and settings\Petrie\Application Data\Skype
2009-04-09 00:38 . 2009-01-09 00:38 79872 --sha-w g:\windows\system32\bad\yizodonu.dll
2009-04-07 21:14 . 2009-04-07 21:00 -------- d-----w g:\program files\Spybot - Search & Destroy
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\Cisco Systems
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\McAfee
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\McAfee
2009-04-07 21:05 . 2007-09-25 19:07 -------- d-----w g:\documents and settings\All Users\Application Data\avg7
2009-04-07 21:05 . 2007-09-25 19:08 -------- d-----w g:\documents and settings\Petrie\Application Data\AVG7
2009-04-07 20:52 . 2009-04-07 20:52 -------- d-----w g:\program files\Trend Micro
2009-04-07 20:48 . 2009-04-07 20:48 -------- d-----w g:\program files\CCleaner
2009-04-05 02:06 . 2007-09-26 04:06 -------- d-----w g:\documents and settings\Petrie\Application Data\U3
2009-03-30 03:38 . 2009-03-30 03:38 -------- d-----w g:\program files\Essentials Codec Pack
2009-03-23 04:23 . 2009-03-23 04:22 -------- d-----w g:\program files\Google
2009-03-13 05:33 . 2009-03-13 04:02 -------- d-----w g:\program files\Palm
2009-03-13 04:27 . 2009-03-13 04:27 -------- d-----w g:\program files\Garmin
2009-03-13 04:24 . 2007-09-25 18:26 -------- d--h--w g:\program files\InstallShield Installation Information
2009-03-13 04:03 . 2009-03-13 04:03 186 ----a-w G:\mapinstall.log
2009-03-11 08:01 . 2007-09-26 03:47 -------- d-----w g:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 04:16 . 2009-03-05 04:12 -------- d-----w g:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 04:16 . 2009-03-05 04:21 15688 ----a-w g:\windows\system32\lsdelete.exe
2009-03-05 04:16 . 2009-03-05 04:16 64160 ----a-w g:\windows\system32\drivers\Lbd.sys
2009-03-05 04:12 . 2009-03-05 04:12 -------- dc-h--w g:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 04:12 . 2009-03-05 04:12 -------- d-----w g:\program files\Lavasoft
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w g:\windows\system32\win32k.sys
2009-02-03 16:30 . 2009-02-03 16:29 137 ---ha-w g:\documents and settings\Petrie\Application Data\lakerda1967.sys
2008-09-23 05:18 . 2007-10-10 00:08 70840 ----a-w g:\documents and settings\Petrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of G:\Qoobox.bad ----
---- Directory of g:\windows\system32\bad ----
2009-04-07 20:59 . 2009-04-07 20:59 155 ----a-w g:\windows\system32\bad\SelfDel.bat
2009-04-06 23:33 . 2009-04-06 23:33 27648 ----a-w g:\windows\system32\bad\winsetupsm.exe
2009-04-06 23:18 . 2009-04-06 23:18 27648 ----a-w g:\windows\system32\bad\winsetupsn.exe
2009-01-09 00:38 . 2009-04-09 00:38 79872 --sha-w g:\windows\system32\bad\yizodonu.dll
2009-01-06 22:48 . 2009-04-09 01:03 11168 ---ha-w g:\windows\system32\bad\nowabame
2007-09-25 18:38 . 2009-04-07 23:24 12642 ----a-w g:\windows\system32\bad\wpa.bak
2007-09-25 18:30 . 2009-04-09 00:38 80672 ----a-w g:\windows\system32\bad\nvdb02.adghz
2007-09-25 18:26 . 2009-04-09 01:00 0 ----a-w g:\windows\system32\bad\nmp.log
2005-04-22 15:54 . 2009-04-09 00:38 22175 ----a-w g:\windows\system32\bad\nvapps.xml
2004-08-04 12:00 . 2009-04-07 23:24 12642 ----a-w g:\windows\system32\bad\wpa.dbl
((((((((((((((((((((((((((((( SnapShot@2009-04-13_15.31.53.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 15:06 . 2005-10-21 01:02 163328 g:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 20:23 . 2005-10-21 01:02 163328 g:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="g:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="g:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SunJavaUpdateSched"="g:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAXPnP"="g:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Launch Ai Booster"="g:\program files\ASUS\AI Booster\OverClk.exe" [2006-11-28 3714048]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EPSON Stylus CX4800 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"AsusStartupHelp"="g:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"ShStatEXE"="g:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="g:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
g:\documents and settings\Petrie\Start Menu\Programs\Startup\
HotSync Manager.lnk - g:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]
LaunchU3.exe.lnk - g:\documents and settings\Petrie\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2009-4-9 1078]
g:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - g:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli uapvmso.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Program Files\\Trillian\\trillian.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"g:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Winamp\\winampa.exe"=
"g:\\Program Files\\Palm\\HOTSYNC.EXE"=
"g:\\Program Files\\iPod\\bin\\iPodService.exe"=
"g:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"g:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"g:\\WINDOWS\\system32\\dwwin.exe"=
"g:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
S0 Lbd;Lbd;g:\windows\system32\DRIVERS\Lbd.sys [2009-03-05 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;g:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632]
S2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 PAC207;Basic Webcam;g:\windows\system32\DRIVERS\PFC027.SYS [2006-11-20 506112]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67d53d9b-6b99-11dc-a243-001a92b06500}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 g:\windows\Tasks\Ad-Aware Update (Weekly).job
- g:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 04:15]
2009-04-09 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2009-04-15 g:\windows\Tasks\WECPUpdate.job
- g:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - g:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} - hxxp://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
FF - ProfilePath - g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\zaanqcy6.default\
FF - component: g:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: g:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 10:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(752)
g:\windows\system32\nvappfilter.dll
- - - - - - - > 'explorer.exe'(1624)
g:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
g:\program files\Spybot - Search & Destroy\SDHelper.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\McAfee\Common Framework\Mctray.exe
g:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
g:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
g:\program files\McAfee\Common Framework\FrameworkService.exe
g:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
g:\program files\McAfee\Common Framework\naPrdMgr.exe
g:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
g:\windows\system32\nvsvc32.exe
g:\windows\system32\wdfmgr.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
g:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
g:\windows\system32\wbem\unsecapp.exe
g:\program files\iPod\bin\iPodService.exe
g:\program files\Lavasoft\Ad-Aware\AAWTray.exe
g:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-15 15:10
ComboFix2.txt 2009-04-12 02:32
Pre-Run: 122,880,610,304 bytes free
Post-Run: 122,874,691,584 bytes free
335 --- E O F --- 2009-03-23 08:01
Are there any problems now ?
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Folder::
g:\windows\system32\bad
Driver::
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Here's the new log. There doesn't seem to be any more problems... the only thing saying otherwise is the code, which you would know more than me about. The symptoms are gone though. Thank you so much!!!
ComboFix Log
ComboFix 09-04-14.09 - Petrie 04/14/2009 16:37.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT -5:00]
Running from: g:\documents and settings\Petrie\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Petrie\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\windows\system32\bad
g:\windows\system32\bad\nmp.log
g:\windows\system32\bad\nowabame
g:\windows\system32\bad\nvapps.xml
g:\windows\system32\bad\nvdb02.adghz
g:\windows\system32\bad\SelfDel.bat
g:\windows\system32\bad\winsetupsm.exe
g:\windows\system32\bad\winsetupsn.exe
g:\windows\system32\bad\wpa.bak
g:\windows\system32\bad\wpa.dbl
g:\windows\system32\bad\yizodonu.dll
.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-15 19:00 . 2008-04-14 00:12 18432 -c--a-w g:\windows\system32\dllcache\bdaplgin.ax
2009-04-15 18:59 . 2001-08-17 17:49 23552 -c--a-w g:\windows\system32\dllcache\atixbar.sys
2009-04-15 18:40 . 2009-04-15 18:40 -------- d-----w g:\windows\system32\XPSViewer
2009-04-15 18:40 . 2008-07-06 12:06 89088 -c----w g:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-15 18:40 . 2008-07-06 12:06 575488 -c----w g:\windows\system32\dllcache\xpsshhdr.dll
2009-04-15 18:40 . 2008-07-06 12:06 575488 ------w g:\windows\system32\xpsshhdr.dll
2009-04-15 18:40 . 2008-07-06 12:06 117760 ------w g:\windows\system32\prntvpt.dll
2009-04-15 18:40 . 2008-07-06 10:50 597504 -c----w g:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-15 18:40 . 2009-04-15 18:40 -------- d-----w G:\387aea75e61215366b
2009-04-15 18:40 . 2008-07-06 12:06 1676288 -c----w g:\windows\system32\dllcache\xpssvcs.dll
2009-04-15 18:40 . 2008-07-06 12:06 1676288 ------w g:\windows\system32\xpssvcs.dll
2009-04-15 18:39 . 2009-04-15 18:51 -------- d-----w g:\windows\SxsCaPendDel
2009-04-15 18:36 . 2009-04-14 20:59 200712 ----a-w g:\windows\system32\nvapps.xml
2009-04-15 18:35 . 2009-04-15 18:59 1374 ----a-w g:\windows\imsins.BAK
2009-04-15 18:35 . 2009-04-15 18:35 -------- d-----w g:\windows\system32\drivers\UMDF
2009-04-15 18:35 . 2009-04-15 18:35 -------- d-----w g:\windows\system32\LogFiles
2009-04-09 20:41 . 2009-04-09 20:41 -------- d-----w g:\documents and settings\All Users\Application Data\U3
2009-04-09 03:03 . 2009-04-09 03:03 -------- d-----w g:\documents and settings\Petrie\Application Data\Malwarebytes
2009-04-09 03:02 . 2009-04-06 20:32 15504 ----a-w g:\windows\system32\drivers\mbam.sys
2009-04-09 03:02 . 2009-04-06 20:32 38496 ----a-w g:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 03:02 . 2009-04-09 03:02 -------- d-----w g:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 02:05 . 2009-04-14 20:59 54156 ---ha-w g:\windows\QTFont.qfn
2009-04-09 02:05 . 2009-04-09 02:05 13588 ----a-w g:\windows\system32\wpa.bak
2009-04-09 02:05 . 2009-04-14 20:59 14812 ----a-w g:\windows\system32\nvdb02.adghz
2009-04-09 02:04 . 2009-04-14 19:55 13646 ----a-w g:\windows\system32\wpa.dbl
2009-04-09 00:39 . 2009-04-09 00:39 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\{0F574142-F61A-4216-BBF9-65D625683500}
2009-04-07 21:27 . 2009-04-14 21:36 -------- d-----w G:\QUARANTINE
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\documents and settings\All Users\Application Data\McAfee
2009-04-07 21:07 . 2006-11-17 08:06 280 ----a-w g:\windows\system32\epoPGPsdk.dll.sig
2009-04-07 21:07 . 2006-11-17 08:06 1495552 ----a-w g:\windows\system32\epoPGPsdk.dll
2009-04-07 21:07 . 2006-11-30 13:50 72264 ----a-w g:\windows\system32\drivers\mfeavfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 64360 ----a-w g:\windows\system32\drivers\mfeapfk.sys
2009-04-07 21:07 . 2006-11-30 13:50 52136 ----a-w g:\windows\system32\drivers\mfetdik.sys
2009-04-07 21:07 . 2006-11-30 13:50 34152 ----a-w g:\windows\system32\drivers\mfebopk.sys
2009-04-07 21:07 . 2006-11-30 13:50 168776 ----a-w g:\windows\system32\drivers\mfehidk.sys
2009-04-07 21:00 . 2009-04-15 17:59 -------- d-----w g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-30 03:43 . 2009-03-30 04:15 -------- d-----w g:\documents and settings\Petrie\Application Data\Media Player Classic
2009-03-27 19:24 . 2008-04-13 18:45 15104 -c--a-w g:\windows\system32\dllcache\usbscan.sys
2009-03-27 19:24 . 2008-04-13 18:45 15104 ----a-w g:\windows\system32\drivers\usbscan.sys
2009-03-23 04:23 . 2009-03-23 04:26 -------- d-----w g:\documents and settings\Petrie\Local Settings\Application Data\Google
2009-03-23 04:23 . 2009-03-23 04:23 -------- d-----w g:\windows\system32\IOSUBSYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 18:57 . 2009-04-15 18:57 -------- d-----w g:\program files\Common Files\Adobe AIR
2009-04-15 18:56 . 2009-04-15 18:56 -------- d-----w g:\program files\Common Files\Adobe
2009-04-15 18:44 . 2007-09-26 03:47 -------- d-----w g:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 18:43 . 2009-04-15 18:43 -------- d-----w g:\program files\Microsoft Silverlight
2009-04-15 18:40 . 2009-04-15 18:40 -------- d-----w g:\program files\Reference Assemblies
2009-04-15 18:35 . 2009-04-15 18:35 -------- d-----w g:\program files\Windows Media Connect 2
2009-04-15 18:32 . 2009-04-15 18:33 410984 ----a-w g:\windows\system32\deploytk.dll
2009-04-15 18:32 . 2007-10-23 16:01 -------- d-----w g:\program files\Java
2009-04-14 21:00 . 2007-10-10 00:08 70840 ----a-w g:\documents and settings\Petrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 03:03 . 2009-04-09 03:02 -------- d-----w g:\program files\Malwarebytes' Anti-Malware
2009-04-09 01:15 . 2008-09-09 05:42 -------- d-----w g:\documents and settings\Petrie\Application Data\Skype
2009-04-07 21:14 . 2009-04-07 21:00 -------- d-----w g:\program files\Spybot - Search & Destroy
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\Cisco Systems
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\McAfee
2009-04-07 21:07 . 2009-04-07 21:07 -------- d-----w g:\program files\Common Files\McAfee
2009-04-07 21:05 . 2007-09-25 19:07 -------- d-----w g:\documents and settings\All Users\Application Data\avg7
2009-04-07 20:52 . 2009-04-07 20:52 -------- d-----w g:\program files\Trend Micro
2009-04-07 20:48 . 2009-04-07 20:48 -------- d-----w g:\program files\CCleaner
2009-04-05 02:06 . 2007-09-26 04:06 -------- d-----w g:\documents and settings\Petrie\Application Data\U3
2009-03-30 03:38 . 2009-03-30 03:38 -------- d-----w g:\program files\Essentials Codec Pack
2009-03-23 04:23 . 2009-03-23 04:22 -------- d-----w g:\program files\Google
2009-03-13 05:33 . 2009-03-13 04:02 -------- d-----w g:\program files\Palm
2009-03-13 04:27 . 2009-03-13 04:27 -------- d-----w g:\program files\Garmin
2009-03-13 04:24 . 2007-09-25 18:26 -------- d--h--w g:\program files\InstallShield Installation Information
2009-03-13 04:03 . 2009-03-13 04:03 186 ----a-w G:\mapinstall.log
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w g:\windows\system32\pdh.dll
2009-03-05 04:16 . 2009-03-05 04:12 -------- d-----w g:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 04:16 . 2009-03-05 04:21 15688 ----a-w g:\windows\system32\lsdelete.exe
2009-03-05 04:16 . 2009-03-05 04:16 64160 ----a-w g:\windows\system32\drivers\Lbd.sys
2009-03-05 04:12 . 2009-03-05 04:12 -------- dc-h--w g:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 04:12 . 2009-03-05 04:12 -------- d-----w g:\program files\Lavasoft
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w g:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w g:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w g:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w g:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w g:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w g:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w g:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w g:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w g:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w g:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w g:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w g:\windows\system32\secur32.dll
2009-02-03 16:30 . 2009-02-03 16:29 137 ---ha-w g:\documents and settings\Petrie\Application Data\lakerda1967.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="g:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SoundMAXPnP"="g:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Launch Ai Booster"="g:\program files\ASUS\AI Booster\OverClk.exe" [2006-11-28 3714048]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EPSON Stylus CX4800 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"AsusStartupHelp"="g:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"ShStatEXE"="g:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="g:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Monitor"="g:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"nwiz"="nwiz.exe" - g:\windows\system32\nwiz.exe [2008-09-18 1657376]
g:\documents and settings\Petrie\Start Menu\Programs\Startup\
HotSync Manager.lnk - g:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]
LaunchU3.exe.lnk - g:\documents and settings\Petrie\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2009-4-9 1078]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Program Files\\Trillian\\trillian.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"g:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Winamp\\winampa.exe"=
"g:\\Program Files\\Palm\\HOTSYNC.EXE"=
"g:\\Program Files\\iPod\\bin\\iPodService.exe"=
"g:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"g:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"g:\\WINDOWS\\system32\\dwwin.exe"=
"g:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
S0 Lbd;Lbd;g:\windows\system32\DRIVERS\Lbd.sys [2009-03-05 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;g:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632]
S2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 PAC207;Basic Webcam;g:\windows\system32\DRIVERS\PFC027.SYS [2006-11-20 506112]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 g:\windows\Tasks\Ad-Aware Update (Weekly).job
- g:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 04:15]
2009-04-09 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2009-04-14 g:\windows\Tasks\WECPUpdate.job
- g:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - g:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - g:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8B9692D7-5A38-460A-8975-4C6EBC579B87} - hxxp://training.aerosim.com/cab/LicenseUpdate/LicenseUpdate.cab
FF - ProfilePath - g:\documents and settings\Petrie\Application Data\Mozilla\Firefox\Profiles\zaanqcy6.default\
FF - component: g:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: g:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 16:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(752)
g:\windows\system32\nvappfilter.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 21:39
Pre-Run: 121,590,730,752 bytes free
Post-Run: 121,618,976,768 bytes free
221 --- E O F --- 2009-03-23 08:01
the only thing saying otherwise is the code,
I'm sorry, I don't understand this part ?
Do you mean the logs that you have posted ?
Sorry to confuse you. I meant that the symptoms I had were gone, so I would say that the infections are clear. Unless you saw something in the last log I posted, I think my computer is back to normal.
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
I've gotten a few of the programs you've listed (on top of the ones I already had), so I don't think there's anything else to cover. Thank you again for all the help you gave!!! Hopefully I won't be back with another problem anytime soon. :D: