
TR/Vundo.Gen - help! [RESOLVED]


This topic is locked

#1 elliottrq (Member, 10 posts)

I'm getting pretty aggravated with this virus called TR/Vundo.Gen

I've tried several programs that deal with vundos, but I haven't had any luck with them, as they just can't even find this vundo.

My AntiVir Guard refuses to let me delete or put the virus in quarantine - well, I am able to put it in quarantine, but it just pops up again with no end. In addition, it is operating from the file C:\Windows\System32\efcBrOfF.dll, if that is any help, and although I have attempted to delete it, it (again) will not disappear, even if I manage to delete it with AntiVir Guard.

It has slowed down my Internet Explorer, as well as many of my general programs and also my networking, but I've been lucky in that it hasn't touched my documents and such.

Lastly, it seems to stop my computer's ability to conduct a system restore, both from regular and safe modes, both of which I have tried repeatedly (it gives the message that an unspecified error has interrupted the restore process).

Please help!!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:13 PM, on 4/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DNA\btdna.exe
C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics-H.This\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Users\Elliot\DOCUME~1\UPPERS~1\10THGR~1\Misc\progs\AVIRA-~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {6221C6A0-575D-4882-A697-6D8663282BEE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {E1B65598-B60A-4D48-86BB-93A5F1F4BB85} - C:\Windows\system32\efcBrOfF.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iiffFwxY.dll,#1
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [308b7c65] rundll32.exe "C:\Windows\system32\rmyuuayu.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [googletalk] C:\Users\Elliot\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Elliot\DOCUME~1\UPPERS~1\10THGR~1\Misc\progs\AVIRA-~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Elliot\DOCUME~1\UPPERS~1\10THGR~1\Misc\progs\AVIRA-~1\SPYBOT~1\SDHelper.dll (file missing)
O13 - Gopher Prefix:
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

I see you have two antivirus programs there (AntiVir and Avast). Decide which one to keep and uninstall one of them now.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {6221C6A0-575D-4882-A697-6D8663282BEE} - (no file)
O2 - BHO: (no name) - {E1B65598-B60A-4D48-86BB-93A5F1F4BB85} - C:\Windows\system32\efcBrOfF.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iiffFwxY.dll,#1
O4 - HKLM\..\Run: [308b7c65] rundll32.exe "C:\Windows\system32\rmyuuayu.dll",b


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Windows\system32\efcBrOfF.dll
C:\Windows\system32\iiffFwxY.dll
C:\Windows\system32\rmyuuayu.dll


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
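An added triage helper, not part of this thread and not a HijackThis or ComboFix tool: it scans the O2 (BHO) and O4 (Run key) lines of a HijackThis log for the entry patterns the reply above treats as Vundo indicators (a BHO registered with no name or pointing at a missing file, a Run value whose name is a bare hex string, rundll32 loading a system32 DLL through an ordinal or one-letter export) and collects the DLL paths behind them for checking. The sample lines are constructed from the log posted in this thread.

```python
"""Triage helper for a HijackThis v2 log (added example, not a HijackThis tool).

Scans the O2 (BHO) and O4 (Run key) lines for the entry patterns that the reply
above treats as Vundo indicators and lists the DLL paths they point at, so the
suspect entries can be reviewed before anything is fixed or deleted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted in this thread: the four
# entries greyknight17 asked to fix, plus benign neighbours that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6221C6A0-575D-4882-A697-6D8663282BEE} - (no file)
O2 - BHO: (no name) - {E1B65598-B60A-4D48-86BB-93A5F1F4BB85} - C:\Windows\system32\efcBrOfF.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iiffFwxY.dll,#1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [308b7c65] rundll32.exe "C:\Windows\system32\rmyuuayu.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# "rundll32[.exe] <dll>[,<export>] ..." with the DLL path optionally quoted
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*(?:,(?P<export>\S*))?', re.I)
SYSTEM32_RE = re.compile(r"\\system32\\(?P<base>[^\\]+)$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")          # e.g. [308b7c65]
ORDINAL_OR_ONE_CHAR_RE = re.compile(r"^(#\d+|.)$")   # e.g. ,#1  or  ,b


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return one Finding per suspicious O2/O4 line, with the reasons it was flagged."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []
    nameless_bho_dlls = set()   # basenames of DLLs behind nameless BHOs, for O4 cross-checks

    # Pass 1: Browser Helper Objects. Legitimate BHOs register a display name;
    # an unnamed one, or one whose CLSID points at a missing file, needs a look.
    for line in lines:
        m = O2_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
            sys32 = SYSTEM32_RE.search(m["path"])
            if sys32:
                nameless_bho_dlls.add(sys32["base"].lower())
        if m["path"] == "(no file)":
            reasons.append("BHO CLSID points at a file that no longer exists (orphaned registration)")
        if reasons:
            findings.append(Finding(line, reasons))

    # Pass 2: Run keys. rundll32 is a normal host (the NVIDIA entries use it), so
    # flag only a hex-looking value name or an ordinal / one-letter export of a system32 DLL.
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = []
        if HEX_NAME_RE.match(m["key"]):
            reasons.append(f"Run value name [{m['key']}] is a bare hex string")
        r = RUNDLL_RE.match(m["cmd"])
        if r:
            sys32 = SYSTEM32_RE.search(r["dll"])
            export = r["export"] or ""
            if sys32 and ORDINAL_OR_ONE_CHAR_RE.match(export):
                reasons.append(f"rundll32 loads {sys32['base']} from system32 via export '{export}'")
            base = (sys32["base"] if sys32 else r["dll"]).lower()
            if base in nameless_bho_dlls:
                reasons.append(f"{base} is also registered as a nameless BHO")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def suspect_dll_paths(findings):
    """Full DLL paths named in flagged lines: the files to verify on disk and submit for analysis."""
    paths = set()
    for f in findings:
        for m in re.finditer(r'[A-Za-z]:\\[^",]*?\.dll', f.line, re.I):
            paths.add(m.group(0))
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.line)
        for why in f.reasons:
            print("    ->", why)
    print("DLLs to check:", *suspect_dll_paths(found), sep="\n  ")
```

Treat the output as a review list, not an automatic fix: these are heuristics, and a nameless BHO or an odd export is a reason to verify the file, not proof on its own.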

#3 elliottrq (Topic Starter, Member, 10 posts)

Thank you so far!

I completed the first part and fixed those four files in HijackThis, but when I went to delete the three files in the System32 folder, not only could I not find C:\Windows\system32\rmyuuayu.dll (which I also searched for, just in case), but my computer would not let me delete either C:\Windows\system32\efcBrOfF.dll or C:\Windows\system32\iiffFwxY.dll because they were "being used in another program," although I had no other programs open at the time.

How should I proceed from here?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Continue with Combofix. We'll take care of those two files later...

#5 elliottrq (Topic Starter, Member, 10 posts)

OK, I ran ComboFix - here is the log from it:

ComboFix 08-04-24.1 - Elliot 2008-04-25 11:22:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1074 [GMT -4:00]
Running from: C:\Users\Elliot\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\adMpWvut.ini
C:\Windows\System32\adMpWvut.ini2
C:\Windows\system32\efcBrOfF.dll
C:\Windows\System32\FfOrBcfe.ini
C:\Windows\System32\FfOrBcfe.ini2
C:\Windows\System32\gPqssBeg.ini
C:\Windows\System32\gPqssBeg.ini2
C:\Windows\system32\ljJAQgff.dll
C:\Windows\system32\troibesw.dll
C:\Windows\system32\tuvWpMda.dll
C:\Windows\System32\wsebiort.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 19:11 . 2008-04-24 19:11 <DIR> d-------- C:\VundoFix Backups
2008-04-24 18:31 . 2008-04-24 18:31 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-04-24 17:57 . 2008-04-24 17:57 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\Auslogics
2008-04-24 17:37 . 2008-04-24 17:38 1,509,099 ---hs---- C:\Windows\System32\ipngwjak.ini
2008-04-24 17:27 . 2008-04-24 20:23 316 --a------ C:\Windows\wininit.ini
2008-04-24 01:54 . 2008-04-24 17:27 1,509,279 ---hs---- C:\Windows\System32\uyauuymr.ini
2008-04-24 01:38 . 2008-04-25 11:32 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-24 01:38 . 2008-04-24 01:38 1,409 --a------ C:\Windows\QTFont.for
2008-04-24 01:34 . 2008-04-24 01:36 524,288 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TMContainer00000000000000000002.regtrans-ms
2008-04-24 01:34 . 2008-04-24 01:36 524,288 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TMContainer00000000000000000001.regtrans-ms
2008-04-24 01:34 . 2008-04-24 01:36 65,536 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TM.blf
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 20:14 . 2008-04-24 20:01 262,144 --a------ C:\ntuser.dat
2008-04-23 20:14 . 2008-04-23 20:14 65,536 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TM.blf
2008-04-23 20:14 . 2008-04-23 20:14 65,536 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TM.blf
2008-04-23 20:14 . 2008-04-24 20:01 5,120 --ah----- C:\ntuser.dat.LOG1
2008-04-23 20:14 . 2008-04-23 20:14 0 --ah----- C:\ntuser.dat.LOG2
2008-04-23 13:58 . 2008-04-25 10:26 <DIR> d-------- C:\Users\All Users\Avira
2008-04-23 13:58 . 2008-04-25 10:26 <DIR> d-------- C:\ProgramData\Avira
2008-04-23 12:34 . 2008-04-24 17:49 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-23 12:34 . 2008-04-24 17:49 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-22 22:18 . 2008-04-22 06:06 102,400 --a------ C:\Windows\olgdqarf.exe
2008-04-22 22:18 . 2008-04-22 06:06 94,208 --a------ C:\Windows\wxvgsdbq.exe
2008-04-22 14:02 . 2008-04-22 14:02 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-04-22 14:02 . 2008-04-22 14:02 <DIR> d-------- C:\ProgramData\PopCap Games
2008-04-22 14:02 . 2008-04-24 01:31 <DIR> d-------- C:\Program Files\PopCap Games
2008-04-19 19:37 . 2008-04-19 19:37 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys
2008-04-17 22:35 . 2008-04-17 22:35 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 11:22 . 2008-04-17 11:22 <DIR> d-------- C:\Program Files\BFG
2008-04-15 18:19 . 2008-04-15 18:20 <DIR> d-------- C:\Users\All Users\Trymedia
2008-04-15 18:19 . 2008-04-15 18:20 <DIR> d-------- C:\ProgramData\Trymedia
2008-04-15 18:11 . 2008-04-25 11:28 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\DNA
2008-04-15 18:11 . 2008-04-24 01:31 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\BitTorrent
2008-04-15 18:11 . 2008-04-15 18:11 <DIR> d-------- C:\Program Files\DNA
2008-04-10 20:45 . 2008-04-10 20:45 <DIR> d-------- C:\Program Files\iPod
2008-04-10 20:44 . 2008-04-10 20:45 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 20:43 . 2008-04-10 20:43 <DIR> d-------- C:\Program Files\QuickTime
2008-04-10 17:08 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-10 17:08 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-10 17:08 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-10 17:08 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-10 17:08 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-10 17:08 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-10 17:08 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-10 17:08 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-10 17:08 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 14:54 . 2008-04-09 14:56 <DIR> d-------- C:\Windows\System32\Adobe
2008-03-29 01:09 . 2008-03-29 01:09 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 01:19 87,622 ----a-w C:\Users\Elliot\AppData\Roaming\nvModes.dat
2008-04-24 05:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-24 05:31 --------- d-----w C:\Program Files\Google
2008-04-23 06:13 --------- d-----w C:\Users\Elliot\AppData\Roaming\LimeWire
2008-04-21 19:53 --------- d-----w C:\Program Files\Hamachi
2008-04-20 03:36 --------- d-----w C:\Users\Elliot\AppData\Roaming\Hamachi
2008-04-11 15:21 --------- d-----w C:\Program Files\Windows Mail
2008-03-29 18:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-16 18:36 --------- d-----w C:\Program Files\VALVe
2008-03-03 00:11 --------- d-----w C:\ProgramData\CyberLink
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 05:21 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 05:16 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 05:16 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 05:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 05:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 05:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 05:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 05:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 05:14 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 05:14 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 05:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 05:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 05:14 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2008-01-29 04:49 26,955 ----a-w C:\Users\D\AppData\Roaming\nvModes.dat
2007-12-24 19:53 1,154,128 ----a-w C:\Program Files\R166917.ZIP
2007-11-27 18:43 174 --sha-w C:\Program Files\desktop.ini
2008-01-17 19:36 952 --sha-w C:\Windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-07 12:12 68856]
"Steam"="C:\Valve\Steam\Steam.exe" [2008-04-25 10:28 1271032]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 17:30 249856]
"googletalk"="C:\Users\Elliot\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 12:51 486856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-15 18:11 288576]
"SpybotSD TeaTimer"="C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-27 22:29 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-04 01:21 857648]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 06:17 405504]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-25 04:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-25 04:40 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-09-25 04:40 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-25 04:40 8478720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-27 14:59 1862144]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]

C:\Users\Elliot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-20 14:44:23 557568]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-12-06 16:29:32 3444008]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-27 14:54:16 50688]
hueyPROTray.lnk - C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe [2007-12-09 23:09:11 1081344]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-27 14:55:52 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-482938515-3665599901-2485918241-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{227F0A4B-EBBC-43D5-9FA8-3AFC81D13B09}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{D4BF930B-C520-475C-9325-A7222597E5EB}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{4B84B4B4-3A43-490E-871E-F3ABDC86539A}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{09D458BA-AFC7-4F4A-BBB6-193E24EB1AB5}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E8A8DEBE-90B9-4BC5-A236-CFD01B76F7E4}"= TCP:10421:SingleClick Discovery Protocol
"{439FBBE3-F1A0-4559-8963-B5F23B741F6E}"= UDP:139:NetBIOS File/Printer Sharing
"{C10599A8-981C-4C31-B068-7D349B529C6D}"= TCP:10426:SingleClick ICC
"{F53958CB-5A4B-4231-877E-F39EBA9D7ACF}"= UDP:445:Microsoft Directory Services
"{3CECF11C-B282-4DDD-AEBA-3592410F95A1}"= TCP:138:NetBIOS Datagram Service
"{D7E41DB4-4FC5-4E30-8FAE-61F69AF0C881}"= TCP:137:NetBIOS Name Service
"{483F0EC9-7E68-4F0E-8353-EF924E597B7D}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{6C2ADF7A-C088-4E4A-8A08-FF0BCD4A6A87}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{FB990295-EA83-41FB-9C84-57FBCBCED8D0}"= TCP:10421:SingleClick Discovery Protocol
"{8E120D8F-0C3F-409B-83C5-F4E52762E4F5}"= UDP:139:NetBIOS File/Printer Sharing
"{2EC8EB03-E81F-416B-8C6A-82179B814549}"= TCP:10426:SingleClick ICC
"{CB809F3C-3884-46AA-B7A2-3CF47CE08C83}"= UDP:445:Microsoft Directory Services
"{40615941-D943-4398-98B4-200F62718DBF}"= TCP:138:NetBIOS Datagram Service
"{CF265A68-9C4A-4A0B-95C2-AE078A22306A}"= TCP:137:NetBIOS Name Service
"{8630A8A3-D652-44A2-8075-1E3C58E99BD7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{93D2A290-EBF8-4690-AC10-B01DE79899F2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9D193681-4717-40EA-8BDF-9EFC96E7AA7D}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BBE30126-964E-4522-9AF9-D170212326D2}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FCB7860E-86B0-4820-8B03-FF592D1F68F1}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\LimeWire\LimeWire.exe:LimeWire
"{CDC516D6-A6E5-4460-8EB8-C2687AE149E6}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{302C0638-F2A2-452E-8A79-8C270A59872C}C:\\users\\elliot\\documents\\upper school\\10th grade\\misc\\progs\\limewire\\limewire.exe"= UDP:C:\users\elliot\documents\upper school\10th grade\misc\progs\limewire\limewire.exe:limewire.exe
"UDP Query User{0FA68659-2801-4754-AB63-6CC134941E27}C:\\users\\elliot\\documents\\upper school\\10th grade\\misc\\progs\\limewire\\limewire.exe"= TCP:C:\users\elliot\documents\upper school\10th grade\misc\progs\limewire\limewire.exe:limewire.exe
"TCP Query User{F2971E4A-741F-4BF9-B6C1-C35DA8E3DE39}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{16CB945F-6052-450B-AE0F-DDEA374D0DEC}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{77A7AEC3-3F1A-4A04-A494-F94B539437C5}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{BB105681-B2E7-400B-8121-A43D745FDF91}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{F27EC5C1-92BC-48B7-8159-DA6F028A1072}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{2D8811DE-7501-4767-AA56-8565FB7A55E7}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{80DDB913-280F-423C-BB44-4AA86FE46334}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9435EF03-9B98-4F37-BC1F-C2E420ECE197}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{5149FB04-C05B-4151-BE71-AA0D3693327E}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BACA84FA-754C-46DA-B367-0741DF9CA9C6}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F6651969-FD0A-4723-9998-0F782DCF0E6E}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{6740E1CA-D297-4733-B7D8-C4C4B47E69EB}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{146578A7-735A-4AE4-822F-00A7D2A4E244}C:\\program files\\valve\\counter-strike source\\hl2.exe"= UDP:C:\program files\valve\counter-strike source\hl2.exe:hl2
"UDP Query User{8214FEE5-47BB-42FD-9F76-72B2534F1DCD}C:\\program files\\valve\\counter-strike source\\hl2.exe"= TCP:C:\program files\valve\counter-strike source\hl2.exe:hl2
"{246377FB-30C4-4613-B25F-97FF38582262}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{255CD223-8E9A-4381-B892-2C9A3CD51FDD}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{94CD5CA7-491A-441C-90AB-57B93574CE34}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B0BC36A8-B5E1-438F-8A4E-1DEFC8411DC9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5458AC46-DEE6-4AF9-9BF2-8BC041083CEC}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{8090A3E3-2BDB-4925-B332-F40539079225}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{0F46E71D-BB44-4CD9-8FE9-035AF0EE0C63}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{CA53BC01-91D3-4E60-A0F5-D315D565F9D5}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{9A569BD9-33F1-43D2-93B5-B503440D3EE6}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{CEFFCC3B-C32F-4EDC-93AD-D92C3D73A80A}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\Elliot\\Documents\\Upper School\\10th Grade\\Misc\\progs\\BitT\\BitTorrent\\bittorrent.exe"= C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 14:32]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-04-29 01:24]
S2 SBSDWSCService;SBSD Security Center Service;C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\SDWinSec.exe []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S4 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-20 00:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2a3a3-c786-11dc-a3d1-001c23a8fbda}]
\shell\AutoRun\command - G:\AUTORUN.EXE

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 11:32:16
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\wlanext.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\System32\Locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\stacsv.exe
C:\Windows\System32\UI0Detect.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\VSSVC.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-04-25 11:38:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 15:38:43

Pre-Run: 44,565,549,056 bytes free
Post-Run: 44,697,014,272 bytes free

282 --- E O F --- 2008-04-18 00:15:52

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Double-click on C:\Windows\wininit.ini to open it in Notepad. Copy and paste the contents of that file here.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Windows\System32\ipngwjak.ini
C:\Windows\System32\uyauuymr.ini
C:\Windows\olgdqarf.exe
C:\Windows\system32\efcBrOfF.dll
C:\Windows\system32\iiffFwxY.dll
C:\Windows\wxvgsdbq.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?

#7
elliottrq

    Member

  • Topic Starter
  • Member
  • 10 posts
Here's the C:\Windows\wininit.ini contents:

[rename]
c:\tempjunk9458.tmp=C:\Windows\System32\efcBrOfF.dll
nul=c:\tempjunk3352.tmp
c:\tempjunk82.tmp=C:\Windows\System32\geBssqPg.dll_old
c:\tempjunk530.tmp=C:\Windows\System32\rmyuuayu.dll_old
c:\tempjunk3927.tmp=C:\Windows\System32\efcBrOfF.dll
c:\tempjunk3352.tmp=C:\Windows\System32\geBssqPg.dll_old


And here's the new log:

ComboFix 08-04-24.1 - Elliot 2008-04-25 14:42:29.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1192 [GMT -4:00]
Running from: C:\Users\Elliot\Desktop\ComboFix.exe
Command switches used :: C:\Users\Elliot\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\olgdqarf.exe
C:\Windows\system32\efcBrOfF.dll
C:\Windows\system32\iiffFwxY.dll
C:\Windows\System32\ipngwjak.ini
C:\Windows\System32\uyauuymr.ini
C:\Windows\wxvgsdbq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\olgdqarf.exe
C:\Windows\System32\ipngwjak.ini
C:\Windows\System32\uyauuymr.ini
C:\Windows\wxvgsdbq.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 19:11 . 2008-04-24 19:11 <DIR> d-------- C:\VundoFix Backups
2008-04-24 18:31 . 2008-04-24 18:31 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-04-24 17:57 . 2008-04-24 17:57 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\Auslogics
2008-04-24 17:27 . 2008-04-24 20:23 316 --a------ C:\Windows\wininit.ini
2008-04-24 01:38 . 2008-04-25 11:48 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-24 01:38 . 2008-04-24 01:38 1,409 --a------ C:\Windows\QTFont.for
2008-04-24 01:34 . 2008-04-24 01:36 524,288 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TMContainer00000000000000000002.regtrans-ms
2008-04-24 01:34 . 2008-04-24 01:36 524,288 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TMContainer00000000000000000001.regtrans-ms
2008-04-24 01:34 . 2008-04-24 01:36 65,536 --ahs---- C:\Users\Elliot\ntuser.dat{be2b1d9a-11be-11dd-a884-97a447a4f155}.TM.blf
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 20:14 . 2008-04-23 20:14 524,288 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 20:14 . 2008-04-24 20:01 262,144 --a------ C:\ntuser.dat
2008-04-23 20:14 . 2008-04-23 20:14 65,536 --ahs---- C:\ntuser.dat{595fa77f-118c-11dd-be18-001c23a8fbda}.TM.blf
2008-04-23 20:14 . 2008-04-23 20:14 65,536 --ahs---- C:\ntuser.dat{595fa773-118c-11dd-be18-001c23a8fbda}.TM.blf
2008-04-23 20:14 . 2008-04-24 20:01 5,120 --ah----- C:\ntuser.dat.LOG1
2008-04-23 20:14 . 2008-04-23 20:14 0 --ah----- C:\ntuser.dat.LOG2
2008-04-23 13:58 . 2008-04-25 10:26 <DIR> d-------- C:\Users\All Users\Avira
2008-04-23 13:58 . 2008-04-25 10:26 <DIR> d-------- C:\ProgramData\Avira
2008-04-23 12:34 . 2008-04-24 17:49 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-23 12:34 . 2008-04-24 17:49 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-22 14:02 . 2008-04-22 14:02 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-04-22 14:02 . 2008-04-22 14:02 <DIR> d-------- C:\ProgramData\PopCap Games
2008-04-22 14:02 . 2008-04-24 01:31 <DIR> d-------- C:\Program Files\PopCap Games
2008-04-19 19:37 . 2008-04-19 19:37 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys
2008-04-17 22:35 . 2008-04-17 22:35 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 11:22 . 2008-04-17 11:22 <DIR> d-------- C:\Program Files\BFG
2008-04-15 18:19 . 2008-04-15 18:20 <DIR> d-------- C:\Users\All Users\Trymedia
2008-04-15 18:19 . 2008-04-15 18:20 <DIR> d-------- C:\ProgramData\Trymedia
2008-04-15 18:11 . 2008-04-25 14:36 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\DNA
2008-04-15 18:11 . 2008-04-24 01:31 <DIR> d-------- C:\Users\Elliot\AppData\Roaming\BitTorrent
2008-04-15 18:11 . 2008-04-15 18:11 <DIR> d-------- C:\Program Files\DNA
2008-04-10 20:45 . 2008-04-10 20:45 <DIR> d-------- C:\Program Files\iPod
2008-04-10 20:44 . 2008-04-10 20:45 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 20:43 . 2008-04-10 20:43 <DIR> d-------- C:\Program Files\QuickTime
2008-04-10 17:08 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-10 17:08 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-10 17:08 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-10 17:08 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-10 17:08 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-10 17:08 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-10 17:08 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-10 17:08 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-10 17:08 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 14:54 . 2008-04-09 14:56 <DIR> d-------- C:\Windows\System32\Adobe
2008-03-29 01:09 . 2008-03-29 01:09 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 15:50 87,622 ----a-w C:\Users\Elliot\AppData\Roaming\nvModes.dat
2008-04-24 05:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-24 05:31 --------- d-----w C:\Program Files\Google
2008-04-23 06:13 --------- d-----w C:\Users\Elliot\AppData\Roaming\LimeWire
2008-04-21 19:53 --------- d-----w C:\Program Files\Hamachi
2008-04-20 03:36 --------- d-----w C:\Users\Elliot\AppData\Roaming\Hamachi
2008-04-11 15:21 --------- d-----w C:\Program Files\Windows Mail
2008-03-29 18:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-16 18:36 --------- d-----w C:\Program Files\VALVe
2008-03-03 00:11 --------- d-----w C:\ProgramData\CyberLink
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 05:21 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 05:16 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 05:16 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 05:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 05:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 05:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 05:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 05:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 05:14 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 05:14 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 05:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 05:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 05:14 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2008-01-29 04:49 26,955 ----a-w C:\Users\D\AppData\Roaming\nvModes.dat
2007-12-24 19:53 1,154,128 ----a-w C:\Program Files\R166917.ZIP
2007-11-27 18:43 174 --sha-w C:\Program Files\desktop.ini
2008-01-17 19:36 952 --sha-w C:\Windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_11.38.14.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 15:31:36 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-25 18:36:29 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-25 15:48:05 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-25 15:48:05 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-25 15:14:17 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-25 18:36:46 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-25 15:32:04 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-25 15:51:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-04-25 15:21:40 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-25 18:42:00 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-25 15:32:04 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-25 15:51:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-04-25 15:11:56 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-25 15:53:57 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-25 15:11:56 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-25 15:53:57 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-25 15:10:42 9,116 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-482938515-3665599901-2485918241-1000_UserData.bin
+ 2008-04-25 15:52:17 9,788 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-482938515-3665599901-2485918241-1000_UserData.bin
- 2008-04-25 15:10:42 72,328 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-25 15:52:17 72,656 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-25 15:10:30 43,738 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-25 15:52:14 44,344 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-25 15:08:59 289,576 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-04-25 18:36:41 290,724 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-07 12:12 68856]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 17:30 249856]
"googletalk"="C:\Users\Elliot\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 12:51 486856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-15 18:11 288576]
"SpybotSD TeaTimer"="C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-27 22:29 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-04 01:21 857648]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 06:17 405504]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-25 04:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-25 04:40 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-09-25 04:40 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-25 04:40 8478720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-27 14:59 1862144]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]

C:\Users\Elliot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-20 14:44:23 557568]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-12-06 16:29:32 3444008]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-27 14:54:16 50688]
hueyPROTray.lnk - C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe [2007-12-09 23:09:11 1081344]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-11-27 14:55:52 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-482938515-3665599901-2485918241-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{227F0A4B-EBBC-43D5-9FA8-3AFC81D13B09}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{D4BF930B-C520-475C-9325-A7222597E5EB}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{4B84B4B4-3A43-490E-871E-F3ABDC86539A}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{09D458BA-AFC7-4F4A-BBB6-193E24EB1AB5}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E8A8DEBE-90B9-4BC5-A236-CFD01B76F7E4}"= TCP:10421:SingleClick Discovery Protocol
"{439FBBE3-F1A0-4559-8963-B5F23B741F6E}"= UDP:139:NetBIOS File/Printer Sharing
"{C10599A8-981C-4C31-B068-7D349B529C6D}"= TCP:10426:SingleClick ICC
"{F53958CB-5A4B-4231-877E-F39EBA9D7ACF}"= UDP:445:Microsoft Directory Services
"{3CECF11C-B282-4DDD-AEBA-3592410F95A1}"= TCP:138:NetBIOS Datagram Service
"{D7E41DB4-4FC5-4E30-8FAE-61F69AF0C881}"= TCP:137:NetBIOS Name Service
"{483F0EC9-7E68-4F0E-8353-EF924E597B7D}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{6C2ADF7A-C088-4E4A-8A08-FF0BCD4A6A87}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{FB990295-EA83-41FB-9C84-57FBCBCED8D0}"= TCP:10421:SingleClick Discovery Protocol
"{8E120D8F-0C3F-409B-83C5-F4E52762E4F5}"= UDP:139:NetBIOS File/Printer Sharing
"{2EC8EB03-E81F-416B-8C6A-82179B814549}"= TCP:10426:SingleClick ICC
"{CB809F3C-3884-46AA-B7A2-3CF47CE08C83}"= UDP:445:Microsoft Directory Services
"{40615941-D943-4398-98B4-200F62718DBF}"= TCP:138:NetBIOS Datagram Service
"{CF265A68-9C4A-4A0B-95C2-AE078A22306A}"= TCP:137:NetBIOS Name Service
"{8630A8A3-D652-44A2-8075-1E3C58E99BD7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{93D2A290-EBF8-4690-AC10-B01DE79899F2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9D193681-4717-40EA-8BDF-9EFC96E7AA7D}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BBE30126-964E-4522-9AF9-D170212326D2}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FCB7860E-86B0-4820-8B03-FF592D1F68F1}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\LimeWire\LimeWire.exe:LimeWire
"{CDC516D6-A6E5-4460-8EB8-C2687AE149E6}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{302C0638-F2A2-452E-8A79-8C270A59872C}C:\\users\\elliot\\documents\\upper school\\10th grade\\misc\\progs\\limewire\\limewire.exe"= UDP:C:\users\elliot\documents\upper school\10th grade\misc\progs\limewire\limewire.exe:limewire.exe
"UDP Query User{0FA68659-2801-4754-AB63-6CC134941E27}C:\\users\\elliot\\documents\\upper school\\10th grade\\misc\\progs\\limewire\\limewire.exe"= TCP:C:\users\elliot\documents\upper school\10th grade\misc\progs\limewire\limewire.exe:limewire.exe
"TCP Query User{F2971E4A-741F-4BF9-B6C1-C35DA8E3DE39}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{16CB945F-6052-450B-AE0F-DDEA374D0DEC}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{77A7AEC3-3F1A-4A04-A494-F94B539437C5}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{BB105681-B2E7-400B-8121-A43D745FDF91}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{F27EC5C1-92BC-48B7-8159-DA6F028A1072}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{2D8811DE-7501-4767-AA56-8565FB7A55E7}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{80DDB913-280F-423C-BB44-4AA86FE46334}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9435EF03-9B98-4F37-BC1F-C2E420ECE197}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{5149FB04-C05B-4151-BE71-AA0D3693327E}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BACA84FA-754C-46DA-B367-0741DF9CA9C6}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F6651969-FD0A-4723-9998-0F782DCF0E6E}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{6740E1CA-D297-4733-B7D8-C4C4B47E69EB}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{146578A7-735A-4AE4-822F-00A7D2A4E244}C:\\program files\\valve\\counter-strike source\\hl2.exe"= UDP:C:\program files\valve\counter-strike source\hl2.exe:hl2
"UDP Query User{8214FEE5-47BB-42FD-9F76-72B2534F1DCD}C:\\program files\\valve\\counter-strike source\\hl2.exe"= TCP:C:\program files\valve\counter-strike source\hl2.exe:hl2
"{246377FB-30C4-4613-B25F-97FF38582262}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{255CD223-8E9A-4381-B892-2C9A3CD51FDD}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Citrus\LimeWire\LimeWire.exe:LimeWire
"{94CD5CA7-491A-441C-90AB-57B93574CE34}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B0BC36A8-B5E1-438F-8A4E-1DEFC8411DC9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5458AC46-DEE6-4AF9-9BF2-8BC041083CEC}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{8090A3E3-2BDB-4925-B332-F40539079225}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{0F46E71D-BB44-4CD9-8FE9-035AF0EE0C63}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{CA53BC01-91D3-4E60-A0F5-D315D565F9D5}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{9A569BD9-33F1-43D2-93B5-B503440D3EE6}"= UDP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent
"{CEFFCC3B-C32F-4EDC-93AD-D92C3D73A80A}"= TCP:C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:BitTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\Elliot\\Documents\\Upper School\\10th Grade\\Misc\\progs\\BitT\\BitTorrent\\bittorrent.exe"= C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\BitT\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 14:32]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-04-29 01:24]
S2 SBSDWSCService;SBSD Security Center Service;C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\SDWinSec.exe []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S4 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-20 00:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2a3a3-c786-11dc-a3d1-001c23a8fbda}]
\shell\AutoRun\command - G:\AUTORUN.EXE

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 14:45:16
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 14:46:19
ComboFix-quarantined-files.txt 2008-04-25 18:46:13
ComboFix2.txt 2008-04-25 15:38:50

Pre-Run: 44,494,860,288 bytes free
Post-Run: 44,460,646,400 bytes free

270 --- E O F --- 2008-04-18 00:15:52


The computer is running slightly better, but not nearly as well as normal. It's pretty laggy still.

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Open up C:\Windows\wininit.ini and delete all the lines in there. Copy and paste the below two lines into it instead and save it:

[rename]
nul=


Uninstall Viewpoint via the Add/Remove Programs panel. I also suggest uninstalling BitTorrent DNA as there seem to be some exploits with that program that may pose a security risk on the computer...

Did you uninstall AntiVir or Avast yet? Which one did you keep?

Let's try disabling a bunch of startup programs to see if it helps...

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [googletalk] C:\Users\Elliot\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Users\Elliot\Documents\Upper School\10th Grade\Misc\progs\Avira-Spybot-Auslogics\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
O4 - Global Startup: QuickSet.lnk = ?


Restart the computer and see if there's any improvement. If it's just a lag issue, we might have to ask you to post in the Windows board as the malware infection issue is resolved.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.
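The [rename] list posted in #7 and the two-line replacement given in this post, as an added example that is not part of the thread, VundoFix or any other tool: a Python triage helper that parses such a section, labels each entry by what it would do, and flags entries that cannot work as ordered. It assumes the classic wininit.ini semantics (`destination=source`; `NUL=source` deletes the source) and uses a constructed copy of the posted entries as input.

```python
"""Triage a wininit.ini [rename] section (added example; not code from the
forum thread, VundoFix or any other tool). Assumed semantics, as in the classic
wininit.ini format: every line under [rename] is `destination=source`, the
source is moved to the destination at the next start, and a destination of
NUL means the source is deleted."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a copy of the entries posted in the thread, used as input.
SAMPLE_WININIT = r"""[rename]
c:\tempjunk9458.tmp=C:\Windows\System32\efcBrOfF.dll
nul=c:\tempjunk3352.tmp
c:\tempjunk82.tmp=C:\Windows\System32\geBssqPg.dll_old
c:\tempjunk530.tmp=C:\Windows\System32\rmyuuayu.dll_old
c:\tempjunk3927.tmp=C:\Windows\System32\efcBrOfF.dll
c:\tempjunk3352.tmp=C:\Windows\System32\geBssqPg.dll_old
"""

# The two-line replacement recommended in the thread: one entry with no source.
NEUTRALIZED_WININIT = "[rename]\nnul=\n"

_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\")


@dataclass
class RenameEntry:
    destination: str
    source: str
    line_no: int


def parse_rename_section(text: str) -> list[RenameEntry]:
    """Return the destination=source pairs under [rename], in file order."""
    entries: list[RenameEntry] = []
    in_rename = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        entries.append(RenameEntry(dest, src, line_no))
    return entries


def classify(entry: RenameEntry) -> str:
    """Label one entry by what it would do at the next start."""
    if entry.destination.lower() == "nul":
        # `nul=` with nothing after it deletes nothing, which is why the
        # two-line replacement is inert.
        return "noop" if not entry.source else "delete"
    src_sys = bool(_SYSTEM_DIR.match(entry.source.lower()))
    dst_sys = bool(_SYSTEM_DIR.match(entry.destination.lower()))
    if src_sys and not dst_sys:
        # A locked DLL moved out of the Windows tree: what a cleanup tool leaves.
        return "move-out-of-system"
    if dst_sys:
        # A pending write into the Windows tree deserves a second look.
        return "write-into-system"
    return "other"


def triage(text: str) -> dict:
    """Classify every entry and report ordering problems in the list."""
    entries = parse_rename_section(text)
    labels = [(e.line_no, classify(e), e.destination, e.source) for e in entries]
    findings: list[str] = []
    moved: dict[str, int] = {}   # lower-cased source -> line that moves it
    created: set[str] = set()    # lower-cased destinations created so far
    for e in entries:
        kind = classify(e)
        if kind == "noop":
            continue
        if kind == "delete":
            if e.source.lower() not in created:
                findings.append(
                    f"line {e.line_no}: no earlier entry creates {e.source}; "
                    "unless the file already exists this delete does nothing")
            continue
        key = e.source.lower()
        if key in moved:
            findings.append(
                f"line {e.line_no}: {e.source} was already moved at line "
                f"{moved[key]}; this second rename cannot succeed")
        else:
            moved[key] = e.line_no
        created.add(e.destination.lower())
    return {"entries": labels, "findings": findings}


if __name__ == "__main__":
    print(*triage(SAMPLE_WININIT)["findings"], sep="\n")
```

On the posted list this reports three problems: the delete of c:\tempjunk3352.tmp comes before the rename that would create it, and both efcBrOfF.dll and geBssqPg.dll_old are named as a source twice.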

#9
elliottrq

    Member

  • Topic Starter
  • Member
  • 10 posts
Ok, I did everything there that you asked me to and the computer seems to be running fine! The only thing is that it still seems to start up more slowly when I first log in than it used to. I will try restarting once again to make sure that it isn't a one-time thing.

Actually, I'm now also noticing that connecting to wireless networks seems to be taking a lot longer as well. Is there anything to be done about that (again, I will restart it again to see if it is just a random occurrence)?

I uninstalled AntiVir.

Thank you so much for all your help! I really appreciate it! :)

#10
elliottrq

    Member

  • Topic Starter
  • Member
  • 10 posts
After restarting again twice, the startup speed has greatly improved, but connecting to networks takes a long time. Anything I should do?

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try turning off your modem/router for a minute or so and then turning it back on to see if it still takes a while to connect back.

If you still have problems with it, post this in the Networking section to see if anyone has other ideas on what could be wrong.

Post back one more time if all is well now (no more malware) so I can mark this topic as solved.

#12
elliottrq

    Member

  • Topic Starter
  • Member
  • 10 posts
Yes, all is well - problem solved. Thanks again!!!!!

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.