Delsana

Major Infections & Registry Corruption


Hello, I'm not new to computers or their security, but recently my father, who uses my old gaming computer as a normal computer, has suddenly been infected by a plethora of viruses and malware, as well as other issues.

 

I decided to help him, and while in safe mode for a few days I constantly scanned using the following programs:

 

Spybot Search & Destroy

Adaware - Anniversary

Spyware Terminator

Avast - Free

Spyware Doctor - Free

AVG AntiVirus - Free

SUPERAntiSpyware - Free

Malwarebytes Anti-Malware

Prevx CSI - free

Registry Mechanic - Free

Spyhunter - Free Scan

CCLeaner

CWShredder

Hijack This

ATF Cleaner

Microsoft Malicious Software Removal Tool

 

It turns out he was using an expired Trend Micro Anti Virus unit on that computer, and, despite my Malware Free-Shields, he also managed to become severely infected.

 

I've managed to remove quite a lot of the taint, but I've had no success in fully removing everything, and all the scanners keep reporting several issues despite all my fixes and repairs.

 

Automatic Updates, Security Center, and the Firewall, as well as BITS, were all using "FystemRoot" instead of their normal one. I fixed these today (the issues started on the 29th, as did my long line of fixes), and Automatic Updates finally isn't giving me an Access Denied error; and while the Security Center service is always disabled despite what I do to it, I can manage to start the system, despite it remaining on a disabled prompt.

 

Just as much, MSCONFIG has constantly had EXEs added to it via the malware, and I keep removing them. Now it seems the most recent one, which I imagine I got when I went online to get the Windows Update after fixing it (I haven't been online for 2 days, due to constant sexual and porn website redirections as well as spyware pop-ups), is adimecusura. It was never even on the startup list until this afternoon when I went back online; the EXE and DLL appear to be valid programs, as they have existed since 2007, unlike every other program I've killed that was created on the 29th, so I suspect it is corrupt.

 

----------------

 

I would appreciate any immediate help that I can get, as I need to repair this for my father, and a reinstall is out of the question due to the sensitive documents and information on the computer.

 

I should be able to remain offline after I post this, and use my laptop to respond to updates on this thread / topic, thus preventing any additional virus additions.

 

To start off with, here is a list of things that refuse to go away:

 

Ad-Aware:

 

Win32TrojanSpy - 1

Win32WormLovGate - 2

unknown - 3

 

Spybot:

 

Microsoft.Windows.Explorer

Microsoft.WindowsSecurityCenter.FirewallBypass

Microsoft.WindowsSecurityCenter.RegistryTools

Microsoft.WindowsSecurityCenter_disabled

CDilla - Suspected TurboTax Entity

Virtumonde

Virtumonde.prx

PWS.LDPinchIE

Win32.TDSS.rtk

 

Spyware Doctor:

 

Application.TrackingCookies

- 17 Entries

Adware.Advertising

- 1 Entry

Trojan.Virtumonde

- 8 Entries

Trojan-Downloader.Agent.OGP

- 3 Entries

Backdoor.Agent.CFC

- 1 Entry

 

All other entities are randomly added and taken off.

 

SpyHunter has detected over 295 entries for Zlob.Downloader, and after some research and registry diving, the entire registry zone for Internet Explorer turns out to be full of porn websites, links, and references; I've deleted the registry entries over 22 times and they just reappear 2 seconds later.

 

PrevX CSI:

 

CBS Refresh

Upovezuyocadi.dll

Uxaqokago.dll

Ilozudana.dll.ren

Uaccbf.tmp

NHSER43uhjnefr.dll.ren

Adimecusura.dll

Uxiva

UACEUOYOWRM.dll

 

As for the other scanners, I've had better luck with them, but undoubtedly, due to my activation of the internet today, they will all have found new things.

 

I look forward to and request prompt assistance.

 

Thank you.

 

 

 

- Cere.


Hi

 

In order to help I need to see some logs from the system :)

 

Download and install TrendMicro HijackThis.

* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled Do a system scan only.

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.

* Once the scan is complete, the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.


 

 

*Log Follows*

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:01:47 AM, on 4/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: crawler search - tbr:iemenu

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

 

--

End of file - 6550 bytes

 

*Log Ends*

 

There we go.

 

Ad-Aware keeps finding two W32 worms each time it scans, no matter whether I quarantine or remove them, so I know there's still a lot of problems. I used Windows' free OneCare full online scanner and it removed a lot, but I've no idea how it cleaned.

 

As of this log's posting I have not done any additional modifications to my computer.

 

Oh, and just an issue I know is still going on... Mozilla still has Java working, but all BIT images and Java images or scripts for Internet Explorer, and as such the Windows Update site for XP, are just boxes with red X's.

Edited by Delsana


Hi again,

 

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


 

*DDS Report*

 

 

DDS (Ver_09-03-16.01) - NTFSx86

Run by Owner at 2:44:05.67 on Sun 04/05/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1453 [GMT -4:00]

 

AV: avast! antivirus 4.8.1335 [VPS 090331-0] *On-access scanning enabled* (Updated)

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

FW: *disabled*

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Owner.GAMING\Desktop\dds.com

 

============== Pseudo HJT Report ===============

 

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

IE: crawler search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = scecli c:\windows\system32\mupafeve.dll sntfrant.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\owner~1.gam\applic~1\mozilla\firefox\profiles\wmw3zg03.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=

FF - plugin: c:\program files\download manager\npfpdlm.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

 

============= SERVICES / DRIVERS ===============

 

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-29 64160]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-2 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-14 36368]

R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-2 677128]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

S3 gsplittm;gsplittm;\??\c:\docume~1\owner~1.gam\locals~1\temp\gsplittm.sys --> c:\docume~1\owner~1.gam\locals~1\temp\gsplittm.sys [?]

S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

 

=============== Created Last 30 ================

 

2009-04-02 13:29 <DIR> --d----- c:\documents and settings\owner.gaming\log

2009-04-02 12:05 150,032 a------- c:\windows\system32\drivers\tmcomm.sys

2009-04-02 12:05 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 12:05 50,192 a------- c:\windows\system32\drivers\tmactmon.sys

2009-04-02 12:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro

2009-04-01 13:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-04-01 13:56 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-04-01 13:56 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\SUPERAntiSpyware.com

2009-04-01 13:55 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\Malwarebytes

2009-04-01 13:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-01 13:54 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\GetRightToGo

2009-04-01 13:51 410,984 a------- c:\windows\system32\deploytk.dll

2009-04-01 13:50 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-04-01 12:52 <DIR> --d----- C:\5202a2b29edcd70b2e2781

2009-04-01 12:52 <DIR> --d----- c:\windows\SxsCaPendDel

2009-03-31 13:08 <DIR> --d----- C:\212532f9e33c39c6b32d

2009-03-30 19:55 <DIR> --d----- c:\windows\ERUNT

2009-03-30 17:04 <DIR> --d----- c:\program files\Enigma Software Group

2009-03-30 16:50 1,290 a------- c:\windows\system32\tmp.reg

2009-03-30 15:50 <DIR> --d----- C:\SDFix

2009-03-30 15:11 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\Uniblue

2009-03-30 15:11 <DIR> --d----- c:\program files\Uniblue

2009-03-30 14:40 <DIR> --d----- C:\882d560351a9659d55

2009-03-29 23:55 438 a------- c:\docume~1\owner~1.gam\applic~1\wklnhst.dat

2009-03-29 20:56 15,688 a------- c:\windows\system32\lsdelete.exe

2009-03-29 19:43 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-03-29 19:39 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-29 19:01 <DIR> --d----- c:\program files\Crawler

2009-03-29 19:01 <DIR> --d----- c:\program files\Spyware Terminator

2009-03-29 15:23 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-29 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-03-29 15:10 3,708 a------- c:\windows\wininit.ini

2009-03-19 23:01 <DIR> --d----- c:\program files\CCleaner

2009-03-12 13:39 <DIR> --d----- c:\documents and settings\owner.gaming\Tracing

2009-03-12 13:33 <DIR> --d----- c:\program files\Microsoft

2009-03-12 13:33 <DIR> --d----- c:\program files\Windows Live SkyDrive

2009-03-12 11:42 <DIR> --d----- c:\program files\common files\Windows Live

 

==================== Find3M ====================

 

2009-04-05 02:39 0 a------- c:\windows\system32\drivers\lvuvc.hs

2009-04-04 14:21 0 a------- c:\windows\system32\drivers\logiflt.iad

2009-04-01 03:01 13,312 a------- c:\windows\system32\lsass.exe

2009-03-29 23:55 3,824 ac------ c:\windows\mozver.dat

2009-03-05 22:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys

2009-03-05 22:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys

2009-03-05 22:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys

2009-03-03 19:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys

2009-02-26 14:46 42,320 a------- c:\windows\system32\xfcodec.dll

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

2007-04-21 12:44 349 ac------ c:\program files\INSTALL.LOG

2003-12-18 11:33 20,102 ac------ c:\program files\Readme.txt

2003-09-03 07:46 10,960 ac------ c:\program files\EULA.txt

2008-08-09 22:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080920080810\index.dat

 

============= FINISH: 2:44:28.03 ===============

 

*End DDS Report*

 

*Attach.txt has been "Attached"* <_<.

 

Edit:

 

All but Trend, Ad-aware, Windows Defender, and CC-Cleaner are still on my computer, Avast and all those anti's have been removed.

Attach.rar

Edited by Delsana


Hi again,

 

Please visit this webpage for download links, and instructions for running ComboFix tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New dds log.

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


 

First off, the manual recovery console install is invalid, as when I drag the file onto ComboFix.exe it just runs ComboFix and doesn't even mention the Recovery Console being installed.

 

Secondly, despite Avast not being on my computer, it continually reminds me that it is on and could be dangerous...

 

When I look at the Security Center, it seems to detect Avast in the AntiVirus section as being updated, with its version and whatnot (instead of detecting Trend as the primary... even though Avast is not on my computer).

 

Edit:

 

I reinstalled Avast and used a special Avast-designed uninstall program and it seems to have successfully removed it.

 

However, it still won't detect the recovery console install program when it is dragged over, and so I'll not do the scan until it accepts it.

 

Any ideas or reasons?

Edited by Delsana


Hi

 

Don't drag any recovery console installer to ComboFix. Just run ComboFix and it should ask for permission to install recovery console if needed (this is mentioned in the tutorial behind the link I posted earlier).


 

You said to install the console first, and they stated to do what I did to get it to install.

 

Edit:

 

Okay, I did that and it installed, I guess the instructions at that site are a bit outdated.

 

In any case, here are the log files; I attached them because they seemed large. If that's not okay, I'll post them on your next response.

New_DDS.txt

New_Attach.txt

ComboFix.txt

Edited by Delsana

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

As that part in tutorial tells, you will be prompted by ComboFix for a permission to install recovery console if needed. I'm not sure what's outdated with that. Anyway, glad it installed :)

 

Uninstall these vulnerable Javas:

J2SE Runtime Environment 5.0 Update 2

Java™ 6 Update 3

Java™ 6 Update 5

Java™ 6 Update 7

Also, there seem to be signs of McAfee there. Please download & run the removal tool found here.

 

 

 

Open Notepad and copy/paste the text in the quote box below into it:

 

KILLALL::

File::
c:\windows\system32\sntfrant.dll

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

 

 

Save this as CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

CFScriptB-4.gif

 

Have browser windows closed (this one included) and, referring to the picture above, drag CFScript into ComboFix.exe.

Then post the resultant log.

 

 

Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

 

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

 

 

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.

 

 

Post back its report, a fresh dds log and above mentioned ComboFix resultant log.
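As an added illustration of what the CFScript above asks ComboFix to do (this is example code, not ComboFix's own, and the helper names `split_sections`, `decode_hex7`, `interpret_registry`, `orphaned_dds_entries` and `planned_lsa_packages` are this example's own): the `Registry::` section uses .reg semantics, where `[-KEY]` deletes a key, `"name"=-` deletes a value, and `hex(7):` data is a REG_MULTI_SZ list. The value written to the `lsa` key decodes to the single entry `scecli`, which is the stock LSA notification package; since LSA loads every DLL named in that list into lsass.exe, resetting it is how the script drops anything that was added. The `CFSCRIPT` constant is a trimmed copy of the posted script.

```python
"""Interpret the Registry:: and DDS:: sections of a ComboFix CFScript.

Added example, not ComboFix's own code. CFSCRIPT is a trimmed copy of the
script in the post; the helper functions are this example's own.
"""
import re

# Constructed: a trimmed copy of the CFScript from the post above.
CFSCRIPT = r"""
KILLALL::

File::
c:\windows\system32\sntfrant.dll

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. "Registry::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # "[KEY]" or "[-KEY]"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')        # "name"=data


def split_sections(text):
    """Group the script's non-blank lines under their 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def decode_hex7(hexlist):
    """Decode hex(7) (REG_MULTI_SZ) bytes into the list of strings it holds.

    The posted value is single-byte text (REGEDIT4 style); a UTF-16LE export,
    where every odd byte is zero, is handled too. The list ends with an empty
    string, so empties are dropped.
    """
    data = bytes(int(tok, 16) for tok in hexlist.split(",") if tok.strip())
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def interpret_registry(lines):
    """Turn Registry:: lines into (action, key, ...) tuples using .reg rules."""
    actions, key = [], None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                actions.append(("delete_key", key))
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.group(1), vm.group(2).strip()
            if data == "-":
                actions.append(("delete_value", key, name))
            elif data.lower().startswith("hex(7):"):
                actions.append(("set_value", key, name, "REG_MULTI_SZ",
                                decode_hex7(data[len("hex(7):"):])))
            elif data.startswith('"') and data.endswith('"'):
                actions.append(("set_value", key, name, "REG_SZ", data[1:-1]))
            else:
                actions.append(("set_value", key, name, "RAW", data))
    return actions


def orphaned_dds_entries(lines):
    """DDS:: lines ending in '- No File' are registrations whose DLL is gone."""
    return [l for l in lines if l.endswith("- No File")]


def planned_lsa_packages(actions):
    """Return the Notification Packages list the script installs, or None."""
    for act in actions:
        if (act[0] == "set_value" and act[1].lower().endswith(r"\control\lsa")
                and act[2] == "Notification Packages"):
            return act[4]
    return None


if __name__ == "__main__":
    secs = split_sections(CFSCRIPT)
    for act in interpret_registry(secs["Registry"]):
        print(act)
    print("LSA packages after fix:", planned_lsa_packages(interpret_registry(secs["Registry"])))
    for entry in orphaned_dds_entries(secs["DDS"]):
        print("orphaned:", entry)
```

Running it prints the three registry actions (one key deletion, one value deletion, one REG_MULTI_SZ write) and the three orphaned BHO/TB registrations; the same decoder can be pointed at any `hex(7):` value in a script before it is dragged onto ComboFix, which is a useful habit when a script touches the `lsa` key.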


Alright I'll get to those scans, currently finishing up with the Kaspersky scan.

 

"Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image."

 

^ That was for the manual install and that obviously didn't work for me, that's why I referred to it as outdated.

 

Also, do you have any plans to remove the Zlog registry spam / porn sites and its remnants from my computer?

 

As I mentioned above, there are hundreds of registry entries for it that so far are unresolvable, due to instant replication.

 

As for the Java, I do agree there has been some taint, as though I have the newest one, Internet Explorer and by extension AOL aren't showing any BIT images on websites, and are instead just displaying circles, triangles, and squares in an icon format instead of the picture or image.

 

Edit:

 

Kaspersky would not install, it froze at the update screen, and despite all my antivirus being off like it wanted, it wouldn't download anything...

 

Secondary Edit:

 

Okay the logs are being attached, however I never saw anything different when I overdragged the Script onto ComboFix, so if it worked is not known to me at the moment.

 

BTW, for some reason I can no longer upload... so I'll just post it I guess.

 

--------------

 

*Attach Begins*

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_09-03-16.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 4/20/2007 8:41:39 PM

System Uptime: 4/6/2009 5:18:17 PM (0 hours ago)

 

Motherboard: | | C51MCP51

Processor: AMD Athlon 64 X2 Dual Core Processor 3800+ | Socket 939 | 2004/200mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 228 GiB total, 122.078 GiB free.

D: is FIXED (FAT32) - 4 GiB total, 1.388 GiB free.

E: is CDROM (UDF)

F: is CDROM (CDFS)

G: is Removable

H: is Removable

I: is Removable

J: is Removable

 

==== Disabled Device Manager Items =============

 

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: Logitech Mic (Ultra Vision)

Device ID: USB\VID_046D&PID_08C9&MI_02\6&202DC094&2&0002

Manufacturer: Logitech

Name: Logitech Mic (Ultra Vision)

PNP Device ID: USB\VID_046D&PID_08C9&MI_02\6&202DC094&2&0002

Service: usbaudio

 

==== System Restore Points ===================

 

RP1: 4/2/2009 7:19:17 PM - Software Distribution Service 3.0

RP2: 4/3/2009 1:00:07 AM - Removed Adobe Reader 8.1.2

RP3: 4/3/2009 1:02:03 AM - Installed Adobe Reader 9.1.

RP4: 4/3/2009 1:21:32 AM - Installed Windows Defender

RP5: 4/3/2009 1:23:06 AM - Software Distribution Service 3.0

RP6: 4/3/2009 11:22:07 AM - Configured TBS WMP Plug-in

RP7: 4/3/2009 11:25:29 AM - Removed SUPERAntiSpyware Free Edition

RP8: 4/3/2009 11:26:17 AM - Removed Windows Vista Upgrade Advisor

RP9: 4/3/2009 11:26:38 AM - Removed World of Warcraft FREE Trial

RP10: 4/3/2009 11:37:38 AM - Removed Command & Conquer™ Red Alert™ 3 Demo

RP11: 4/3/2009 2:43:34 PM - Windows Defender Checkpoint

RP12: 4/4/2009 11:40:29 AM - Removed AGEIA PhysX v7.05.05

RP13: 4/4/2009 11:40:56 AM - Removed AGEIA PhysX Processor Driver

RP14: 4/4/2009 11:43:23 AM - Removed Bonjour

RP15: 4/5/2009 2:26:13 PM - System Checkpoint

RP16: 4/6/2009 11:52:24 AM - Software Distribution Service 3.0

RP17: 4/6/2009 2:26:36 PM - ComboFix created restore point

RP18: 4/6/2009 4:37:26 PM - Removed J2SE Runtime Environment 5.0 Update 2

RP19: 4/6/2009 4:39:04 PM - Removed Java 6 Update 3

RP20: 4/6/2009 4:39:47 PM - Removed Java 6 Update 7

RP21: 4/6/2009 4:40:58 PM - Removed Java 6 Update 5

RP22: 4/6/2009 5:15:47 PM - ComboFix created restore point

 

==== Installed Programs ======================

 

 

2007 Microsoft Office Suite Service Pack 1 (SP1)

Acrobat.com

Ad-Aware

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Reader 9.1

Adobe Shockwave Player

AIM 6

AnswerWorks 4.0 Runtime - English

AnswerWorks 5.0 English Runtime

AOL Coach Version 2.0(Build:20041026.5 en)

AOL Uninstaller (Choose which Products to Remove)

AOL You've Got Pictures Screensaver

Apple Mobile Device Support

Apple Software Update

AT&T Yahoo! Activation

Athlon 64 Processor Driver

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

AutoUpdate

Battlefield 2142

BigFix

BufferChm

Cataclysm

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help English

CCleaner (remove only)

Choice Guard

Clan 'Mech Pak

Command & Conquer 3

Command & Conquer Generals

Command & Conquer Renegade

Command and ConquerTM Generals Zero Hour

Counter-Strike: Source

Crawler Toolbar with Web Security Guard

Critical Update for Windows Media Player 11 (KB959772)

Dawn of War - Dark Crusade

Dawn of War - Soulstorm

Dawn Of War - Winter Assault

DawnOfWar

Defense Grid: The Awakening Demo

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

Digital Media Reader

DivX Converter

DivX Player

DivX Web Player

Download Manager 2.3.6

DriverAgent by TouchStone Software

Dual-Core Optimizer

EA Download Manager

Eclipse Terminal Emulator

Enemy Territory - QUAKE Wars Beta 1.1 Patch

eSupportQFolder

FX MOD 1.72

Guild Wars

GWFreaks 3.5.3.0

Half-Life 2

Hamachi 1.0.2.5

HijackThis 2.0.2

Homeworld2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB938759)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

HP Deskjet 5400 series

HP Imaging Device Functions 5.0

HP Product Assistant

HP Solution Center & Imaging Support Tools 5.0

HP Update

HPDeskjet5400Series

HPProductAssistant

Inner Sphere 'Mech Pak

iTunes

Java 6 Update 13

Logitech Audio Echo Cancellation Component

Logitech Desktop Messenger

Logitech Legacy USB Camera Driver Package

Logitech QuickCam

Logitech QuickCam Driver Package

Logitech Updater

Logitech Video Enumerator

MechWarrior 4 Mercenaries

MechWarrior Black Knight

MechWarrior Vengeance

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Digital Image Library 9 - Blocker

Microsoft Digital Image Starter Edition 2006

Microsoft Digital Image Starter Edition 2006 Editor

Microsoft Digital Image Starter Edition 2006 Library

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Money 2005

Microsoft National Language Support Downlevel APIs

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office Home and Student 2007 Trial

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Standard 2007

Microsoft Office Standard 2007 Trial

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Mobile Phone Suite Easy Synchronization

MobileMe Control Panel

Mozilla Firefox (3.0.8)

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 6.0 Parser (KB933579)

MVision

Napster Burn Engine

Nero BurnRights

Nero OEM

Neverwinter Nights 2

Neverwinter Nights Gold Edition

Nexus: The Jupiter Incident

NVIDIA Drivers

NVIDIA ForceWare Network Access Manager

Octoshape add-in for Adobe Flash Player

PowerDVD

Pure Networks Port Magic

QuickTime

RealPlayer Basic

Realtek AC'97 Audio

Recovery Software Suite Gateway

SCI FI Stargate SG-1 Cast Screensaver

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Security Update for 2007 Microsoft Office System (KB958439)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Office Excel 2007 (KB958437)

Security Update for Microsoft Office OneNote 2007 (KB950130)

Security Update for Microsoft Office PowerPoint 2007 (KB951338)

Security Update for Microsoft Office system 2007 (KB954326)

Security Update for Microsoft Office system 2007 (KB956828)

Security Update for Microsoft Office Word 2007 (KB956358)

Security Update for Visio 2007 (KB947590)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Segoe UI

Sins of a Solar Empire Demo

Skins

SoftV92 Data Fax Modem with SmartCP

SolutionCenter

Sonic Encoders

Star Wars JK II Jedi Outcast

Star Wars Knights of the Old Republic

Star Wars® Knights of the Old Republic® II: The Sith Lords

Starcraft

Status

Steam

The Battle for Middle-earth II

TrayApp

Trend Micro AntiVirus

TurboTax 2008

TurboTax 2008 WinPerFedFormset

TurboTax 2008 WinPerProgramHelp

TurboTax 2008 WinPerReleaseEngine

TurboTax 2008 WinPerTaxSupport

TurboTax 2008 WinPerUserEducation

TurboTax 2008 wrapper

TurboTax Deluxe 2007

Update for Microsoft Office Outlook 2007 (KB952142)

Update for Office 2007 (KB946691)

Update for Outlook 2007 Junk Email Filter (kb962871)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB943729)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB953356)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update Rollup 2 for Windows XP Media Center Edition 2005

Virtual Earth 3D (Beta)

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Warcraft III: All Products

WebFldrs XP

WebReg

Westwood Shared Internet Components

Windows Backup Utility

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live OneCare safety scanner

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows Presentation Foundation

Windows Search 4.0

Windows Vista Upgrade Advisor

Windows XP Media Center Edition 2005 KB925766

Windows XP Service Pack 3

WinRAR archiver

World of Warcraft

Xfire (remove only)

XML Paper Specification Shared Components Pack 1.0

Xvid 1.1.2 final uninstall

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Messenger

 

==== Event Viewer Messages From Past Week ========

 

3/30/2009 12:05:17 PM, error: Service Control Manager [7028] - The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

3/30/2009 11:35:12 AM, error: Service Control Manager [7000] - The AVG Free On-access Scanner Minifilter Driver x86 service failed to start due to the following error: The parameter is incorrect.

3/30/2009 11:22:28 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.

3/30/2009 12:44:23 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/30/2009 12:44:02 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}

3/30/2009 12:39:59 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

3/30/2009 1:08:01 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the path specified.

3/30/2009 1:13:51 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ba18a895, parameter3 a8b35c04, parameter4 00000000.

3/30/2009 4:29:58 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ba19a895, parameter3 a7bd0c04, parameter4 00000000.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The Forceware Web Interface service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:36 PM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/30/2009 4:34:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 Tcpip tmtdi

3/30/2009 4:34:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/30/2009 4:36:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/30/2009 4:37:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

3/30/2009 4:49:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

3/30/2009 4:50:21 PM, error: PlugPlayManager [11] - The device Root\LEGACY_AVGLDX8600 disappeared from the system without first being prepared for removal.

3/30/2009 8:00:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

3/31/2009 12:08:58 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

3/31/2009 12:09:02 PM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).

3/31/2009 12:54:21 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

3/31/2009 12:55:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgmfx86

3/31/2009 1:09:25 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

3/31/2009 1:39:25 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

3/31/2009 2:39:25 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

3/31/2009 2:43:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 avgmfx86 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 Tcpip tmtdi

3/31/2009 7:04:32 PM, error: Service Control Manager [7028] - The BITS Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

4/1/2009 1:42:52 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

4/1/2009 1:59:18 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.

4/1/2009 1:59:18 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

4/1/2009 2:14:09 AM, error: DCOM [10000] - Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error: "%5" Happened while starting this command: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

4/1/2009 2:15:44 AM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

4/1/2009 3:08:11 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

 

==== End Of File ===========================

 

*Attach Ends*

 

*DDS Begins*

 

 

DDS (Ver_09-03-16.01) - NTFSx86

Run by Owner at 17:31:05.87 on Mon 04/06/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1558 [GMT -4:00]

 

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Owner.GAMING\Desktop\dds.com

 

============== Pseudo HJT Report ===============

 

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

IE: crawler search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\owner~1.gam\applic~1\mozilla\firefox\profiles\wmw3zg03.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=

FF - plugin: c:\program files\download manager\npfpdlm.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

 

============= SERVICES / DRIVERS ===============

 

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-29 64160]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-14 36368]

S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-2 50192]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-2 677128]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 gsplittm;gsplittm;\??\c:\docume~1\owner~1.gam\locals~1\temp\gsplittm.sys --> c:\docume~1\owner~1.gam\locals~1\temp\gsplittm.sys [?]

S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

 

=============== Created Last 30 ================

 

2009-04-06 14:27 <DIR> a-dshr-- C:\cmdcons

2009-04-06 14:26 161,792 a------- c:\windows\SWREG.exe

2009-04-06 14:26 98,816 a------- c:\windows\sed.exe

2009-04-02 13:29 <DIR> --d----- c:\documents and settings\owner.gaming\log

2009-04-02 12:05 150,032 a------- c:\windows\system32\drivers\tmcomm.sys

2009-04-02 12:05 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 12:05 50,192 a------- c:\windows\system32\drivers\tmactmon.sys

2009-04-02 12:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro

2009-04-01 13:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-04-01 13:56 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-04-01 13:56 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\SUPERAntiSpyware.com

2009-04-01 13:55 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\Malwarebytes

2009-04-01 13:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-01 13:54 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\GetRightToGo

2009-04-01 13:51 410,984 a------- c:\windows\system32\deploytk.dll

2009-04-01 13:50 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-04-01 12:52 <DIR> --d----- C:\5202a2b29edcd70b2e2781

2009-04-01 12:52 <DIR> --d----- c:\windows\SxsCaPendDel

2009-03-31 13:08 <DIR> --d----- C:\212532f9e33c39c6b32d

2009-03-30 19:55 <DIR> --d----- c:\windows\ERUNT

2009-03-30 17:04 <DIR> --d----- c:\program files\Enigma Software Group

2009-03-30 15:50 <DIR> --d----- C:\SDFix

2009-03-30 15:11 <DIR> --d----- c:\docume~1\owner~1.gam\applic~1\Uniblue

2009-03-30 15:11 <DIR> --d----- c:\program files\Uniblue

2009-03-30 14:40 <DIR> --d----- C:\882d560351a9659d55

2009-03-29 23:55 438 a------- c:\docume~1\owner~1.gam\applic~1\wklnhst.dat

2009-03-29 20:56 15,688 a------- c:\windows\system32\lsdelete.exe

2009-03-29 19:43 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-03-29 19:39 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-29 19:01 <DIR> --d----- c:\program files\Crawler

2009-03-29 19:01 <DIR> --d----- c:\program files\Spyware Terminator

2009-03-29 15:23 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-29 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-03-29 15:10 3,708 a------- c:\windows\wininit.ini

2009-03-19 23:01 <DIR> --d----- c:\program files\CCleaner

2009-03-12 13:39 <DIR> --d----- c:\documents and settings\owner.gaming\Tracing

2009-03-12 13:33 <DIR> --d----- c:\program files\Microsoft

2009-03-12 13:33 <DIR> --d----- c:\program files\Windows Live SkyDrive

2009-03-12 11:42 <DIR> --d----- c:\program files\common files\Windows Live

 

==================== Find3M ====================

 

2009-04-06 17:18 0 a------- c:\windows\system32\drivers\lvuvc.hs

2009-04-06 17:18 0 a------- c:\windows\system32\drivers\logiflt.iad

2009-04-01 03:01 13,312 a------- c:\windows\system32\lsass.exe

2009-03-29 23:55 3,824 ac------ c:\windows\mozver.dat

2009-03-05 22:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys

2009-03-05 22:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys

2009-03-05 22:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys

2009-03-03 19:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys

2009-02-26 14:46 42,320 a------- c:\windows\system32\xfcodec.dll

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

2003-12-18 11:33 20,102 ac------ c:\program files\Readme.txt

2003-09-03 07:46 10,960 ac------ c:\program files\EULA.txt

2008-08-09 22:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080920080810\index.dat

 

============= FINISH: 17:31:14.70 ===============

 

*DDS Ends*

 

*ComboFix Begins*

 

ComboFix 09-04-04.01 - Owner 2009-04-06 17:16:05.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1550 [GMT -4:00]

Running from: c:\documents and settings\Owner.GAMING\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner.GAMING\Desktop\CFScript.txt

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

 

FILE ::

c:\windows\system32\sntfrant.dll

.

 

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

 

2009-04-03 23:03 . 2009-04-03 23:28 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-04-03 01:21 . 2009-04-03 01:21 <DIR> d-------- c:\program files\Windows Defender

2009-04-03 01:03 . 2009-04-03 01:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-04-03 01:02 . 2009-04-03 01:02 <DIR> d-------- c:\program files\Common Files\Adobe

2009-04-03 00:56 . 2009-04-03 11:10 <DIR> d-------- c:\program files\NOS

2009-04-03 00:56 . 2009-04-03 11:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-04-02 13:29 . 2009-04-02 13:29 <DIR> d-------- c:\documents and settings\Owner.GAMING\log

2009-04-02 12:05 . 2009-03-03 04:34 150,032 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-04-02 12:05 . 2009-03-03 04:34 50,192 --a------ c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 12:05 . 2009-03-03 04:34 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys

2009-04-02 12:03 . 2009-04-02 12:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro

2009-04-01 13:56 . 2009-04-03 11:25 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-04-01 13:56 . 2009-04-05 16:54 <DIR> d-------- c:\program files\Alwil Software

2009-04-01 13:56 . 2009-04-03 11:25 <DIR> d-------- c:\documents and settings\Owner.GAMING\Application Data\SUPERAntiSpyware.com

2009-04-01 13:56 . 2009-04-01 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-01 13:55 . 2009-04-01 13:55 <DIR> d-------- c:\documents and settings\Owner.GAMING\Application Data\Malwarebytes

2009-04-01 13:55 . 2009-04-01 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-01 13:54 . 2009-04-01 14:27 <DIR> d-------- c:\documents and settings\Owner.GAMING\Application Data\GetRightToGo

2009-04-01 13:51 . 2009-04-01 13:51 410,984 --a------ c:\windows\system32\deploytk.dll

2009-04-01 13:50 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-04-01 12:52 . 2009-04-01 13:43 <DIR> d-------- c:\windows\SxsCaPendDel

2009-04-01 12:52 . 2009-04-01 12:52 <DIR> d-------- C:\5202a2b29edcd70b2e2781

2009-03-31 13:08 . 2009-03-31 13:08 <DIR> d-------- C:\212532f9e33c39c6b32d

2009-03-30 19:55 . 2009-03-30 19:55 <DIR> d-------- c:\windows\ERUNT

2009-03-30 17:04 . 2009-04-02 12:14 <DIR> d-------- c:\program files\Enigma Software Group

2009-03-30 15:50 . 2009-03-30 19:55 <DIR> d-------- C:\SDFix

2009-03-30 15:11 . 2009-03-30 15:11 <DIR> d-------- c:\program files\Uniblue

2009-03-30 15:11 . 2009-03-30 15:11 <DIR> d-------- c:\documents and settings\Owner.GAMING\Application Data\Uniblue

2009-03-30 14:40 . 2009-03-30 14:40 <DIR> d-------- C:\882d560351a9659d55

2009-03-29 23:55 . 2009-03-29 23:55 <DIR> d-------- c:\documents and settings\Owner.GAMING\Application Data\Template

2009-03-29 23:55 . 2009-03-30 00:10 438 --a------ c:\documents and settings\Owner.GAMING\Application Data\wklnhst.dat

2009-03-29 20:56 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-29 19:43 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-29 19:40 . 2009-03-29 19:40 <DIR> d-------- c:\documents and settings\Donald Lake\Application Data\Viewpoint

2009-03-29 19:39 . 2009-03-29 19:39 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-29 19:01 . 2009-04-02 12:12 <DIR> d-------- c:\program files\Spyware Terminator

2009-03-29 19:01 . 2009-03-29 19:01 <DIR> d-------- c:\program files\Crawler

2009-03-29 19:01 . 2009-03-29 19:05 <DIR> d-------- c:\documents and settings\Donald Lake\Application Data\Spyware Terminator

2009-03-29 15:23 . 2009-04-02 11:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-29 15:23 . 2009-04-02 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-29 15:10 . 2009-04-01 10:44 3,708 --a------ c:\windows\wininit.ini

2009-03-19 23:01 . 2009-03-19 23:01 <DIR> d-------- c:\program files\CCleaner

2009-03-12 13:39 . 2009-03-29 12:29 <DIR> d-------- c:\documents and settings\Owner.GAMING\Tracing

2009-03-12 13:33 . 2009-03-12 13:33 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-12 13:33 . 2009-03-12 13:33 <DIR> d-------- c:\program files\Microsoft

2009-03-12 11:42 . 2009-03-12 11:42 <DIR> d-------- c:\program files\Common Files\Windows Live

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 21:18 0 ----a-w c:\windows\system32\drivers\lvuvc.hs

2009-04-06 21:18 0 ----a-w c:\windows\system32\drivers\logiflt.iad

2009-04-06 20:41 --------- d-----w c:\program files\Java

2009-04-03 15:44 --------- d-----w c:\program files\Steam

2009-04-03 15:26 --------- d-----w c:\program files\Yahoo!

2009-04-03 15:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Corporation

2009-04-03 15:23 --------- d--h--w c:\program files\InstallShield Installation Information

2009-04-02 20:57 --------- d-----w c:\program files\Hitman Pro

2009-04-02 17:38 --------- d-----w c:\program files\Google

2009-04-02 17:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-02 16:05 --------- d-----w c:\program files\Trend Micro

2009-03-29 23:38 --------- d-----w c:\program files\Lavasoft

2009-03-29 22:33 --------- d-----w c:\program files\Viewpoint

2009-03-29 22:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-03-29 20:33 --------- d-----w c:\documents and settings\Owner.GAMING\Application Data\Hamachi

2009-03-29 19:46 --------- d-----w c:\documents and settings\Owner.GAMING\Application Data\Lavasoft

2009-03-29 02:52 --------- d-----w c:\program files\Download Manager

2009-03-29 02:51 --------- d-----w c:\documents and settings\Owner.GAMING\Application Data\IGN_DLM

2009-03-13 15:42 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-03-12 20:28 --------- d-----w c:\documents and settings\Owner.GAMING\Application Data\Xfire

2009-03-12 17:32 --------- d-----w c:\program files\Windows Live

2009-03-12 04:51 --------- d-----w c:\program files\Atari

2009-03-11 03:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-03-09 03:05 --------- d-s---w c:\program files\Xfire

2009-03-06 02:17 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys

2009-03-06 02:17 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys

2009-03-06 02:17 1,195,512 ----a-w c:\windows\system32\drivers\vsapint.sys

2009-03-03 23:12 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys

2009-02-27 12:09 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-18 22:41 --------- d-----w c:\program files\Warcraft III

2009-02-09 00:28 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-02-09 00:26 --------- d-----w c:\program files\Common Files\Intuit

2009-02-09 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-09 00:23 --------- d-----w c:\program files\TurboTax

2008-08-22 03:52 0 ----a-w c:\documents and settings\Donald Lake\Application Data\wklnhst.dat

2003-12-18 15:33 20,102 -c--a-w c:\program files\Readme.txt

2003-09-03 11:46 10,960 -c--a-w c:\program files\EULA.txt

2008-08-10 02:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080920080810\index.dat

.

 

((((((((((((((((((((((((((((( SnapShot@2009-04-06_14.38.17.48 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-04-06 18:31:48 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-06 21:19:07 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-04-06 18:31:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-06 21:19:07 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-04-06 18:31:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 21:19:07 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 21:19:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_14c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.GAMING^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Owner.GAMING\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Synchronization]

--a------ 2005-10-05 12:00 53248 c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-08-06 00:56 64512 c:\windows\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2008-06-24 14:34 41824 c:\program files\Common Files\AOL\1177114677\EE\aolsoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]

--a------ 2008-08-14 17:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]

--a------ 2008-04-13 20:12 169984 c:\windows\pchealth\helpctr\binaries\msconfig.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

--a------ 2004-04-05 17:33 99480 c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

--a------ 2005-08-27 08:09 139264 c:\program files\Digital Media Reader\readericon45G.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a------ 2002-09-14 02:42 212992 c:\windows\SMINST\Recguard.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

--a------ 2005-03-09 11:49 966656 c:\windows\creator\remind_xp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-02 23:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

--a------ 2008-08-29 18:11 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-04-01 13:51 148888 c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-06-07 14:08 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-09-26 18:07 90112 c:\windows\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"xmlprov"=3 (0x3)

"WZCSVC"=3 (0x3)

"WmdmPmSN"=3 (0x3)

"WebClient"=2 (0x2)

"VSS"=3 (0x3)

"TermService"=3 (0x3)

"TapiSrv"=2 (0x2)

"seclogon"=3 (0x3)

"PrismXL"=2 (0x2)

"PnkBstrA"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"nSvcLog"=2 (0x2)

"LVSrvLauncher"=2 (0x2)

"LVCOMSer"=2 (0x2)

"Logitech Easy Synchronization"=2 (0x2)

"iPod Service"=3 (0x3)

"IntuitUpdateService"=2 (0x2)

"idsvc"=3 (0x3)

"ForcewareWebInterface"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1177114677\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\1177114677\\EE\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Westwood\\Renegade\\Game.exe"=

"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\NeverwinterNights\\NWN\\nwmain.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=

"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=

"c:\\Program Files\\Nexus - The Jupiter Incident\\nexus_DX9.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire Demo\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:6112

"6112:UDP"= 6112:UDP:Warcraft

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"6667:UDP"= 6667:UDP:6667

"6500:UDP"= 6500:UDP:6500

"27900:UDP"= 27900:UDP:27900

"27901:UDP"= 27901:UDP:27901

"29910:UDP"= 29910:UDP:29910

"28910:TCP"= 28910:TCP:28910

"29900:TCP"= 29900:TCP:29900

"29901:TCP"= 29901:TCP:29901

"29920:TCP"= 29920:TCP:29920

"6881:TCP"= 6881:TCP:6881

"6882:TCP"= 6882:TCP:6882

"6883:TCP"= 6883:TCP:6883

"6884:TCP"= 6884:TCP:6884

"6999:TCP"= 6999:TCP:6999

"6998:TCP"= 6998:TCP:6998

"6997:TCP"= 6997:TCP:6997

"6996:TCP"= 6996:TCP:6996

"5730:TCP"= 5730:TCP:5730

"5730:UDP"= 5730:UDP:57301

"5223:TCP"= 5223:TCP:5223

"3658:UDP"= 3658:UDP:3658

"3478:UDP"= 3478:UDP:3478

"3479:UDP"= 3479:UDP:3479

 

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-29 64160]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-14 36368]

S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-02 677128]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

S3 gsplittm;gsplittm;\??\c:\docume~1\OWNER~1.GAM\LOCALS~1\Temp\gsplittm.sys --> c:\docume~1\OWNER~1.GAM\LOCALS~1\Temp\gsplittm.sys [?]

S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\autorun.exe

\Shell\install\command - F:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

.

.

------- Supplementary Scan -------

.

IE: crawler search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\Owner.GAMING\Application Data\Mozilla\Firefox\Profiles\wmw3zg03.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 17:26:46

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-4033319181-1818345494-3884610679-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c2,e3,2a,6a,b6,5c,b3,c8,a3,58,79,10,6c,5e,13,23,b8,c2,e5,1b,ca,20,e7,

bf,21,ec,20,ed,5b,bb,94,24,ea,e0,d2,27,52,12,f7,0d,f6,01,dd,3d,60,9f,66,b1,\

"??"=hex:7f,d0,64,84,3a,c5,53,8a,ec,a6,0c,8e,99,b6,d2,91

 

[HKEY_USERS\S-1-5-21-4033319181-1818345494-3884610679-1006\Software\SecuROM\License information*]

"datasecu"=hex:ea,1f,2d,95,79,bd,7d,db,57,36,cd,08,fd,d2,93,21,0e,ae,89,dd,d7,

9e,a8,99,e0,e5,42,80,e2,6c,75,77,47,aa,b1,67,50,9d,25,44,24,fc,a5,4a,b5,bd,\

"rkeysecu"=hex:4e,2a,d9,f6,53,90,8f,62,a5,15,ca,90,c0,1b,f8,85

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(820)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2009-04-06 17:29:29 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-06 21:29:27

 

Pre-Run: 130,992,369,664 bytes free

Post-Run: 131,059,322,880 bytes free

 

366 --- E O F --- 2009-04-06 15:52:31

 

*ComboFix Ends*

Edited by Delsana

Also, do you have any plans to remove the Zlog registry spam / porn sites and their remnants from my computer?

 

Hi

 

I wouldn't put too much trust in Spyhunter's findings, in case you mean those. Especially if none of the other scanners see them.

 

 

As for the Java, I do agree there has been some taint, as although I have the newest one, Internet Explorer and by extension AOL aren't showing any BIT images on websites, and are instead just displaying circles, triangles, and squares in an icon format instead of the picture or image.

Please see this article on the issue.

 

Please defrag your hard drive(s) and try the Kaspersky online scanner again. If that still doesn't work, try the following:

 

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Copy and paste that log as a reply to this topic.

Hi

 

I wouldn't put too much trust in Spyhunter's findings, in case you mean those. Especially if none of the other scanners see them.

Please see this article on the issue.

 

Please defrag your hard drive(s) and try the Kaspersky online scanner again. If that still doesn't work, try the following:

 

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Copy and paste that log as a reply to this topic.

 

I defragged earlier this week, so that shouldn't be a problem... turns out "show pictures" was unchecked... I wonder if one of the viruses or spyware did that for pure annoyance factor, mmm.

 

The Zlog entities are actually in the registry, seeing as how I did state that I've removed them many times but they just come back due to instant-replication.

 

I'll post links to where the entries I've found in the registry are actually located, however all I really need to do is search for any entry marked antivirus or porn and hundreds of entries come up in the editor.

 

In pretty much every link, in the Internet settings, specifically the "ZoneMap" and "Domain" folders, about 2 thousand entries regarding fake anti-virus sites and porn sites exist.

 

*Corrupted Entry Segment*

 

Windows Registry Editor Version 5.00

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

@=""

"ProxyByPass"=dword:00000001

"IntranetName"=dword:00000001

"UNCAsIntranet"=dword:00000001

"AutoDetect"=dword:00000001

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\7guard.com]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\7guard.com\install]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\7guard.com\the]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\7guard.com\www]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\zyban-zocor-##nospam.com]

"*"=dword:00000004

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

@=""

"http"=dword:00000003

"https"=dword:00000003

"ftp"=dword:00000003

"file"=dword:00000003

"@ivt"=dword:00000001

"shell"=dword:00000000

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

 

*Corrupt Entry Segment Ends*

 

There's the beginning and ending of one of the registry entries for the ZoneMap Domain section, and the same entries are in at least 3 other ZoneMap sections in other HKEY locations.

 

So far, I've no idea what they are meant to do, nor why they can't be deleted.

 

Edit:

 

Okay, I got Kaspersky scanner to finally work, and I'm nearly done with both of them, I'll post the logs when I'm done.

Edited by Delsana

Hi

 

Those have been inserted there by an antispyware program. They work as a blocklist there. One of the reasons why I wouldn't trust Spyhunter too much ^_^

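The ZoneMap blocklist mechanism described above can be checked from a .reg export rather than by scrolling through thousands of keys. The script below is an added example, not code from this thread or from any of the tools named in it; the export text and the domain names it parses are constructed for illustration. It reconstructs host names from the Domains/EscDomains subkeys and separates the harmless restricted-zone (blocklist) entries from the ones a defender actually needs to look at: hosts promoted into the Local Intranet or Trusted Sites zones.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the export quoted in the thread.
# Subkeys are listed parent-first: "example.test\www" means www.example.test.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\rogue-av.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\rogue-av.test\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bank.test]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\evil.test\www]
"http"=dword:00000001
"""

# Standard Internet Explorer URL security zone numbers.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap(reg_text):
    """Return (host, scheme, zone) tuples from ZoneMap Domains/EscDomains keys."""
    results, current_host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_host = None
            parts = key.group(1).split("\\")
            for i, part in enumerate(parts):
                # Only keys under ZoneMap\Domains or ZoneMap\EscDomains carry hosts.
                if (i > 0 and parts[i - 1].lower() == "zonemap"
                        and part.lower() in ("domains", "escdomains")
                        and i + 1 < len(parts)):
                    current_host = ".".join(reversed(parts[i + 1:]))
                    break
            continue
        val = VALUE_RE.match(line)
        if val and current_host:  # value name is the scheme, "*" = all schemes
            results.append((current_host, val.group(1), int(val.group(2), 16)))
    return results

def elevated_entries(entries):
    """Hosts given MORE trust than plain Internet: the entries worth investigating."""
    return [e for e in entries if e[2] in (0, 1, 2)]

def zone_summary(entries):
    """Count of entries per zone name, e.g. to spot a huge Restricted blocklist."""
    return Counter(ZONE_NAMES.get(z, "zone %d" % z) for _, _, z in entries)
```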
Hi

 

Those have been inserted there by an antispyware program. They work as a blocklist there. One of the reasons why I wouldn't trust Spyhunter too much ^_^

 

I deleted Spyhunter though.

 

Plus, regardless of what it is meant for, I really don't think the word "porn" should ever be seen in the registry <_<.

Edited by Delsana


Some domain with the word porn included? I don't think it's the protection software's fault if some bad address has it like that. Would it be better to leave the address unblocked so that a not-so-careful user falls into the trap? Anyway, I'm here to help with malware removal and not to debate about things. There are different places for doing that ^_^


K, almost done with the Kaspersky scan. The other online one you gave me found nothing; I'll upload the log in a minute.

 

Edit:

 

Okay, uploaded. The other scan did not provide a log, only Kaspersky did.

KAS_Log.txt

Edited by Delsana


Hi again,

 

Looks like Kaspersky didn't detect anything malicious. Please post a fresh dds log and let me know how the system is running now :(

Hi again,

 

Looks like Kaspersky didn't detect anything malicious. Please post a fresh dds log and let me know how the system is running now :unsure:

 

Good Morning,

 

Here are the logs.

 

Edit:

 

The following three entities are in the Trend quarantine and can't be cleaned or repaired... is it safe to delete these, or should I just keep them there for all eternity?

 

acslaeu.exe - no virus found - AOL Backup

dopatofo.dll.ren - virus found - System 32

A0000011.dll - virus found - System Volume Information

Newest_DDS.txt

Newest_Attach.txt

Edited by Delsana


Hi

 

Yes, you may delete those three TrendMicro findings.

 

Logs look pretty good. How is the system running now?


In truth, just a few days after posting this the computer was pretty much fixed; however, I still wanted to remove the remnants of the infections.

 

After doing over 15 different scans and removals, some edits of the registry, and a few other things, I finally managed to get the computer back to its normal speed. Despite sudden crashes, the inability to log on because of screen freezes, the temporary inability to get security programs or shields to run, and the additional viruses that were added, I was able to repair all those issues and get it working again. Now, with the help you've provided, I'm confident that the system is as clean as I can make it.

 

The computer seems to be running fine.

 

I appreciate the help.


Since this issue appears to be resolved, this topic has been closed. Glad we could help. ;)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you!
