Connor3400

Another virus...


My family isn't so good with technology... In one ear and out the other.

 

HJT Log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:04:45 PM, on 4/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\dhcp\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\prunnet.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

C:\WINDOWS\TEMP\2978019200.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll

O2 - BHO: (no name) - {e821f04b-bdfc-46ed-8286-c499585c603f} - C:\WINDOWS\system32\kuzefawi.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKLM\..\Run: [mosihuziti] Rundll32.exe "C:\WINDOWS\system32\monifave.dll",s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Apogubacaxoza] rundll32.exe "C:\WINDOWS\ucezuduqiyaloqe.dll",e

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [d8cf7920] rundll32.exe "C:\WINDOWS\system32\tayijobu.dll",b

O4 - HKLM\..\Run: [CPMdbfc4abc] Rundll32.exe "C:\WINDOWS\system32\reboyuti.dll",a

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Carson\LOCALS~1\Temp\2115987950.exe

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\zfuhn7.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\zfuhn7.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2978019200.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [searching] Search from the Address bar

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - AppInit_DLLs: C c:\progra~1\ThunMail\testabd.dll C:\WINDOWS\system32\wivevevi.dll c:\windows\system32\reboyuti.dll

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll

O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll

O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 7481 bytes

 

RSIT Log

 

Logfile of random's system information tool 1.05 (written by random/random)

Run by Carson at 2009-04-18 13:12:51

Microsoft Windows XP Professional Service Pack 2

System drive C: has 4 GB (12%) free of 30 GB

Total RAM: 2046 MB (70% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:12:52 PM, on 4/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\dhcp\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\prunnet.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\TEMP\2978019200.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Carson\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\Carson.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O1 - Hosts: 63.119.44.200 www.sureharbor.com

O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll

O2 - BHO: (no name) - {e821f04b-bdfc-46ed-8286-c499585c603f} - C:\WINDOWS\system32\kuzefawi.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKLM\..\Run: [mosihuziti] Rundll32.exe "C:\WINDOWS\system32\monifave.dll",s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Apogubacaxoza] rundll32.exe "C:\WINDOWS\ucezuduqiyaloqe.dll",e

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [d8cf7920] rundll32.exe "C:\WINDOWS\system32\tayijobu.dll",b

O4 - HKLM\..\Run: [CPMdbfc4abc] Rundll32.exe "C:\WINDOWS\system32\reboyuti.dll",a

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Carson\LOCALS~1\Temp\2115987950.exe

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\zfuhn7.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\zfuhn7.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2978019200.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [searching] Search from the Address bar

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - AppInit_DLLs: C c:\progra~1\ThunMail\testabd.dll C:\WINDOWS\system32\wivevevi.dll c:\windows\system32\reboyuti.dll c:\windows\system32\lomofasi.dll

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll

O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll

O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 7645 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\EasyShare Registration Task.job

C:\WINDOWS\tasks\MP Scheduled Scan.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ba40a2-74f3-42bd-f434-2604812c8953}]

C:\WINDOWS\system32\sdfgerfgf3f.dll - C:\WINDOWS\system32\sdfgerfgf3f.dll [2009-04-17 15000]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e821f04b-bdfc-46ed-8286-c499585c603f}]

C:\WINDOWS\system32\kuzefawi.dll [2009-01-17 49152]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]

"nwiz"=nwiz.exe /install []

"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [2006-01-30 118784]

"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 849280]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-22 148888]

"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-11-07 111936]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 434176]

"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-07 515416]

"prunnet"=C:\WINDOWS\system32\prunnet.exe [2009-04-16 98223]

"mosihuziti"=C:\WINDOWS\system32\monifave.dll [2009-01-17 49152]

"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

"Apogubacaxoza"=C:\WINDOWS\ucezuduqiyaloqe.dll [2009-04-17 146432]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-04-10 16861184]

"SkyTel"=C:\WINDOWS\SkyTel.EXE [2007-11-20 1847296]

"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]

"d8cf7920"=C:\WINDOWS\system32\tayijobu.dll [2009-04-17 79872]

"CPMdbfc4abc"=C:\WINDOWS\system32\reboyuti.dll [2009-04-18 88064]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Steam"=c:\program files\steam\steam.exe [2008-10-09 1410296]

"prunnet"=C:\WINDOWS\system32\prunnet.exe [2009-04-16 98223]

"Diagnostic Manager"=C:\DOCUME~1\Carson\LOCALS~1\Temp\2115987950.exe [2009-04-18 167425]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

C:\Program Files\Windows Live\Messenger\msnmsgr.exe /background []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2007-06-21 282624]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE [2004-02-13 16423]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"="C c:\progra~1\ThunMail\testabd.dll C:\WINDOWS\system32\wivevevi.dll c:\windows\system32\reboyuti.dll c:\windows\system32\lomofasi.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]

C:\WINDOWS\system32\antiwpa.dll [2008-05-29 60416]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll [2009-04-18 88064]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]

sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll [2009-04-16 15000]

sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll [2009-04-17 15000]

lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll [2009-04-17 15000]

STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll [2009-04-18 88064]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"notification packages"=scecli

C:\WINDOWS\system32\wivevevi.dll

msvcpr.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableRegistryTools"=1

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

"NoFolderOptions"=1

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

"HonorAutoRunSetting"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Steam\steamapps\shadow_cat_34\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\shadow_cat_34\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"

"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"

"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"

"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"

"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"

"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"

"C:\Program Files\Steam\steamapps\shadow_cat_34\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\shadow_cat_34\team fortress 2\hl2.exe:*:Enabled:hl2"

"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\Steam\steamapps\common\osmos igf demo\OsmosDemo.exe"="C:\Program Files\Steam\steamapps\common\osmos igf demo\OsmosDemo.exe:*:Enabled:Osmos IGF Demo"

"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"

"C:\Program Files\iTunes\iTunesHelper.exe"="C:\Program Files\iTunes\iTunesHelper.exe:*:Enabled:iTunesHelper"

"C:\Program Files\Java\jre6\bin\jusched.exe"="C:\Program Files\Java\jre6\bin\jusched.exe:*:Enabled:jusched"

"C:\Program Files\Java\jre6\bin\jucheck.exe"="C:\Program Files\Java\jre6\bin\jucheck.exe:*:Enabled:jucheck"

"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE:*:Enabled:OUTLOOK"

"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

"C:\wcfgayg.exe"="C:\wcfgayg.exe:*:Disabled:wcfgayg"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

======List of files/folders created in the last 1 months======

 

2009-04-18 13:02:43 ----SH---- C:\WINDOWS\system32\ulajatiz.ini

2009-04-18 12:59:40 ----D---- C:\WINDOWS\Prefetch

2009-04-18 12:53:49 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest

2009-04-18 12:37:55 ----D---- C:\WINDOWS\NV8441916.TMP

2009-04-18 12:32:30 ----D---- C:\WINDOWS\LastGood

2009-04-18 12:32:27 ----A---- C:\WINDOWS\system32\spxcoins.dll

2009-04-18 12:32:27 ----A---- C:\WINDOWS\system32\irclass.dll

2009-04-18 12:32:01 ----RA---- C:\WINDOWS\SET9F.tmp

2009-04-18 12:31:58 ----RA---- C:\WINDOWS\SET93.tmp

2009-04-18 12:31:56 ----RA---- C:\WINDOWS\SET90.tmp

2009-04-17 23:52:29 ----A---- C:\WINDOWS\system32\zfgh83jg3.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\tcpd.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\tcpcon.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\Packer.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\iphy.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\fiplock.dll

2009-04-17 17:27:31 ----A---- C:\WINDOWS\system32\fhpatch.dll

2009-04-17 17:27:18 ----D---- C:\WINDOWS\dhcp

2009-04-17 17:26:52 ----RSHD---- C:\Program Files\ThunMail

2009-04-17 17:26:45 ----A---- C:\xpsm.exe

2009-04-17 17:26:44 ----A---- C:\ptrf.exe

2009-04-17 17:26:43 ----A---- C:\WINDOWS\system32\nvrsk.dll

2009-04-17 17:26:42 ----A---- C:\cpjopaid.exe

2009-04-17 17:26:39 ----A---- C:\WINDOWS\system32\sdfgerfgf3f.dll

2009-04-17 17:26:39 ----A---- C:\wcfgayg.exe

2009-04-17 17:26:37 ----A---- C:\tqpxlyy.exe

2009-04-17 11:38:35 ----D---- C:\Program Files\Windows Defender

2009-04-17 10:25:19 ----D---- C:\WINDOWS\LastGood.Tmp

2009-04-17 08:35:16 ----D---- C:\WINDOWS\Minidump

2009-04-17 05:26:18 ----SH---- C:\WINDOWS\system32\ubojiyat.ini

2009-04-16 19:38:54 ----A---- C:\WINDOWS\system32\lsdelete.exe

2009-04-16 18:08:49 ----A---- C:\WINDOWS\system32\SelfDel.bat

2009-04-16 17:50:44 ----A---- C:\WINDOWS\system32\ftp_non_crp.exe

2009-04-16 17:36:00 ----A---- C:\WINDOWS\OEWABLog.txt

2009-04-16 17:35:47 ----A---- C:\WINDOWS\system32\p2hhr.bat

2009-04-16 17:35:42 ----A---- C:\WINDOWS\system32\jh9fgo4ksdgf.dll

2009-04-16 17:35:41 ----A---- C:\WINDOWS\system32\ak1.exe

2009-04-16 17:25:46 ----A---- C:\WINDOWS\instsp2.exe

2009-04-16 17:20:32 ----A---- C:\WINDOWS\system32\prunnet.exe

2009-04-15 18:48:31 ----A---- C:\WINDOWS\system32\xpsp4res.dll

2009-04-14 03:00:32 ----D---- C:\WINDOWS\system32\KB905474

2009-04-13 23:55:10 ----A---- C:\WINDOWS\unvise32.exe

2009-04-13 23:55:06 ----D---- C:\Program Files\RehearScore 2.0

2009-04-13 12:05:12 ----A---- C:\WINDOWS\system32\antiwpa.dll

2009-04-13 11:26:26 ----A---- C:\WINDOWS\setuplog.txt

2009-04-13 09:58:21 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2009-04-12 11:09:12 ----A---- C:\WINDOWS\Validation.bat

2009-03-25 17:49:34 ----D---- C:\Program Files\OpenAL

2009-03-25 17:49:33 ----A---- C:\WINDOWS\system32\wrap_oal.dll

2009-03-25 17:49:33 ----A---- C:\WINDOWS\system32\OpenAL32.dll

 

======List of files/folders modified in the last 1 months======

 

2009-04-18 13:12:26 ----D---- C:\WINDOWS\system32

2009-04-18 13:07:19 ----D---- C:\WINDOWS\temp

2009-04-18 13:06:20 ----D---- C:\Program Files\Mozilla Firefox

2009-04-18 13:02:46 ----D---- C:\Program Files\Steam

2009-04-18 13:02:40 ----SD---- C:\WINDOWS\Tasks

2009-04-18 13:02:31 ----ASH---- C:\WINDOWS\system32\zitajalu.dll

2009-04-18 13:02:31 ----ASH---- C:\WINDOWS\system32\reboyuti.dll

2009-04-18 13:02:30 ----ASH---- C:\WINDOWS\system32\raditile.exe

2009-04-18 13:02:27 ----D---- C:\WINDOWS\Registration

2009-04-18 13:02:01 ----HD---- C:\WINDOWS\inf

2009-04-18 13:01:49 ----D---- C:\WINDOWS\system32\CatRoot2

2009-04-18 13:01:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-04-18 13:01:39 ----D---- C:\WINDOWS

2009-04-18 12:59:10 ----D---- C:\WINDOWS\system32\inetsrv

2009-04-18 12:59:10 ----D---- C:\WINDOWS\system32\drivers

2009-04-18 12:59:10 ----D---- C:\WINDOWS\system32\config

2009-04-18 12:59:09 ----D---- C:\WINDOWS\nview

2009-04-18 12:57:26 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-04-18 12:54:58 ----D---- C:\WINDOWS\security

2009-04-18 12:54:36 ----AC---- C:\WINDOWS\ODBCINST.INI

2009-04-18 12:53:51 ----RD---- C:\WINDOWS\Web

2009-04-18 12:53:51 ----RD---- C:\Program Files

2009-04-18 12:53:43 ----RAHC---- C:\WINDOWS\system32\cdplayer.exe.manifest

2009-04-18 12:53:32 ----A---- C:\WINDOWS\win.ini

2009-04-18 12:53:27 ----D---- C:\WINDOWS\system32\oobe

2009-04-18 12:53:26 ----D---- C:\WINDOWS\srchasst

2009-04-18 12:53:24 ----D---- C:\Program Files\Windows Media Player

2009-04-18 12:53:19 ----D---- C:\Program Files\Movie Maker

2009-04-18 12:53:14 ----D---- C:\WINDOWS\system32\Restore

2009-04-18 12:53:12 ----D---- C:\Program Files\NetMeeting

2009-04-18 12:53:09 ----D---- C:\Program Files\Outlook Express

2009-04-18 12:53:09 ----D---- C:\Program Files\Common Files\System

2009-04-18 12:52:59 ----D---- C:\Program Files\Internet Explorer

2009-04-18 12:52:18 ----D---- C:\WINDOWS\system32\Com

2009-04-18 12:51:50 ----D---- C:\WINDOWS\system32\wbem

2009-04-18 12:51:47 ----D---- C:\Program Files\Windows NT

2009-04-18 12:50:57 ----SH---- C:\boot.ini

2009-04-18 12:38:32 ----SHD---- C:\WINDOWS\Installer

2009-04-18 12:33:41 ----D---- C:\WINDOWS\system32\CatRoot

2009-04-18 12:32:31 ----A---- C:\WINDOWS\system.ini

2009-04-18 12:32:26 ----D---- C:\WINDOWS\system

2009-04-18 12:32:16 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini

2009-04-18 10:01:16 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-04-18 08:29:32 ----D---- C:\WINDOWS\system32\Setup

2009-04-18 08:29:30 ----D---- C:\WINDOWS\Help

2009-04-18 08:29:25 ----D---- C:\WINDOWS\system32\usmt

2009-04-18 08:29:19 ----D---- C:\WINDOWS\AppPatch

2009-04-18 08:29:13 ----D---- C:\WINDOWS\mui

2009-04-18 08:29:13 ----D---- C:\WINDOWS\ehome

2009-04-18 08:29:12 ----RSD---- C:\WINDOWS\Fonts

2009-04-18 08:29:12 ----D---- C:\WINDOWS\ime

2009-04-18 08:29:11 ----D---- C:\WINDOWS\Media

2009-04-18 08:29:03 ----D---- C:\WINDOWS\PeerNet

2009-04-18 08:28:52 ----D---- C:\WINDOWS\system32\npp

2009-04-18 08:28:46 ----D---- C:\WINDOWS\msagent

2009-04-18 08:26:16 ----D---- C:\WINDOWS\twain_32

2009-04-18 08:25:30 ----D---- C:\WINDOWS\system32\icsxml

2009-04-18 08:25:09 ----D---- C:\WINDOWS\system32\ias

2009-04-18 08:25:05 ----D---- C:\WINDOWS\system32\1033

2009-04-18 08:24:19 ----D---- C:\WINDOWS\WinSxS

2009-04-18 08:24:19 ----D---- C:\WINDOWS\Driver Cache

2009-04-17 17:26:43 ----A---- C:\WINDOWS\ucezuduqiyaloqe.dll

2009-04-17 17:26:35 ----ASH---- C:\WINDOWS\system32\viwawede.dll

2009-04-17 17:26:34 ----ASH---- C:\WINDOWS\system32\sozonolo.exe

2009-04-17 17:26:34 ----ASH---- C:\WINDOWS\system32\lomofasi.dll

2009-04-17 11:38:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

2009-04-17 08:09:09 ----D---- C:\Program Files\Spybot - Search & Destroy

2009-04-17 05:26:37 ----ASH---- C:\WINDOWS\system32\lebegega.dll

2009-04-17 05:26:08 ----ASH---- C:\WINDOWS\system32\wivagoge.dll

2009-04-17 05:26:07 ----A---- C:\WINDOWS\system32\tayijobu.dll

2009-04-16 17:28:25 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-16 17:25:46 ----ASH---- C:\WINDOWS\system32\birevaga.dll

2009-04-15 23:47:46 ----A---- C:\WINDOWS\imsins.BAK

2009-04-15 23:45:42 ----HD---- C:\WINDOWS\$hf_mig$

2009-04-13 13:01:52 ----D---- C:\Documents and Settings\Carson\Application Data\uTorrent

2009-04-11 23:33:56 ----D---- C:\Documents and Settings\Carson\Application Data\mIRC

2009-04-11 22:57:48 ----D---- C:\Program Files\mIRC

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-04-17 4707328]

R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-02-29 20240]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]

R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-11-08 21760]

R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-08-07 98944]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]

S3 at1394;at1394; \??\C:\WINDOWS\system32\at1394.sys []

S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []

S3 iscFlash;iscFlash; \??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []

S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]

S3 usbscan;Usbscan; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 dhcpsrv;Dhcp server; C:\WINDOWS\dhcp\svchost.exe [2009-04-17 255488]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-22 152984]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 184388]

R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-02-03 675328]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 90112]

S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

 

-----------------EOF-----------------


As I was doing a basic search on the latest filenames associated with an updated "old" virus, this post came up as 1 of 2 web pages found. I just spent a pain in the rear 15 min to get on to reply, as this is fairly important. Yes, it's a virus....but it's probably an updated form of "Virut" - one of the Russian "gangsta" attempts at ripping off primarily American consumers or related users that visit sites that show up in English Google search results. Nice huh...

 

I am still in my initial phases of "taking apart" a customer's files as this can easily turn into a nasty problem, and easily spread or allow a backdoor into your servers and/or workstations. It infects almost everything - system files, etc - exe, htm, scr, html, xml, zip, etc.....and since it infects many Windows system files, trying to save your PC load is not a great option as it has a more than 50% failure rate in the end anyway - you can't delete all infected files (unless you are of course wiping the drive to start "fresh"). The AV you use must clean them, without damaging them...which rarely occurs with this virus. And they appear to have improved it some - I give them a little cred for writing it a little better - it now acts like a polymorph, infects asp, is a persistent "little :filtered:."

 

AND NOTE THIS - it will immediately open a backdoor via IRC bot like the original, but it may have a new method - I am currently monitoring a new unusual traffic attempt...not done yet putting everything together. But the point is - it's trying to link up, download new instructions or allow a remote user to do as they will with your machine and its world behind your router/firewall.

 

The giveaways - ptrf.exe ; cpjopaid.exe; wcfgayg.exe, a few others.

 

Just don't use it.

It's a late night, I'm trying to track down the suspect remote address for this latest version; and the website that passed it - it also changes your default browser from IE - to what - ?? - as there's no other browser on the PC. And if it finds those files during its initial search of its new home (your PC), it acts as soon as it finds any web pages - client or server. Until you're ready, leave your PC off, as it will continually infect - and soon the few personal files you can save will also be turned. I will hopefully have a useful recommendation to save it all, or at least maximize the user file saves. I am planning on a Tues AM delivery, or sooner, for my team to start a review.

 

Have to go....

 


 

Edit:

removed email address to avoid spambots.

Edited by Juliet


Hi Connor3400

 

Why is there no antivirus software on this computer?

 

I can see from the logs you've posted the computer is severely infected; I have no idea if it can be cleaned.

There's a great probability the tools and scans needed to run here will have error messages or you won't be able to download as needed.

As Mutt has posted, chances are there is an infection on the machine that can only be removed by reformatting.

I won't know till I can get verification.

 

 

 

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

Link 3

 


--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

(Click on this link to see a list of programs that should be disabled.)

http://www.bleepingcomputer.com/forums/topic114351.html

 

 

Double click on Combo-Fix.exe & follow the prompts.

 

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

 

No Validation is Required.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

 

 

** Please Note:

At times ComboFix may appear to stall, please be patient.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

You may need several replies to post the requested logs, otherwise they might get cut off.


This is what I was worried about! Every time I would run spybot or a similar program, it would try and clean up what it could, but then it would BSOD in about 5 minutes.

 

I'll go get to work on what you posted Jacee, and thanks for that info Mutt. I had a feeling it looked like reformatting time... :(

 

Oh, and there was an anti virus installed at one point, but not sure what my family was up to. They sort of just try to get rid of pop-up messages instead of reading them, so who knows what could have happened.

 

Will be back to post logs ASAP.


Let me know if you need a list of free antivirus choices.


Let me know if you need a list of free antivirus choices.

 

That would be excellent, I'm not too up-to-date on the AVs out there. Do you know anything about that NOD32 Anti Virus?

 

I got a ton of windows errors, but HJT and Combo-Fixer still worked.

 

Time for the logs.

 

HJT Log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:51:48 PM, on 4/19/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\dhcp\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\3361\SVCHOST.exe

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Documents and Settings\Carson\reader_s.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {a5af42a3-94f3-42bd-f634-0604832c897d} - C:\WINDOWS\system32\yaubfh983ind.dll

O2 - BHO: (no name) - {e821f04b-bdfc-46ed-8286-c499585c603f} - C:\WINDOWS\system32\kuzefawi.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [mosihuziti] Rundll32.exe "C:\WINDOWS\system32\monifave.dll",s

O4 - HKLM\..\Run: [Apogubacaxoza] rundll32.exe "C:\WINDOWS\ucezuduqiyaloqe.dll",e

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [CPMdbfc4abc] Rundll32.exe "c:\windows\system32\reboyuti.dll",a

O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Carson\reader_s.exe

O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [searching] Search from the Address bar

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll c:\windows\system32\reboyuti.dll c:\windows\system32\lomofasi.dll,C:\WINDOWS\system32\wivevevi.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll

O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll

O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll

O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reboyuti.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 7284 bytes

 

Not sure how I should go about posting the ComboFix log; it might take 7 or 8 posts, probably more than that. Would it be safe to upload the log so you could see it, or would that be too dangerous with this virus on here? Don't want to go around infecting other people's computers.

Edited by Connor3400


Hi Connor

 

Before you edited your post I was able to catch a glimpse of what you had posted from ComboFix log.

 

Suspicions are confirmed.

C:\documents and settings\Carson\reader_s.exe

 

 

To add further to that, critical Windows system files did not pass.

The below are infected and corrupt. This means no clean files were found to replace the infected ones.

 

------- Sigcheck -------

 

2009-04-18 15:41 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys

2009-04-18 15:41 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

 

2004-08-04 08:00 1052672 0c1a2d86c9f843fc2fbec16a63143e01 c:\windows\explorer.exe

2007-06-13 07:26 1053696 6f57c3e6ac97b63814e82cd0b8f5bd86 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-04 08:00 1052672 d0630d0d573212fe03e622f3e5969222 c:\windows\$NtUninstallKB938828$\explorer.exe

2004-08-04 08:00 1052672 cfd2fd6723578ac25be475e626a1bc5f c:\windows\system32\dllcache\explorer.exe

 

2004-08-04 08:00 35840 7d511d7289f2b3ecb55888e82611c4fd c:\windows\system32\ctfmon.exe

2004-08-04 08:00 35840 a77705ebecbccbc93b6cea738d4b0831 c:\windows\system32\dllcache\ctfmon.exe

 

2004-08-04 08:00 131584 926f240aca4b411e1ccc9b0135e65e7c c:\windows\system32\wuauclt.exe

2004-08-04 08:00 131584 3577e8c18b10ecbdab176b26aa97246e c:\windows\system32\dllcache\wuauclt.exe

 

2004-08-04 08:00 45056 7f968fd6ed592436dfb0a22c83264c5c c:\windows\system32\userinit.exe

2004-08-04 08:00 45056 0567e9d6b9df793d007ff20c6572edfb c:\windows\system32\dllcache\userinit.exe

 

 

 

 

You are dealing with Virut on your system.

Game over situation and a format and reinstall is the fastest and especially the safest solution.

Virut is a polymorphic file infector which infects the executable files (.exe) including critical Windows files, and screensaver files (.scr) corrupting them beyond repair in most cases. I'm sorry to have to inform you that the only trustworthy solution for Virut is to format.

 

Do not back up anything other than Documents or other non-executable files (no .scr files or zip/cab/rar files which contain executables), and burn those to CD/DVD, not to USB drive or another machine, as those then become suspect or infected.

 

There is a recent variant of Virut which also infects htm and html files.

 

 

There's no tool that can fix this infection at the moment. Some tools claim to disinfect it but they also end up corrupting the system files in the end just like Virut itself. So, I am afraid there's no other option but a reformat and reinstall.

 

Virut is spread via crack and keygen sites. In future, I would strongly recommend that you or anyone else who can use this computer stay away from such sites.

 

Here's some information on this infection:

 

http://www.microsoft.com/security/encyclop...e=Win32%2fVirut

http://vil.nai.com/vil/content/v_143034.htm

http://www.avast.com/eng/win32-virut.html

http://www.symantec.com/security_response/...-99&tabid=1

 

If you need assistance in performing a clean install, here are a couple of good guides to walk you through the process:

 

http://www.windowsreinstall.com/winxppro/i...stallguides.htm

http://helpdesk.its.uiowa.edu/windows/inst...ns/reformat.htm

 

 

 

You might also like to have a look at this blog by our colleague, miekiemoes:

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

 

 

 

If you would still like a list of free Antivirus choices let me know.
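The sigcheck block in this reply lists the live copy of each Windows system file next to its dllcache, $hf_mig$ and $NtUninstall copies, with an MD5 for each, and the "no clean files were found" verdict rests on whether any copy disagrees with the others. Here is an added example, not code from the thread or from ComboFix, that parses lines in that layout (the post's own lines are embedded as the sample input) and reports, per file name, whether the copies are uniform or divergent; the verdict labels and the same-size check are my own.

```python
"""Added example: parse the sigcheck block that ComboFix prints and compare the
copies of each system file by MD5.  Hash disagreement proves that copies differ;
without a known-good reference it does not say which copy, if any, is clean."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Layout of one sigcheck line as quoted in the thread: date time size md5 path
SIGCHECK_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*)$"
)

# Sample input: the sigcheck lines quoted in the thread, copied verbatim
# (the header line is there to show that non-matching lines are ignored).
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------
2009-04-18 15:41 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-04-18 15:41 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2004-08-04 08:00 1052672 0c1a2d86c9f843fc2fbec16a63143e01 c:\windows\explorer.exe
2007-06-13 07:26 1053696 6f57c3e6ac97b63814e82cd0b8f5bd86 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 08:00 1052672 d0630d0d573212fe03e622f3e5969222 c:\windows\$NtUninstallKB938828$\explorer.exe
2004-08-04 08:00 1052672 cfd2fd6723578ac25be475e626a1bc5f c:\windows\system32\dllcache\explorer.exe
2004-08-04 08:00 35840 7d511d7289f2b3ecb55888e82611c4fd c:\windows\system32\ctfmon.exe
2004-08-04 08:00 35840 a77705ebecbccbc93b6cea738d4b0831 c:\windows\system32\dllcache\ctfmon.exe
2004-08-04 08:00 131584 926f240aca4b411e1ccc9b0135e65e7c c:\windows\system32\wuauclt.exe
2004-08-04 08:00 131584 3577e8c18b10ecbdab176b26aa97246e c:\windows\system32\dllcache\wuauclt.exe
2004-08-04 08:00 45056 7f968fd6ed592436dfb0a22c83264c5c c:\windows\system32\userinit.exe
2004-08-04 08:00 45056 0567e9d6b9df793d007ff20c6572edfb c:\windows\system32\dllcache\userinit.exe
"""


def parse_sigcheck(text):
    """Return one dict per sigcheck line; lines in any other layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if m:
            ts, size, md5, path = m.groups()
            entries.append({"timestamp": ts, "size": int(size),
                            "md5": md5.lower(), "path": path})
    return entries


def group_by_name(entries):
    """Group copies by bare file name (case-insensitive), whatever directory they sit in."""
    groups = defaultdict(list)
    for e in entries:
        groups[PureWindowsPath(e["path"]).name.lower()].append(e)
    return dict(groups)


def assess_group(copies):
    """Classify the copies of one file name (labels are this example's own):
    - 'divergent': more than one MD5 among the copies, so at least one copy was
      altered or is a different build (the paths say which is a hotfix copy);
    - 'uniform':   every copy shares one MD5, so there is no alternative copy to
      restore from, whether or not that shared content is clean (the ndis.sys case).
    same_size_conflicts lists sizes at which copies have the same length but
    different bytes; a different build normally changes the length as well, so
    those are the copies to look at first."""
    by_size = defaultdict(set)
    for c in copies:
        by_size[c["size"]].add(c["md5"])
    distinct = {c["md5"] for c in copies}
    return {
        "copies": len(copies),
        "distinct_hashes": len(distinct),
        "verdict": "divergent" if len(distinct) > 1 else "uniform",
        "same_size_conflicts": sorted(s for s, h in by_size.items() if len(h) > 1),
    }


def assess_sigcheck(text):
    """Map each file name in a sigcheck block to its assessment."""
    return {name: assess_group(copies)
            for name, copies in group_by_name(parse_sigcheck(text)).items()}


def divergent_names(text):
    """Sorted file names whose copies do not all share one MD5."""
    return sorted(n for n, info in assess_sigcheck(text).items()
                  if info["verdict"] == "divergent")


def summarize(text):
    """One human-readable line per file name."""
    lines = []
    for name, info in sorted(assess_sigcheck(text).items()):
        note = ""
        if info["same_size_conflicts"]:
            sizes = ", ".join(str(s) for s in info["same_size_conflicts"])
            note = " (same length, different bytes at size %s)" % sizes
        lines.append("%-13s %d copies, %d distinct MD5 -> %s%s"
                     % (name, info["copies"], info["distinct_hashes"],
                        info["verdict"], note))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SIGCHECK)))
```

On the thread's lines this marks explorer.exe, ctfmon.exe, wuauclt.exe and userinit.exe as divergent with same-size conflicts, and ndis.sys as uniform, which is the situation the reply describes: no differing copy left to restore from.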


Hello...As I am new to this forum, and even more busy with work in order to make the same dollar...I am just able to return to this site.

 

I let a honeypot machine get infected using the files from the customer's PC I mentioned in my first post, and we were watching the traffic of this version of Virut. By tonight, I think we will rain on their parade for pulling this new stunt - or at least on the people looking over our fake personal info.

 

As mentioned by the other posts, Virut immediately goes after system files as quickly as other files. And this version appears to escape detection unless the AV is very up-to-date....Kap, Norton, McAfee, and iolo all seem to be adding the updated virus characteristics around the past 3 weeks - another client has two infected laptops that immediately caught it and they had outdated Norton defs - prob the prior virus version (we have started the work - they were two laptops that were for travel use so they just put them away to deal with later, until they saw our weekly customer email).

 

Although most people hate the control of MS and their autoupdates, it does not pay to turn off the AV update feature. This is one of those viruses that does not allow any easy way to clean them without trashing the file itself.

 

But we noticed they took no time working on trying to upload new junk to the honeypot. We occasionally drop the connection in order to see how they will behave in reconnect attempts - they're willing. They started downloading some docs and the favorites. They will be unpleasantly surprised with the dummy password safe file though.

 

Next time you reformat - use AV and make a backup of your initial install.

 



When experimenting with Virut make sure it's not with a machine you can't do without.

In the last week a new variant is out making it harder to identify and deal with; it shows signs of infecting newer things that in its history it didn't.

Good luck with your experimenting.


I went ahead and reformatted, but I saved some documents that my family wanted to another partition of my hard drive, and everything seemed to be good as new. But when I got home a few minutes ago there was a pop-up saying "your machine is infected so download this" (blah blah blah), so do you think it could still be on here and have infected the files on the other partition that I didn't reformat?

 

I'll edit in a HJT log of the machine right now if that might help show if it's still infected or not.

 

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:06:29 PM, on 4/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

 

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKUS\S-1-5-21-1659004503-583907252-725345543-1005\..\Run: [steam] "c:\program files\steam\steam.exe" -silent (User 'Carson')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 2856 bytes

Edited by Connor3400


do you think it could still be on here and have infected the files on the other partition that I didn't reformat?

 

I'm going to go out on a limb here and say yes....it can invade the partition drive you didn't reformat.

 

 

We can try to check.

 

 

I can give you links to free Antivirus and Firewall programs which are used by very many.

What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

 

Avira

 

 

Avast!

How to Install, Configure, and Use Avast Antivirus

 

AVG Free,

Help overview http://free.grisoft.com/doc/5/us/frt/0/num/616#faq_616

This is a very useful read:

http://grandstreamdreams.blogspot.com/2008...-version-8.html

 

Never install more than one antivirus scanner or firewall on your system.

 

 

I know you know how important an Antivirus is......let's get one installed then follow with the next set of instructions.

 

 

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

Link 3

 


--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

(Click on this link to see a list of programs that should be disabled.)

http://www.bleepingcomputer.com/forums/topic114351.html

 

 

Double click on Combo-Fix.exe & follow the prompts.

 

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

 

No Validation is Required.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

 

 

** Please Note:

At times ComboFix may appear to stall, please be patient.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed.
