Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan:Win32/Vundo.gen!D [RESOLVED]

Started by Jfield , Apr 23 2008 08:33 AM

  • This topic is locked This topic is locked

#1
Jfield
Posted 23 April 2008 - 08:33 AM

Jfield

    New Member

  • Member
  • Pip
  • 3 posts
I have some malware on my system that is making my computer very slow giving me occasional popups and crashing windows explorer. Windows malicious software removal program says its Trojan:Win32/Vundo.gen!D but that it can only be partially removed. I also ran Symantec's FixVundo.exe that said it removed a trojan but it didn't seem to help. I run spybot search and destroy and it finds virtumonde and virtumonde.dll as well as some other ad programs. I keep removing them and they keep coming back. Also, there are files constantly being added to my system startup, random named dll files associated with run32.dll and other stuff titled 'spybot deleting.' I ran combo fix and trend micro hijack this, and things seem to be ok, but as soon as I reboot I know that the problem is going to come back. I am worried about having personal information stolen by this virus and I need to be sure that it is off my system Please let me know what I should do. The log flies are below:

ComboFix 08-04-22.5 - 2008-04-23 10:06:06.1 - NTFSx86


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\BM4dc634ec.xml
C:\Windows\pskt.ini
C:\Windows\System32\bceeg.ini
C:\Windows\System32\bceeg.ini2
C:\Windows\System32\bwhlhcws.ini
C:\Windows\System32\cdeeg.ini
C:\Windows\System32\cdeeg.ini2
C:\Windows\System32\cfefe.ini
C:\Windows\System32\cfefe.ini2
C:\Windows\System32\duqybeoi.ini
C:\Windows\system32\geecb.dll
C:\Windows\System32\gptfxtku.ini
C:\Windows\System32\ieijkhyk.ini
C:\Windows\System32\jhiqqklq.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\mivombyw.ini
C:\Windows\System32\nphpvukq.ini
C:\Windows\System32\pmflbxqd.ini
C:\Windows\System32\qbpfcyik.ini
C:\Windows\System32\qtvwa.ini
C:\Windows\System32\qtvwa.ini2
C:\Windows\System32\tohsrlqt.ini
C:\Windows\System32\tvycf.ini
C:\Windows\System32\tvycf.ini2
C:\Windows\System32\ycfbnmtp.ini
C:\Windows\System32\ypkeoyqk.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 09:36 . 2008-04-23 09:36 <DIR> d-------- C:\VundoFix Backups
2008-04-23 00:01 . 2008-04-23 09:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-22 15:59 . 2008-04-22 21:32 1,540,737 ---hs---- C:\Windows\System32\njihruyr.ini
2008-04-21 11:47 . 2008-04-21 11:47 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Users\All Users\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\ProgramData\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Program Files\Nero
2008-04-21 11:41 . 2008-04-21 11:45 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-20 14:19 . 2008-04-20 14:40 294 ---hs---- C:\Windows\System32\djxplkbm.ini
2008-04-19 17:50 . 2007-12-16 18:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-04-19 17:50 . 2007-12-16 05:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-04-19 17:20 . 2008-04-19 17:20 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-04-16 19:42 . 2008-04-16 19:42 <DIR> d-------- C:\Program Files\Apple Software Update(228)
2008-04-15 09:49 . 2008-04-15 09:49 294 --ahs---- C:\Windows\System32\qmftlfma.ini
2008-04-13 20:18 . 2008-04-13 20:43 294 --ahs---- C:\Windows\System32\ttamkuet.ini
2008-04-12 14:10 . 2008-04-12 14:14 <DIR> d-------- C:\Program Files\RegCure
2008-04-12 13:22 . 2008-04-12 13:51 414 --ahs---- C:\Windows\System32\hbocmpem.ini
2008-04-12 10:25 . 2008-04-12 11:22 354 --ahs---- C:\Windows\System32\hcyymyfb.ini
2008-04-10 16:53 . 2008-04-10 16:53 294 --ahs---- C:\Windows\System32\bpcgqfub.ini
2008-04-09 12:52 . 2008-04-09 12:52 129 --a------ C:\Windows\System32\MRT.INI
2008-04-09 08:44 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 08:44 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 08:44 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 08:44 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 08:44 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 08:44 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 08:44 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 08:44 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 08:44 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 08:01 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 07:56 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 07:56 . 2007-12-16 07:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 07:56 . 2007-12-16 07:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-08 21:23 . 2008-04-23 09:19 1,267 --a------ C:\Windows\wininit.ini
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000002.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000001.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 65,536 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TM.blf
2008-04-08 08:16 . 2008-04-11 08:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-05 15:33 . 2008-04-05 15:33 1,158 --a------ C:\Windows\mozver.dat
2008-04-05 14:29 . 2007-08-01 16:47 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-04-05 14:22 . 2008-04-05 19:42 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\HouseCall 6.6
2008-04-05 13:40 . 2008-04-23 09:01 262,144 --a------ C:\ntuser.dat
2008-04-05 13:40 . 2008-04-23 09:01 5,120 --ah----- C:\ntuser.dat.LOG1
2008-04-05 13:40 . 2008-04-08 20:52 0 --ah----- C:\ntuser.dat.LOG2
2008-04-04 21:34 . 2008-04-04 21:34 <DIR> d-------- C:\Users\Jason Mansfield\.dwa_store
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\AVSMedia
2008-04-03 13:50 . 2008-04-03 13:50 0 --a------ C:\Windows\nsreg.dat
2008-04-03 09:35 . 2008-04-03 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 11:05 . 2007-03-06 22:51 543,232 --a------ C:\Windows\System32\FWPUCLNT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 416,768 --a------ C:\Windows\System32\IKEEXT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 317,440 --a------ C:\Windows\System32\BFE.DLL
2008-04-02 11:05 . 2007-03-06 22:08 84,992 --a------ C:\Windows\System32\drivers\FWPKCLNT.SYS
2008-04-02 10:15 . 2008-04-19 21:35 <DIR> d-------- C:\Users\Jason Mansfield\.housecall6.6
2008-04-01 12:57 . 2008-04-01 12:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-31 09:35 . 2008-04-02 10:51 <DIR> d-------- C:\Program Files\Power Video Converter
2008-03-31 09:35 . 2008-03-31 09:35 <DIR> d-------- C:\movies
2008-03-31 09:35 . 2008-03-31 09:35 66 --a------ C:\Windows\Power Video Converter.INI
2008-03-31 09:30 . 2006-11-07 11:22 719,872 --a------ C:\Windows\System32\devil.dll
2008-03-31 09:30 . 2007-05-17 23:30 318,976 --a------ C:\Windows\System32\avisynth.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 03:29 --------- d-----w C:\Users\Jason Mansfield\AppData\Roaming\Zoom Player
2008-04-23 01:53 --------- d-----w C:\Program Files\ReGetDx
2008-04-21 00:32 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 01:35 --------- d-----w C:\Users\Jason Mansfield\AppData\Roaming\Winamp
2008-04-20 01:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-20 01:35 --------- d-----w C:\ProgramData\FLEXnet
2008-04-20 01:35 --------- d-----w C:\Program Files\Microsoft Works
2008-04-20 01:35 --------- d-----w C:\Program Files\GetDiz
2008-04-19 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 13:30 --------- d-----w C:\Program Files\Amadis Software
2008-03-21 04:07 188,135 ----a-w C:\Users\Jason Mansfield\AppData\Roaming\nvModes.dat
2008-03-06 22:55 --------- d-----w C:\Program Files\Intelore
2008-02-29 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-03 20:27 174 --sha-w C:\Program Files\desktop.ini
2008-02-03 20:07 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-29 04:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-29 04:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-29 04:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-29 04:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-29 00:15 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-08-30 16:54 76 --sha-r C:\Windows\CT4CET.bin
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-19 00:02 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F66DF53-CB1D-4A40-923B-34D2BA7A8488}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66ED71B-3E07-427F-85B0-BB8132D872C2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:01 1232896]
"DELL Webcam Manager"="C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 12:14 118784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-05-11 02:57 159744]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 06:17 405504]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-30 12:52 77824]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"bacstray"="C:\Program Files\Broadcom\BACS\BacsTray.exe" [2007-01-14 12:42 124488]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-30 20:34 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4dc634ec]
C:\Windows\system32\wyqyqsel.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-40607026-3291105624-1167355563-1001]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7FE41D3B-2131-4089-B5FC-868C18F3E4D0}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{1A88CDDC-500B-4CD5-B59A-756EBBB6E8FE}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E4F4B7EA-C727-4889-B564-A1C1B1BF68E9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{CC0C2EE7-DC23-4A23-BE48-7D83599AF712}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{A5FD891F-9904-43D6-9619-33FB4E3AA2C9}"= TCP:10421:SingleClick Discovery Protocol
"{4181A74C-9EA8-4103-8006-B9B1EE27D566}"= UDP:139:NetBIOS File/Printer Sharing
"{C4C44A5D-9AF4-4BEF-8444-85BB33FF5BAE}"= TCP:10426:SingleClick ICC
"{BADA4872-A6CB-4512-BB1B-72CAA4753D1D}"= UDP:445:Microsoft Directory Services
"{CCB3AAC9-D04C-46B1-843C-E7CE4EDF31D0}"= TCP:138:NetBIOS Datagram Service
"{1DD6585B-8618-411E-ABB3-42DBB9EE493F}"= TCP:137:NetBIOS Name Service
"{E6789448-3068-40E0-98D3-66F829EA1539}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2CBD1202-BD6D-4FB3-9D80-A2D673FEFF29}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{627BBABE-7F8A-4A45-8ECC-23922C8B2ECD}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{A689DABE-B1D5-4F41-B5AD-4FA98DA75B84}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{94E55BB9-25F3-4183-8E87-52C21966EE17}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4C18457E-B9A4-4416-A1C2-CF6C8D04ABE0}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B521C8FD-0751-42DA-B2C6-CCDD17388872}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EE64065F-51AD-438F-9A91-14E33848F3C4}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5C0B85DD-C35B-4042-889C-AF646B769C03}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B2A59812-E3C7-44D9-8C34-91E5907631A9}"= TCP:10421:SingleClick Discovery Protocol
"{48BB4D93-FADD-4E2D-BE45-82CFC3684692}"= UDP:139:NetBIOS File/Printer Sharing
"{E9CD84E0-A768-4FD3-B73C-26A1A9A583C6}"= TCP:10426:SingleClick ICC
"{88131F75-C549-4EC3-9B35-317B8041DEEC}"= UDP:445:Microsoft Directory Services
"{F540B393-3A65-48B5-AA77-4A9FFEF281AA}"= TCP:138:NetBIOS Datagram Service
"{07AD91C0-027A-4AC2-99AB-C6AE4AB78B5B}"= TCP:137:NetBIOS Name Service
"TCP Query User{401BD53F-55B9-49EA-AAB6-5EB05B5522FA}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{69D7C617-39CC-4516-B784-C7C950AD88A6}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"{74CCE313-9368-4D06-89DE-09567B722B77}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5F5E2C11-DB71-47A3-9800-B41F6B97F958}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{AB718675-DA16-4B99-A107-D3861555404D}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{4EA98336-4E84-4BB6-A206-2EF2BD2027DF}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{D9AAC2BC-E06D-46B0-8FA0-5BC04555BE56}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6EFEC5F1-6E7D-4506-A0E8-E8B7DCD9066D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{27B28D25-DDAB-44F2-BE9D-9DAB0ACA1F77}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{1E3A6628-303C-42BE-8E02-AA8C3224F1F3}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{584D9298-B006-404D-ADBE-1CD521BF4700}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{E4E84484-EDDC-4DAC-92F2-41A54A73A205}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"TCP Query User{F0B3D1D8-81C8-4CC7-9804-FB6BED257B0C}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{2880B2CA-DDDB-424C-8182-5701CFCF6191}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d066a3-fa73-11dc-8dfd-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a799-d0bc-11dc-9432-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a7ae-d0bc-11dc-9432-001c26f552eb}]
\shell\AutoRun\command - MntDrCore.exe
\shell\Open\command - MntDrCore.exe
\shell\Open With...\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b5fbbe2-f107-11dc-9644-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0e7422-d685-11dc-b5f6-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{973c19eb-ed23-11dc-901f-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eee2b3b-d643-11dc-8c50-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b73f6673-dcaa-11dc-bc2a-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{105F2209-BFB8-3496-CB4D-D83134A3E5A3}]
C:\Windows\system32:wupdate.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:12:44 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-12 18:29:38 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 10:13:01
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\DellTPad\hidfind.exe
C:\Program Files\DellTPad\ApntEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DELL\QuickSet\quickset.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-04-23 10:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 14:18:08

Pre-Run: 60,020,125,696 bytes free
Post-Run: 59,530,272,768 bytes free

296 --- E O F --- 2008-04-22 19:30:02


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:23 AM, on 4/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DELL\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DELL\QuickSet\quickset.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DELL Webcam Manager] "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - S-1-5-21-40607026-3291105624-1167355563-1001 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...s/wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11735 bytes
  • 0

Advertisements

#2
greyknight17
Posted 23 April 2008 - 09:30 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Uninstall RegCure via your Add/Remove Programs panel.

Open up the C:\Windows\wininit.ini file in Notepad. Copy and paste all the contents of that file here. Then delete everything inside that file. Copy & paste the below two lines into it and save it:

[rename]
nul=


Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Windows\System32\njihruyr.ini
C:\Windows\System32\djxplkbm.ini
C:\Windows\System32\qmftlfma.ini
C:\Windows\System32\ttamkuet.ini
C:\Windows\System32\hbocmpem.ini
C:\Windows\System32\hcyymyfb.ini
C:\Windows\System32\bpcgqfub.ini
C:\Windows\system32\wyqyqsel.dll
C:\Windows\system32\wupdate.exe
C:\Windows\Tasks\RegCure Program Check.job
C:\Windows\Tasks\RegCure.job
Folder::
C:\Program Files\RegCure
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F66DF53-CB1D-4A40-923B-34D2BA7A8488}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66ED71B-3E07-427F-85B0-BB8132D872C2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4dc634ec]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{105F2209-BFB8-3496-CB4D-D83134A3E5A3}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
Jfield
Posted 23 April 2008 - 01:50 PM

Jfield

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Ok, Things are looking good and I'm assuming that we're making some progress. I was wondering why you had m euninstall regcure. I thought it was a good program. Thanks for all of your help so far. Here are the log files you requested:

Contents of C:\Windows\wininit.ini:

[rename]
c:\tempjunk1724.tmp=C:\Windows\System32\awvtq.dll_old
nul=c:\tempjunk7481.tmp
c:\tempjunk394.tmp=C:\Windows\System32\efefc.dll_old
c:\tempjunk7311.tmp=C:\Windows\System32\fcyvt.dll_old
c:\tempjunk4867.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk7518.tmp=C:\Windows\System32\geedc.dll_old
c:\tempjunk5287.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk5226.tmp=C:\Windows\System32\ndlqcpyk.dll_old
c:\tempjunk7019.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk9053.tmp=C:\Windows\System32\bfymyych.dll_old
c:\tempjunk8128.tmp=C:\Windows\System32\fswuovry.dll_old
c:\tempjunk5191.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk8419.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk5839.tmp=C:\Windows\System32\teukmatt.dll_old
c:\tempjunk7691.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk8135.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk2417.tmp=C:\Windows\System32\mbklpxjd.dll_old
c:\tempjunk7077.tmp=C:\Windows\System32\wyqyqsel.dll_old
c:\tempjunk1645.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk7832.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk2796.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk9329.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk7863.tmp=C:\Windows\System32\geecb.dll
c:\tempjunk7481.tmp=C:\Windows\System32\geecb.dll



ComboFix 08-04-22.5 - 2008-04-23 15:44:25.2 - NTFSx86

Running from: C:\Users\Desktop\ComboFix.exe
Command switches used :: C:\Users\Desktop\CFScript.txt

FILE ::
C:\Windows\System32\bpcgqfub.ini
C:\Windows\System32\djxplkbm.ini
C:\Windows\System32\hbocmpem.ini
C:\Windows\System32\hcyymyfb.ini
C:\Windows\System32\njihruyr.ini
C:\Windows\System32\qmftlfma.ini
C:\Windows\System32\ttamkuet.ini
C:\Windows\system32\wupdate.exe
C:\Windows\system32\wyqyqsel.dll
C:\Windows\Tasks\RegCure Program Check.job
C:\Windows\Tasks\RegCure.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\bpcgqfub.ini
C:\Windows\System32\djxplkbm.ini
C:\Windows\System32\hbocmpem.ini
C:\Windows\System32\hcyymyfb.ini
C:\Windows\System32\njihruyr.ini
C:\Windows\System32\qmftlfma.ini
C:\Windows\System32\ttamkuet.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 10:20 . 2008-04-23 10:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 09:36 . 2008-04-23 09:36 <DIR> d-------- C:\VundoFix Backups
2008-04-23 00:01 . 2008-04-23 09:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-21 11:47 . 2008-04-21 11:47 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Users\All Users\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\ProgramData\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Program Files\Nero
2008-04-21 11:41 . 2008-04-21 11:45 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-19 17:50 . 2007-12-16 18:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-04-19 17:50 . 2007-12-16 05:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-04-19 17:20 . 2008-04-19 17:20 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-04-16 19:42 . 2008-04-16 19:42 <DIR> d-------- C:\Program Files\Apple Software Update(228)
2008-04-09 12:52 . 2008-04-09 12:52 129 --a------ C:\Windows\System32\MRT.INI
2008-04-09 08:44 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 08:44 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 08:44 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 08:44 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 08:44 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 08:44 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 08:44 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 08:44 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 08:44 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 08:01 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 07:56 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 07:56 . 2007-12-16 07:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 07:56 . 2007-12-16 07:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-08 21:23 . 2008-04-23 15:40 14 --a------ C:\Windows\wininit.ini
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000002.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000001.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 65,536 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TM.blf
2008-04-08 08:16 . 2008-04-11 08:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-05 15:33 . 2008-04-05 15:33 1,158 --a------ C:\Windows\mozver.dat
2008-04-05 14:29 . 2007-08-01 16:47 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-04-05 14:22 . 2008-04-05 19:42 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\HouseCall 6.6
2008-04-05 13:40 . 2008-04-23 11:14 262,144 --a------ C:\ntuser.dat
2008-04-05 13:40 . 2008-04-23 11:14 5,120 --ah----- C:\ntuser.dat.LOG1
2008-04-05 13:40 . 2008-04-08 20:52 0 --ah----- C:\ntuser.dat.LOG2
2008-04-04 21:34 . 2008-04-04 21:34 <DIR> d-------- C:\Users\Jason Mansfield\.dwa_store
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\AVSMedia
2008-04-03 13:50 . 2008-04-03 13:50 0 --a------ C:\Windows\nsreg.dat
2008-04-03 09:35 . 2008-04-03 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 11:05 . 2007-03-06 22:51 543,232 --a------ C:\Windows\System32\FWPUCLNT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 416,768 --a------ C:\Windows\System32\IKEEXT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 317,440 --a------ C:\Windows\System32\BFE.DLL
2008-04-02 11:05 . 2007-03-06 22:08 84,992 --a------ C:\Windows\System32\drivers\FWPKCLNT.SYS
2008-04-02 10:15 . 2008-04-19 21:35 <DIR> d-------- C:\Users\Jason Mansfield\.housecall6.6
2008-04-01 12:57 . 2008-04-01 12:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-31 09:35 . 2008-04-02 10:51 <DIR> d-------- C:\Program Files\Power Video Converter
2008-03-31 09:35 . 2008-03-31 09:35 <DIR> d-------- C:\movies
2008-03-31 09:35 . 2008-03-31 09:35 66 --a------ C:\Windows\Power Video Converter.INI
2008-03-31 09:30 . 2006-11-07 11:22 719,872 --a------ C:\Windows\System32\devil.dll
2008-03-31 09:30 . 2007-05-17 23:30 318,976 --a------ C:\Windows\System32\avisynth.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 19:41 --------- d-----w C:\Program Files\ReGetDx
2008-04-23 03:29 --------- d-----w C:\Users\AppData\Roaming\Zoom Player
2008-04-21 00:32 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 01:35 --------- d-----w C:\Users\AppData\Roaming\Winamp
2008-04-20 01:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-20 01:35 --------- d-----w C:\ProgramData\FLEXnet
2008-04-20 01:35 --------- d-----w C:\Program Files\Microsoft Works
2008-04-20 01:35 --------- d-----w C:\Program Files\GetDiz
2008-04-19 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 18:45 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-31 13:30 --------- d-----w C:\Program Files\Amadis Software
2008-03-21 04:07 188,135 ----a-w C:\Users\AppData\Roaming\nvModes.dat
2008-03-06 22:55 --------- d-----w C:\Program Files\Intelore
2008-02-29 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-14 07:07 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 07:04 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 07:04 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 07:04 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-03 20:27 174 --sha-w C:\Program Files\desktop.ini
2008-02-03 20:06 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-02-03 20:06 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-02-03 20:06 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-02-03 20:06 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-02-03 20:06 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-02-03 20:05 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-02-03 20:05 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-02-03 20:05 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-02-03 20:05 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-02-03 20:04 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-02-03 20:04 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-02-03 20:04 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-02-03 20:04 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-02-03 20:04 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-02-03 20:04 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-02-03 20:04 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-02-03 20:04 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-02-03 20:04 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-01-29 04:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-29 04:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-29 04:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-29 04:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-29 04:16 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-29 00:30 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-29 00:15 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-08-30 16:54 76 --sha-r C:\Windows\CT4CET.bin
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-19 00:02 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_10.17.30.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 14:12:20 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-23 19:32:41 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-23 14:12:52 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-23 14:57:00 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-23 14:57:00 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-23 14:12:52 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-23 14:56:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-23 14:56:54 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-23 01:08:27 104,868 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-23 19:35:25 104,868 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-23 01:08:28 621,552 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-23 19:35:25 621,552 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-22 19:26:30 10,260 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-40607026-3291105624-1167355563-1001_UserData.bin
+ 2008-04-23 14:57:03 10,896 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-40607026-3291105624-1167355563-1001_UserData.bin
- 2008-04-22 19:26:29 86,812 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-23 14:57:01 87,100 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:01 1232896]
"DELL Webcam Manager"="C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 12:14 118784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-05-11 02:57 159744]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 06:17 405504]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-30 12:52 77824]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"bacstray"="C:\Program Files\Broadcom\BACS\BacsTray.exe" [2007-01-14 12:42 124488]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-30 20:34 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-40607026-3291105624-1167355563-1001]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7FE41D3B-2131-4089-B5FC-868C18F3E4D0}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{1A88CDDC-500B-4CD5-B59A-756EBBB6E8FE}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E4F4B7EA-C727-4889-B564-A1C1B1BF68E9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{CC0C2EE7-DC23-4A23-BE48-7D83599AF712}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{A5FD891F-9904-43D6-9619-33FB4E3AA2C9}"= TCP:10421:SingleClick Discovery Protocol
"{4181A74C-9EA8-4103-8006-B9B1EE27D566}"= UDP:139:NetBIOS File/Printer Sharing
"{C4C44A5D-9AF4-4BEF-8444-85BB33FF5BAE}"= TCP:10426:SingleClick ICC
"{BADA4872-A6CB-4512-BB1B-72CAA4753D1D}"= UDP:445:Microsoft Directory Services
"{CCB3AAC9-D04C-46B1-843C-E7CE4EDF31D0}"= TCP:138:NetBIOS Datagram Service
"{1DD6585B-8618-411E-ABB3-42DBB9EE493F}"= TCP:137:NetBIOS Name Service
"{E6789448-3068-40E0-98D3-66F829EA1539}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2CBD1202-BD6D-4FB3-9D80-A2D673FEFF29}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{627BBABE-7F8A-4A45-8ECC-23922C8B2ECD}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{A689DABE-B1D5-4F41-B5AD-4FA98DA75B84}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{94E55BB9-25F3-4183-8E87-52C21966EE17}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4C18457E-B9A4-4416-A1C2-CF6C8D04ABE0}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B521C8FD-0751-42DA-B2C6-CCDD17388872}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EE64065F-51AD-438F-9A91-14E33848F3C4}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5C0B85DD-C35B-4042-889C-AF646B769C03}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B2A59812-E3C7-44D9-8C34-91E5907631A9}"= TCP:10421:SingleClick Discovery Protocol
"{48BB4D93-FADD-4E2D-BE45-82CFC3684692}"= UDP:139:NetBIOS File/Printer Sharing
"{E9CD84E0-A768-4FD3-B73C-26A1A9A583C6}"= TCP:10426:SingleClick ICC
"{88131F75-C549-4EC3-9B35-317B8041DEEC}"= UDP:445:Microsoft Directory Services
"{F540B393-3A65-48B5-AA77-4A9FFEF281AA}"= TCP:138:NetBIOS Datagram Service
"{07AD91C0-027A-4AC2-99AB-C6AE4AB78B5B}"= TCP:137:NetBIOS Name Service
"TCP Query User{401BD53F-55B9-49EA-AAB6-5EB05B5522FA}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{69D7C617-39CC-4516-B784-C7C950AD88A6}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"{74CCE313-9368-4D06-89DE-09567B722B77}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5F5E2C11-DB71-47A3-9800-B41F6B97F958}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{AB718675-DA16-4B99-A107-D3861555404D}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{4EA98336-4E84-4BB6-A206-2EF2BD2027DF}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{D9AAC2BC-E06D-46B0-8FA0-5BC04555BE56}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6EFEC5F1-6E7D-4506-A0E8-E8B7DCD9066D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{27B28D25-DDAB-44F2-BE9D-9DAB0ACA1F77}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{1E3A6628-303C-42BE-8E02-AA8C3224F1F3}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{584D9298-B006-404D-ADBE-1CD521BF4700}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{E4E84484-EDDC-4DAC-92F2-41A54A73A205}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"TCP Query User{F0B3D1D8-81C8-4CC7-9804-FB6BED257B0C}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{2880B2CA-DDDB-424C-8182-5701CFCF6191}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d066a3-fa73-11dc-8dfd-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a799-d0bc-11dc-9432-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a7ae-d0bc-11dc-9432-001c26f552eb}]
\shell\AutoRun\command - MntDrCore.exe
\shell\Open\command - MntDrCore.exe
\shell\Open With...\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b5fbbe2-f107-11dc-9644-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0e7422-d685-11dc-b5f6-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{973c19eb-ed23-11dc-901f-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eee2b3b-d643-11dc-8c50-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b73f6673-dcaa-11dc-bc2a-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 15:46:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-23 15:47:23
ComboFix-quarantined-files.txt 2008-04-23 19:47:17
ComboFix2.txt 2008-04-23 14:18:20

Pre-Run: 59,519,504,384 bytes free
Post-Run: 59,493,904,384 bytes free

288 --- E O F --- 2008-04-22 19:30:02
  • 0

#4
greyknight17
Posted 23 April 2008 - 07:47 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
If you paid for RegCure and want to continue using it, feel free to install it back. There have been bad reviews regarding this program. It could be just an opinion of others, but I have seen more than a handful of users giving it a bad review.

Did you run the Flash Disinfector yet? If not, please run it now since there are some infections there that requires attention.

Other than that, your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#5
Jfield
Posted 24 April 2008 - 06:03 AM

Jfield

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Ok, ran the flash disinfector so I guess I'm all set now. Thank You so much for all your help.
  • 0

#6
greyknight17
Posted 24 April 2008 - 07:25 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP