
Has Malware.trace and trojan.vundo [Solved]


This topic is locked

#1 Mhyles30 (New Member, 5 posts)
My problem started after I left my computer for a few minutes; when I got back I had an alert of infection. I think I may have downloaded the Defender/Antivirus 2009. I have removed it from my computer and I have changed from AVG to Avast antivirus. I have removed my Spyware Doctor and changed it to Spybot Search and Destroy. I have followed your advice in trying to solve the problem but the same thing is happening. Right now my computer automatically opens a page(s); sometimes I even hear some conversation about a certain product even though there is no window open. I have removed and reloaded Firefox and it's still doing the pop-up things; Avast seems to block some pages but the pop-ups still continue. I have run a complete scan using Avast and it showed 2 infections: malware.trace and trojan.vundo. I have run VundoFix but it didn't find the infections.

Here is the Hijackthis notepad info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:07 AM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {8D8344B2-1B88-40FE-90B0-FC607E84A3EC} - (no file)
O2 - BHO: {f8a9df70-81db-904a-5274-19dd3582d7da} - {ad7d2853-dd91-4725-a409-bd1807fd9a8f} - C:\WINDOWS\system32\hxhnvy.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt5_x.cab
O16 - DPF: Yahoo! Spelldown - http://origin.games....ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://origin.games....nts/y/wt1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183792047750
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - AppInit_DLLs: hxhnvy.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6799 bytes


I appreciate your help. This website is pretty informative.

Merry Christmas to all...


#2 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hi mhyles30 and welcome to Geeks to Go! My name is Dave and I'll be helping you out.

Let's do this to start:

1. ComboFix

Please download and save ComboFix from one of these locations:

Link 1 | Link 2 | Link 3

* It is very important that ComboFix is saved directly to your desktop.

Notes:
  • Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here.
  • ComboFix will temporarily disconnect your machine from the internet and change your clock settings, this is normal and both will be restored before the program terminates.
  • Do not attempt to run any programs or click on ComboFix's window while it is running, just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times, don't worry.
Next:
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
* Note: If the Recovery Console is already installed, ComboFix will ignore the installation routines and continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else.

When it's finished, the program's log will appear in notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply.

Cheers,
Dave

Edited by Transience, 24 December 2008 - 09:52 AM.


#3 Mhyles30 (Topic Starter, 5 posts)
Hi Dave! Thanks for replying right away. I did what you advised; my computer automatically rebooted while ComboFix was running. I noticed that Internet Explorer became my web browser instead of Firefox after I restarted, is that normal? Anyway, I changed it back to Firefox since I thought it's a safer browser. I am not seeing any pop-ups as I type this message. Should I be running a scan using my Avast? Here's the log:

ComboFix 08-12-23.01 - Maila 2008-12-24 9:03:06.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.327 [GMT -7:00]
Running from: c:\documents and settings\Maila\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Maila\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\aazalirt.exe
c:\windows\iddqdops.exe
c:\windows\jikglond.exe
c:\windows\jiklagka.exe
c:\windows\jungertab.exe
c:\windows\klopnidret.exe
c:\windows\ronitfst.exe
c:\windows\salrtybek.exe
c:\windows\seeukluba.exe
c:\windows\skaaanret.exe
c:\windows\system32\bmvhwlgf.dll
c:\windows\system32\hxhnvy.dll
c:\windows\tobmygers.exe
c:\windows\tobykke.exe
c:\windows\zibaglertz.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 08:05 . 2008-12-24 08:05 <DIR> d-------- C:\VundoFix Backups
2008-12-24 07:42 . 2008-12-24 07:42 <DIR> d-------- c:\program files\ERUNT
2008-12-24 07:32 . 2008-12-24 07:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-23 19:39 . 2008-12-23 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-23 18:28 . 2008-12-23 18:28 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 15:02 . 2008-12-23 15:02 <DIR> d-------- c:\documents and settings\Maila\Application Data\Malwarebytes
2008-12-23 15:00 . 2008-12-23 15:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 15:00 . 2008-12-23 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 15:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 15:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 13:30 . 2008-12-23 13:30 <DIR> d-------- C:\ProgramData
2008-12-23 13:30 . 2008-12-23 13:30 <DIR> d-------- c:\program files\Angle Interactive
2008-12-23 10:20 . 2008-12-23 10:20 178,176 --a------ C:\aqpbouph.exe
2008-12-23 10:20 . 2008-12-23 10:21 2 --a------ C:\63868068
2008-12-23 10:05 . 2008-12-23 10:05 45,056 --a------ c:\windows\system32\yAtqroPi.dll
2008-12-20 13:02 . 2008-12-20 13:02 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 13:02 . 2008-12-20 13:02 1,409 --a------ c:\windows\QTFont.for
2008-11-30 19:56 . 2008-11-30 19:56 <DIR> d-------- c:\temp\google
2008-11-30 19:56 . 2008-11-30 19:56 <DIR> d-------- C:\temp
2008-11-30 10:13 . 2008-11-30 10:13 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-05 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 17:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-12-27 21:11 251 ----a-w c:\program files\wt3d.ini
2005-02-14 21:09 111 ----a-w c:\program files\Common Files\Register.ini
2005-01-17 18:17 4,798,024 ----a-w c:\program files\Common Files\NetZeroCosmiSetup.exe
2004-11-08 19:10 1,115,136 ----a-w c:\program files\Common Files\Register.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hxhnvy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Maila^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=c:\documents and settings\Maila\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
--a------ 2006-03-31 16:39 204800 c:\acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-04-14 22:35 53248 c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boot]
--a------ 2006-03-15 22:12 579584 c:\acer\Empowering Technology\ePower\Boot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 18:30 1191936 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-10-13 03:04 184320 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
--------- 1999-10-10 19:00 41984 c:\windows\Ctregrun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
--a------ 2006-05-30 12:11 421888 c:\acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 c:\acer\Empowering Technology\eRecovery\eRAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 20:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2006-06-23 06:59 602112 c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 20:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 17:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 20:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 20:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-23 20:21 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 22:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-03 13:07 761946 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 03:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-27 23:54 16248320 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 03:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-23 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-23 20560]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys []
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9886c6c6-1965-11dd-9d4e-0016d41cfc0c}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\ifowopbu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8D8344B2-1B88-40FE-90B0-FC607E84A3EC} - (no file)
BHO-{ad7d2853-dd91-4725-a409-bd1807fd9a8f} - c:\windows\system32\hxhnvy.dll
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-cafwc - c:\program files\CA\eTrust Internet Security Suite\CA Personal Firewall\cafw.exe
MSConfigStartUp-CAVRID - c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
MSConfigStartUp-cctray - c:\program files\CA\eTrust Internet Security Suite\cctray\cctray.exe
MSConfigStartUp-eTrustPPAP - c:\program files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
MSConfigStartUp-OpwareSE4 - c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-QOELOADER - c:\program files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-5.1.17.0\QOELoader.exe
MSConfigStartUp-SDTray - c:\program files\Spyware Doctor\SDTrayApp.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Spelldown - hxxp://origin.games.yahoo.net/games/clients/y/sdt1_x.cab
c:\windows\Downloaded Program Files\Yahoo! Spelldown.osd

O16 -: Yahoo! Word Racer - hxxp://origin.games.yahoo.net/games/clients/y/wt1_x.cab
c:\windows\Downloaded Program Files\Yahoo! Word Racer.osd
FF - ProfilePath - c:\documents and settings\Maila\Application Data\Mozilla\Firefox\Profiles\aa34a4oi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 09:07:51
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-24 9:11:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 16:10:56

Pre-Run: 18,158,551,040 bytes free
Post-Run: 18,142,658,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

281 --- E O F --- 2008-12-22 16:08:51

Thank you,
Mhyles

#4 Transience (Retired Staff, 2,448 posts)
Hi mhyles30 -

Looking better, still a few leftovers to take care of:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
File::
C:\aqpbouph.exe
C:\63868068
c:\windows\system32\yAtqroPi.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9886c6c6-1965-11dd-9d4e-0016d41cfc0c}]

SysRst::
Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed the log should appear automatically; if it doesn't it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Just need the CF log next, and give me a full update on the PC - are you still experiencing any problems?

Cheers,
Dave
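The entries Dave singled out from the HijackThis log in the first post (the GUID-named BHO loading hxhnvy.dll from system32, the same DLL in AppInit_DLLs, the orphan BHO with no file, and the site in the IE Trusted Zone) are exactly the kind of thing that can be triaged mechanically before anyone writes a CFScript. The script below is an added example and is not part of the original thread, HijackThis or ComboFix. It parses the O2, O15 and O20 line formats, applies a few heuristic rules (my own, not a published ruleset) and correlates a DLL that persists through more than one mechanism. The log lines it runs on are a constructed sample modelled on the posted log; the benign Spybot and avast! entries are there to show that the rules leave them alone.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0 log format, modelled on the log in the first
# post. The hxhnvy.dll entries mirror the ones ComboFix later removed; the others are
# ordinary entries that a triage script must NOT flag.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f8a9df70-81db-904a-5274-19dd3582d7da} - {ad7d2853-dd91-4725-a409-bd1807fd9a8f} - C:\WINDOWS\system32\hxhnvy.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O20 - AppInit_DLLs: hxhnvy.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    entry: str      # HijackThis line type, e.g. "O20", or "O2+O20" for a correlation
    severity: str   # "high", "medium" or "low"
    indicator: str  # what matched: a DLL basename, a CLSID or a site
    reason: str


# Line formats as HijackThis 2.0 prints them.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>.*)$")
# A display name that is itself a bare GUID (Vundo-style randomised registration).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (8.3 or long form)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    """Return Findings for the suspicious O2/O15/O20 entries in a HijackThis log."""
    findings = []
    bho_dlls = {}        # DLL basename -> CLSID it is registered under
    appinit_dlls = set()

    for line in log_text.splitlines():
        line = line.strip()

        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            if path == "(no file)":
                # Orphan registration: nothing loads, but the CLSID should still go.
                findings.append(Finding("O2", "low", clsid,
                                        "BHO registered but its DLL is missing (orphan); remove the CLSID"))
                continue
            bho_dlls[basename(path)] = clsid
            if GUID_RE.match(name):
                findings.append(Finding("O2", "high", basename(path),
                                        "BHO display name is a bare GUID; randomised registration typical of Vundo"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is injected into every process that loads user32.dll;
            # on a home PC a non-empty value is almost never legitimate.
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll:
                    appinit_dlls.add(dll.lower())
                    findings.append(Finding("O20", "high", dll.lower(),
                                            "AppInit_DLLs loads this DLL into every user32 process"))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            findings.append(Finding("O15", "medium", m.group("site"),
                                    "site in the IE Trusted Zone runs with relaxed security settings"))

    # Correlation: one DLL persisting through two mechanisms is an infection, not a leftover.
    for dll in sorted(appinit_dlls & set(bho_dlls)):
        findings.append(Finding("O2+O20", "high", dll,
                                "same DLL persists as a BHO and via AppInit_DLLs"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry:7} {f.indicator}: {f.reason}")
```

To triage a real log, pass the file contents to triage(). The severities are deliberately uneven: the orphan BHO only rates low because nothing loads from it, while the AppInit_DLLs entry rates high on its own and the O2+O20 correlation is what turns a single odd DLL into a clear fix target.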

#5 Mhyles30 (Topic Starter, 5 posts)
So far I am not seeing any problem, no pop-ups of any kind. The only thing is, Spybot Search and Destroy was showing me a prompt; it's asking me if I allow an important change in my registry. I am so afraid to allow anything right now after what happened, so I selected no. This prompt came up after I did the last thing you asked me to do. I am not sure if it will affect the ComboFix. Here is the log:

ComboFix 08-12-23.01 - Maila 2008-12-24 15:07:55.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.558 [GMT -7:00]
Running from: c:\documents and settings\Maila\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maila\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\63868068
C:\aqpbouph.exe
c:\windows\system32\yAtqroPi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\63868068
C:\aqpbouph.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\yAtqroPi.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 08:05 . 2008-12-24 08:05 <DIR> d-------- C:\VundoFix Backups
2008-12-24 07:42 . 2008-12-24 07:42 <DIR> d-------- c:\program files\ERUNT
2008-12-24 07:32 . 2008-12-24 07:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-23 19:39 . 2008-12-23 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-23 18:28 . 2008-12-23 18:28 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 15:02 . 2008-12-23 15:02 <DIR> d-------- c:\documents and settings\Maila\Application Data\Malwarebytes
2008-12-23 15:00 . 2008-12-23 15:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 15:00 . 2008-12-23 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 15:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 15:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 13:30 . 2008-12-23 13:30 <DIR> d-------- C:\ProgramData
2008-12-23 13:30 . 2008-12-23 13:30 <DIR> d-------- c:\program files\Angle Interactive
2008-12-20 13:02 . 2008-12-24 15:00 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 13:02 . 2008-12-20 13:02 1,409 --a------ c:\windows\QTFont.for
2008-11-30 19:56 . 2008-11-30 19:56 <DIR> d-------- c:\temp\google
2008-11-30 19:56 . 2008-11-30 19:56 <DIR> d-------- C:\temp
2008-11-30 10:13 . 2008-11-30 10:13 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-05 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 17:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-12-27 21:11 251 ----a-w c:\program files\wt3d.ini
2005-02-14 21:09 111 ----a-w c:\program files\Common Files\Register.ini
2005-01-17 18:17 4,798,024 ----a-w c:\program files\Common Files\NetZeroCosmiSetup.exe
2004-11-08 19:10 1,115,136 ----a-w c:\program files\Common Files\Register.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 9.09.57.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-23 18:00:44 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-24 17:00:28 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-23 18:00:44 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-24 17:00:28 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-23 18:00:44 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-24 17:00:28 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-24 21:55:08 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_178.dat
+ 2008-12-24 21:54:54 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_658.dat
+ 2008-12-24 21:58:08 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_878.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aqpbouph.exe
2008-12-23 10:20 178176 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP6\A0000597.exe

2008-12-24 09:10 1142 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegBHO-Global.reg
2008-12-24 09:00 1142 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000520.reg

2008-12-24 09:10 122 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDCMD-Maila.reg
2008-12-24 09:00 78 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000480.reg

2008-12-24 09:10 145 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDContxM-Global.reg
2008-12-24 09:00 145 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000472.reg

2008-12-24 09:10 135 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDFind-Maila.reg
2008-12-24 09:00 135 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000471.reg

2008-12-24 09:10 132 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDGB-Maila.reg
2008-12-24 09:00 78 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000478.reg

2008-12-24 09:10 151 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDMyCProp-Maila.reg
2008-12-24 09:00 151 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000470.reg

2008-12-24 09:10 152 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDMyDProp-Maila.reg
2008-12-24 09:00 152 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000469.reg

2008-12-24 09:10 11638 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDPF-Global.reg
2008-12-24 09:00 11638 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000519.reg

2008-12-24 09:10 133 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDRegT-Global.reg
2008-12-24 09:00 148 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000476.reg

2008-12-24 09:10 132 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDRegT-Maila.reg
2008-12-24 09:00 78 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000479.reg

2008-12-24 09:10 128 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDScrP-Maila.reg
2008-12-24 09:00 78 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000477.reg

2008-12-24 09:10 132 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDSysRes-Global.reg
2008-12-24 09:00 89 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000474.reg

2008-12-24 09:10 136 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDSysResC-Global.reg
2008-12-24 09:00 89 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000475.reg

2008-12-24 09:10 142 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDTaskMgr-Global.reg
2008-12-24 09:00 142 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000473.reg

2008-12-24 09:10 60 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDummy-Maila.reg
2008-12-24 09:00 60 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000531.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtBat-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000502.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCmd-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000496.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCom-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000501.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtExe-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000500.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtPif-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000499.reg

2008-12-24 09:10 86 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtReg-Global.reg
2008-12-24 09:00 86 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000497.reg

2008-12-24 09:10 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtScr-Global.reg
2008-12-24 09:00 77 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000498.reg

2008-12-24 09:10 81 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBME-Global.reg
2008-12-24 09:00 81 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000515.reg

2008-12-24 09:10 116 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP1-Global.reg
2008-12-24 09:00 116 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000509.reg

2008-12-24 09:10 352 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2a-Global.reg
2008-12-24 09:00 352 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000506.reg

2008-12-24 09:10 516 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2b-Global.reg
2008-12-24 09:00 516 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000505.reg

2008-12-24 09:10 277 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP3-Global.reg
2008-12-24 09:00 277 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000504.reg

2008-12-24 09:10 116 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP4-Global.reg
2008-12-24 09:00 83 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000503.reg

2008-12-24 09:10 186 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB1-Global.reg
2008-12-24 09:00 186 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000521.reg

2008-12-24 09:10 240 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB2-Global.reg
2008-12-24 09:00 240 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000517.reg

2008-12-24 14:58 87 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGCP-Global.reg
2008-12-24 09:00 87 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000466.reg
2008-12-24 09:10 87 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000586.reg

2008-12-24 09:10 88 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGIESH-Global.reg
2008-12-24 09:00 88 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000483.reg

2008-12-24 09:10 89 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVW-Global.reg
2008-12-24 09:00 244 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000493.reg

2008-12-24 09:10 336 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVWL-Global.reg
2008-12-24 09:00 336 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000491.reg

2008-12-24 09:10 673 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1-Global.reg
2008-12-24 09:00 673 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000526.reg

2008-12-24 09:10 205 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1SM-Global.reg
2008-12-24 09:00 205 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000488.reg

2008-12-24 15:07 86 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2-Global.reg
2008-12-23 21:25 191 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP4\A0000423.reg
2008-12-24 09:10 86 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000589.reg

2008-12-24 09:10 205 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2SM-Global.reg
2008-12-24 09:00 205 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000487.reg

2008-12-24 09:10 90 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3-Global.reg
2008-12-24 09:00 90 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000524.reg

2008-12-24 09:10 180 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3SM-Global.reg
2008-12-24 09:00 81 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000486.reg

2008-12-24 09:10 94 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS4-Global.reg
2008-12-24 09:00 94 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000523.reg

2008-12-24 09:10 13929 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSS-Global.reg
2008-12-24 09:00 13737 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000481.reg

2008-12-24 09:10 383 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSSODL-Global.reg
2008-12-24 09:00 383 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000489.reg

2008-12-24 09:10 6906 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGWLN-Global.reg
2008-12-24 09:00 6906 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000482.reg

2008-12-24 09:10 1142 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBME-Maila.reg
2008-12-24 09:00 1142 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000516.reg

2008-12-24 09:10 115 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP1-Maila.reg
2008-12-24 09:00 115 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000514.reg

2008-12-24 09:10 290 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2a-Maila.reg
2008-12-24 09:00 290 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000513.reg

2008-12-24 09:10 407 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2b-Maila.reg
2008-12-24 09:00 407 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000512.reg

2008-12-24 09:10 177 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP3-Maila.reg
2008-12-24 09:00 79 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000511.reg

2008-12-24 09:10 115 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP4-Maila.reg
2008-12-24 09:00 115 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000510.reg

2008-12-24 09:10 3734 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB1-Maila.reg
2008-12-24 09:00 3734 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000522.reg

2008-12-24 09:10 86 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB2-Maila.reg
2008-12-24 09:00 86 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000518.reg

2008-12-24 09:10 113 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUCP-Maila.reg
2008-12-24 09:00 113 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000495.reg

2008-12-24 09:10 136 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUDesk-Maila.reg
2008-12-24 09:00 136 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000485.reg

2008-12-24 09:10 132 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUIESH-Maila.reg
2008-12-24 09:00 132 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000484.reg

2008-12-24 09:10 235 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVW-Maila.reg
2008-12-24 09:00 208 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000494.reg

2008-12-24 09:10 390 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVWL-Maila.reg
2008-12-24 09:00 390 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000492.reg

2008-12-24 09:10 213 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS1-Maila.reg
2008-12-24 09:00 213 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000530.reg

2008-12-24 09:10 85 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS2-Maila.reg
2008-12-24 09:00 85 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000529.reg

2008-12-24 09:10 89 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS3-Maila.reg
2008-12-24 09:00 89 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000528.reg

2008-12-24 09:10 93 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS4-Maila.reg
2008-12-24 09:00 93 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000527.reg

2008-12-24 09:10 105 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUSSODL-Maila.reg
2008-12-24 09:00 105 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000490.reg

2008-12-24 14:54 229320 c:\program files\Alwil Software\Avast4\DATA\aswar0.dll
2008-12-23 20:39 229320 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP4\A0000414.dll
2008-12-24 09:06 229320 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000581.dll

2008-12-24 14:54 391216 c:\program files\Alwil Software\Avast4\DATA\clnr0.dll
2008-12-23 20:39 391216 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP4\A0000412.dll
2008-12-24 09:06 391216 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000579.dll

2008-12-24 14:54 9080 c:\program files\Alwil Software\Avast4\DATA\exts0.dll
2008-12-23 20:39 9080 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP4\A0000413.dll
2008-12-24 09:06 9080 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000580.dll

c:\windows\aazalirt.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000437.exe

c:\windows\iddqdops.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000438.exe

c:\windows\jikglond.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000439.exe

c:\windows\jiklagka.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000440.exe

c:\windows\jungertab.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000441.exe

c:\windows\klopnidret.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000442.exe

c:\windows\ronitfst.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000443.exe

c:\windows\salrtybek.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000444.exe

c:\windows\seeukluba.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000445.exe

c:\windows\skaaanret.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000446.exe

c:\windows\system32\bmvhwlgf.dll
2008-12-23 10:11 130048 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000450.dll

c:\windows\system32\HXHNVY.DLL
2008-12-23 10:11 130048 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000451.DLL

c:\windows\system32\yAtqroPi.dll
2008-12-23 10:05 45056 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP6\A0000598.dll

c:\windows\tobmygers.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000447.exe

c:\windows\tobykke.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000448.exe

c:\windows\zibaglertz.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000449.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Maila^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=c:\documents and settings\Maila\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
--a------ 2006-03-31 16:39 204800 c:\acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-04-14 22:35 53248 c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boot]
--a------ 2006-03-15 22:12 579584 c:\acer\Empowering Technology\ePower\Boot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-03-21 18:30 1191936 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-10-13 03:04 184320 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
--------- 1999-10-10 19:00 41984 c:\windows\Ctregrun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
--a------ 2006-05-30 12:11 421888 c:\acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 c:\acer\Empowering Technology\eRecovery\eRAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 20:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2006-06-23 06:59 602112 c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 20:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 17:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 20:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 20:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-23 20:21 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 22:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-03 13:07 761946 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-27 23:54 16248320 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 03:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-23 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-23 20560]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys []
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\ifowopbu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8D8344B2-1B88-40FE-90B0-FC607E84A3EC} - (no file)
BHO-{ad7d2853-dd91-4725-a409-bd1807fd9a8f} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Spelldown - hxxp://origin.games.yahoo.net/games/clients/y/sdt1_x.cab
c:\windows\Downloaded Program Files\Yahoo! Spelldown.osd

O16 -: Yahoo! Word Racer - hxxp://origin.games.yahoo.net/games/clients/y/wt1_x.cab
c:\windows\Downloaded Program Files\Yahoo! Word Racer.osd
FF - ProfilePath - c:\documents and settings\Maila\Application Data\Mozilla\Firefox\Profiles\aa34a4oi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 15:10:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-24 15:11:46
ComboFix-quarantined-files.txt 2008-12-24 22:11:44
ComboFix2.txt 2008-12-24 16:11:04

Pre-Run: 18,132,074,496 bytes free
Post-Run: 18,113,167,360 bytes free

417 --- E O F --- 2008-12-22 16:08:51
  • 0
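The ComboFix log above is the kind of thing a helper reads by eye: the files ComboFix removed, the BITS "possible infected sites" entry, zero-byte executables left behind in restore points, a randomly named .job that only launches rundll32.exe, and BHO orphans with no backing file. As an added example that is not part of the original post and not ComboFix's own code, the script below splits a ComboFix log on its section banners and pulls those indicators out of an excerpt copied from this log. The directory list, the 6-10 character "random name" rule and the category labels are assumptions tuned to this log; the restore-point and scheduled-task findings are things to look at, not verdicts.

```python
r"""Triage a ComboFix log for the Vundo-style artefacts seen in the post above.

Added example for this thread, not ComboFix's own code and not a detection
signature: it splits the log on ComboFix's section banners and applies a few
heuristics (see the comments).  The 6-10 character "random name" check is an
assumption tuned to this log and will produce false positives elsewhere.
"""
import re
from collections import defaultdict

SECTION_HEADERS = [
    re.compile(r"^\(+\s*(.+?)\s*\)+$"),               # ((( Other Deletions )))
    re.compile(r"^-{5}\s*(.+?)\s*-{5}$"),             # ----- BITS: ... -----
    re.compile(r"^Contents of the '(.+?)' folder$"),  # Scheduled Tasks
    re.compile(r"^(?:- ){4}(.+?)(?: -){4}$"),         # - - - - ORPHANS REMOVED - - - -
]
# Directories where a freshly dropped, randomly named PE deserves a look (assumption).
DROP_DIRS = ("c:\\", "c:\\windows\\", "c:\\windows\\system32\\")
PE_NAME = re.compile(r"^[a-z0-9]{6,10}\.(?:exe|dll)$", re.IGNORECASE)
# A System Restore copy line: "<date> <time> <size> {GUID}\RP5\A0000437.exe"
RESTORE_COPY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (\d+) \{[0-9A-Fa-f-]+\}\\RP\d+\\")
# Constructed excerpt: lines copied from the ComboFix log in the post above,
# cut down to the sections the heuristics read.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\63868068
C:\aqpbouph.exe
c:\windows\system32\yAtqroPi.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
C:\aqpbouph.exe
2008-12-23 10:20 178176 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP6\A0000597.exe
c:\windows\aazalirt.exe
2008-12-23 14:02 0 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000437.exe
c:\program files\Alwil Software\Avast4\DATA\aswar0.dll
2008-12-23 20:39 229320 {099D30DC-C26B-4E90-9285-C34D0601D32B}\RP4\A0000414.dll
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\ifowopbu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{8D8344B2-1B88-40FE-90B0-FC607E84A3EC} - (no file)
"""


def parse_sections(text):
    """Group log lines under the ComboFix banner that precedes them."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        for pat in SECTION_HEADERS:
            m = pat.match(line)
            if m:
                current = m.group(1)
                break
        else:
            sections[current].append(line)
    return sections


def random_drop(path):
    r"""True for c:\windows\system32\yAtqroPi.dll, False for a vendor directory."""
    directory, _, name = path.lower().rpartition("\\")
    return (directory + "\\") in DROP_DIRS and PE_NAME.match(name) is not None


def triage(text):
    """Return (category, detail) findings, in log order, for one ComboFix log."""
    s = parse_sections(text)
    findings = [("deleted", p) for p in s["Other Deletions"]]
    findings += [("bits-site", u) for u in s["BITS: Possible infected sites"]]
    live = None  # System Restore: a live path line, then one or more RP copies
    for line in s["System Restore"]:
        m = RESTORE_COPY.match(line)
        if not m:
            live = line
        elif live and random_drop(live):
            kind = "zero-byte restore copy" if m.group(1) == "0" else "random-name restore copy"
            findings.append((kind, live))
    job = None  # Scheduled Tasks: "<date> <path>.job" followed by "- <command> [...]"
    for line in s["Scheduled Tasks"]:
        if line.lower().endswith(".job"):
            job = line.split(" ", 1)[1]
        elif job and line.startswith("- ") and "rundll32.exe" in line.lower():
            findings.append(("rundll32-job", job))
            job = None
    findings += [("orphan-bho", l) for l in s["ORPHANS REMOVED"] if "(no file)" in l]
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run it against a full ComboFix.txt by passing the file contents to triage(); the Avast entry in the excerpt is there to show that vendor directories are left alone, and anything flagged under System Restore disappears once the old restore points are cleared at the end of the cleanup.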

#6
Transience

Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi mhyles -

it's asking me if I allow an important change in my registry

Can you get me the full text or a screenshot of that error message if it comes up again? I'd like to see what changes Spybot is complaining about. It's probably something triggered by ComboFix, but it's a good thing to check on.

Your CF log looks good, I don't see any more malware, so let's run a final check with MBAM and then an online scan:

1. ATF Cleaner

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here or here.

Double-click mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so and allow MBAM to finish.

3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum in your next reply.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky as well as anything you can get on that Spybot error message, and we should soon have you on your way :).

- Dave
  • 0

#7
Mhyles30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Merry Christmas Dave! Here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1544
Windows 5.1.2600 Service Pack 3

12/25/2008 10:59:12 AM
mbam-log-2008-12-25 (10-59-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125824
Time elapsed: 20 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Dec 25 11:02:31 2008

------------------------------------

Finished reporting.

Below is the Kaspersky Online Scanner Report - it showed that my computer is infected:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 25, 2008 07:09:40
Records in database: 1512528
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 75962
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:55:17


File name / Threat name / Threats count
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000450.dll Infected: Trojan.Win32.Monder.afdj 1
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000451.DLL Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmvhwlgf.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hxhnvy.dll.vir Infected: Trojan.Win32.Monder.afdj 1

The selected area was scanned.


A few times Spybot prompted me about the registry changes again and I disallowed all of them. I saved the screenshots in OpenOffice Draw, but they won't attach to this message; it says I am not allowed to upload this type of file.

-Mhyles
  • 0

#8
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Merry Christmas to you too, I hope it was a good one. Your logs are clean - the files Kaspersky detected are in quarantine already and harmless, we'll clear them out in a bit. As such, we can be pretty sure the registry changes Spybot is asking you about are from something legitimate - it's fine if you want to allow them.

We have a couple last things to take care of and then you're good to go.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTCleanIt is a small program that removes all the leftover tools and logs from the cleanup of malware.

Please download OTCleanIt! to your desktop.
  • Double-click OTCleanIt.exe to run it. (Vista users, please right click on OTCleanIt.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your firewall or other protection attempts to block OTCleanIt's attempts to reach the internet, please allow it to run.
  • Click Yes to begin the Cleanup process and remove the tools we used, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: RSIT is not currently removed by OTCleanIt. If we used RSIT, feel free to delete RSIT.exe and the logfiles it created manually as they have no further use to you.

Now to get you off to a good start we will clean your system restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Proper use of antivirus and firewall
Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure nothing has slipped through your protection. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Finally, for a great tutorial on how to get the best protection out of your firewall, visit this link.

Safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent: faster, safer, more powerful and more functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will help you to make IE much safer.

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in a vast majority of cases, and the benefits simply aren't worth the risk to your computer.

A couple other useful utilities:
ATF Cleaner: Cleans unnecessary temporary files from your computer, run regularly to save disk space and keep your computer performing smoothly.
McAfee SiteAdvisor: A great Firefox add-on that puts McAfee's database of tested sites at your fingertips so you can know whether or not that link you're about to click is safe.

Windows Updates
Along with keeping all of the programs above that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and keep you safe. You can update them at this site if they don't automatically install for you: http://www.windowsupdate.com. If you have automatic updates, you should always install them as soon as possible; that little bit of extra time is well worth it compared to getting infected through an exploit and having to clean your PC again.

And finally, see TonyKlein's good advice (recently rewritten by our own admin Kat) which reinforces and extends on some of the above concepts:
So how did I get infected in the first place?

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave
  • 0
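One way to apply Dave's point above, that hits inside System Restore points and the ComboFix quarantine folder are leftovers rather than live infections, is to sort a scanner report by where each detection lives. This Python script is an added example, not from the thread, Kaspersky or ComboFix: the detection-line layout is taken from the report posted in #7, and the path rules and the final placeholder line are assumptions/constructed for illustration.

```python
import re
from collections import Counter

# One detection line of a Kaspersky Online Scanner 7 report has the shape:
#   <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Locations whose contents do not run unless deliberately restored (assumed
# rules): a hit there is debris left behind by the cleanup, not an active threat.
INERT_LOCATIONS = (
    ("restore point", re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I)),
    ("ComboFix quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)),
)

def classify(path):
    """Label a detected path as inert (restore point / quarantine) or active."""
    for label, pattern in INERT_LOCATIONS:
        if pattern.search(path):
            return label
    return "active"

def triage(report_text):
    """Return (path, threat, classification) for every detection line."""
    results = []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            results.append((m["path"], m["threat"], classify(m["path"])))
    return results

def summary(report_text):
    """Count detections per classification so live hits stand out at a glance."""
    return Counter(cls for _, _, cls in triage(report_text))

# Sample report body: the first four lines are the ones posted in #7; the fifth is a
# CONSTRUCTED placeholder showing how an in-place hit would be reported.
SAMPLE = r"""
File name / Threat name / Threats count
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000450.dll Infected: Trojan.Win32.Monder.afdj 1
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP5\A0000451.DLL Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bmvhwlgf.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hxhnvy.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\WINDOWS\system32\EXAMPLE_PLACEHOLDER.dll Infected: Trojan.Win32.Monder.afdj 1

The selected area was scanned.
"""

if __name__ == "__main__":
    for path, threat, cls in triage(SAMPLE):
        print(f"{cls:20} {threat:28} {path}")
    print(dict(summary(SAMPLE)))
```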

#9
Mhyles30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hello Dave! I have successfully uninstalled the ComboFix, however I could not figure out the System Restore Points.

After I select Start > All Programs > Accessories > System Tools, instead of System Restore I see Internet Explorer (No Add-ons), so I could not proceed from there.

Is there any other place I can do the system restore points?

Sorry.

Thanks,
Mhyles
  • 0

#10
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
As it turns out it was a slip on my part to have left those instructions in there... as part of its uninstall procedures Combofix takes care of cleaning out your system restore cache, so it's all already done. As for not seeing any System Restore option, you need to be logged onto an account with administrator privileges for System Restore to be available. That is probably the cause. If you aren't sure whether your account is an administrator, look at the User Accounts section of your control panel to find out.

In any event your restore points have been cleaned, so you can continue on with the rest of my advice/instructions if you haven't yet.

- Dave

Edited by Transience, 26 December 2008 - 04:31 PM.

  • 0

#11
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0