
HiJackThis Program will not Open after I downloaded to desk top


  • This topic is locked
26 replies to this topic

#1 Malron

Malron

    New Member

  • Members
  • 31 posts

Posted 15 April 2009 - 11:59 PM

I posted to the Malwarebytes General Forum and they directed me here after I downloaded the HijackThis file. I was not able to open the HijackThis program. I also cannot install Malwarebytes after it was downloaded. Here is the link to the original post: http://www.malwareby...showtopic=14169

I also cannot run Spybot Search & Destroy; it's already installed. 2 days ago I was at Geocities using their templates to put up a free website. I either clicked on something or other. I don't know how it happened, but somehow I got this screen that popped up called "Spyware Protect 2009". It said it detected a Trojan and I needed to run this program scan to delete it. I also had an icon on the task bar that would pop up small windows saying my computer was detecting a virus, with an option asking either Get Protection or stay unprotected. I would close the windows constantly. Also, every time I tried to open a window in IE7, I would get this fake IE screen saying "Internet Explorer cannot display this webpage: Powerful PC Protection Needed". It even had a fake Microsoft address ("browser-security.microsoft.com/blocked.php?=33.1"). Anyway, I found a process in the start tab of msconfig, "sysguard.exe", stopped the process from running on next start up, and found the file in C:\Windows\ but I could not delete it. Finally, after getting some info off the Internet from Symantec about Spyware Protect 2009 from a friend's computer, I was able to drag it to the Desktop, rename it xouce.doc and delete it. I also had to go to the registry and delete a sub key "HKEY_CURRENT_USER\Software\Av Scan". I deleted Av Scan.
There was another key that they said I should have deleted, but I could not find it. It also said I should run CCleaner's registry scan and delete the entries, which I did.

Besides not opening Spybot or Malwarebytes: when you do a search on Google and click on an item in the results, it directs you to different advertisement pages, sometimes dealing with the subject of your search but not the site you wanted. Also the URL does not show up in the bottom status bar, but other links do, like the links for cached pages, which will show up in the status bar.

I also tried to go to Windows Update a little while ago, and after it does its checking it says it can't complete the connection.
My computer is running XP SP2, 2.6GHz Pentium 4, 768 MB RAM, Dell Dimension 2400, Nvidia 6200 PCI video card, 250GB hard drive.
Any help is appreciated. I have included a .txt file from Process Explorer of the processes currently running. I had done a search on the forum here and this was one of the suggestions to include. I have also downloaded RootRepeal.zip, but have not installed it; this was also suggested.
Thanks for any help.

Malron

Attached Files



#2 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 18 April 2009 - 04:46 PM

Hello,

I'll attempt to help you, providing you manage to get some reports to run.
I've read your other posts briefly. Please keep all your responses here.

You have already renamed the mbam-setup exe, and I recall you still cannot run MBAM.

Please do this. Locate and rename hijackthis.exe to a new unique name, like Alpha.exe.
Then run it and do a Scan and Save. Then post a copy of that log in a reply here.

In a similar vein, you might well need to Rename any other tools I ask you to get.

Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Rename the dds.scr to Baker.scr
Disable any script blocker if your antivirus/antimalware has it.
Then double click Baker.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt


If you are not able to get downloads using this PC, use another (clean) PC, download and burn to CD or DVD, then copy to the Desktop of the infected PC.

If you already have RootRepeal, then skip the download step:
Go here and download RootRepeal to your Desktop.
Double-click to extract the compressed file to its own folder, then right-click on RootRepeal.exe and choose "Run as Administrator".
Click on the Report tab and then click on Scan.
A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.

#3 Malron

Malron

    New Member

  • Members
  • 31 posts

Posted 18 April 2009 - 09:14 PM

Thanks for the help; I about gave up. You guys must be busy.
Well, just to update you, I have a new problem. Late Thursday night I shut down the computer and went to bed. Next morning I restarted my computer and it kept getting BSOD errors, right away after getting on the desktop, maybe 20 seconds later. After starting in safe mode I discovered that I only get the error when I click on IE and my modem kicks in. I have dial-up. Here is the BSOD error.
Driver_IRQL_Not_Less_Or_Equal

STOP *** 0x000000D1(0xE2BE3000, 0x00000002, 0x80000000, 0xF7796CF6)am


I was able to get HijackThis to run by changing the name to Alpha.exe. I am enclosing a copy below. I will send the other 2 files in another post.

Thanks for the help

Malron

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:39 PM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.53 browser-security.microsoft.com
O1 - Hosts: 94.232.248.53 spy-wareprotector2009.com
O1 - Hosts: 94.232.248.53 www.spy-wareprotector2009.com
O1 - Hosts: 94.232.248.53 secure.spy-wareprotector2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.cnet.com
O15 - Trusted Zone: http://accessories.us.dell.com
O15 - Trusted Zone: http://support.dell.com
O15 - Trusted Zone: http://www.dell.com
O15 - Trusted Zone: http://www.dellcommunity.com
O15 - Trusted Zone: http://music.download.com
O15 - Trusted Zone: http://*.earthlink.net
O15 - Trusted Zone: http://maps.live.com
O15 - Trusted Zone: http://www.wunderground.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 10819 bytes

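An added example, not part of this thread and not a HijackThis feature: a small Python triage script that applies two defender checks to the O1 and O2 lines of the log above, flagging hosts-file entries that map a name to a non-loopback address and BHO registrations that are orphaned, generically named or sitting directly in system32. The sample input is constructed from the lines posted above; the heuristics and function names are mine.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature).

Two checks on the kinds of lines posted above:
  * O1 - hosts-file entries: a name mapped to anything other than a loopback
         address overrides DNS for that name; that is consistent with the fake
         browser-security.microsoft.com page described in the first post.
  * O2 - Browser Helper Objects: an orphaned registration, a blank or generic
         name, or a DLL dropped directly under system32 is worth a closer look.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, taken from the O1/O2 lines of the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.53 browser-security.microsoft.com
O1 - Hosts: 94.232.248.53 spy-wareprotector2009.com
O1 - Hosts: 94.232.248.53 www.spy-wareprotector2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
SYSTEM32_DLL_RE = re.compile(r"\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)
GENERIC_NAMES = {"", "(no name)", "bho"}  # heuristic list, chosen for this example


def hosts_redirects(log):
    """Return {address: [hostnames]} for every O1 entry that is not a loopback
    mapping. Grouping by address makes one redirect host standing in for
    several names (as in this log) stand out."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue  # 127.0.0.1 / ::1 -> localhost is the normal content
        except ValueError:
            pass  # not a parsable address at all: report it as well
        by_ip[ip].append(host)
    return dict(by_ip)


def suspicious_bhos(log):
    """Return findings for O2 entries matching one of the heuristics in the
    module docstring. Each finding carries the reasons it was flagged."""
    findings = []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if not m:
            continue
        name, clsid, path = (s.strip() for s in m.groups())
        reasons = []
        if path.lower() == "(no file)":
            reasons.append("orphaned registration (no file)")
        if name.lower() in GENERIC_NAMES:
            reasons.append("blank or generic name")
        if SYSTEM32_DLL_RE.search(path):
            reasons.append("DLL directly under system32")
        if reasons:
            findings.append({"clsid": clsid, "name": name, "path": path, "reasons": reasons})
    return findings


def triage(log):
    """Combine both checks into one report dict."""
    return {"hosts_redirects": hosts_redirects(log), "bhos": suspicious_bhos(log)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["hosts_redirects"].items():
        print(f"hosts-file redirect: {ip} <- {', '.join(names)}")
    for f in report["bhos"]:
        print(f"BHO {f['clsid']} ({f['name']!r}) {f['path']}: {'; '.join(f['reasons'])}")
```

Legitimate BHOs can live in system32 too, so the third heuristic marks entries to look up, not to delete.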

#4 Malron

Malron

    New Member

  • Members
  • 31 posts

Posted 18 April 2009 - 09:29 PM

Thanks again Maurice. I had to get my laptop out; that's what I have been replying with. Got it hooked up to my network. Here are the other 2 files. I have not run the RootRepeal program yet, but I'll get it done soon.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 19:05:01.12 on Thu 04/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.283 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.earthlink.net/channel/START
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Trusted Zone: cnet.com
Trusted Zone: dell.com\accessories.us
Trusted Zone: dell.com\support
Trusted Zone: dell.com\www
Trusted Zone: dellcommunity.com\www
Trusted Zone: download.com\music
Trusted Zone: earthlink.net
Trusted Zone: live.com\maps
Trusted Zone: microsoft.com\update
Trusted Zone: wunderground.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2008-3-23 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\savrtpel.sys [2008-3-23 37000]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070613.022\NAVENG.Sys [2007-6-13 77688]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070613.022\NavEx15.Sys [2007-6-13 852824]

=============== Created Last 30 ================

2009-04-16 12:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 12:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 12:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-15 12:09 <DIR> --d----- c:\program files\Process Explorer
2009-04-13 14:54 10,240 a------- c:\windows\system32\iehelper.dll
2009-03-25 12:08 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-03-25 11:47 <DIR> --d----- c:\docume~1\owner\applic~1\AdobeAUM

==================== Find3M ====================

2009-04-13 13:29 4,402 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 21:03 59,192 a---h--- c:\windows\system32\mlfcache.dat
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2007-05-12 22:04 79,344 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 19:06:12.77 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/13/2007 9:18:28 PM
System Uptime: 4/15/2009 8:34:28 PM (23 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2658/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 215.162 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Manufacturer: Intel Corporation
Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Service: ialm

==== System Restore Points ===================

RP668: 1/16/2009 7:09:43 PM - System Checkpoint
RP669: 1/17/2009 7:54:14 PM - System Checkpoint
RP670: 1/18/2009 8:54:14 PM - System Checkpoint
RP671: 1/19/2009 9:54:14 PM - System Checkpoint
RP672: 1/20/2009 10:54:14 PM - System Checkpoint
RP673: 1/22/2009 1:56:42 AM - System Checkpoint
RP674: 1/23/2009 2:50:25 AM - System Checkpoint
RP675: 1/24/2009 3:23:47 AM - System Checkpoint
RP676: 1/25/2009 4:04:02 AM - System Checkpoint
RP677: 1/26/2009 4:23:51 AM - System Checkpoint
RP678: 1/27/2009 4:35:48 AM - System Checkpoint
RP679: 1/27/2009 7:11:00 PM - Spybot-S&D Spyware removal
RP680: 1/29/2009 1:48:21 AM - System Checkpoint
RP681: 1/30/2009 1:52:09 AM - System Checkpoint
RP682: 1/31/2009 2:00:38 AM - System Checkpoint
RP683: 2/1/2009 3:00:38 AM - System Checkpoint
RP684: 2/2/2009 3:32:46 AM - System Checkpoint
RP685: 2/3/2009 4:32:49 AM - System Checkpoint
RP686: 2/4/2009 12:03:25 AM - Software Distribution Service 3.0
RP687: 2/5/2009 1:15:17 AM - System Checkpoint
RP688: 2/6/2009 2:01:11 AM - System Checkpoint
RP689: 2/7/2009 3:17:37 AM - System Checkpoint
RP690: 2/8/2009 4:26:33 AM - System Checkpoint
RP691: 2/9/2009 4:33:38 AM - System Checkpoint
RP692: 2/10/2009 5:32:34 AM - System Checkpoint
RP693: 2/11/2009 5:38:20 AM - System Checkpoint
RP694: 2/12/2009 6:38:24 AM - System Checkpoint
RP695: 2/13/2009 6:52:56 AM - System Checkpoint
RP696: 2/14/2009 7:38:27 AM - System Checkpoint
RP697: 2/15/2009 8:38:24 AM - System Checkpoint
RP698: 2/16/2009 9:38:24 AM - System Checkpoint
RP699: 2/17/2009 9:50:25 AM - System Checkpoint
RP700: 2/18/2009 11:02:28 AM - System Checkpoint
RP701: 2/19/2009 11:38:28 AM - System Checkpoint
RP702: 2/20/2009 3:23:26 PM - System Checkpoint
RP703: 2/21/2009 3:38:05 PM - System Checkpoint
RP704: 2/22/2009 3:43:29 PM - System Checkpoint
RP705: 2/23/2009 3:48:37 PM - System Checkpoint
RP706: 2/24/2009 4:42:03 PM - System Checkpoint
RP707: 2/25/2009 2:05:44 PM - Spybot-S&D Spyware removal
RP708: 2/26/2009 2:42:07 PM - System Checkpoint
RP709: 2/27/2009 4:37:42 PM - System Checkpoint
RP710: 2/28/2009 3:52:40 PM - Spybot-S&D Spyware removal
RP711: 3/1/2009 4:47:12 PM - System Checkpoint
RP712: 3/2/2009 1:29:35 PM - Spybot-S&D Spyware removal
RP713: 3/3/2009 2:13:35 PM - System Checkpoint
RP714: 3/4/2009 2:54:30 PM - System Checkpoint
RP715: 3/5/2009 3:54:34 PM - System Checkpoint
RP716: 3/6/2009 4:18:36 PM - System Checkpoint
RP717: 3/7/2009 5:39:59 PM - System Checkpoint
RP718: 3/8/2009 11:45:39 AM - Spybot-S&D Spyware removal
RP719: 3/9/2009 1:23:38 PM - System Checkpoint
RP720: 3/9/2009 5:32:35 PM - Spybot-S&D Spyware removal
RP721: 3/10/2009 7:11:47 PM - System Checkpoint
RP722: 3/11/2009 8:11:15 PM - System Checkpoint
RP723: 3/12/2009 9:27:04 PM - System Checkpoint
RP724: 3/13/2009 9:29:22 PM - System Checkpoint
RP725: 3/15/2009 12:28:19 AM - System Checkpoint
RP726: 3/16/2009 12:29:18 AM - System Checkpoint
RP727: 3/17/2009 4:06:45 AM - System Checkpoint
RP728: 3/18/2009 4:29:21 AM - System Checkpoint
RP729: 3/19/2009 5:29:27 AM - System Checkpoint
RP730: 3/20/2009 6:29:27 AM - System Checkpoint
RP731: 3/21/2009 6:55:09 AM - System Checkpoint
RP732: 3/22/2009 7:04:02 AM - System Checkpoint
RP733: 3/23/2009 7:38:33 AM - System Checkpoint
RP734: 3/24/2009 12:26:11 PM - System Checkpoint
RP735: 3/25/2009 3:01:38 PM - System Checkpoint
RP736: 3/26/2009 4:29:36 PM - System Checkpoint
RP737: 3/27/2009 4:52:09 PM - System Checkpoint
RP738: 3/27/2009 10:04:29 PM - Spybot-S&D Spyware removal
RP739: 3/27/2009 11:39:03 PM - Software Distribution Service 3.0
RP740: 3/28/2009 1:38:14 AM - Spybot-S&D Spyware removal
RP741: 3/28/2009 10:11:24 AM - Software Distribution Service 3.0
RP742: 3/29/2009 11:11:38 AM - System Checkpoint
RP743: 3/30/2009 12:12:14 PM - System Checkpoint
RP744: 3/31/2009 1:40:06 AM - Software Distribution Service 3.0
RP745: 4/1/2009 2:05:44 AM - System Checkpoint
RP746: 4/2/2009 3:05:45 AM - System Checkpoint
RP747: 4/3/2009 6:59:47 AM - System Checkpoint
RP748: 4/4/2009 7:01:23 AM - System Checkpoint
RP749: 4/5/2009 7:04:53 AM - System Checkpoint
RP750: 4/6/2009 8:04:54 AM - System Checkpoint
RP751: 4/6/2009 11:17:22 AM - Spybot-S&D Spyware removal
RP752: 4/6/2009 1:50:20 PM - Spybot-S&D Spyware removal
RP753: 4/7/2009 1:52:45 PM - System Checkpoint
RP754: 4/8/2009 2:12:20 PM - System Checkpoint
RP755: 4/8/2009 6:07:11 PM - Installed Java™ 6 Update 13
RP756: 4/8/2009 10:01:54 PM - Spybot-S&D Spyware removal
RP757: 4/9/2009 12:21:57 PM - Software Distribution Service 3.0
RP758: 4/9/2009 2:58:13 PM - Software Distribution Service 3.0
RP759: 4/10/2009 12:27:18 AM - Software Distribution Service 3.0
RP760: 4/10/2009 7:16:29 AM - Spybot-S&D Spyware removal
RP761: 4/11/2009 9:18:31 AM - System Checkpoint
RP762: 4/12/2009 11:09:40 AM - System Checkpoint
RP763: 4/13/2009 10:00:08 AM - Spybot-S&D Spyware removal
RP764: 4/14/2009 10:17:53 AM - System Checkpoint
RP765: 4/14/2009 12:38:09 PM - Removed Java™ SE Runtime Environment 6 Update 1
RP766: 4/14/2009 4:18:41 PM - Removed Java™ 6 Update 2
RP767: 4/14/2009 6:39:21 PM - Restore 6:38 PM 4/14/09
RP768: 4/15/2009 11:45:47 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
ArcSoft Camera Suite 1.3
Belarc Advisor 7.2
Broadcom 440x 10/100 Integrated Controller
Bruce's Unusual Typing Wizard, Version 1.5.0
Calculator Powertoy for Windows XP
Call of Duty Game of the Year Edition
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CC_ccProxyMSI
CC_ccStart
ccCommon
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Crash Analysis Tool
Dassault Systemes Software Prerequisites x86
Dell Media Experience
Dell ResourceCD
Dell Support
DivX Content Uploader
DivX Web Player
Driver Sweeper 1.0
Google Toolbar for Internet Explorer
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
HTML Slideshow Powertoy for Windows XP
Image Resizer Powertoy for Windows XP
Intel® Extreme Graphics Driver
Jasc Paint Shop Pro 8 Dell Edition
Java™ 6 Update 13
Java™ 6 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Magnifier Powertoy for Windows XP
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Silverlight
Microsoft Streets and Trips 2004
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Media Video 9 VCM
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MovieEdit Task
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security (Symantec Corporation)
NVIDIA Drivers
PhotoStitch
Picasa 3
PowerDVD
PrintMaster 12
QuickTime
RAW Image Task 1.1
RegToy 0.5.3.0
RemoteCapture Task 1.0.3
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Shockwave
Slideshow Generator Powertoy for Windows XP
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Symantec Script Blocking Installer
TotalAccess Smart Installer
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Virtual Desktop Manager Powertoy for Windows XP
Virtual Earth - 3DVIA (Beta)
Virtual Earth 3D (Beta)
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WordPerfect Office 11
XP Codec Pack

==== Event Viewer Messages From Past Week ========

4/16/2009 7:04:26 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
4/15/2009 8:33:21 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/14/2009 6:25:45 PM, error: System Error [1003] - Error code 100000d1, parameter1 e2d2e000, parameter2 00000002, parameter3 00000000, parameter4 f7786cf6.
4/14/2009 6:25:19 PM, error: System Error [1003] - Error code 100000d1, parameter1 e2f09000, parameter2 00000002, parameter3 00000000, parameter4 f7856cf6.
4/14/2009 1:19:02 PM, error: System Error [1003] - Error code 100000d1, parameter1 e2fe3000, parameter2 00000002, parameter3 00000000, parameter4 f76f6cf6.
4/13/2009 10:44:46 AM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
4/13/2009 10:00:21 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\zipfldr.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
4/12/2009 10:22:44 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

==== End Of File ===========================

#5 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 18 April 2009 - 09:38 PM

While I await your other logs/reports that I asked for, I'd like for you to do these items.
This is only a starter. There is much more to do. The Hosts file is corrupted and there is likely a rogue malware onboard.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O1 - Hosts: ::1 localhost

O1 - Hosts: 94.232.248.53 browser-security.microsoft.com

O1 - Hosts: 94.232.248.53 spy-wareprotector2009.com

O1 - Hosts: 94.232.248.53 www.spy-wareprotector2009.com

O1 - Hosts: 94.232.248.53 secure.spy-wareprotector2009.com

O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (and any other window) is closed when you click Fix Checked!

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After the extract is complete, run the mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts file typically resides, C:\WINDOWS\system32\drivers\etc, and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
¦ +---+¦
¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦
¦ +---+¦
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts.
The latter is the same folder that had mvps.bat.

=

Download OTListIt by OldTimer to your desktop: http://oldtimer.geek...m/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    c:\windows\system32\iehelper.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

There will be more to do later.
Maurice Naggar
Product Support



I close my threads if there is 5 days without a response.
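The O1 lines above are the reason the fake "Internet Explorer cannot display this webpage" screen carried a microsoft.com address: the Hosts file answers name lookups before DNS does, so whoever controls it can point any hostname at a server of their choosing, while the MVPS file uses the same mechanism in reverse, sending ad and malware hostnames to a local address that serves nothing. As an added example (not code from this thread, from HijackThis, or from the MVPS project), the Python script below reads either raw hosts-file lines or HijackThis "O1 - Hosts:" lines and separates the harmless kinds of entry (loopback, 0.0.0.0 sinkhole, private LAN) from entries that send a hostname out to a public address. The four redirected hostnames and their address are the ones quoted in the reply above; `ad.example.net` and `fileserver.lan` are constructed filler.

```python
"""Flag hosts-file entries that redirect a hostname to a public address.

Added example, not part of the original thread. Accepts raw hosts lines
and HijackThis "O1 - Hosts:" lines; assumes nothing beyond the standard
library.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the four O1 lines from the reply plus ordinary lines
# of the kind a real hosts file contains (ad.example.net and fileserver.lan
# are made up for illustration).
SAMPLE = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.example.net     # MVPS-style blocking entry
192.168.1.10    fileserver.lan
O1 - Hosts: 94.232.248.53 browser-security.microsoft.com
O1 - Hosts: 94.232.248.53 spy-wareprotector2009.com
O1 - Hosts: 94.232.248.53 www.spy-wareprotector2009.com
O1 - Hosts: 94.232.248.53 secure.spy-wareprotector2009.com
"""

HJT_PREFIX = "O1 - Hosts:"


def parse_entries(text):
    """Return a list of (ip, hostname) pairs from hosts or HijackThis O1 lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if line.startswith(HJT_PREFIX):
            line = line[len(HJT_PREFIX):].strip()  # strip the HijackThis tag
        parts = line.split()
        if len(parts) < 2:
            continue                               # blank or malformed line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first token is not an address
        for host in parts[1:]:                     # one line may name several hosts
            entries.append((ip, host.lower()))
    return entries


def classify(ip):
    """Bucket an address by what a hosts entry pointing at it can do."""
    if ip.is_loopback or ip.is_unspecified:
        return "local"      # 127.0.0.1, ::1, 0.0.0.0: loopback or sinkhole, no remote server
    if ip.is_private or ip.is_link_local:
        return "private"    # LAN override; unusual on a home PC but not a hijack by itself
    return "public"         # the name is answered by a machine out on the Internet


def find_redirections(entries):
    """Hostnames whose hosts entry sends them to a public address."""
    return [(host, str(ip)) for ip, host in entries if classify(ip) == "public"]


def hosts_per_address(entries):
    """Map each public address to every hostname it captures.

    One address answering for several unrelated names (a vendor domain next
    to a rogue product's domain) is the typical shape of a hosts hijack.
    """
    table = defaultdict(list)
    for ip, host in entries:
        if classify(ip) == "public":
            table[str(ip)].append(host)
    return dict(table)


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for host, ip in find_redirections(found):
        print(f"REDIRECT  {host:40} -> {ip}")
    for ip, hosts in hosts_per_address(found).items():
        print(f"{ip} answers for {len(hosts)} hostname(s): {', '.join(hosts)}")
```

To check a live machine instead of the sample, read C:\WINDOWS\system32\drivers\etc\hosts (or the O1 section of a HijackThis log) into `parse_entries`; any line reported by `find_redirections` deserves the same treatment as the lines ticked for Fix Checked above, whereas a long run of 0.0.0.0 lines is simply the MVPS file doing its job.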

#6 Malron

Malron

    New Member

  • Members
  • 31 posts

Posted 18 April 2009 - 11:31 PM

I just ran RootRepeal.exe and got the scan you asked for. Here it is below. I hope you get the critter or critters.
Thanks for the help,
Malron

Root Repeal © AD, 2007-2008
==================================================
Scan Time: 2009/04/18 20:57
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3900000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB7000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA358000 Size: 45056 File Visible: No
Status: -

Name: UACeypxvvim.sys
Image Path: C:\WINDOWS\system32\drivers\UACeypxvvim.sys
Address: 0xF7845000 Size: 61440 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\RECYCLER\S-1-5-21-1645522239-706699826-725345543-1003\Dc5.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\S-1-5-21-1645522239-706699826-725345543-1003\Dc6.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\UACgjlhbgrk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACimynwyvt.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiyvvmwdy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkqphodoy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpqgidlxr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpulktndt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqqmcnlmt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Perflib_Perfdata_3cc.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Desktop\Alpha.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Dc4.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\backup registrey.reg:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\MBAM-S~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\QuickTimeInstaller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\RootRepeal.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACeypxvvim.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\163.75_forceware_winxp_32bit_english_whql.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\169.21_forceware_winxp_32bit_english_whql.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc8.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\audacity-win-1.2.6.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\averydesignproLimitedrc7.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\mpc_help_eng_20050217.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\nvu-1.0-win32-full.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc5.zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\psa30se_en_us.exe:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\psa30se_en_us.exe:DocumentSummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\psa30se_en_us.exe:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\QuickTimeInstaller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\seamonkey-1.1.2.en-US.win32.installer.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc6.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\spywareblastersetup351.exe:DocumentSummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\spywareblastersetup351.exe:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\spywareblastersetup351.exe:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\vst-bridge-1.1.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\XP_Codec_Pack_2.2.0.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\xp_keeprasconn.vbs:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\folderopenssearch.reg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\folder_open.vbs:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc9.zip
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\HP Printer:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\lame-3.96.1.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\ccsetup209_slim.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\dcprosetup_15.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc3.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dc7.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Floppy_Office.zip:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Floppy_Office.zip:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Floppy_Office.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temp\UAC51cf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\wbem\Logs\wmiprov.log
Status: Size mismatch (API: 3332, Raw: 2974)

Path: C:\Documents and Settings\Owner\Desktop\Downloads\PC Pitstop\MorpheusPhotoAnimationSuite-310.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\HP Printer\CIT207355-HPCOM-PATCH-v8.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\DELL_PDVD52_Upgrade.0714_DVD040713-02_R01.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\DMX2.2_Upgrade.1916(8lang)_PCM040719-01_R02.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\GPEdit_Files.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\LifeCam2.04.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\REGTOY~1.ZIP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\wmv9VCMsetup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\Precision WS370\win_xp_2k3_32-10.78.0.0.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\Templates\WORKOR~1.WKS:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: winlogon.exe (PID: 1192) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: winlogon.exe (PID: 1192) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: services.exe (PID: 1240) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: services.exe (PID: 1240) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: lsass.exe (PID: 1252) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: lsass.exe (PID: 1252) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 1432) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 1432) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 1512) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 1512) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 1632) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 1632) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 1700) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 1700) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 1944) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 1944) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: ccSetMgr.exe (PID: 476) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: ccSetMgr.exe (PID: 476) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Explorer.EXE (PID: 548) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: RTShellExt.dll]
Process: Explorer.EXE (PID: 548) Address: 0x050b0000 Size: 102400

Object: Hidden Module [Name: RegToyLib.dll]
Process: Explorer.EXE (PID: 548) Address: 0x05e90000 Size: 348160

Object: Hidden Module [Name: Microsoft.VisualBasic.dll]
Process: Explorer.EXE (PID: 548) Address: 0x05110000 Size: 684032

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Explorer.EXE (PID: 548) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: ccEvtMgr.exe (PID: 616) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: ccEvtMgr.exe (PID: 616) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: spoolsv.exe (PID: 856) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: spoolsv.exe (PID: 856) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: ccProxy.exe (PID: 1060) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: ccProxy.exe (PID: 1060) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: cisvc.exe (PID: 1076) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: cisvc.exe (PID: 1076) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: ctfmon.exe (PID: 1124) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: ctfmon.exe (PID: 1124) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: CTsvcCDA.exe (PID: 1172) Address: 0x006b0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: CTsvcCDA.exe (PID: 1172) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: jqs.exe (PID: 1580) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: jqs.exe (PID: 1580) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: mdm.exe (PID: 1604) Address: 0x009b0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: mdm.exe (PID: 1604) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: navapsvc.exe (PID: 1772) Address: 0x00800000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: navapsvc.exe (PID: 1772) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: nvsvc32.exe (PID: 1908) Address: 0x006d0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: nvsvc32.exe (PID: 1908) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: SAVScan.exe (PID: 2032) Address: 0x00710000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: SAVScan.exe (PID: 2032) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: tcpsvcs.exe (PID: 272) Address: 0x00700000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: tcpsvcs.exe (PID: 272) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: SNDSrvc.exe (PID: 468) Address: 0x00710000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: SNDSrvc.exe (PID: 468) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: snmp.exe (PID: 972) Address: 0x005e0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: snmp.exe (PID: 972) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 300) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 300) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: MsPMSPSv.exe (PID: 2092) Address: 0x006a0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: MsPMSPSv.exe (PID: 2092) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: PCMService.exe (PID: 3172) Address: 0x00a20000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: PCMService.exe (PID: 3172) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: tfswctrl.exe (PID: 3188) Address: 0x00920000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: tfswctrl.exe (PID: 3188) Address: 0x009f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: apdproxy.exe (PID: 3244) Address: 0x003e0000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: apdproxy.exe (PID: 3244) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Support.exe (PID: 3264) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Support.exe (PID: 3264) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: NotifyAlert.exe (PID: 3424) Address: 0x009e0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: NotifyAlert.exe (PID: 3424) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: jusched.exe (PID: 3588) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: jusched.exe (PID: 3588) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: mnyexpr.exe (PID: 3684) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: mnyexpr.exe (PID: 3684) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: wmiprvse.exe (PID: 4068) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: wmiprvse.exe (PID: 4068) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: diagent.exe (PID: 1688) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: diagent.exe (PID: 1688) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: alg.exe (PID: 2564) Address: 0x00700000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: alg.exe (PID: 2564) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: hpohmr08.exe (PID: 2704) Address: 0x00950000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: hpohmr08.exe (PID: 2704) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: hpotdd01.exe (PID: 2884) Address: 0x00930000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: hpotdd01.exe (PID: 2884) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: hpoevm08.exe (PID: 3344) Address: 0x00970000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: hpoevm08.exe (PID: 3344) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 3600) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 3600) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: HPZipm12.exe (PID: 3740) Address: 0x006c0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: HPZipm12.exe (PID: 3740) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: hpoSTS08.exe (PID: 1788) Address: 0x003e0000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: hpoSTS08.exe (PID: 1788) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: wuauclt.exe (PID: 2848) Address: 0x00980000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: wuauclt.exe (PID: 2848) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: RTShellExt.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x04470000 Size: 102400

Object: Hidden Module [Name: RegToyLib.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x04650000 Size: 348160

Object: Hidden Module [Name: Microsoft.VisualBasic.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x044d0000 Size: 684032

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: cidaemon.exe (PID: 2776) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: cidaemon.exe (PID: 2776) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: cidaemon.exe (PID: 2632) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: cidaemon.exe (PID: 2632) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 208) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 208) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 1376) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 1376) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 4076) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 4076) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: RootRepeal.exe (PID: 2348) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: RootRepeal.exe (PID: 2348) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 2472) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 2472) Address: 0x10000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACeypxvvim.sys

#7 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 19 April 2009 - 12:15 AM

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This next step should hopefully break the back of the rootkit infection.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • RENAME Avenger.exe to Tango.exe
  • Double click on tango.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\iehelper.dll
    C:\WINDOWS\system32\UACgjlhbgrk.dll
    C:\WINDOWS\system32\UACimynwyvt.log
    C:\WINDOWS\system32\uacinit.dll
    C:\WINDOWS\system32\UACiyvvmwdy.dll
    C:\WINDOWS\system32\UACkqphodoy.dll
    C:\WINDOWS\system32\UACpqgidlxr.dll
    C:\WINDOWS\system32\UACpulktndt.dll
    C:\WINDOWS\system32\UACqqmcnlmt.dat
    C:\Documents and Settings\Owner\Local Settings\Temp\UAC51cf.tmp
    c:\windows\system32\drivers\UACeypxvvim.sys 
    c:\windows\system32\drivers\msqpdxserv.sys 
    
    Drivers to delete:
    UACd.sys
    UACd
    UACeypxvvim
    UACeypxvvim.sys
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this, then be sure to write it down fully and also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Now, locate your mbam.exe and RENAME it to Zango.exe
Start your Zango.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2003 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.


RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the C:\Avenger.txt
and C:\Combofix.txt
and the latest MBAM log
and tell me, How is your system now?
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.
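The RootRepeal log and the Avenger script above are the two halves of this cleanup: the scan shows what the rootkit hides, and the script lists what to remove. As an added example (not part of this thread, and not RootRepeal's or The Avenger's own code), the following Python parses a log in the format posted in this thread, groups each hidden module by the processes it is injected into, and reports which API-invisible files a "Files to delete:" list would still miss. The sample log and script are constructed excerpts built from entries that appear in this thread, with one hidden DLL deliberately left out of the script.

```python
"""Summarize the rootkit indicators in a RootRepeal log and check a removal list
against them. Added example for this thread; not RootRepeal's or The Avenger's code."""
import re
from collections import defaultdict

# Constructed excerpt in the format of the RootRepeal log posted in this thread.
SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\UACgjlhbgrk.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\UACiyvvmwdy.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\Perflib_Perfdata_3cc.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: winlogon.exe (PID: 1192) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: winlogon.exe (PID: 1192) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x10000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACeypxvvim.sys
"""

# Constructed Avenger script excerpt; one hidden DLL is deliberately left out.
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\UACgjlhbgrk.dll
c:\\windows\\system32\\drivers\\UACeypxvvim.sys

Drivers to delete:
UACd.sys
"""

HIDDEN_MODULE_RE = re.compile(r"Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROCESS_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+)\)")


def parse_rootrepeal(text):
    """Return {section title: [record, ...]}. A section is a title underlined with
    dashes; a record is one blank-line-separated block of 'Key: value' lines, split
    on the first ': ' only because values such as 'Object' contain more colons."""
    parts = re.split(r"^([^\n:]+)\n-{5,}\n", text, flags=re.M)
    sections = {}
    for title, body in zip(parts[1::2], parts[2::2]):
        records = []
        for block in re.split(r"\n\s*\n", body.strip()):
            rec = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
            if rec:
                records.append(rec)
        sections[title] = records
    return sections


def hidden_modules_by_process(sections):
    """Map hidden module name -> sorted 'image(pid)' hosts. One DLL that no process
    admits to loading, present in winlogon, services and every svchost, is the
    signature of the user-mode half of this rootkit."""
    hosts = defaultdict(set)
    for rec in sections.get("Stealth Objects", []):
        m = HIDDEN_MODULE_RE.search(rec.get("Object", ""))
        p = PROCESS_RE.match(rec.get("Process", ""))
        if m and p:
            hosts[m.group("name")].add(f"{p.group('image')}({p.group('pid')})")
    return {name: sorted(v) for name, v in hosts.items()}


def hidden_files(sections):
    """Paths the raw disk scan found but the hooked Windows API does not report;
    size mismatches and locked files are different findings and are left out."""
    return [rec["Path"] for rec in sections.get("Hidden/Locked Files", [])
            if rec.get("Status", "").startswith("Invisible to the Windows API")]


def hidden_service_images(sections):
    """Driver files behind services hidden from the service control manager."""
    return sorted({rec["Image Path"] for rec in sections.get("Hidden Services", [])})


def files_to_delete(script):
    """'Files to delete:' entries of an Avenger script, lower-cased because NTFS
    paths are case-insensitive (the script above mixes c:\\windows and C:\\WINDOWS)."""
    files, block = [], None
    for line in script.splitlines():
        line = line.strip()
        if line.endswith(":"):
            block = line[:-1]
        elif line and block == "Files to delete":
            files.append(line.lower())
    return files


def uncovered_hidden_files(sections, script):
    """Hidden files and hidden-service drivers that the script would leave in place."""
    listed = set(files_to_delete(script))
    wanted = hidden_files(sections) + hidden_service_images(sections)
    return sorted(p for p in wanted if p.lower() not in listed)
```

Run against the full log from the thread, `hidden_modules_by_process` returns the two UAC DLLs with several dozen host processes each, which is what singles them out from the legitimately loaded shell extensions that RootRepeal also lists as hidden.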

#8 Malron

Malron

    New Member

  • Members
  • 31 posts

Posted 19 April 2009 - 12:46 AM

I just ran the RootRepeal.exe and got the scan you asked for. Here it is below. I hope you get the critter or critters.
Thanks for the help,
Malron


Object: Hidden Module [Name: RegToyLib.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x04650000 Size: 348160

Object: Hidden Module [Name: Microsoft.VisualBasic.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x044d0000 Size: 684032

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: cidaemon.exe (PID: 2776) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: cidaemon.exe (PID: 2776) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: cidaemon.exe (PID: 2632) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: cidaemon.exe (PID: 2632) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 208) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 208) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 1376) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 1376) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 4076) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 4076) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: RootRepeal.exe (PID: 2348) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: RootRepeal.exe (PID: 2348) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Iexplore.exe (PID: 2472) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Iexplore.exe (PID: 2472) Address: 0x10000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACeypxvvim.sys
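As an added example (not RootRepeal's code and not from the thread), a small Python parser for the "Hidden Module" / "Hidden Services" layout of the RootRepeal log above: it groups hidden modules by name across processes and flags the ones hidden in many processes or carrying the UAC* naming pattern, which is the signal the thread's UAC rootkit diagnosis rests on. The sample excerpt is constructed from entries on this page, and the process-count threshold is an assumption.

```python
"""Parse RootRepeal hidden-module output and rank modules by how widely they are
injected. Added example; the log excerpt below is constructed from this page."""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the posted RootRepeal log
# (names, PIDs, addresses and sizes copied from the page; the rest trimmed).
SAMPLE_LOG = """\
Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: jusched.exe (PID: 3588) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: jusched.exe (PID: 3588) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: RTShellExt.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x04470000 Size: 102400

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: Explorer.EXE (PID: 2900) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACiyvvmwdy.dll]
Process: svchost.exe (PID: 3600) Address: 0x006f0000 Size: 45056

Object: Hidden Module [Name: UACgjlhbgrk.dll]
Process: svchost.exe (PID: 3600) Address: 0x10000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACeypxvvim.sys
"""

OBJECT_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")
SERVICE_RE = re.compile(r"^Service Name: (?P<svc>\S+)$")
IMAGE_RE = re.compile(r"^Image Path: (?P<path>.+)$")


def parse_hidden_modules(text):
    """Return one dict per 'Object: Hidden Module' + 'Process:' pair."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = m.group("name")      # remember the module until its Process line
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            entries.append({"name": pending, "proc": m.group("proc"),
                            "pid": int(m.group("pid")),
                            "addr": int(m.group("addr"), 16),
                            "size": int(m.group("size"))})
            pending = None
    return entries


def parse_hidden_services(text):
    """Return [{'service': ..., 'image': ...}] from the 'Hidden Services' block."""
    services, name = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            name = m.group("svc")
            continue
        m = IMAGE_RE.match(line)
        if m and name is not None:
            services.append({"service": name, "image": m.group("path")})
            name = None
    return services


def summarize(entries):
    """Group entries by module name: distinct (process, pid), sizes, load addresses."""
    by_name = defaultdict(lambda: {"procs": set(), "sizes": set(), "addrs": set()})
    for e in entries:
        s = by_name[e["name"]]
        s["procs"].add((e["proc"], e["pid"]))
        s["sizes"].add(e["size"])
        s["addrs"].add(e["addr"])
    return by_name


def flag_suspicious(by_name, min_processes=3, prefixes=("UAC",)):
    """Flag a module when it is hidden in >= min_processes distinct processes
    (a legitimate shell extension normally sits in one or two) or when its name
    matches the UAC* prefix-plus-random-suffix pattern. Threshold is an assumption."""
    flagged = []
    for name, s in sorted(by_name.items()):
        reasons = []
        if len(s["procs"]) >= min_processes:
            reasons.append(f"hidden in {len(s['procs'])} processes")
        if name.upper().startswith(tuple(p.upper() for p in prefixes)):
            reasons.append("name matches UAC* pattern")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_hidden_modules(SAMPLE_LOG))
    for name, reasons in flag_suspicious(summary):
        print(f"{name}: {'; '.join(reasons)}")
    for svc in parse_hidden_services(SAMPLE_LOG):
        print(f"hidden service {svc['service']} -> {svc['image']}")
```

Run against the full log the moderator had in hand, the two UAC DLLs come out hidden in almost every listed process while RTShellExt.dll, RegToyLib.dll and Microsoft.VisualBasic.dll sit only in Explorer.EXE, which is the contrast the thread's diagnosis depends on.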

#9 Malron

Malron

    New Member

  • Members
  • Pip
  • 31 posts

Posted 19 April 2009 - 12:54 AM

I sent that last one by accident. I saw it sitting there and I thought I forgot to send it. I had company over and I guess I was distracted.
Thanks
Malron

#10 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • PipPipPipPipPipPip
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 19 April 2009 - 11:16 AM

A checkup here, to make sure you have seen and will do what I outlined in my immediate prior response (very late last Saturday evening), which is 3 posts ahead of "this one".

Please do those steps. It calls for a new scripted run of Avenger, a Combofix, and a new update & run of MBAM.
I need to make sure: 1) you have not overlooked it
and 2) you'll take quick action.

This has got a UAC/CLB rootkit infection, which needs removal, pronto.
Maurice Naggar
Product Support



I close my threads if there is 5 days without a response.

#11 Malron

Malron

    New Member

  • Members
  • Pip
  • 31 posts

Posted 20 April 2009 - 04:22 PM

Yes, I am working on it right now. I got everything downloaded late Saturday night but I couldn't get the files transferred. The laptop I am using doesn't have a CD/RW,
but I am getting them on the desktop now. I will post when I have more results.

I do have one question on the ComboFix program. The desktop can not get the internet without crashing, and I read up on ComboFix about installing the Windows Recovery Console. I tried to install the recovery console into XP (not ComboFix, I have not run that yet) but it will not install; it said my installation of XP SP2 is newer than my reinstallation CD, XP SP1a (OEM copy).
Please advise: run it without the recovery console, or what?

Thanks
Malron

#12 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • PipPipPipPipPipPip
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 20 April 2009 - 04:37 PM

Your OEM CD is too old (apparently) and your HD O.S. is the more current; that's why you can't add the Recovery Console from it.

I would prefer, if possible, and as long as the pc is connected to the internet-access point, that you follow my procedure for doing the Combofix and let "it" (combofix) get the recovery console, which would give you an edge of protection while we remove malwares.

If the pc is physically disconnected from internet, then proceed without the recovery console.
Maurice Naggar
Product Support



I close my threads if there is 5 days without a response.

#13 Malron

Malron

    New Member

  • Members
  • Pip
  • 31 posts

Posted 20 April 2009 - 06:46 PM

Here is the OTList.log file; running Avenger next.

Thanks :D
Malron

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\windows\system32\iehelper.dll unregistered successfully.
c:\windows\system32\iehelper.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_6b8.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF3A71.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF3A8B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF7201.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF7206.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFD99A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFD99F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e80.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04202009_150947

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_6b8.dat not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF3A71.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF3A8B.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF7201.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF7206.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFD99A.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFD99F.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_bc8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_e80.dat moved successfully.

Registry entries deleted on Reboot...

#14 Malron

Malron

    New Member

  • Members
  • Pip
  • 31 posts

Posted 20 April 2009 - 09:22 PM

Here are the logs from OTList2.log, Avenger.log and the log from Combo-Fix.txt. I was able to get the connection for Combo-Fix to install the Windows Recovery Console. I will run the mbam file and see how the computer is running. I think it's running better though!
Great Big Thanks
Malron





Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACeypxvvim.sys
Start Type: 4 (Disabled)

Rootkit scan completed.


Error: file "c:\windows\system32\iehelper.dll" not found!
Deletion of file "c:\windows\system32\iehelper.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACgjlhbgrk.dll" deleted successfully.
File "C:\WINDOWS\system32\UACimynwyvt.log" deleted successfully.
File "C:\WINDOWS\system32\uacinit.dll" deleted successfully.
File "C:\WINDOWS\system32\UACiyvvmwdy.dll" deleted successfully.
File "C:\WINDOWS\system32\UACkqphodoy.dll" deleted successfully.
File "C:\WINDOWS\system32\UACpqgidlxr.dll" deleted successfully.
File "C:\WINDOWS\system32\UACpulktndt.dll" deleted successfully.
File "C:\WINDOWS\system32\UACqqmcnlmt.dat" deleted successfully.
File "C:\Documents and Settings\Owner\Local Settings\Temp\UAC51cf.tmp" deleted successfully.
File "c:\windows\system32\drivers\UACeypxvvim.sys" deleted successfully.

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "UACd.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACeypxvvim" not found!
Deletion of driver "UACeypxvvim" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACeypxvvim.sys" not found!
Deletion of driver "UACeypxvvim.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxl" not found!
Deletion of driver "gaopdxl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.





ComboFix 09-04-19.04 - Owner 04/20/2009 18:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.439 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\NTDETECT.PIF
c:\windows\Downloaded Program Files\ODCTOOLS

.
((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-20 22:09 . 2009-04-20 22:09 -------- d-----w C:\_OTListIt
2009-04-17 14:26 . 2009-04-17 14:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-04-17 14:22 . 2009-04-17 14:22 79344 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 14:22 . 2009-04-17 14:22 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-04-17 10:56 . 2009-04-17 10:56 118 ----a-w c:\windows\system32\MRT.INI
2009-04-16 19:05 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 19:05 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 19:05 . 2009-04-16 19:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 19:20 . 2009-03-25 19:20 -------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
2009-03-25 19:08 . 2009-03-25 19:08 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-03-25 19:08 . 2009-03-25 19:08 -------- d-----w c:\windows\system32\IOSUBSYS
2009-03-25 18:47 . 2009-03-25 18:47 -------- d-----w c:\documents and settings\Owner\Application Data\AdobeAUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 00:57 . 2007-03-16 04:21 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-21 00:25 . 2009-04-21 00:25 11506 ----a-w C:\avenger.txt
2009-04-19 00:47 . 2009-04-19 00:47 -------- d-----w c:\program files\Trend Micro
2009-04-17 14:28 . 2007-05-20 02:24 45056 ----a-w c:\windows\NCUNINST.EXE
2009-04-16 23:56 . 2008-03-18 07:35 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 19:05 . 2009-04-16 19:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 19:33 . 2009-04-15 19:09 -------- d-----w c:\program files\Process Explorer
2009-04-15 19:07 . 2007-05-25 02:39 -------- d-----w c:\program files\QuickTime
2009-04-14 19:38 . 2007-04-29 19:37 -------- d-----w c:\program files\Java
2009-04-13 20:29 . 2007-04-11 03:21 4402 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-09 22:00 . 2009-04-09 22:00 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-06 18:40 . 2008-03-18 07:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 19:07 . 2007-04-29 19:42 -------- d-----w c:\program files\Google
2009-03-19 21:11 . 2007-05-01 03:35 519 ----a-w C:\hpfr3420.xml
2009-03-19 21:11 . 2007-05-01 03:35 25096 ----a-w C:\hpfr3425.log
2009-03-09 12:19 . 2008-12-12 05:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:03 . 2009-03-05 04:03 59192 ---ha-w c:\windows\system32\mlfcache.dat
2009-02-09 10:19 . 2003-07-16 20:51 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-03 20:08 . 2003-07-16 20:44 55808 ----a-w c:\windows\system32\secur32.dll
2007-05-20 01:58 . 2007-05-20 01:58 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2007-05-13 05:04 . 2007-05-13 05:04 79344 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-05-02 00:16 . 2007-03-16 03:51 79344 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-23 71280]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-25 98304]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-14 54472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2007-4-21 331776]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
"wave3"= serwvdrv.dll
"wave4"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Sonic\\RecordNow!\\RecordNow.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2004-08-04 14336]

.
Contents of the 'Scheduled Tasks' folder

2007-10-02 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8174244360.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-04-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-08-17 01:22]

2008-09-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-03-16 01:38]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.earthlink.net/channel/START
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: cnet.com
Trusted Zone: dell.com\accessories.us
Trusted Zone: dell.com\support
Trusted Zone: dell.com\www
Trusted Zone: dellcommunity.com\www
Trusted Zone: download.com\music
Trusted Zone: earthlink.net
Trusted Zone: live.com\maps
Trusted Zone: microsoft.com\update
Trusted Zone: wunderground.com\www
TCP: {8BDDAF53-E6E2-42BA-A2C4-8779A386366B} = 207.69.188.185,207.69.188.186
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 18:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-21 18:47
ComboFix-quarantined-files.txt 2009-04-21 01:46

Pre-Run: 230,549,737,472 bytes free
Post-Run: 230,536,744,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

161 --- E O F --- 2009-04-17 10:56

#15 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • PipPipPipPipPipPip
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 20 April 2009 - 10:14 PM

The Combofix results are very good. We are getting close to almost finishing. Do have some more patience.
This had a UAC-TDSS rootkit infection.

You already have RootRepeal. I'd like another run of it and report.

Close all your open app windows and get to a clear taskbar.

  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

Maurice Naggar
Product Support



I close my threads if there is 5 days without a response.

#16 Malron

Malron

    New Member

  • Members
  • Pip
  • 31 posts

Posted 21 April 2009 - 01:48 AM

I was able to run mbam.exe as Zango and I will enclose the report. My computer seems to be working better; as a matter of fact I am writing this from my desktop :D
Also, I looked in Task Manager and it is using a lot less RAM than before. I will run RootRepeal and the program from TrendMicro.

I don't know if it's my imagination but it (the computer) seems to be a little faster.

Great BIG Thanks
Malron


Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 2

4/20/2009 9:06:23 PM
mbam-log-2009-04-20 (21-06-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135414
Time elapsed: 20 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041235.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041236.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041238.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041239.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041240.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B42B7350-3AE2-440D-8AA1-143A92BEBEF4}\RP775\A0041241.dll (Trojan.TDSS) -> No action taken.

#17 Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 21 April 2009 - 06:47 AM

On this last run of MBAM, did you select Show results, make sure 6to4 was check-marked, and select to have it removed?
There was no action taken by MBAM.

Don't be concerned about anything found in System Restore points (System Volume Information). SR will be flushed when we get to closure (later).

Maurice Naggar
Product Support

#18 Malron

    New Member

  • Members
  • 31 posts

Posted 21 April 2009 - 08:14 PM

Here are the log files from Sysclean and the RootRepeal log. I am going to run mbam.exe again; I thought I checked all the items Malwarebytes found and got rid of them. I will send another report. My computer is running a lot better.
Thanks a lot, Maurice
Malron :D

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 18:03
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Owner\Desktop\HIJACK~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\MBAM-S~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\ProcessExplorer.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\QuickTimeInstaller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\RootRepeal.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\setupengpro.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\163.75_forceware_winxp_32bit_english_whql.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\169.21_forceware_winxp_32bit_english_whql.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\audacity-win-1.2.6.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\averydesignproLimitedrc7.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\mpc_help_eng_20050217.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\nvu-1.0-win32-full.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\ProcessExplorer.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\QuickTimeInstaller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\seamonkey-1.1.2.en-US.win32.installer.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\setupengpro.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\vst-bridge-1.1.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\XP_Codec_Pack_2.2.0.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\xp_keeprasconn.vbs:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\folderopenssearch.reg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\folder_open.vbs:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\lame-3.96.1.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\ccsetup209_slim.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\dcprosetup_15.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Floppy_Office.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\wbem\Logs\wmiprov.log
Status: Size mismatch (API: 25060, Raw: 24881)

Path: C:\Documents and Settings\Owner\Desktop\Downloads\PC Pitstop\MorpheusPhotoAnimationSuite-310.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\HP Printer\CIT207355-HPCOM-PATCH-v8.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\DELL_PDVD52_Upgrade.0714_DVD040713-02_R01.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\DMX2.2_Upgrade.1916(8lang)_PCM040719-01_R02.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\GPEdit_Files.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\LifeCam2.04.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\REGTOY~1.ZIP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\wmv9VCMsetup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Dell\Precision WS370\win_xp_2k3_32-10.78.0.0.zip:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Desktop\Downloads\Microsoft\Templates\WORKOR~1.WKS:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-04-21, 15:07:07, Auto-clean mode specified.
2009-04-21, 15:07:08, Initialized Rootkit Driver version 2.2.0.1004.
2009-04-21, 15:07:08, Running scanner "C:\DCE-Trendmicro\SYSCLEAN\TSC.BIN"...
2009-04-21, 15:07:32, Scanner "C:\DCE-Trendmicro\SYSCLEAN\TSC.BIN" has finished running.
2009-04-21, 15:07:32, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)

Windows XP (Build 2600: Service Pack 2)

Start time: Tue Apr 21 2009 15:07:09

Load Damage Cleanup Template (DCT) "C:\DCE-Trendmicro\SYSCLEAN\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE-Trendmicro\SYSCLEAN\tsc.ptn" (version 1028) [success]

Complete time: Tue Apr 21 2009 15:07:32

Execute pattern count (3046), Virus found count (0), Virus clean count (0), Clean failed count (0)


2009-04-21, 15:07:32, Running scanner "C:\DCE-Trendmicro\SYSCLEAN\VSCANTM.BIN"...
2009-04-21, 15:36:34, Scanner "C:\DCE-Trendmicro\SYSCLEAN\VSCANTM.BIN" has finished running.
2009-04-21, 15:36:34, VSCANTM Log:

2009-04-21, 15:36:34, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/21/2009 15:07:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 977 (382993/382993 Patterns) (2009/04/20) (597700)

Command Line: C:\DCE-Trendmicro\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE-Trendmicro\SYSCLEAN\lpt$vpn.977

C:\Program Files\Trend Micro\HijackThis\backups\backup-20090419-002330-368.dll [TROJ_BHO.WO]
C:\_OTListIt\MovedFiles\04202009_150947\windows\system32\iehelper.dll [TROJ_BHO.WO]
65834 files have been read.
65834 files have been checked.
65808 files have been scanned.
148931 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/21/2009 15:36:34 29 minutes 1 second (1741.02 seconds) has elapsed.(26.446 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-21, 15:36:34, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/21/2009 15:07:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 977 (382993/382993 Patterns) (2009/04/20) (597700)

Command Line: C:\DCE-Trendmicro\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE-Trendmicro\SYSCLEAN\lpt$vpn.977

65834 files have been read.
65834 files have been checked.
65808 files have been scanned.
148931 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/21/2009 15:36:34 29 minutes 1 second (1741.02 seconds) has elapsed.(26.446 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-21, 15:36:34, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/21/2009 15:07:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 977 (382993/382993 Patterns) (2009/04/20) (597700)

Command Line: C:\DCE-Trendmicro\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE-Trendmicro\SYSCLEAN\lpt$vpn.977

65834 files have been read.
65834 files have been checked.
65808 files have been scanned.
148931 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/21/2009 15:36:34 29 minutes 1 second (1741.02 seconds) has elapsed.(26.446 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-21, 15:36:34, Running SSAPI scanner ""...
2009-04-21, 15:53:25, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.59
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 04/21/2009 15:36:37


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:owner@ad.yieldmanager.com/,C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:owner@adopt.specificclick.net/,C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt
[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:owner@ads.pointroll.com/,C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:owner@advertising.com/,C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:owner@atdmt.com/,C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\casalemedia.com,Cookie:owner@casalemedia.com/,C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:owner@doubleclick.net/,C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:owner@server.iad.liveperson.net/,C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:owner@server.iad.liveperson.net/hc/19452074,C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:owner@specificclick.net/,C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
[CLEAN SUCCESS][Cookie_StatCounter] Internet Explorer Cache\statcounter.com,Cookie:owner@statcounter.com/,C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:owner@tribalfusion.com/,C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
[CLEAN SUCCESS][Cookie_Zedo] Internet Explorer Cache\zedo.com,Cookie:owner@zedo.com/,C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Detected: 13 items.
Cleaned Success: 13 items.
Clean Failed: 0 items.

Spyware Scan Ended: 04/21/2009 15:53:25
Scan Complete. Time=1010.181396.

#19 Malron

    New Member

  • Members
  • 31 posts

Posted 21 April 2009 - 08:25 PM

I ran the scan from mbam.exe after I updated it and it found one thing, "Rogue Malware Cleaner". I have not been exploring sites with this computer since I have been able to get back on the internet, just Trend Micro, the Earthlink home page and web mail. I checked my history and the only other page was Windows Update, which I do not remember going to; it did not connect to Windows Update, it got an "Internet Explorer cannot display this page".
Here is the log file.
Thanks again
Malron

Malwarebytes' Anti-Malware 1.36
Database version: 2022
Windows 5.1.2600 Service Pack 2

4/21/2009 5:32:51 PM
mbam-log-2009-04-21 (17-32-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137359
Time elapsed: 21 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ComPlus Applications (Rogue.MalwareCleaner) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

#20 Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 22 April 2009 - 09:55 AM

Sysclean only found cookies. That's a great result, and kudos on a successful MBAM run.

Plug in your USB flash drives so that these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write a read-only, system-protected Autorun.inf file to all of your hard drives and to every connected removable storage device.

Download and install Microsoft's TweakUI:
http://www.microsoft...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay, except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will clean up removable storage devices and write a protected Autorun.inf file to help prevent re-infection.
http://download.blee...Disinfector.exe
It has no GUI and produces no log file.

How is your system doing?
Maurice Naggar
Product Support
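The two AutoRun defences recommended in the post above, disabling AutoRun by drive type and keeping an Autorun.inf from being dropped on a drive, as an added Python example. This is not code from the thread, from TweakUI or from Flash Disinfector. It assumes the documented bit layout of the Explorer policy value NoDriveTypeAutoRun, and it uses the folder-named-Autorun.inf trick, which is one well-known way to block the file; the post does not say whether Flash Disinfector works exactly that way. The Autorun.inf sample is constructed, not taken from the infected machine, and the helper names are my own.

```python
import os
import re

# Explorer policy value NoDriveTypeAutoRun (under
# HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer).
# Each set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,        # drive type not recognised
    "removable": 0x04,      # USB sticks, floppies
    "fixed": 0x08,          # internal hard disks
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unknown_other": 0x80,  # second "unknown type" flag in Microsoft's table
}


def no_drive_type_autorun_mask(allowed=("cdrom",)):
    """Value to store in NoDriveTypeAutoRun so that AutoRun stays enabled
    only for the drive types in `allowed` (default: CD/DVD only, matching
    the advice above). With allowed=() the result is 0xFF."""
    mask = 0xFF
    for kind in allowed:
        mask &= ~DRIVE_TYPE_BITS[kind] & 0xFF
    return mask


# Keys in an [autorun] section that name something Windows will execute.
_LAUNCH_KEYS = {"open", "shellexecute"}
_SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_targets(inf_text):
    """Parse Autorun.inf text and return [(key, command), ...] for every
    entry that would launch a program. Only the plain [autorun] section is
    read; architecture-specific [autorun.*] sections are ignored."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in _LAUNCH_KEYS or _SHELL_COMMAND.match(key):
            targets.append((key.lower(), value))
    return targets


def protect_root(root):
    """Create a directory named Autorun.inf at `root`, replacing any file of
    that name, so a file called Autorun.inf can no longer be dropped there.
    On Windows the directory is also marked read-only, hidden and system.
    Assumption: this is the general folder trick, not Flash Disinfector's
    exact method. It does not stop an attacker that deletes the folder."""
    path = os.path.join(root, "Autorun.inf")
    if os.path.isfile(path):
        os.remove(path)                   # remove a dropped Autorun.inf first
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        import ctypes
        # FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x01 | 0x02 | 0x04)
    return path


def autorun_file_blocked(root):
    """True if a plain file called Autorun.inf can no longer be created at
    `root` because a directory of that name is in the way. Linux file
    systems are case-sensitive, so there only the exact spelling is blocked."""
    try:
        with open(os.path.join(root, "Autorun.inf"), "w"):
            return False
    except OSError:                       # IsADirectoryError / PermissionError
        return True


# Constructed sample in the style of a worm's Autorun.inf (not from the thread).
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; the icon line is harmless; the other three all run the same executable
icon=setup.exe,0
open=RECYCLER\update.exe
shell\open\Command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
shell=open
"""


if __name__ == "__main__":
    import tempfile

    print("NoDriveTypeAutoRun (CD/DVD only): 0x%02X" % no_drive_type_autorun_mask())
    for key, cmd in autorun_targets(SAMPLE_AUTORUN_INF):
        print("would launch via %-22s %s" % (key, cmd))
    with tempfile.TemporaryDirectory() as root:
        protect_root(root)
        print("Autorun.inf file blocked:", autorun_file_blocked(root))
```

The parser shows why a "fake" Autorun.inf matters: the open, shellexecute and shell\...\command keys all point at the same dropped executable, so double-clicking the drive in Explorer runs it even with the icon line looking innocent. TweakUI's per-drive-letter checkboxes change the related NoDriveAutoRun bitmask (one bit per drive letter); the drive-type value computed here is the policy equivalent of the same advice and is what you would set through Group Policy or a .reg file.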
