Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected by Win32TR\.\er.Agent

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 17th, 2009, 11:01 pm

Hi. My computer has been taken over by Win32TR\.\er.Agent. Adaware keeps catching it and removing it but upon each reboot it's present again. I can't seem to get rid of it no matter how many scans and cleans I do with various anti-virus/spyware tools. Below is a copy/paste of my Hijack This log:

ugggggLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:37 PM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\KBDaemonA.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\MULTI-~1\MMKey.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SightSpeed\SightSpeed.exe
C:\WINDOWS\TEMP\pk3omyta.exe
C:\WINDOWS\TEMP\pk3omyta.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: {b04e8003-c980-e5eb-4254-504e09c4da20} - {02ad4c90-e405-4524-be5e-089c3008e40b} - C:\WINDOWS\system32\frdatv.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2b4ef98a-049e-4fea-b645-df44682351ed} - C:\WINDOWS\system32\saregiju.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b8eb2e50-1b1f-4ec2-b794-291faefd9632} - (no file)
O2 - BHO: (no name) - {BCA98B66-43A0-462A-8186-D92B3956E94C} - (no file)
O2 - BHO: (no name) - {D1AAFCAA-7298-416D-9957-185317F5F96D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F99FFC7A-03E7-4385-A61C-BA0DE6E92F2D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKey.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [CPM73448cb5] Rundll32.exe "c:\windows\system32\vowajopi.dll",a
O4 - HKLM\..\Run: [Eqeweduvakad] rundll32.exe "C:\WINDOWS\Smufoxe.dll",e
O4 - HKLM\..\Run: [Fnerud] rundll32.exe "C:\WINDOWS\ubomezim.dll",e
O4 - HKLM\..\Run: [tukoheyowu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\pk3omyta.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\pk3omyta.exe
O4 - HKCU\..\Run: [yp07lzhsndx0a4dqkdnc4rnlhypcc1tvepq4wbtqtzf2vc] C:\WINDOWS\TEMP\yw64u10v.exe
O4 - HKCU\..\Run: [hm2q8bw9b17rvc06u7nvmzf9vkf7mfwgsiree6vazwo5l4kw] C:\WINDOWS\TEMP\e2hqdyf.exe
O4 - HKCU\..\Run: [gmvgr8vqh4ootldb6jgtn3] C:\WINDOWS\TEMP\kakbrjk.exe
O4 - HKCU\..\Run: [u2vxff1fma2u37lfec851neu] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\hvzd3wu.exe
O4 - HKCU\..\Run: [ad2yl96kwgqzkg639mjxaukd1swgrtg95yyu8] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\vh8j42dg.exe
O4 - HKCU\..\Run: [fnq247xomy5618s59g] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\p3i5oe3a93h4.exe
O4 - HKCU\..\Run: [ktwn23xxvb7mrs11smh1zg3bttafn2d4l] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\cpohxzv1g7.exe
O4 - HKCU\..\Run: [w3djw285hr6oc1sbav6weutbmy10fsc4] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\iaubx93re4w3.exe
O4 - HKCU\..\Run: [e6vjwxwdvl7zsp0wul89u3] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\o5cp3gsyob.exe
O4 - HKCU\..\Run: [wdvzjyxa3] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\fw4fukg3w5.exe
O4 - HKCU\..\Run: [z4v6wjjfi0ysylh3gsghjpsrk12dyg8n7l3b52u8xreanj0] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\a57ol572775.exe
O4 - HKCU\..\Run: [qo0t1eyb5aeyfa8] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\ywmnjzzb729.exe
O4 - HKCU\..\Run: [v1rku0s75u36puh4nzrol5zz] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\rjy5qladrqgk.exe
O4 - HKCU\..\Run: [vglwd7qj4ky1apwirk93f0l3saqx73xjv3kkh] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\dto944x2b.exe
O4 - HKCU\..\Run: [iss13ywvpfx82javgroefis54nvld4y0v60i48u5] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\u1qbvv1.exe
O4 - HKCU\..\Run: [a0iluif0w148gzv] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\wiu2qtql.exe
O4 - HKCU\..\Run: [zehxpwg0cw867014] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\fpuy2jocw90ot.exe
O4 - HKCU\..\Run: [q01cm7h37sqkxovzzxzvfil] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\p5vi70t.exe
O4 - HKCU\..\Run: [zxi0dbz8xny0s79u] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\ace43na.exe
O4 - HKCU\..\Run: [fh5y994jc9omexazsqfhbmn406gemojwlx9mjnfeu9o4of] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\n6m3ba2qf1e.exe
O4 - HKCU\..\Run: [viyougho1da] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\qo2umgox1t8xg.exe
O4 - HKCU\..\Run: [yqi7o3yuww] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\sspr2nzy8.exe
O4 - HKCU\..\Run: [oeedsfqdfnlbxyfbi6nomaft1shnc7mg2yhdwd] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\gyq3w4.exe
O4 - HKCU\..\Run: [t7qhahvtzv9ho] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\zegulvikpho2.exe
O4 - HKCU\..\Run: [e0ic2jonietzvg] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\o7lm6gn1vkoc2.exe
O4 - HKUS\S-1-5-19\..\Run: [tukoheyowu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tukoheyowu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Revolve Clock.lnk = C:\Documents and Settings\Sunshine Lehmann\Local Settings\Temp\Rar$EX00.156\Revolve Clock\Revolve Clock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4097228859
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\vaseyure.dll c:\windows\system32\fapiruda.dll c:\windows\system32\koyojudu.dll frdatv.dll c:\windows\system32\vowajopi.dll
O20 - Winlogon Notify: yaywvuVp - yaywvuVp.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowajopi.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowajopi.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe

--
End of file - 17947 bytes

Any help would be greatly appreciated! Thanks!
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm
Advertisement
Register to Remove

Re: Infected by Win32TR\.\er.Agent

Unread postby Bv202 » March 18th, 2009, 2:43 pm

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum and I'll be happy to assist you with all your malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • Please always try to reply within 5 days. If you know you won't be able to reply for any reason, please tell me so we don't close your thread.
  • As I'm still in training here at Malware Removal, all my posts needs to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 18th, 2009, 3:07 pm

Hi Bjorn. Here is a copy of the log. Thanks!

Acer GridVista
Ad-Aware
Ad-Aware
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Library
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Lightroom
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
Attansic Giga Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
BestOn Software
Browser Mouse
CCleaner (remove only)
CCScore
Compact Wireless-G USB Network Adapter with SpeedBooster
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DesktopX
Digital Photo Navigator 1.5
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Suite
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Fences
Fences
FTP Surfer
getPlus(R)_ocx
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Internet Keyboard
iTunes
Java(TM) 6 Update 12
Java(TM) 6 Update 3
Java(TM) 6 Update 6
Java(TM) 6 Update 7
kgcbase
Kodak EasyShare software
Lexicon Omega Studio(remove only)
MathPlayer
McAfee SecurityCenter
Media Manager for WALKMAN 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Add-in for SQL Server Analysis Services
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
MIDI Yoke
Mozilla Firefox (3.0.7)
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multi-Media Keyboard
Napster Burn Engine
Nero 7 Essentials
netbrdg
ObjectDock
OfotoXMI
OpenMG Secure Module 4.7.00
OpenOffice.org Installer 1.0
PC CameraQ
PDF Settings
PowerCinema NE for Everio
PowerDVD
PowerProducer
QuickTime Alternative 1.81
Rainlendar2 (remove only)
Realtek High Definition Audio Driver
Reason Demo 4.0.1
Rhapsody Player Engine
ScreenPrint32 v3.5
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SFR
SHASTA
SightSpeed (remove only)
skin0001
SKINXSDK
Skype™ 3.8
SmartFTP Client
Spybot - Search & Destroy
SpywareBlaster 4.1
Standard PS/2 Multi-Media Keyboard Driver
staticcr
Steinberg Cubase LE
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Deluxe
The Sims™ 2 Seasons
tooltips
TweetDeck
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Wireless Keyboard Driver
Ventrilo Client
VeohTV BETA
Verizon Online
Verizon Online Help and Support
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
World of Warcraft
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zoo Tycoon: Complete Collection
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 18th, 2009, 10:40 pm

Also just as an FYI, this morning (after I ran the logs)-- I now have a new issue. A red X that pops up on my toolbar and says "Warning! Security Report . . . Your Computer is infected! It is recommended to start spyware cleaner tool." It has also disabled my task manager and some of my desktop elements. Not sure if this is what I already had or something new but let me know if you'd like me to re-run the logs. It had gotten to the point of preventing me from accessing the web but I'm running scans like crazy (adaware, spybot, avast) and they seem to be doing just enough to keep me afloat (but not resolve the problem).
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Bv202 » March 19th, 2009, 2:10 am

Hi Sunshine

Thank you for informing me about this. Please follow these instructions :)

Disable protection programs
Please disable the following protection programs so ComboFix can run without trouble :)

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a "M"-sign.
  • Right-click it -> chose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.


SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

Please re-enable them after running ComboFix.


Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 19th, 2009, 10:01 pm

Hi- I ran combo fix and posted the log plus the new hijack this log below. I turned off my virus scanners to DL and run combox fix and after the roboot combo fix does I got hit with a bunch of new problems. The worst being I can no longer get online. I'm in the process of backing up all of my files now just in case I get completely locked out or reloading windows is a best option. This is REALLY bad. I'm afraid to do anything again that disables my protection as this nearly killed me.




ComboFix 09-03-18.01 - Sunshine Lehmann 2009-03-19 8:08:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3063.2052 [GMT -5:00]
Running from: c:\documents and settings\Sunshine Lehmann\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090318-0] *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sunshine Lehmann\Application Data\Install.dat
c:\windows\cookies.ini
c:\windows\system32\ahtn.htm
c:\windows\system32\eeMWyyxx.ini
c:\windows\system32\frmwrk32.exe
c:\windows\system32\jukazena.dll
c:\windows\system32\KknUDJjl.ini
c:\windows\system32\ntdll64.exe
c:\windows\system32\pteqjtwi.ini
c:\windows\system32\test.ttt
c:\windows\system32\tizohale.dll
c:\windows\system32\tovofada.dll
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-18 19:58 . 2009-03-18 19:58 21,091 --a------ c:\windows\system32\AAWService_2009_03_18_19_58_07.dmp
2009-03-18 19:44 . 2009-03-18 19:44 <DIR> d-------- c:\program files\Alwil Software
2009-03-18 19:38 . 2009-03-18 19:38 18,937 --a------ c:\windows\system32\AAWService_2009_03_18_19_38_03.dmp
2009-03-18 19:30 . 2009-03-18 19:30 19,805 --a------ c:\windows\system32\AAWService_2009_03_18_19_30_14.dmp
2009-03-18 17:02 . 2009-03-18 17:02 24,415 --a------ c:\windows\system32\AAWService_2009_03_18_17_02_44.dmp
2009-03-18 16:54 . 2009-03-19 08:15 106,094 --a------ c:\windows\system32\drivers\b66205da.sys
2009-03-18 16:54 . 2009-03-18 16:54 99,328 --a------ C:\pvnncaoo.exe
2009-03-18 16:54 . 2009-03-18 16:54 27,648 --a------ C:\qvmkk.exe
2009-03-18 16:54 . 2009-03-18 16:54 2 --a------ C:\1886896006
2009-03-18 07:21 . 2009-03-18 07:21 19,700 --a------ c:\windows\system32\AAWService_2009_03_18_07_21_57.dmp
2009-03-18 07:17 . 2009-03-18 07:17 18,572 --a------ c:\windows\system32\AAWService_2009_03_18_07_17_57.dmp
2009-03-18 07:12 . 2009-03-18 07:12 24,415 --a------ c:\windows\system32\AAWService_2009_03_18_07_12_56.dmp
2009-03-18 00:18 . 2009-03-18 00:18 23,249 --a------ c:\windows\system32\AAWService_2009_03_18_00_18_18.dmp
2009-03-17 21:34 . 2009-03-17 21:34 20,189 --a------ c:\windows\system32\AAWService_2009_03_17_21_34_23.dmp
2009-03-17 21:07 . 2009-03-17 21:07 20,189 --a------ c:\windows\system32\AAWService_2009_03_17_21_07_57.dmp
2009-03-17 17:05 . 2009-03-17 17:05 133,120 --a------ c:\windows\ubomezim.dll
2009-03-17 16:53 . 2009-03-17 16:53 41,984 --a------ c:\windows\Smufoxe.dll
2009-03-17 16:53 . 2009-03-18 16:53 41,984 --a------ C:\sxprfkgw.exe
2009-03-17 16:53 . 2009-03-18 16:53 10,240 --a------ C:\tlgvlvdw.exe
2009-03-16 16:04 . 2009-03-16 16:04 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\Media Player Classic
2009-03-16 15:17 . 2009-03-16 17:25 <DIR> d-------- c:\program files\QuickTime Alternative
2009-03-16 15:17 . 2009-03-16 15:17 <DIR> d-------- c:\program files\Media Player Classic
2009-03-16 15:17 . 2007-04-27 09:42 65,536 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-03-16 15:17 . 2007-04-27 09:42 49,152 --a------ c:\windows\system32\QuickTime.qts
2009-03-16 15:00 . 2009-03-16 15:00 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\MPEG Streamclip
2009-03-16 08:52 . 2009-03-16 08:52 <DIR> d-------- c:\windows\system32\windows media
2009-03-16 08:52 . 2009-03-16 08:52 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-16 08:52 . 2009-03-16 08:52 <DIR> d-------- c:\program files\Windows Media Components
2009-03-16 08:14 . 2009-03-09 14:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-16 07:51 . 2009-03-09 14:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-16 07:49 . 2009-03-16 07:49 <DIR> d-------- c:\program files\Lavasoft
2009-03-16 07:49 . 2009-03-16 07:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-16 07:49 . 2009-03-16 07:49 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-15 13:08 . 2006-06-04 15:48 198,144 --------- c:\windows\system32\_psisdecd.dll
2009-03-15 13:08 . 2006-06-04 15:48 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-03-15 13:07 . 2009-03-15 13:07 <DIR> d-------- c:\program files\Digital Photo Navigator 1.5
2009-03-15 01:30 . 2009-03-15 01:30 1,595 --a------ c:\windows\ST6UNST.000
2009-03-15 00:44 . 2009-03-15 00:44 <DIR> d-------- c:\program files\ScreenPrint32 v3
2009-03-15 00:44 . 2009-03-15 01:30 249,856 --------- c:\windows\Setup1.exe
2009-03-15 00:44 . 2009-03-15 01:30 73,216 --a------ c:\windows\ST6UNST.EXE
2009-03-14 23:22 . 2009-03-16 08:01 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-14 23:22 . 2009-03-14 23:22 1,409 --a------ c:\windows\QTFont.for
2009-03-14 20:52 . 2009-03-19 08:13 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\.rainlendar2
2009-03-14 20:51 . 2009-03-14 20:52 <DIR> d-------- c:\program files\Rainlendar2
2009-03-14 13:56 . 2009-03-14 13:56 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\Stardock
2009-03-14 13:56 . 2009-03-14 13:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{067CEB81-A49B-4597-9505-A5515881D672}
2009-03-14 12:16 . 2009-03-15 01:42 <DIR> d-------- c:\program files\Stardock
2009-03-14 12:16 . 2009-03-15 01:42 <DIR> d-------- c:\program files\Common Files\Stardock
2009-03-14 11:06 . 2009-03-14 11:06 <DIR> d-------- c:\program files\TweetDeck
2009-03-14 11:06 . 2009-03-14 11:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-14 11:06 . 2009-03-14 11:06 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-03-06 15:15 . 2009-03-06 15:15 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-02-24 11:39 . 2009-02-24 11:39 <DIR> d-------- c:\program files\MSECache
2009-02-23 08:53 . 2009-02-23 08:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-02-23 08:53 . 2009-02-23 08:53 368,640 --a------ c:\windows\system32\ReWire.dll
2009-02-23 08:53 . 2009-02-23 08:53 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2009-02-23 08:51 . 2009-02-23 08:53 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\Propellerhead Software
2009-02-23 01:17 . 2009-02-23 01:17 <DIR> d-------- c:\program files\Propellerhead
2009-02-19 20:45 . 2009-02-19 20:45 <DIR> d-------- c:\program files\Microsoft Solutions
2009-02-19 20:45 . 2009-02-19 20:45 <DIR> d-------- c:\documents and settings\Sunshine Lehmann\Application Data\ORSLN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 19:01 --------- d-----w c:\program files\LimeWire
2009-03-18 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-18 02:16 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-17 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-17 17:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 17:03 --------- d-----w c:\program files\Google
2009-03-17 17:03 --------- d-----w c:\program files\Full Tilt Poker
2009-03-17 17:01 --------- d-----w c:\program files\Windows Live Toolbar
2009-03-17 16:59 --------- d-----w c:\program files\VentSrv
2009-03-17 16:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-17 16:23 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\Skype
2009-03-16 20:17 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\Apple Computer
2009-03-16 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-16 20:14 --------- d-----w c:\program files\QuickTime
2009-03-16 12:38 --------- d-----w c:\program files\SpywareBlaster
2009-03-16 12:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-16 03:18 --------- d-----w c:\program files\CyberLink
2009-03-15 21:55 --------- d-----w c:\program files\Java
2009-03-15 18:14 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\CyberLink
2009-03-15 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-03-14 22:10 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\LimeWire
2009-03-13 19:53 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\MSN6
2009-03-11 13:19 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\skypePM
2009-03-07 00:31 --------- d-----w c:\program files\World of Warcraft
2009-03-03 02:08 0 ----a-w c:\documents and settings\Sunshine Lehmann\GoToAssistDownloadHelper.exe
2009-02-26 14:00 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-14 05:06 --------- d-----w c:\documents and settings\Sunshine Lehmann\Application Data\DivX
2009-02-14 04:40 --------- d-----w c:\program files\Common Files\Control Panels
2009-02-14 04:40 --------- d-----w c:\program files\Common Files\Adobe
2009-02-14 04:37 --------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-02-14 03:48 --------- d-----w c:\program files\Bonjour
2009-02-14 03:43 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-11 01:41 --------- d-----w c:\documents and settings\Sydney\Application Data\MSN6
2008-08-21 21:03 0 ----a-w c:\documents and settings\Sunshine Lehmann\jagex_runescape_preferences.dat
2008-03-29 21:47 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-30 03:26 23,405,072 ----a-w c:\program files\AdbeRdr811_en_US.exe
2008-09-17 02:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-07-18 4770616]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"12ZFG94-F641-2SF-K31P-5N1ER6H6L2"="c:\recycler\S-1-5-21-3768935224-3887913295-690910863-1151\service.exe" [2009-03-18 43008]
"12CFG515-K641-55SF-N55P"="c:\recycler\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe" [2009-03-19 25118]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-02-27 151552]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"Multi-Media Keyboard"="c:\progra~1\MULTI-~1\MMKey.exe" [2002-09-14 172032]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\mouse32a.exe" [2008-01-05 360448]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 624248]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Eqeweduvakad"="c:\windows\Smufoxe.dll" [2009-03-17 41984]
"Fnerud"="c:\windows\ubomezim.dll" [2009-03-17 133120]
"SkyTel"="SkyTel.EXE" [2006-05-15 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 c:\windows\RTHDCPL.exe]
"StandardKeyboard"="KBDaemonA.exe" [2004-11-26 c:\windows\system32\KBDaemonA.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 15:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= myokent.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKbdCfg.exe"=
"c:\\Program Files\\Verizon\\McciTrayApp.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Linksys\\WUSB54GSCv2\\WUSB54GSC.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-16 64160]
R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-18 114768]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2007-11-17 6656]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-18 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [2009-01-18 65596]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-11-03 35840]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe --> c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [?]
S2 wuflyjqorue;wuflyjqorue;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2003-11-05 17920]
S3 DPFilter;USB Keyboard Filter Driver;c:\windows\system32\drivers\DPFilter.sys [2008-01-04 8092]
S3 KBNTXP;Standard PS/2 Multi-Keyboard Filter Driver for WinXp;c:\windows\system32\drivers\KBNTXP.sys [2007-11-17 7296]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-01-18 198144]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wuflyjqorue
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:06]

2009-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{090d0d8e-d51d-4f0b-9acd-161005e5e002} - (no file)
BHO-{2b4ef98a-049e-4fea-b645-df44682351ed} - (no file)
BHO-{b8eb2e50-1b1f-4ec2-b794-291faefd9632} - (no file)
BHO-{BCA98B66-43A0-462A-8186-D92B3956E94C} - (no file)
BHO-{D1AAFCAA-7298-416D-9957-185317F5F96D} - (no file)
BHO-{F99FFC7A-03E7-4385-A61C-BA0DE6E92F2D} - (no file)
HKCU-Run-Windows Resurections - c:\windows\TEMP\pk3omyta.exe
Notify-yaywvuVp - yaywvuVp.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Windows Live Search
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel
IE: Open in new background tab
IE: Open in new foreground tab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.gamehouse.com/games/tumblebugs/axhost.cab
FF - ProfilePath - c:\documents and settings\Sunshine Lehmann\Application Data\Mozilla\Firefox\Profiles\gmb03577.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 08:15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b66205da]
"ImagePath"="\SystemRoot\System32\drivers\b66205da.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,4f,35,21,f6,e0,
f3,04,be,c8,28,51,af,b0,29,a3,98,57,04,1e,91,af,c4,76,f7,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,cb,2f,02,2e,6f,
11,f3,3f,71,3b,04,66,8b,46,0d,96,09,c5,53,e9,d2,b1,37,f4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,0a,b9,a3,70,5d,
1a,cf,e4,25,da,ec,7e,55,20,c9,26,6d,2b,2c,ac,ad,dc,4c,c9,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,96,95,4d,68,4d,
30,7d,31,3e,1e,9e,e0,57,5a,93,61,c4,1c,54,fa,53,c2,05,67,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,1e,7f,98,6b,74,
0b,1b,22,cd,44,cd,b9,a6,33,6c,cd,45,41,cb,b1,96,79,98,6e,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,0f,f7,b2,ed,1a,
bb,24,ab,b0,18,ed,a7,3f,8d,37,a4,9d,8b,15,d7,ef,b2,dd,a9,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,45,0d,d2,54,5b,
55,da,62,31,77,e1,ba,b1,f8,68,02,58,ed,6d,ca,63,c1,7f,fa,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,8e,3a,6e,0f,0c,
93,5b,4d,83,6c,56,8b,a0,85,96,ab,2d,08,19,6e,e0,b4,5c,e8,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,ed,1e,c5,60,5d,
53,8d,ac,51,fa,6e,91,28,9e,14,cc,b4,f9,ff,73,55,89,cb,67,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,5d,48,7c,a0,5a,
eb,ce,57,b1,cd,45,5a,a8,c4,f8,b9,ce,98,9b,0a,99,25,69,e1,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,33,f6,ef,bb,a2,
7a,e7,91,e3,0e,66,d5,eb,bc,2f,6b,27,76,dc,6b,02,3d,1c,09,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,28,6f,9d,f2,b9,
9d,20,0c,fa,ea,66,7f,d4,3b,6b,70,6a,14,86,e0,1b,90,bc,2c,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\sxs.dll
c:\windows\system32\myokent.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\myokent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Netropa\Multimedia Keyboard\Traymon.exe
c:\program files\Netropa\Onscreen Display\osd.exe
c:\windows\system32\rundll32.exe
c:\program files\Stardock\ObjectDock\ObjectDock.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-19 8:18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 13:18:01

Pre-Run: 223,390,195,712 bytes free
Post-Run: 224,807,030,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

401 --- E O F --- 2009-03-11 08:01:37







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:40 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\KBDaemonA.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MULTI-~1\MMKey.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SightSpeed\SightSpeed.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKey.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Eqeweduvakad] rundll32.exe "C:\WINDOWS\Smufoxe.dll",e
O4 - HKLM\..\Run: [Fnerud] rundll32.exe "C:\WINDOWS\ubomezim.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-3768935224-3887913295-690910863-1151\service.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N55P] C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\etf6s5tg9i.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\etf6s5tg9i.exe
O4 - HKCU\..\Run: [opru2vpoa5eclxbh4hl3y9z47stnyjfp] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\lmhhkrg.exe
O4 - HKCU\..\Run: [ysi4hymwwdhj3] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\dr8ex3kpgy.exe
O4 - HKCU\..\Run: [uudp5dr25n4f96fzalauxbmwl9phkkevle9be909bz3x8u8rk] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\tggtkm1.exe
O4 - HKCU\..\Run: [fy07g9ngefvcj5nawo] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\jyrr7n54fu.exe
O4 - HKCU\..\Run: [pl054tovmrlbspoz8t7kiyky4go13gyiy5bbpjmpwasvm8] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\vdis8qb9.exe
O4 - Startup: Revolve Clock.lnk = C:\Documents and Settings\Sunshine Lehmann\Local Settings\Temp\Rar$EX00.156\Revolve Clock\Revolve Clock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4097228859
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: oledll - {59945B67-9234-9234-D929-7F84D923BC79} - C:\WINDOWS\system32\wm16tokl.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe

--
End of file - 15235 bytes
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Bv202 » March 23rd, 2009, 1:28 pm

Hi Sunshine

Sorry for the delay.

First of all, have a look at this ComboFix tutorial:
http://www.bleepingcomputer.com/combofi ... e-combofix

At the bottom, you'll find instructions how to repair your internet connection. Try these and let me know if you have your connection back. If you still can't connect to the internet, you'll need to download our tools from another computer and put them on your own via flash drives/cd's.


Remove one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:
Mcafee
Avast


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    C:\pvnncaoo.exe
    C:\qvmkk.exe
    c:\windows\ubomezim.dll
    c:\windows\Smufoxe.dll
    C:\sxprfkgw.exe
    C:\tlgvlvdw.exe
    c:\recycler\S-1-5-21-3768935224-3887913295-690910863-1151\service.exe
    c:\recycler\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
    
    Folder::
    C:\1886896006
    
    Driver::
    wuflyjqorue
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


ATF-Cleaner
Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Eqeweduvakad] rundll32.exe "C:\WINDOWS\Smufoxe.dll",e
O4 - HKLM\..\Run: [Fnerud] rundll32.exe "C:\WINDOWS\ubomezim.dll",e
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-3768935224-3887913295-690910863-1151\service.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N55P] C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\etf6s5tg9i.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\etf6s5tg9i.exe
O4 - HKCU\..\Run: [opru2vpoa5eclxbh4hl3y9z47stnyjfp] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\lmhhkrg.exe
O4 - HKCU\..\Run: [ysi4hymwwdhj3] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\dr8ex3kpgy.exe
O4 - HKCU\..\Run: [uudp5dr25n4f96fzalauxbmwl9phkkevle9be909bz3x8u8rk] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\tggtkm1.exe
O4 - HKCU\..\Run: [fy07g9ngefvcj5nawo] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\jyrr7n54fu.exe
O4 - HKCU\..\Run: [pl054tovmrlbspoz8t7kiyky4go13gyiy5bbpjmpwasvm8] C:\DOCUME~1\SUNSHI~1\LOCALS~1\Temp\vdis8qb9.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.


If you're still not able to connect to the internet, please ignore these Jotti instructions and tell me
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
c:\windows\system32\drivers\b66205da.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.


In your next reply, please post:
1) The ComboFix log
2) A new HijackThis log
3) Tell me if you're having your connection back
4) The Jotti results (if you have the connection)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 23rd, 2009, 1:38 pm

Hi Bjorn-

I actually ended up reloading XP from scratch because I didn't really have another computer I could use with any regularity. Everything seems fine now, thankfully. Thanks again for all your help.
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Bv202 » March 23rd, 2009, 2:30 pm

Hi Sunshine

Thanks for informing me you've reformatted the computer. Here are a few tips to prevent re-infection in the future: :)


Prevent re-infection
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Make sure you enable Automatic Updates for your computer. You can set this in the control panel -> windows update.
An alternative way is to visit Microsoft often to get the latest updates for your computer:
http://www.update.microsoft.com


Here are some free programs I recommend that could help you improve your computer's security.

Malwarebytes' Anti-Malware
Download it from here. Click "Download" and you'll get redirected to download.com, where you can download the product. You can also buy this program, which gives you real-time protection against common malware. However, you can use the free program to scan and remove any infections found.

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.
It's preferable to install one of the suggested firewalls.

FREE FIREWALLS
  • Comodo
    When installing, it will ask you to install Anti-Virus functionality. Please uncheck "install comodo antivirus (recommended)" unless you've uninstalled your AV. NEVER have 2 or more Anti-Virus programs on your computer; it will cause performance loss and/or other problems.
  • Online Armor
  • Sunbelt Kerio

Tutorial about Firewalls can be found here


Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!

Please reply once more to this thread so we know it can be closed. If you have any questions left, it's now the time to ask! :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 23rd, 2009, 3:44 pm

This is awesome, thank you. I am installing comodo right now as my firewall protection. I have spyware blaster already. I also have adaware, spybot search and destroy, and avast (I got rid of mcaffe as my subscription was expired and I wasn't getting updates anymore). Can I also install Malware bites, winpatrol, etc. also with these? I'm paranoid and I NEVER want this to happen again lol
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Bv202 » March 24th, 2009, 3:52 pm

Hi Sunshine

I don't recommend to have all these protection software installed. Some doesn't even have real-time protection and so can only remove infections after they've been present on the system instead of blocking them to run on your computer.

Also, some of these programs are not very efficiënt anymore because of several reasons. This is my personal recommendation:
1 Antivirus (Avast in your case)
1 Firewall (Comodo in your case)
Winpatrol
Malwarebytes' Anti-Malware

It's not useful to have a lot of others installed :)


Let me know if you have any questions left/we can archive this thread :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Infected by Win32TR\.\er.Agent

Unread postby Sunshine » March 25th, 2009, 12:54 pm

Thanks for all of the useful advice! I'll go ahead and do what you recommended. You can archive the thread.

Thanks!
Sunshine
Active Member
 
Posts: 7
Joined: March 17th, 2009, 10:55 pm

Re: Infected by Win32TR\.\er.Agent

Unread postby Elrond » March 26th, 2009, 11:41 am

Sunshine this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware