Virtumonde infection



Martoon
2009-04-16, 03:44
I'm running NOD32, and it repeatedly pops up a balloon saying C:\WINDOWS\system32\RXwxHRqr.ini has the Virtumonde.NEO application. When I have Firefox open, it occasionally spontaneously opens another instance of Firefox with some spam page (don't remember the URL now, and it doesn't show up in my Firefox history).

Ran a Spybot scan, and it turned up Virtumonde, Tinybar.C, and several others. It removed all but one of the Virtumonde entries. When I restart my machine (allowing it to run Spybot on startup), it finds the Virtumonde items again, but says the Virtumonde prx is resident in memory, and can't be removed.

HJT log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:00 PM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [74861902] rundll32.exe "C:\WINDOWS\system32\kfqwleht.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237004493609
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 6921 bytes

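The log above contains the two things a helper scans for first in a Vundo case: a Run value with a random numeric name that loads a random-named DLL from system32 through rundll32 with a one-letter entry point, and (in the later log in this thread) BHO entries whose CLSID is still registered but whose DLL is gone. The script below is an added example, not code from the thread, from Trend Micro or from Safer Networking; it applies those two heuristics to HijackThis O2/O4 lines. The sample lines are copied from the logs posted in this thread, with the NVIDIA and ESET entries kept as legitimate controls. The "random-looking name" rule (5 to 9 lowercase letters, no digits) and the single-letter-export rule are assumptions tuned to this log, not a general malware signature.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis logs posted in this thread (constructed sample).
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {333EF545-DA2C-490F-9661-342579CABA5B} - (no file)
O2 - BHO: (no name) - {3A735231-C8FF-400D-91AC-75164073B724} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [74861902] rundll32.exe "C:\WINDOWS\system32\kfqwleht.dll",b
"""

# HijackThis line formats: O4 Run values and O2 browser helper objects.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# rundll32 <dll>[,<export>] with optional quoting around the DLL path.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?(?:,(?P<export>\S*))?\s*$',
                       re.IGNORECASE)
# Assumption: a stem of 5-9 lowercase letters and nothing else looks machine-generated.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,9}$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_o4(key, cmd):
    """Heuristics for one Run value: numeric name, random DLL, one-letter export."""
    reasons = []
    if key.isdigit():
        reasons.append("Run value name is purely numeric")
    m = RUNDLL_RE.match(cmd.strip())
    if m:
        base = m.group("dll").strip().replace("\\", "/").rsplit("/", 1)[-1]
        stem = base.rsplit(".", 1)[0]
        export = m.group("export")
        if RANDOM_STEM_RE.match(stem):
            reasons.append(f"rundll32 loads DLL with random-looking name {base}")
        if export is not None and len(export) == 1:
            reasons.append(f"rundll32 entry point {export!r} is a single letter")
    return reasons


def check_o2(name, path):
    """A BHO whose CLSID is registered but whose file is gone is an orphaned entry."""
    if path.strip() == "(no file)":
        return ["orphaned BHO registration: CLSID present, DLL missing"]
    return []


def triage_hjt(log_text):
    """Return one Finding per O2/O4 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group("key"), m.group("cmd"))
        else:
            m = O2_RE.match(line)
            if m:
                reasons = check_o2(m.group("name"), m.group("path"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the NVIDIA control passes because its DLL name has capitals and a named export (`NvStartup`), while the `[74861902]` line trips all three rules and the two `(no file)` BHOs are reported as orphans. Orphaned CLSIDs are harmless on their own but are the usual leftovers of a removal, which is why helpers ask for a fresh log after each cleanup pass.
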
peku006
2009-04-17, 16:43
Hello and Welcome to Safer Networking,

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear".

If you follow these instructions, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe

1 - Rename HJT

Go to C:\Program Files\Trend Micro\HijackThis
Right click on HijackThis.exe and select Rename
Type in Finder.exe
Press the Enter key

2 - Scan With ComboFix

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on ComboFix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

Martoon
2009-04-18, 03:35
I renamed HJT, and downloaded combofix.exe to my desktop. I disabled antivirus/antispyware protection in NOD32, and closed any windows. Spybot is not running.

I double-clicked combofix.exe, and didn't touch it again. It showed a small progress bar for a couple seconds, then showed the blue prompt window, which was blank except for a flashing cursor. I let it sit like this for about half an hour, and the window never showed anything but the cursor.

I tried restarting my machine, disabling NOD32 protection, and running combofix.exe again, with the same result.

peku006
2009-04-18, 08:33
Hi Martoon

OK, don't worry about Combofix, we'll try different tools.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png

After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006

Martoon
2009-04-21, 07:58
Logfile of random's system information tool 1.06 (written by random/random)
Run by Martoon at 2009-04-21 00:55:15
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 233 GB (76%) free of 305 GB
Total RAM: 2047 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:18 AM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Martoon\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Martoon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {333EF545-DA2C-490F-9661-342579CABA5B} - (no file)
O2 - BHO: (no name) - {3A735231-C8FF-400D-91AC-75164073B724} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78470B45-9135-41AD-970E-C6AA23F4DC5A} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237004493609
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 7644 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-117609710-725345543-1004.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{333EF545-DA2C-490F-9661-342579CABA5B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A735231-C8FF-400D-91AC-75164073B724}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78470B45-9135-41AD-970E-C6AA23F4DC5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-12 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-22 14854144]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-02-06 2021400]
"XboxStat"=C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [2007-09-26 734264]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-12 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DW6"=C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2009-02-11 801904]
"Steam"=C:\Program Files\Steam\Steam.exe [2009-03-15 1410296]
"Google Update"=C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 133104]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]

C:\Documents and Settings\Martoon\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\UltraVNC\vncviewer.exe"="C:\Program Files\UltraVNC\vncviewer.exe:*:Enabled:vncviewer.exe"
"C:\Program Files\Steam\steamapps\common\gumboy tournament\gumboytournament.exe"="C:\Program Files\Steam\steamapps\common\gumboy tournament\gumboytournament.exe:*:Enabled:Gumboy Tournament"
"C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll"="C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\Steam\steamapps\common\the maw\TheMaw.exe"="C:\Program Files\Steam\steamapps\common\the maw\TheMaw.exe:*:Enabled:The Maw"
"C:\Program Files\Steam\steamapps\common\everyday shooter\EverydayShooter.exe"="C:\Program Files\Steam\steamapps\common\everyday shooter\EverydayShooter.exe:*:Enabled:Everyday Shooter"
"C:\Program Files\Steam\steamapps\common\geometry wars\GeometryWars.exe"="C:\Program Files\Steam\steamapps\common\geometry wars\GeometryWars.exe:*:Enabled:Geometry Wars"
"C:\Program Files\Steam\steamapps\common\the wonderful end of the world\main.exe"="C:\Program Files\Steam\steamapps\common\the wonderful end of the world\main.exe:*:Enabled:The Wonderful End of the World"
"C:\Program Files\Steam\steamapps\common\trials 2 second edition\launcher.exe"="C:\Program Files\Steam\steamapps\common\trials 2 second edition\launcher.exe:*:Enabled:Trials 2: Second Edition"
"C:\Program Files\Steam\steamapps\common\spectraball\Spectraball.exe"="C:\Program Files\Steam\steamapps\common\spectraball\Spectraball.exe:*:Enabled:Spectraball"
"C:\Program Files\GameTap Web Player\bin\release\GameTapPlayer.exe"="C:\Program Files\GameTap Web Player\bin\release\GameTapPlayer.exe:*:Enabled:GameTap Headless Application"
"C:\Program Files\Steam\steamapps\common\osmos igf demo\OsmosDemo.exe"="C:\Program Files\Steam\steamapps\common\osmos igf demo\OsmosDemo.exe:*:Enabled:Osmos IGF Demo"
"C:\Program Files\Steam\steamapps\common\mightier\Mightier.exe"="C:\Program Files\Steam\steamapps\common\mightier\Mightier.exe:*:Enabled:Mightier"
"C:\Program Files\Steam\steamapps\common\flock demo\Flock.exe"="C:\Program Files\Steam\steamapps\common\flock demo\Flock.exe:*:Enabled:FLOCK! Demo"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Autodesk\Backburner\monitor.exe"="C:\Program Files\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\Program Files\Autodesk\Backburner\manager.exe"="C:\Program Files\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\Program Files\Autodesk\Backburner\server.exe"="C:\Program Files\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server"
"C:\Program Files\Autodesk\3ds Max 2009\3dsmax.exe"="C:\Program Files\Autodesk\3ds Max 2009\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2009 32-bit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2009-04-21 00:55:15 ----D---- C:\rsit
2009-04-20 20:53:06 ----D---- C:\Documents and Settings\Martoon\Application Data\Malwarebytes
2009-04-20 20:53:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-20 20:53:02 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-17 20:12:43 ----D---- C:\ComboFix
2009-04-17 20:12:43 ----A---- C:\WINDOWS\system32\CF3180.exe
2009-04-17 20:02:30 ----A---- C:\WINDOWS\system32\CF1178.exe
2009-04-17 19:19:06 ----A---- C:\WINDOWS\system32\CF25443.exe
2009-04-17 19:19:04 ----D---- C:\Qoobox
2009-04-16 12:15:57 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-15 20:27:46 ----D---- C:\Program Files\Trend Micro
2009-04-15 20:27:34 ----D---- C:\WINDOWS\ERDNT
2009-04-15 20:27:01 ----D---- C:\Program Files\ERUNT
2009-04-15 20:26:19 ----A---- C:\WINDOWS\system32\ywkcro.dll
2009-04-15 20:26:17 ----A---- C:\WINDOWS\system32\vshgioao.dll
2009-04-15 09:18:48 ----A---- C:\WINDOWS\system32\henixi.dll
2009-04-15 09:18:47 ----A---- C:\WINDOWS\system32\ncubnhtx.dll
2009-04-15 08:33:44 ----A---- C:\WINDOWS\system32\virbib.dll
2009-04-15 08:33:42 ----A---- C:\WINDOWS\system32\gflbyigy.dll
2009-04-15 02:48:18 ----A---- C:\WINDOWS\system32\fxnvzi.dll
2009-04-15 02:48:16 ----A---- C:\WINDOWS\system32\xkdgcjbi.dll
2009-04-15 02:05:06 ----A---- C:\WINDOWS\system32\ageehb.dll
2009-04-15 02:05:05 ----A---- C:\WINDOWS\system32\gjmoucbn.dll
2009-04-15 00:06:02 ----A---- C:\WINDOWS\wininit.ini
2009-04-14 23:26:50 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-14 23:26:50 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 23:01:27 ----A---- C:\WINDOWS\system32\clpxqx.dll
2009-04-14 23:01:25 ----A---- C:\WINDOWS\system32\tyvqwhvx.dll
2009-04-14 22:58:43 ----A---- C:\WINDOWS\system32\7fa5dd7c-.txt
2009-04-14 22:53:08 ----A---- C:\WINDOWS\system32\c.bat
2009-04-14 22:53:06 ----A---- C:\WINDOWS\system32\rtcshares.exe
2009-04-14 22:18:36 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-14 22:18:31 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-14 22:17:08 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-14 22:17:00 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-14 22:16:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-14 22:16:48 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-14 21:05:22 ----A---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-14 18:04:16 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-14 18:04:04 ----D---- C:\Program Files\Cy-Clone
2009-04-14 17:47:01 ----D---- C:\Program Files\GameTop.com
2009-04-14 17:40:36 ----D---- C:\Program Files\bfgclient
2009-04-14 17:39:26 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-04-14 11:37:18 ----D---- C:\Documents and Settings\Martoon\Application Data\Autodesk
2009-04-14 11:33:20 ----D---- C:\Program Files\Common Files\Autodesk Shared
2009-04-14 11:28:59 ----A---- C:\WINDOWS\system32\javac.exe
2009-04-13 21:47:19 ----HDC---- C:\WINDOWS\$NtUninstallbasecsp$
2009-04-13 21:42:48 ----D---- C:\Program Files\Common Files\Windows Live
2009-04-13 21:41:51 ----HDC---- C:\WINDOWS\$NtUninstallWdf01005$
2009-04-13 21:00:40 ----D---- C:\Documents and Settings\Martoon\Application Data\EPSON
2009-04-12 19:50:59 ----D---- C:\WINDOWS\Sun
2009-04-12 19:49:50 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-12 19:49:50 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-12 19:49:50 ----A---- C:\WINDOWS\system32\java.exe
2009-04-12 19:49:50 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-04-12 19:49:44 ----D---- C:\Program Files\Java
2009-04-12 19:48:19 ----D---- C:\Documents and Settings\Martoon\Application Data\Sun
2009-04-12 09:11:36 ----D---- C:\Program Files\eGames
2009-04-10 08:41:18 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-09 11:23:10 ----D---- C:\Program Files\Common Files\Native Instruments
2009-04-09 11:23:08 ----D---- C:\Program Files\Common Files\Digidesign
2009-04-09 11:22:40 ----D---- C:\Program Files\Native Instruments
2009-04-09 07:53:05 ----D---- C:\Documents and Settings\All Users\Application Data\Autodesk
2009-04-09 07:50:54 ----D---- C:\Program Files\Autodesk
2009-04-08 21:05:45 ----D---- C:\Program Files\Microsoft ActiveSync
2009-04-06 14:27:35 ----D---- C:\Program Files\Hammer Heads Deluxe
2009-04-06 12:31:28 ----D---- C:\Program Files\Airport Mania
2009-04-04 11:40:38 ----D---- C:\Program Files\OpenAL
2009-04-04 11:40:38 ----A---- C:\WINDOWS\system32\wrap_oal.dll
2009-04-04 11:40:38 ----A---- C:\WINDOWS\system32\OpenAL32.dll
2009-04-03 14:52:21 ----SHD---- C:\WINDOWS\ftpcache
2009-04-03 14:47:25 ----D---- C:\Program Files\OXXOGames
2009-04-02 16:18:41 ----D---- C:\Program Files\Microsoft Money 2006
2009-04-02 16:18:04 ----D---- C:\Documents and Settings\Martoon\Application Data\DAEMON Tools Pro
2009-04-02 16:18:04 ----D---- C:\Documents and Settings\Martoon\Application Data\DAEMON Tools
2009-04-02 16:17:15 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2009-04-02 16:17:10 ----D---- C:\Program Files\DAEMON Tools Lite
2009-04-02 16:12:04 ----D---- C:\Documents and Settings\Martoon\Application Data\DAEMON Tools Lite
2009-04-02 15:56:41 ----D---- C:\Documents and Settings\Martoon\Application Data\Ahead
2009-04-02 15:55:51 ----D---- C:\Program Files\Nero
2009-04-02 15:55:51 ----D---- C:\Program Files\Common Files\Ahead
2009-04-02 12:47:21 ----D---- C:\Program Files\Liong The Lost Amulets
2009-04-02 08:03:25 ----D---- C:\Documents and Settings\Martoon\Application Data\The Journal
2009-04-02 08:03:18 ----D---- C:\Program Files\DavidRM Software
2009-04-02 08:03:18 ----D---- C:\Documents and Settings\All Users\Application Data\The Journal
2009-04-01 07:41:28 ----D---- C:\Program Files\GameTap Web Player
2009-04-01 07:40:34 ----D---- C:\Documents and Settings\All Users\Application Data\GameTap Web Player
2009-03-31 18:48:44 ----D---- C:\Python26
2009-03-31 11:11:38 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-03-31 09:51:42 ----D---- C:\Documents and Settings\Martoon\Application Data\FileZilla
2009-03-31 09:48:17 ----D---- C:\Program Files\FileZilla FTP Client
2009-03-31 09:39:43 ----D---- C:\Program Files\Peggle Deluxe

======List of files/folders modified in the last 1 months======

2009-04-21 00:54:42 ----D---- C:\Program Files\Steam
2009-04-21 00:54:07 ----D---- C:\Program Files\Mozilla Firefox
2009-04-21 00:51:48 ----D---- C:\WINDOWS\Temp
2009-04-21 00:50:31 ----D---- C:\WINDOWS\system32\drivers
2009-04-21 00:50:31 ----D---- C:\WINDOWS\system32
2009-04-21 00:49:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-21 00:49:32 ----D---- C:\WINDOWS\Prefetch
2009-04-20 20:53:02 ----D---- C:\Program Files
2009-04-19 11:55:41 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-18 10:22:15 ----D---- C:\Documents and Settings\Martoon\Application Data\uTorrent
2009-04-17 20:10:35 ----D---- C:\WINDOWS\system32\Lang
2009-04-16 12:15:57 ----D---- C:\WINDOWS
2009-04-14 22:55:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-14 22:51:32 ----D---- C:\WINDOWS\system32\wbem
2009-04-14 22:51:32 ----D---- C:\WINDOWS\AppPatch
2009-04-14 22:18:40 ----HD---- C:\WINDOWS\inf
2009-04-14 22:18:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-14 22:18:34 ----A---- C:\WINDOWS\imsins.BAK
2009-04-14 22:18:22 ----D---- C:\WINDOWS\system32\en-us
2009-04-14 22:18:22 ----D---- C:\Program Files\Internet Explorer
2009-04-14 22:17:07 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-14 11:57:59 ----SHD---- C:\WINDOWS\Installer
2009-04-14 11:33:20 ----D---- C:\Program Files\Common Files
2009-04-14 11:33:00 ----D---- C:\WINDOWS\system32\DirectX
2009-04-13 21:47:23 ----D---- C:\WINDOWS\security
2009-04-13 21:41:57 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-04-10 08:41:30 ----D---- C:\Documents and Settings\Martoon\Application Data\Adobe
2009-04-10 08:41:29 ----D---- C:\Program Files\Adobe
2009-04-10 08:41:19 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-10 08:40:59 ----D---- C:\Program Files\Common Files\Adobe
2009-04-09 07:54:21 ----D---- C:\WINDOWS\WinSxS
2009-04-09 07:50:48 ----RSD---- C:\WINDOWS\assembly
2009-04-08 21:06:35 ----SD---- C:\Documents and Settings\Martoon\Application Data\Microsoft
2009-04-08 21:05:45 ----D---- C:\WINDOWS\Help
2009-04-08 21:05:45 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-04-06 23:29:25 ----D---- C:\Documents and Settings\Martoon\Application Data\Mozilla
2009-04-06 09:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-05 20:26:57 ----D---- C:\Program Files\World of Warcraft
2009-04-03 15:15:39 ----D---- C:\Documents and Settings\Martoon\Application Data\Macromedia
2009-04-02 16:20:45 ----RSD---- C:\WINDOWS\Fonts
2009-04-02 16:01:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-31 19:11:48 ----D---- C:\Games
2009-03-31 15:44:24 ----D---- C:\Program Files\XMoto
2009-03-31 09:47:54 ----D---- C:\tools

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-23 3966976]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 RDID1057;EDIROL UA-1EX; C:\WINDOWS\system32\Drivers\rdwm1057.sys [2006-09-25 139793]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINDOWS\System32\Drivers\vulfnth.sys [2003-08-04 6912]
R3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINDOWS\System32\Drivers\vulfntr.sys [2003-08-04 11392]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
R3 xusb21;Xbox 360 Wireless Receiver Driver Service 21; C:\WINDOWS\system32\DRIVERS\xusb21.sys [2007-08-28 55808]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S2 X4HSX32;X4HSX32; \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys []
S3 a12rqoa1;a12rqoa1; C:\WINDOWS\system32\drivers\a12rqoa1.sys []
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-04-14 79360]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-12 152984]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit; C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2009-03-18 86016]
R2 NoIPDUCService;NoIPDUCService; C:\Program Files\No-IP\DUC20.exe [2009-03-18 1172992]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 uvnc_service;uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2008-08-30 1519168]
S2 mi-raysat_3dsmax9_32;mental ray 3.5 Satellite (32-bit); C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2009-03-17 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-02-06 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-04-21 00:55:19

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3dsmax ancillary install-->MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}
A Fairy Tale-->"C:\Program Files\A Fairy Tale\ReflexiveArcade\unins000.exe"
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Airport Mania-->"C:\Program Files\Airport Mania\ReflexiveArcade\unins000.exe"
Autodesk 3ds Max 2009 32-bit-->MsiExec.exe /I{FDD8070F-E3B9-0409-822C-CCFE5E82C14D}
Autodesk Backburner 2008.1-->MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
Colors of War-->C:\PROGRA~1\eGames\COLORS~1\UNWISE.EXE C:\PROGRA~1\eGames\COLORS~1\INSTALL.LOG
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Cy-Clone-->"C:\Program Files\Cy-Clone\Uninstall.exe"
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Everyday Shooter-->"C:\Program Files\Steam\steam.exe" steam://uninstall/16300
FBX Plugin 2009.0 for Max 2009-->C:\Program Files\Autodesk\FBX\FbxPlugins\2009.0\Max2009\Uninstall.exe
FileZilla Client 3.2.3.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
FLOCK! Demo-->"C:\Program Files\Steam\steam.exe" steam://uninstall/21650
GameTap Web Player-->"C:\Program Files\GameTap Web Player\unins000.exe"
Geometry Wars-->"C:\Program Files\Steam\steam.exe" steam://uninstall/8400
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
Google Talk Plugin-->MsiExec.exe /I{5012BC0C-7E1A-329A-8F02-B6846070C5F8}
Gumboy Tournament-->"C:\Program Files\Steam\steam.exe" steam://uninstall/11230
Hammer Heads Deluxe-->"C:\Program Files\Hammer Heads Deluxe\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Liong The Lost Amulets-->"C:\Program Files\Liong The Lost Amulets\ReflexiveArcade\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1-->"C:\WINDOWS\$NtUninstallWdf01001$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Xbox 360 Accessories 1.1-->MsiExec.exe /X{66F0AC35-4805-44BC-A3D4-347D4196F9B3}
Mightier-->"C:\Program Files\Steam\steam.exe" steam://uninstall/29150
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
Native Instruments Guitar Rig 3-->C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Native Instruments Service Center-->C:\PROGRA~1\NATIVE~1\SERVIC~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\SERVIC~1\INSTALL.LOG
Nero 7 Demo-->MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033}
No-IP.com DUC (remove only)-->"C:\Program Files\No-IP\DUC20.exe" -uninstall
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenAL-->"C:\Program Files\OpenAL\OpenALwEAX.exe" /U /S
Osmos IGF Demo-->"C:\Program Files\Steam\steam.exe" steam://uninstall/29100
Outlook Recovery Toolbox 1.2-->"C:\Program Files\Outlook Recovery Toolbox\unins000.exe"
Peggle Deluxe-->"C:\Program Files\Peggle Deluxe\ReflexiveArcade\unins000.exe"
Python 2.6 pygame-1.8.1-->MsiExec.exe /I{33BDCB7F-7686-41EE-B745-89CFFAEF3147}
Python 2.6.1-->MsiExec.exe /I{9CC89170-000B-457D-91F1-53691F85B223}
Quadro Racing-->"C:\Program Files\GameTop.com\Quadro Racing\unins000.exe"
Realtek High Definition Audio Driver-->RtlUpd.exe -r
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Spectraball-->"C:\Program Files\Steam\steam.exe" steam://uninstall/18300
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Racing-->"C:\Program Files\GameTop.com\Star Racing\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
The Journal 4-->"C:\Program Files\DavidRM Software\The Journal 4\unins000.exe"
The Maw-->"C:\Program Files\Steam\steam.exe" steam://uninstall/26000
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
The Wonderful End of the World-->"C:\Program Files\Steam\steam.exe" steam://uninstall/15500
Trials 2: Second Edition-->"C:\Program Files\Steam\steam.exe" steam://uninstall/16600
UltraVNC 1.0.5-->"C:\Program Files\UltraVNC\unins000.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\Wrath of the Lich King\Uninstall.exe
xat.com JPEG Optimizer-->"C:\Program Files\xat.com JPEG Optimizer\uninstall.exe"
X-Moto-->"C:\Program Files\XMoto\uninstall.exe"

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: SPYRO
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 487
Source Name: Tcpip
Time Written: 20090314123522.000000-360
Event Type: warning
User:

Computer Name: SPYRO
Event Code: 20
Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

Record Number: 322
Source Name: Print
Time Written: 20090314000654.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SPYRO
Event Code: 20
Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

Record Number: 321
Source Name: Print
Time Written: 20090314000652.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SPYRO
Event Code: 20
Message: Installation Failure: Windows failed to install the following update with error 0x8007f0ea: Security Update for Internet Explorer 6 for Windows XP (960714).

Record Number: 247
Source Name: Windows Update Agent
Time Written: 20090313225536.000000-360
Event Type: error
User:

Computer Name: SPYRO
Event Code: 20
Message: Installation Failure: Windows failed to install the following update with error 0x8007f0ea: Cumulative Security Update for Internet Explorer 6 for Windows XP (KB958215).

Record Number: 243
Source Name: Windows Update Agent
Time Written: 20090313225530.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: SPYRO
Event Code: 1000
Message: Faulting application colorsofwar.exe, version 0.0.0.0, faulting module colorsofwar.exe, version 0.0.0.0, fault address 0x0002561a.

Record Number: 414
Source Name: Application Error
Time Written: 20090412091222.000000-300
Event Type: error
User:

Computer Name: SPYRO
Event Code: 1000
Message: Faulting application colorsofwar.exe, version 0.0.0.0, faulting module colorsofwar.exe, version 0.0.0.0, fault address 0x0002561a.

Record Number: 412
Source Name: Application Error
Time Written: 20090412091202.000000-300
Event Type: error
User:

Computer Name: SPYRO
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3372, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 328
Source Name: Application Hang
Time Written: 20090407112523.000000-300
Event Type: error
User:

Computer Name: SPYRO
Event Code: 1000
Message: Faulting application steam.exe, version 1.0.0.0, faulting module steamclient.dll, version 3.0.0.1, fault address 0x00126233.

Record Number: 308
Source Name: Application Error
Time Written: 20090404114006.000000-300
Event Type: error
User:

Computer Name: SPYRO
Event Code: 1002
Message: Hanging application Autorun.exe, version 1.1.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 307
Source Name: Application Hang
Time Written: 20090403151401.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Autodesk\Backburner\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_REVISION"=4303
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/21/2009 12:49:03 AM
mbam-log-2009-04-21 (00-49-03).txt

Scan type: Full Scan (C:\|S:\|U:\|V:\|)
Objects scanned: 634081
Time elapsed: 3 hour(s), 53 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 18
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\blrttbrs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dbzutu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dirzdv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ijxchbyb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jflbidyt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lcuoju.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lmjflkqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nkivfgeu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ockjwapa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ojrccwlq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ptkjxekx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRHxwXR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\skaqfp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sqzdtf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uiqjjrfk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vyekte.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wnihch.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ysinmb.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{05033213-c398-4b25-b6af-d2f33a595e7d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{08175801-749c-425f-a627-cc435bd78acd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0c4a9df0-7798-4570-8b5f-6fbc2af11338} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{05033213-c398-4b25-b6af-d2f33a595e7d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0c4a9df0-7798-4570-8b5f-6fbc2af11338} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05033213-c398-4b25-b6af-d2f33a595e7d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0c4a9df0-7798-4570-8b5f-6fbc2af11338} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08175801-749c-425f-a627-cc435bd78acd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74861902 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08175801-749c-425f-a627-cc435bd78acd} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhxwxr -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhxwxr -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Documents\tools\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Martoon\Local Settings\Temporary Internet Files\Content.IE5\GH4US59Q\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Martoon\Local Settings\Temporary Internet Files\Content.IE5\UBDV50R2\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP21\A0005090.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP28\A0005387.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP56\A0006934.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP61\A0007126.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RXwxHRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RXwxHRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aqwbwcwk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arekhxtx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atwhrpqg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blrttbrs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\btmgacpw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbzutu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dirzdv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hhmyoibe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ijxchbyb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iycvytvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jflbidyt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kmtmkxdn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcuoju.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lmjflkqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nkivfgeu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ockjwapa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ojrccwlq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ptkjxekx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qlwccrjo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmajbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtytjuux.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHxwXR.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\skaqfp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sqzdtf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uiqjjrfk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vyekte.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wnihch.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyvvuvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysinmb.dll (Trojan.Vundo) -> Delete on reboot.
S:\C backup\Program Files\Aerial Antics\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
S:\C backup\Program Files\Farm Frenzy\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
S:\C backup\Program Files\NSIS\Plugins\Dialer.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
S:\Install\DVD\GUI_pulldown.exe (RootKit.Clicker) -> Quarantined and deleted successfully.
S:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP20\A0004967.exe (Trojan.Backdoor) -> Not selected for removal.

peku006
2009-04-21, 10:53
Hi Martoon

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {333EF545-DA2C-490F-9661-342579CABA5B} - (no file)
O2 - BHO: (no name) - {3A735231-C8FF-400D-91AC-75164073B724} - (no file)
O2 - BHO: (no name) - {78470B45-9135-41AD-970E-C6AA23F4DC5A} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Download and Run OTMoveIt3

Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.

:files
C:\WINDOWS\system32\ywkcro.dll
C:\WINDOWS\system32\vshgioao.dll
C:\WINDOWS\system32\henixi.dll
C:\WINDOWS\system32\ncubnhtx.dll
C:\WINDOWS\system32\virbib.dll
C:\WINDOWS\system32\gflbyigy.dll
C:\WINDOWS\system32\fxnvzi.dll
C:\WINDOWS\system32\xkdgcjbi.dll
C:\WINDOWS\system32\ageehb.dll
C:\WINDOWS\system32\gjmoucbn.dll
C:\WINDOWS\system32\clpxqx.dll
C:\WINDOWS\system32\tyvqwhvx.dll
C:\WINDOWS\system32\7fa5dd7c-.txt
C:\WINDOWS\system32\c.bat

:Commands
[EmptyTemp]


Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

3 - Run Malwarebytes' Anti-Malware

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.


After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

5 - Status Check
Please reply with


1. the OTMoveIt3 log
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006

Martoon
2009-04-21, 19:24
Step 1: Checked and fixed the 3 indicated items

Step 2: After OTMoveIt3 ran, it popped up a modal dialog box saying it couldn't move some things until I rebooted, and asking if I wanted to reboot (with Yes and No buttons). I couldn't select the text in the results window until I dismissed that dialog, so I clicked No, selected/copied the text and saved it, and manually rebooted. After reboot, it opened notepad with a new log file. I've posted both logs (before and after reboot).

Step 3: Ran the scan. Only one item in the results, and it was in the system volume info folder, so I unchecked it. Got the log file.

Step 4: Ran, got the log file.

Step 5: Here are the logs (OTMoveIt3 before and after reboot, Anti-Malware, and HJT).


DllUnregisterServer procedure not found in C:\WINDOWS\system32\tyvqwhvx.dll
C:\WINDOWS\system32\tyvqwhvx.dll NOT unregistered.
C:\WINDOWS\system32\tyvqwhvx.dll moved successfully.
C:\WINDOWS\system32\7fa5dd7c-.txt moved successfully.
C:\WINDOWS\system32\c.bat moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Martoon\LOCALS~1\Temp\etilqs_Xdz9Sm0JzKwZ6MeHBZK5 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Martoon\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04212009_083749



========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ywkcro.dll
C:\WINDOWS\system32\ywkcro.dll NOT unregistered.
C:\WINDOWS\system32\ywkcro.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vshgioao.dll
C:\WINDOWS\system32\vshgioao.dll NOT unregistered.
C:\WINDOWS\system32\vshgioao.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\henixi.dll
C:\WINDOWS\system32\henixi.dll NOT unregistered.
C:\WINDOWS\system32\henixi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ncubnhtx.dll
C:\WINDOWS\system32\ncubnhtx.dll NOT unregistered.
C:\WINDOWS\system32\ncubnhtx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\virbib.dll
C:\WINDOWS\system32\virbib.dll NOT unregistered.
C:\WINDOWS\system32\virbib.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gflbyigy.dll
C:\WINDOWS\system32\gflbyigy.dll NOT unregistered.
C:\WINDOWS\system32\gflbyigy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fxnvzi.dll
C:\WINDOWS\system32\fxnvzi.dll NOT unregistered.
C:\WINDOWS\system32\fxnvzi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xkdgcjbi.dll
C:\WINDOWS\system32\xkdgcjbi.dll NOT unregistered.
C:\WINDOWS\system32\xkdgcjbi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ageehb.dll
C:\WINDOWS\system32\ageehb.dll NOT unregistered.
C:\WINDOWS\system32\ageehb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gjmoucbn.dll
C:\WINDOWS\system32\gjmoucbn.dll NOT unregistered.
C:\WINDOWS\system32\gjmoucbn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\clpxqx.dll
C:\WINDOWS\system32\clpxqx.dll NOT unregistered.
C:\WINDOWS\system32\clpxqx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tyvqwhvx.dll
C:\WINDOWS\system32\tyvqwhvx.dll NOT unregistered.
C:\WINDOWS\system32\tyvqwhvx.dll moved successfully.
C:\WINDOWS\system32\7fa5dd7c-.txt moved successfully.
C:\WINDOWS\system32\c.bat moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Martoon\LOCALS~1\Temp\etilqs_Xdz9Sm0JzKwZ6MeHBZK5 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Martoon\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04212009_083749

Files moved on Reboot...
File C:\DOCUME~1\Martoon\LOCALS~1\Temp\etilqs_Xdz9Sm0JzKwZ6MeHBZK5 not found!
C:\DOCUME~1\Martoon\LOCALS~1\Temp\WCESLog.log moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_d0.dat not found!
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Martoon\Local Settings\Application Data\Mozilla\Firefox\Profiles\5mc5gppk.default\XUL.mfl moved successfully.



Malwarebytes' Anti-Malware 1.36
Database version: 2019
Windows 5.1.2600 Service Pack 3

4/21/2009 12:03:28 PM
mbam-log-2009-04-21 (12-03-28).txt

Scan type: Full Scan (C:\|S:\|U:\|V:\|)
Objects scanned: 628128
Time elapsed: 3 hour(s), 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
S:\System Volume Information\_restore{0ACD229A-33C8-4496-A3E9-BF9EEB4D4323}\RP20\A0004967.exe (Trojan.Backdoor) -> Not selected for removal.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:33 PM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237004493609
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 7133 bytes

peku006
2009-04-21, 19:45
Hi Martoon

Looking good :)
We will run one online scan to be sure that there is nothing left.

2 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

Martoon
2009-04-22, 19:26
The computer is running much better now, actually. :) No longer spontaneously opening pages in Firefox.

Okay, after 22 hours, the Kaspersky scan finished, and I got a log from that and the new HJT log. Here they are.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 20:10:57
Records in database: 2067094
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\
S:\
U:\
V:\

Scan statistics:
Files scanned: 542277
Threat name: 12
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 21:45:24


File name / Threat name / Threats count
C:\Program Files\UltraVNC\WinVNC.exe/C:\Program Files\UltraVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 2
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\ageehb.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\clpxqx.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\fxnvzi.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\gflbyigy.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\gjmoucbn.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\henixi.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\ncubnhtx.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\tyvqwhvx.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\virbib.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\vshgioao.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\xkdgcjbi.dll Infected: Packed.Win32.Krap.n 1
C:\_OTMoveIt\MovedFiles\04212009_083749\WINDOWS\system32\ywkcro.dll Infected: Packed.Win32.Krap.n 1
S:\C backup\Documents and Settings\Martoon\My Documents\web\martoon.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
S:\C backup\Program Files\Farm Frenzy\farm.exe Infected: Trojan.Win32.Genome.fkt 1
S:\C backup\Program Files\Geom\framework.exe Infected: Trojan.Win32.Genome.tbo 1
S:\C backup\Program Files\Kudos 2\Kudos2.exe Infected: Trojan-Downloader.Win32.Agent.bpbq 1
S:\C backup\Program Files\StoneLoops Of Jurassica\StoneLoops.exe.bak Infected: Trojan-Downloader.Win32.Agent.awiz 1
S:\C backup\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
S:\C backup\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
S:\C backup\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
S:\Install\Mirc\mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
S:\Install\Mirc\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
S:\Install\VNC\UltraVnc-101-Setup.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:33 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237004493609
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 7208 bytes

peku006
2009-04-22, 19:50
Hi

Do you know what these programs are ?

S:\C backup\Documents and Settings\Martoon\My Documents\web\martoon.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
S:\C backup\Program Files\Farm Frenzy\farm.exe Infected: Trojan.Win32.Genome.fkt 1
S:\C backup\Program Files\Geom\framework.exe Infected: Trojan.Win32.Genome.tbo 1
S:\C backup\Program Files\Kudos 2\Kudos2.exe Infected: Trojan-Downloader.Win32.Agent.bpbq 1
S:\C backup\Program Files\StoneLoops Of Jurassica\StoneLoops.exe.bak Infected: Trojan-Downloader.Win32.Agent.awiz 1

It seems you don't have any evidence of a third-party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Thanks peku006

Martoon
2009-04-22, 23:00
martoon.exe is a custom build of UltraVNC. The other four exes are games (and can be deleted).

I run a hardware firewall external to my PC, but I suppose it wouldn't hurt to install ZoneAlarm. I'll do that when I get home from work.

Anything else?

And I just want to say, thanks so much for your help!

peku006
2009-04-23, 08:01
Hi Martoon
OK, we removed them.

Run OTMoveIt3

Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.

:files
S:\C backup\Program Files\Farm Frenzy\farm.exe
S:\C backup\Program Files\Geom\framework.exe
S:\C backup\Program Files\Kudos 2\Kudos2.exe
S:\C backup\Program Files\StoneLoops Of Jurassica\StoneLoops.exe.bak


Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

Please reply with

the OTMoveIt3 log
a fresh HijackThis log

Martoon
2009-04-23, 19:22
========== FILES ==========
S:\C backup\Program Files\Farm Frenzy\farm.exe moved successfully.
S:\C backup\Program Files\Geom\framework.exe moved successfully.
S:\C backup\Program Files\Kudos 2\Kudos2.exe moved successfully.
S:\C backup\Program Files\StoneLoops Of Jurassica\StoneLoops.exe.bak moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04232009_093822




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:28 AM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237004493609
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{22BC2DB2-9C30-4582-ADB2-D486A4CC3334}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7762 bytes

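Added example (not code from the thread, and not anything HijackThis itself produces): a small Python script that diffs two HijackThis logs and flags the autorun and service entries that deserve a second look. The two sample logs embedded in it are subsets of the 4/22 and 4/23 logs above, so the only difference between them should be the two ZoneAlarm entries. The triage rules (target file missing, service with no vendor string, autorun from the user profile, binary given without an absolute path) are my own heuristics, labelled as such in the code.

```python
"""Diff two HijackThis logs and triage the autorun/service entries that changed.

Added example, not something posted in the thread. The two sample logs below
are subsets copied from the 4/22 and 4/23 HijackThis logs above, so the diff
should surface exactly the two ZoneAlarm entries that appeared between them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the 4/22 log (before ZoneAlarm was installed).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Martoon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Same subset from the 4/23 log, after ZoneAlarm was installed.
LOG_AFTER = LOG_BEFORE + r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis entry lines look like "O4 - <body>" or "R1 - <body>".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")
# First absolute path to a PE file inside an entry body (stops at a quote or newline).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str          # e.g. "O4", "O23"
    body: str             # everything after "O4 - "
    path: Optional[str]   # absolute path of the launched file, if the entry has one


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R*/O* lines of a HijackThis log; header and process list are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(0) if pm else None))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed): entries whose exact text appears in only one log."""
    old, new = parse_hjt(before), parse_hjt(after)
    old_bodies = {e.body for e in old}
    new_bodies = {e.body for e in new}
    added = [e for e in new if e.body not in old_bodies]
    removed = [e for e in old if e.body not in new_bodies]
    return added, removed


def triage(entry: Entry) -> List[str]:
    """My own cheap heuristics (assumed, not HijackThis rules) for entries worth a second look."""
    reasons = []
    if "(file missing)" in entry.body:
        reasons.append("target file missing: stale entry, or a dropper that was removed")
    if entry.section == "O23" and "Unknown owner" in entry.body:
        reasons.append("service binary carries no vendor string")
    if entry.path and "\\documents and settings\\" in entry.path.lower():
        reasons.append("runs from a user-writable profile directory")
    if entry.section in ("O4", "O23") and entry.path is None:
        reasons.append("no absolute path: binary is resolved through the search path")
    return reasons


def triage_log(text: str) -> dict:
    """Map each flagged entry body to its list of reasons."""
    return {e.body: triage(e) for e in parse_hjt(text) if triage(e)}


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in added:
        print("+", e.section, e.body)
    for e in removed:
        print("-", e.section, e.body)
    for body, reasons in triage_log(LOG_AFTER).items():
        print("?", body, "->", "; ".join(reasons))
```

Run against the full logs, the diff is what a helper actually reads between two posts: anything new in O4/O23 after a supposedly clean run is the first thing to question, and the triage flags are the entries (the missing mental ray binary, the autorun under Documents and Settings, the bare nwiz.exe) you would look up before deciding they are benign.
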
peku006
2009-04-23, 19:30
Hi Martoon

The scans are fine and it looks like your machine is clean :yahoo:

To remove all of the tools we used and the files and folders they created do the following:


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:

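Added example, not from the thread and not from the MVPS project: a Python check that tells the intended block-list entries in a HOSTS file (names pointed at 127.0.0.1 or 0.0.0.0, exactly what the MVPS file does) apart from the two things a hijacked HOSTS file does instead: pointing a trusted name at some other address, or sinkholing an anti-malware vendor's host so the tool can no longer update. The sample HOSTS content and the list of vendor domains are constructed for the example.

```python
"""Audit a Windows HOSTS file: separate legitimate block-list entries from
entries that look like a hijack.

Added example, not part of the thread. A block list such as the MVPS HOSTS
file maps unwanted hostnames to 127.0.0.1 (or 0.0.0.0), so those lines are
expected; what is not expected is a trusted name pointed at a routable
address, or an anti-malware vendor's host sinkholed so it cannot update.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed list (my own, not MVPS's or Spybot's) of hosts that malware commonly
# blocks or redirects; extend it to whatever security tooling the machine uses.
PROTECTED_SUFFIXES = (
    "update.microsoft.com",
    "eset.com",
    "safer-networking.org",
    "secunia.com",
    "mvps.org",
)

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, not a real file from the thread: three MVPS-style
# block entries plus two lines of the kind a HOSTS hijack leaves behind.
SAMPLE_HOSTS = """
# localhost entries
127.0.0.1       localhost
::1             localhost
# block-list entries: name points at the local machine, so the ad never loads
0.0.0.0 ad.doubleclick.net
0.0.0.0 adserver.example-ads.net   # trailing comment
127.0.0.1 www.example-ads.net
# trusted update host redirected to somebody else's server
203.0.113.10 www.update.microsoft.com
# anti-malware vendor silently sinkholed: the tool can no longer update
127.0.0.1 www.safer-networking.org
"""

CATEGORIES = ("local", "blocked", "redirect", "blocked-protected", "redirect-protected")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank lines and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; Windows ignores such lines too
        for host in fields[1:]:               # one address may carry several names
            pairs.append((fields[0], host.lower()))
    return pairs


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip: str, host: str) -> str:
    """Loopback/unspecified targets are sinkholes; anything else is a redirect."""
    if host in LOCAL_NAMES:
        return "local"
    addr = ipaddress.ip_address(ip)
    sinkhole = addr.is_loopback or addr.is_unspecified
    if is_protected(host):
        return "blocked-protected" if sinkhole else "redirect-protected"
    return "blocked" if sinkhole else "redirect"


def audit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group every entry by category; 'blocked' and 'local' are the expected bulk."""
    groups = {c: [] for c in CATEGORIES}
    for ip, host in parse_hosts(text):
        groups[classify(ip, host)].append((ip, host))
    return groups


def findings(text: str) -> List[Tuple[str, str, str]]:
    """Only the entries an analyst should act on: (category, ip, host)."""
    groups = audit(text)
    out = []
    for cat in ("redirect", "redirect-protected", "blocked-protected"):
        out.extend((cat, ip, host) for ip, host in groups[cat])
    return out


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} block-list entries, {len(report['local'])} localhost entries")
    for cat, ip, host in findings(SAMPLE_HOSTS):
        print(f"[{cat}] {ip} -> {host}")
```

Point it at C:\WINDOWS\system32\drivers\etc\hosts by reading the file into audit(). A clean MVPS install yields thousands of "blocked" lines and nothing under the three finding categories; a handful of "redirect" or "-protected" hits is what an infection that tampers with HOSTS looks like, and those are the lines to restore before trusting an update check again.
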
Martoon
2009-04-23, 19:47
Done, and done.

Thank you so much! You've been awesome. :D:

peku006
2009-04-23, 21:08
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.