« previous next »
Pages: [1] 2 3 4   Go Down

Author Topic: Virus that blocks any effort to fix it  (Read 7330 times)

0 Members and 1 Guest are viewing this topic.

Offline andylyne215

  • Newbie
  • *
  • Posts: 26
Virus that blocks any effort to fix it
« on: September 01, 2008, 04:10:42 PM »
Hi, I was sent here by ravencajun at Gardenweb.  I was told that might be infected with a virus called Vundo and the Corinne might be able to help me.

The first thing I noticed was that I couldn't upload photos anywhere...said there was a network problem.  Then I noticed that Google wasn't working, it would open another window and send me to some other search engine.  I did all the things I thought were right..I rebooted the computer...the router...reset my internet connection.  Then I ran AVG that was already on my computer...it showed nothing.

So I tried to download some other antivirus software...again said there was a problem with the network connection.  I had hijack this on my computer, so I ran that...but when I tried to analyze it I found I couldn't copy the log.  I tried everything I could to copy that stupid log !!!  I went into the help menu and the computer started playing crazy music !!!

It's blocking all my meager efforts to even start to get rid of it...I'm totally stumped.  I'm hoping that the experts can help me so that I don't have to take it in to the computer doctor.   :sos: :sos: :sos:

Thanks,  Andrea

eta additional symptoms
Logged

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #1 on: September 01, 2008, 04:51:07 PM »
Hi, andylyne215.  Welcome to LandzDown Forum.  I am familiar with ravencajun from Gardenweb and linked to posts there when Windows XP SP3 was released.  Rest assured that the team at LzD will do what we can to assist.

Let's start with a purely analytical tool that will rename HijackThis and provide us with additional information about your computer.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline andylyne215

  • Newbie
  • *
  • Posts: 26
Re: Virus that blocks any effort to fix it
« Reply #2 on: September 01, 2008, 04:59:33 PM »
Thanks so much Corinne,  I just clicked on the link and this is what I got.
Failed to Connect

     

     
     
     

     
       
       

         

Firefox can't establish a connection to the server at images.malwareremoval.com.

       


       
       

Though the site seems valid, the browser was unable to establish a connection.

    * Could the site be temporarily unavailable? Try again later.
    * Are you unable to browse other sites?  Check the computer's network connection.
    * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.



   That's what I get with every antivirus site I've gone to.  It's driving me nuts.   :shock:     
       
     


     
     
Logged

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #3 on: September 01, 2008, 05:39:06 PM »
Ok, andylyne215, it looks like we'll need to try some manual cleanup first. 



To manually clean the temp files, delete the following directory contents (but not the directory folder):
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin".

For the re-directs, let's see if your Hosts file is infected.
  • Go to C:\WINDOWS\System 32\drivers etc
  • Right click on the host file and select Open. 
  • When prompted, choose the option to "select the program from a list" and Open with Notepad
  • There will likely be a sample entry with the # symbol next to it.  Otherwise, the standard entry is for localhost:  127.0.0.1       localhost
  • Unless you placed entries in the Hosts file, delete any other entries except for localhost

Go to Add/Remove Programs and look for an uninstaller for any software up did not install.  To do this, follow these steps:
  • Click Start, point to Programs, and then search for a folder with the name of the program that you want to remove or the name of a program that may have included the program that you want to remove.
  • Point to the Program_Name folder, and then click the file to remove the program if the file exists. For example, the file might be named Unist.exe, Uninstall, or Uninstall Program_Name.
  • Follow the instructions that appear on the screen to remove the program.
  • Empty your recycle bin.

Because there may not be an entry in Add/Remove Programs or a Start Menu folder but may still be a folder on the hard disk, check with Explorer for any new folders added (sort by date) and check for an uninstall option:
  • Click Start, right-click My Computer, and then click Explore.
  • Expand the folder tree to look for a folder with the name of the program that you want to remove or the name of a program that may have included the program that you want to remove.
  • When you find the unwanted program's folder, click the folder.
  • In the right-pane, if a file to remove the program exists, double-click that file. For example, the file may be named Unist.exe, Uninstall, or Uninstall Program_Name.
  • Follow the instructions that appear on the screen to remove the program.
  • Empty your recycle bin.
Note: If you find a folder for the program that you want to remove, but you do not find a remove file to remove the program, do not delete the folder or the contents of the folder. If you delete the folder or the contents of the folder, you may adversely affect your computer performance and operation. For example, Windows may not start, programs may not start, or programs may stop running.
[/list]

What other security software do you have on your computer besides AVG?  Have you tried scanning with AVG in safe mode? 
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


Keep us posted. 
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline andylyne215

  • Newbie
  • *
  • Posts: 26
Re: Virus that blocks any effort to fix it
« Reply #4 on: September 01, 2008, 06:05:30 PM »
Corinne...I've taken some Tylenol and am ready to get started with this. 

I don't want to mess things up more, so I already have a question,  When you say 'C:\Windows\Temp\' ...I open that and there's another folder that says HP_webrelease.  When I open that there are more folders along with a whole lot of files.  My question is...is this the right place, and is it safe to delete these folders ?

Andrea
Logged

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #5 on: September 01, 2008, 06:17:21 PM »
Hi, Andrea. 

Yes, you are in the right place.  Assuming you have an HP Printer, the HP_webrelease folder holds the drivers for installing the printer.  You can leave that folder.   There will also likely be a temp file with today's date that you cannot delete.  That is normal.
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Re: Virus that blocks any effort to fix it
« Reply #6 on: September 01, 2008, 07:11:00 PM »
Thanks Corrine for your quick assistance for Andrea, I assured her you would take good care of her as you always do. And as all the LzD team does. :thumbsup: :rose: :thanks:
Logged
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #7 on: September 01, 2008, 07:19:58 PM »
* Corrine didn't give away your other identity, you did it.  :lol:
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Re: Virus that blocks any effort to fix it
« Reply #8 on: September 01, 2008, 07:42:10 PM »
hahahaaha yea I know the cat is out the bag, no problem I was not very incognito anyway LOL
Logged
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline andylyne215

  • Newbie
  • *
  • Posts: 26
Re: Virus that blocks any effort to fix it
« Reply #9 on: September 01, 2008, 08:28:47 PM »
I did the cleanup...my host was correct, and all the temp files are gone.

I meantioned my problem to a person I know and he got me through to......http://www.malwarebytes.org/mbam.php..... which I ran. Here is the log from that

Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 3

4:42:48 PM 9/1/2008
mbam-log-09-01-2008 (16-42-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169138
Time elapsed: 21 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.


******It fixed whatever it could...so I was able to connect to the link(RSIT) you first gave me...here is what I got******

Logfile of random's system information tool (written by random/random)
Run by ADREAA at 2008-09-01 17:11:01
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 17 GB (38%) free of 45 GB
Total RAM: 2038 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:04 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ADREAA\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\ADREAA.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: 
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9023 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-04 734704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"preload"=C:\Windows\RUNXMLPL.exe [2005-05-19 32768]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-08-24 94208]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-08-24 114688]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-04 102490]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-04 708698]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"LaunchAp"=C:\Program Files\Launch Manager\LaunchAp.exe [2005-07-25 32768]
"LManager"=C:\Program Files\Launch Manager\HotkeyApp.exe [2006-04-20 69632]
"CtrlVol"=C:\Program Files\Launch Manager\CtrlVol.exe [2003-09-16 20480]
"LMgrOSD"=C:\Program Files\Launch Manager\OSDCtrl.exe [2005-07-25 241664]
"Wbutton"=C:\Program Files\Launch Manager\Wbutton.exe [2006-04-20 86016]
"EPM-DM"=c:\acer\Empowering Technology\ePower\epm-dm.exe [2005-11-10 212992]
"Acer ePower Management"=C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe [2005-11-09 3084288]
"eRecoveryService"=C:\Acer\Empowering Technology\eRecovery\Monitor.exe [2006-01-24 397312]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-06-27 580096]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-13 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-08-24 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\IncrediMail\bin\ImApp.exe"="C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\WINDOWS\System32\DRIVERS\svchost.exe"="C:\WINDOWS\System32\DRIVERS\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-09-01 16:59:48 ----D---- C:\rsit
2008-09-01 16:48:12 ----SHD---- C:\FOUND.034
2008-09-01 16:07:04 ----D---- C:\Documents and Settings\ADREAA\Application Data\Malwarebytes
2008-09-01 16:07:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 16:07:01 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-28 11:55:42 ----HD---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-27 11:50:54 ----A---- C:\WINDOWS\OEWABLog.txt
2008-08-27 11:49:58 ----D---- C:\WINDOWS\Prefetch
2008-08-27 11:48:15 ----HD---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-27 11:48:07 ----HD---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-27 11:48:01 ----HD---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-27 11:47:54 ----HD---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-27 11:47:47 ----HD---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-27 11:47:39 ----HD---- C:\WINDOWS\$NtUninstallKB951748$
2008-08-27 11:47:32 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-08-27 11:47:26 ----HD---- C:\WINDOWS\$NtUninstallKB950762$
2008-08-27 11:47:18 ----HD---- C:\WINDOWS\$NtUninstallKB951376$
2008-08-27 11:47:11 ----HD---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-27 11:44:48 ----A---- C:\WINDOWS\setuplog.txt
2008-08-27 11:43:28 ----D---- C:\WINDOWS\system32\scripting
2008-08-27 11:43:28 ----D---- C:\WINDOWS\system32\en
2008-08-27 11:43:28 ----D---- C:\WINDOWS\l2schemas
2008-08-27 11:43:27 ----D---- C:\WINDOWS\system32\bits
2008-08-27 11:41:29 ----D---- C:\WINDOWS\ServicePackFiles
2008-08-27 11:20:34 ----HD---- C:\WINDOWS\$NtServicePackUninstall$
2008-08-27 11:20:32 ----D---- C:\WINDOWS\EHome
2008-08-27 11:06:10 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-27 11:06:09 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-27 11:06:07 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-27 11:06:07 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-27 11:06:06 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-27 11:06:06 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-27 11:06:06 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-27 11:06:06 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-27 11:06:05 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-27 11:06:05 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-27 11:06:04 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-27 11:06:04 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-27 11:06:04 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-27 11:06:03 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-27 11:06:02 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-27 11:06:02 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-27 11:06:01 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-27 11:06:00 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-27 11:06:00 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-27 11:06:00 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-27 11:05:59 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-27 11:05:59 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-27 11:05:59 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-27 11:05:59 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-27 11:05:58 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-27 11:05:58 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-27 11:05:58 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-27 11:05:58 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-27 11:05:58 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-27 11:05:57 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-27 11:05:57 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-27 11:05:57 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-27 11:05:56 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-27 11:05:55 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-27 11:05:55 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-27 11:05:55 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-27 11:05:54 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-27 11:05:53 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-08-27 11:05:53 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-27 11:05:52 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-27 11:05:52 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-27 11:05:52 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-27 11:05:52 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-27 11:05:52 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-08-27 11:05:51 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-27 11:05:50 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-08-27 11:05:48 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2008-08-27 11:05:45 ----N---- C:\WINDOWS\system32\slgen.dll
2008-08-27 11:05:45 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-08-27 11:05:43 ----N---- C:\WINDOWS\system32\slserv.exe
2008-08-27 11:05:43 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-08-27 11:05:43 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-08-27 11:05:43 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-08-27 11:05:42 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-08-27 11:05:42 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-08-27 11:05:42 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-08-27 11:05:42 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-08-27 11:05:42 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-08-27 11:05:42 ----N---- C:\WINDOWS\slrundll.exe
2008-08-27 11:05:41 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-08-27 11:05:41 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-27 11:05:40 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-08-27 11:05:40 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-08-27 11:05:39 ----A---- C:\WINDOWS\002790_.tmp
2008-08-24 22:53:50 ----SHD---- C:\FOUND.033
2008-08-16 21:24:39 ----A---- C:\DVDPATH.TXT
2008-08-12 17:54:18 ----HD---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-08-12 17:54:14 ----HD---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-08-12 17:54:10 ----HD---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-12 17:54:05 ----HD---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-08-12 17:52:51 ----HD---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-12 17:52:46 ----HD---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-08-12 17:52:22 ----A---- C:\WINDOWS\imsins.BAK
2008-08-12 17:52:19 ----HD---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-08-07 13:24:48 ----SHD---- C:\FOUND.032
2008-08-05 22:31:18 ----SHD---- C:\FOUND.031
2008-08-04 19:55:28 ----SHD---- C:\FOUND.030
2008-08-03 02:00:34 ----SHD---- C:\FOUND.029
2008-08-02 22:33:10 ----SHD---- C:\FOUND.028
2008-07-22 18:05:11 ----A---- C:\Program Files\ccsetup209.exe
2008-07-15 23:56:04 ----SHD---- C:\FOUND.027
2008-07-10 03:10:18 ----HD---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-06-21 06:24:21 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-06-17 15:50:02 ----D---- C:\Program Files\QuickTime
2008-06-15 21:10:18 ----SHD---- C:\FOUND.026
2008-06-12 00:32:11 ----HD---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-06-12 00:32:06 ----HD---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-06-12 00:32:02 ----HD---- C:\WINDOWS\$NtUninstallKB950760$
2008-06-12 00:31:56 ----HD---- C:\WINDOWS\$NtUninstallKB951376_0$

List of drivers

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\system32\System32\Drivers\avg7core.sys []
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\system32\System32\Drivers\avg7rsw.sys []
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\system32\System32\Drivers\avg7rsxp.sys []
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\system32\System32\Drivers\avgclean.sys []
R1 Hotkey;Hotkey; C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 9867]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NetworkX;NetworkX; C:\WINDOWS\system32\system32\ckldrv.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdi.sys []
R2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
R2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
R2 int15.sys;int15.sys; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 npkcrypt;npkcrypt; \??\C:\Program Files\Wizet\MapleStory\npkcrypt.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-11-08 997376]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-11-08 242048]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-08-24 1052732]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-12-02 70912]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-04 193216]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-09-12 3298432]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-11-08 723712]
S1 mailKmd;mailKmd; C:\WINDOWS\system32\drivers\mailKmd.sys []
S1 Wbutton;Wbutton; C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
S3 EWAVE;EWAVE; \??\C:\WINDOWS\system32\drivers\ew.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FILESPY;FILESPY; \??\C:\WINDOWS\system32\drivers\FILESPY.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-12-16 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-12-16 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-12-16 21744]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672]
S3 NSTATION;NSTATION; \??\C:\WINDOWS\system32\drivers\nstation.sys []
S3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2005-11-24 6144]
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 SDTHOOK;SDTHOOK; C:\WINDOWS\System32\DRIVERS\SDTHOOK.sys [2007-06-05 44928]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver; C:\WINDOWS\System32\Drivers\tascusb2.sys [2006-10-24 396192]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device; C:\WINDOWS\system32\drivers\tscusb2m.sys [2006-10-24 10752]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM; C:\WINDOWS\system32\drivers\tscusb2a.sys [2006-10-24 19904]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WUDFRd;WUDFRd; C:\WINDOWS\system32\DRIVERS\WUDFRd.sys [2006-09-28 82944]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys []

List of services

R2 aawservice;Ad-Aware 2007 Service; C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2008-04-08 607576]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2008-01-30 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2008-01-30 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2008-01-30 406528]
R2 Crypkey License;Crypkey License; C:\WINDOWS\system32\crypserv.exe [2003-11-26 61440]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 alkeshvaugbt;alkeshvaugbt; C:\WINDOWS\system32\drivers\alkeshvaugbt.sys [2007-06-08 8576]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


That sucker is huge !!!  *****only one log came up though.  I did have Comodo firewall, but I uninstalled it yesterday because I thought that maybe something I did caused it to cause the problem.  Is that on fine to reload or do you suggest another one ?  I hope you don't mind me running the other scan...I was so excited to be able to link to something.

Andrea
Logged

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #10 on: September 01, 2008, 08:52:26 PM »
Hold on, Andrea.  You have one of the nastiest infections going at the current time.  I know it can be removed but let me take a deep breath and get my thoughts in order.  In the meantime, you should be able to locate info.txt in C:\RSIT
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline andylyne215

  • Newbie
  • *
  • Posts: 26
Re: Virus that blocks any effort to fix it
« Reply #11 on: September 01, 2008, 09:08:04 PM »
Crap, now I'm really freaked out !!!

Here is the info text

info.txt logfile of random's system information tool 2008-09-01 16:59:57

Uninstall list

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Ad-Aware 2007-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Advanced WindowsCare Personal 2.6.0-->"C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"
Agatha Christie - And Then There Were None-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E4628D0D-5DC8-49EC-985A-F0C12EDBF1D2}\setup.exe" -l0x9  -uninst
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Crystal Wizard-->C:\PROGRA~1\EGAMES\CRYSTA~1\UNWISE.EXE C:\PROGRA~1\EGAMES\CRYSTA~1\INSTALL.LOG
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eGames GameButler-->C:\PROGRA~1\EGAMES\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\EGAMES\GAMEBU~1\INSTALL.LOG
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
Flipster Twin Pack-->C:\PROGRA~1\EGAMES\FLIPST~1\UNWISE.EXE C:\PROGRA~1\EGAMES\FLIPST~1\INSTALL.LOG
Flipster-->C:\PROGRA~1\EGAMES\FLIPSTER\UNWISE.EXE C:\PROGRA~1\EGAMES\FLIPSTER\INSTALL.LOG
getPlus(R)_ocx-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GigaStudio 3.0 LE-->C:\Program Files\Tascam\Gstudio\UNINST.EXE
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbaby-->MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase-->MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday-->MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn-->MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt-->MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids-->MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove-->MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday-->MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0002_fa42a6\Setup.exe /APR-REMOVE
Launch Manager V1.1.0.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0846526-66DD-4DC9-A02C-98F9A2806812}\Setup.exe" -l0x9
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEC511B1-59CB-4F15-AD75-0543034572A5}\Setup.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NTI Backup NOW! 4-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Panda ActiveScan-->C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall
QuickTax 2007-->MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rogers Yahoo! Applications-->C:\PROGRA~1\YAHOO!\COMMON\uninstall.exe
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001-->MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D_CplEFL5k\HXFSETUP.EXE -U -ICplEFL5K.inf
SoftV90 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025\HXFSETUP.EXE -U -IVEN_8086&DEV_266D&SUBSYS_006A1025
staticcr-->MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TAXWIZ 2006-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1063EB55-E42D-4755-9F83-BF20389E5524}\isetup.ex_" -l0x9  -uninst
tooltips-->MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
URGE-->MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
US-122L / US-144 driver-->C:\WINDOWS\usb-audio.deTascam\Setup.exe /l1
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip 11.2-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Photos Easy Upload Tool 1v7-->C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropperCA.dll"

Hosts File

127.0.0.1   007guard.com
127.0.0.1   www.007guard.com
127.0.0.1   008i.com
127.0.0.1   008k.com
127.0.0.1   www.008k.com
127.0.0.1   00hq.com
127.0.0.1   www.00hq.com
127.0.0.1   010402.com
127.0.0.1   032439.com
127.0.0.1   www.032439.com

Security center information

AV: AVG 7.5.526

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------
Logged

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5123
  • Half a bubble off plumb
Re: Virus that blocks any effort to fix it
« Reply #12 on: September 01, 2008, 09:11:03 PM »
Relax, Andrea.  Take a deep breath.  You have a rootkit infection, and we'll have to take the time to do the removal properly.
Logged
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #13 on: September 01, 2008, 09:16:16 PM »
Andrea, sorry for having scared you, but without the incredible work by the folks who created MBAM and the brilliance of sUBs, your alternative in the past would have been a total wipe and clean of your computer.  The reason is that a rootkit is a type of trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at the lowest level of the machine. 

So, let's get your computer cleaned.  There will likely be further steps, but this should be a good start.  For now, just turn on the Windows Firewall.  You can reinstall Comodo or other firewall later.  

I'm not sure if you ended up re-scanning with MBAM and removing what was found so will provide instructions for doing so now, followed by instructions for ComboFix.  

Scan with MBAM again:
  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates
  • Once the update has been installed and the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply and a fresh HijackThis log.
Next, Please follow these instructions carefully:  

Download Combofix from any of the links below, and save it to your desktop.  For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix  If you don't have the Recovery Console installed, I suggest following those instructions.  Note that even though SP3 is not mentioned, the link for XP SP1/SP2 is correct.

           Link 1
           Link 2
           Link 3


**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.  
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse click the combofix window while it is running. That may cause it to stall.  Run ComboFix ONLY one time.

Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Virus that blocks any effort to fix it
« Reply #14 on: September 01, 2008, 09:38:49 PM »
When I was commiserating consulting with other members of the team, I mentioned that I thought you were able to download MBAM because of cleaning your Hosts file.  Wincheter73 pointed out that you wrote:
Quote
my host was correct

127.0.0.1   007guard.com
127.0.0.1   www.007guard.com
127.0.0.1   008i.com
127.0.0.1   008k.com
127.0.0.1   www.008k.com
127.0.0.1   00hq.com
127.0.0.1   www.00hq.com
127.0.0.1   010402.com
127.0.0.1   032439.com
127.0.0.1   www.032439.com

007Guard, for example, is a browser hijacker that redirects the web browser and changes the homepage to a website that advertises fake security. 

Just for the record, you don't want any of those but let's take care of the rest of the infection first.

You're going to be fine. 
Logged
,  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
Pages: [1] 2 3 4   Go Up
« previous next »