Free Malware Removal Forum

by **raina** » October 27th, 2009, 2:03 am

I started getting popup ads and the like. GO211.com, Paretologic, and Gamevance are a few of the names I'm seeing on the ads.

I downloaded AdAware which found nothing. Then I downloaded Malwarebytes, which wouldn't work at all until we ran it in safe mode because apparently some of the spyware was blocking it, but once we did run it it found four things and eliminated them. But, it didn't get everything as I'm still getting a lot of the same popups as before. Then I downloaded TFC and ran it and rebooted again. And then I ran HiJackthis and found this forum and thought I'd ask for help.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:46 AM, on 10/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Internet Explorer provided

by Dell
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7

-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-

90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0

\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-

4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-

31B7-401E-A518-A07C3DB8F777} - C:\Program

Files\BAE\BAE.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)]

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

/runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows

Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [heniwojog] Rundll32.exe "c:\progra~2

\gekuhiri\gekuhiri.dll",a
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%

\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter]

rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%

\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK

SERVICE')
O4 - Global Startup: Mozilla Firefox
O8 - Extra context menu item: E&xport to Microsoft Excel

- res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5

-00401C608501} - c:\Program Files\Java\jre1.6.0

\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program

Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.download.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2

\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) -

Lavasoft - C:\Program Files\Lavasoft\Ad-

Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec

Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service

(CLTNetCnService) - Unknown owner - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe (file

missing)
O23 - Service: DSBrokerService - Unknown owner -

C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google -

C:\Program Files\Google\Google Desktop

Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate

Notice Ex) - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}

\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) -

NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions -

C:\Program Files\Common Files\Roxio Shared\9.0

\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) -

Sonic Solutions - C:\Program Files\Common Files\Roxio

Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc.

- C:\Program Files\Common Files\SureThing

Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. -

C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5497 bytes

by **Cypher** » October 30th, 2009, 12:37 pm

Hi, Welcome to the Malware Removal forum.
My name is Cypher, and I will be helping you with your malware problems.
Before we begin...please note the following important guidelines.

The instructions being given are for YOUR computer and system only!.
Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread do not start another, Please continue responding until I give you the "All Clean"
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions... if possible...your Internet connection might not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
The logs from the tools we use can take some time to research so please be patient.

If you follow these guidelines, things should proceed smoothly.

I am currently reviewing your log, and will return as soon as possible with your instructions.

First thing I would like you to do is to turn Word Wrap off in Notepad:

Open Notepad then on the Toolbar click Format.
Make sure Word Wrap is unticked then close Notepad.

Next,

Post a New HJT Log

Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.

Copy/paste the entire (hijackthis.log) file contents in your next reply.

Next.

Please post an Uninstall list.

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

In your next reply.

1. HijackThis log
2. Uninstall list.

by **raina** » October 30th, 2009, 12:52 pm

Thanks for your response! I'm pasting the two logs you requested below.

Here's my un-word-wrapped HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:46 AM, on 10/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [heniwojog] Rundll32.exe "c:\progra~2\gekuhiri\gekuhiri.dll",a
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Mozilla Firefox
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.download.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5497 bytes

And here's my uninstall log:

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
AOL Install
Conexant D850 PCI V.92 Modem
CueCard (remove only)
Dell DataSafe Online
Dell Support Center
Dell System Customization Wizard
DellSupport
Digital Line Detect
EarthLink Setup Files
ERUNT 1.1j
Games, Music, & Photos Launcher
Google Desktop
Heroes of Might and Magic® III Complete
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Internet Service Offers Launcher
Java(TM) SE Runtime Environment 6
jZip
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
MemoryLifter2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office XP Standard
Microsoft Works
Modem Diagnostic Tool
Mozilla Firefox (3.0.5)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MUSHclient (remove only)
NetWaiting
NVIDIA Drivers
NVIDIANetworkDiagnostic
PowerDVD
Product Documentation Launcher
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Sonic Activation Module
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
URL Assistant
User's Guides
Winamp (remove only)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Yahoo! Music Jukebox
zMUD 7.21.0.0

by **Cypher** » October 30th, 2009, 1:17 pm

Hi raina.
The forum is really busy but be assured i will get back to you as soon as possible.
Thank you for your patience.

by **Cypher** » November 2nd, 2009, 6:56 am

Hi raina.
Sorry for the delay and thank you for your patience.

Vista Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System(Vista aka Windows 6) in use comes with a inbuilt utility called User Access Control(UAC) when prompted by this with anything I ask you to do carry out please select the option Allow.

MGADiag

Please download this tool from Microsoft.
Right click on MGADiag.exe and select Run As Administrator to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in the window.

Save this file and copy/paste it in your next reply.

In your next reply.

1. MGADiag log.

by **raina** » November 2nd, 2009, 1:36 pm

Thanks for responding.

In case this is important: Since I posted my first post, I've started getting some new symptoms - a window for some "url.urtbk.com/blahblahblah" pops up, then more and more and more of them, and they keep coming until I open the task manager and shut down IE.

Here is the MGADiag log you requested:

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-4WD8X-M9WM7-CH4CG
Windows Product Key Hash: EkdqJZ28Y9zyrh7DU/lHNjTXlQY=
Windows Product ID: 89572-OEM-7332166-00096
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6001.2.00010300.1.0.002
ID: {54C4D56E-6C9C-4B88-8C86-FD72B7D4FED0}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Home Basic
Architecture: 0x00000000
Build lab: 6001.vistasp1_gdr.090805-0102
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Standard - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{54C4D56E-6C9C-4B88-8C86-FD72B7D4FED0}</UGUID><Version>1.9.0011.0</Version><OS>6.0.6001.2.00010300.1.0.002</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-CH4CG</PKey><PID>89572-OEM-7332166-00096</PID><PIDType>2</PIDType><SID>S-1-5-21-3162089250-4011727672-1247853657</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 531s</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.3</Version><SMBIOSVersion major="2" minor="5"/><Date>20070615000000.000000+000</Date></BIOS><HWID>B0303507018400E6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>AS09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90120409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Standard</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54187-640-0000025-17861</Pid><PidType>14</PidType></Product></Products><Applications><App Id="16" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6001.18000
Name: Windows(TM) Vista, HomeBasic edition
Description: Windows Operating System - Vista, OEM_SLP channel
Activation ID: 199086aa-6cb8-4e5b-b698-f2be56f1e8ee
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89572-00146-321-600096-02-1033-6000.0000-2192007
Installation ID: 012646481150812560113160673206771862555390401042212444
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: CH4CG
License Status: Licensed

HWID Data-->
HWID Hash Current: MgAAAAEAAgABAAEAAgABAAAAAgABAAEAnJ8q7mLtilSSAO5zhuNSnfL0xIiqDqxWXj0=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL AS09
FACP DELL AS09
HPET DELL AS09
MCFG DELL AS09
SLIC DELL AS09

by **Cypher** » November 4th, 2009, 6:55 am

Hi raina.
While going through your logs I found out that your copy of Microsoft Office has a blocked Volume License Key.

Our forum policy Here says we will not help people who use cracked or pirated software.
You likely got infected by using cracked software or visiting crack sites.
Hence, i would like you to remove all the crack/keygen applications that are present on your system

NOTE: If you give me advice that the software/Keygens have been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.
Please decide what you are going to do & let me know.

by **raina** » November 4th, 2009, 2:51 pm

Okay. I've uninstalled Office.

by **Cypher** » November 5th, 2009, 6:34 am

Hi raina.
Thank you for your cooperation.

Run CKScanner

Please download CKScanner by askey127 from Here
Important: - Save it to your desktop.
Right click CKScanner.exe And select " Run as administrator " > then click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Next.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.

Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done... 2 logs files...will be produced.
The first one, "log.txt", << will be maximized
The second one, "info.txt", << will be minimized.

Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

In your next reply.

1. CKFiles.txt log.
2. RSIT log.txt file contents and info.txt file contents.

by **raina** » November 5th, 2009, 1:11 pm

Thanks!

I thought I'd let you know: I know you ask us not to download any new software while we're being helped to avoid complicating matters, but I did download Open Office to replace my old Office software. I'll try to avoid any new installations from now on.

Also, today when I loaded up my computer, Windows Defender told me I had a trojan. It described it as "Vundo" or something like that, and the file name, I believe, was gekuhiri.dll. I had Windows remove it and rebooted and now when I load up the computer I get a message saying there was an error loading gekuhiri.dll! So, I guess that's better than if it didn't have trouble loading it...? It still shows up on Windows Defender as a problem needing fixed but I decided to leave it be at that point. (edit: I see the stuff about Vundo comes up in the RSIT file anyhow...so never mind. I ran RSIT after I'd tried to let Windows Defender fix it)

Okay, here are those files!

CKScanner log

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

(and that's it. I guess it didn't find anything?) RSIT logs in the following posts.

by **raina** » November 5th, 2009, 1:12 pm

RSIT log.txt file

Logfile of random's system information tool 1.06 (written by random/random)
Run by dawn at 2009-11-05 11:05:41
Microsoft® Windows Vista™ Home Basic Service Pack 1
System drive C: has 96 GB (67%) free of 142 GB
Total RAM: 958 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:02 AM, on 11/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\dawn\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\dawn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [heniwojog] Rundll32.exe "c:\progra~2\gekuhiri\gekuhiri.dll",a
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Mozilla Firefox
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O13 - Gopher Prefix:
O15 - Trusted Zone: *.download.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5564 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-03-16 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-04 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-03-15 4390912]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-05-02 13535776]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-05-02 92704]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-04 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"heniwojog"=c:\progra~2\gekuhiri\gekuhiri.dll,a []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-03 1862144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\Windows\system32\NvCpl.dll [2008-05-02 13535776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2008-05-02 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
C:\Windows\system32\nvsvc.dll [2008-05-02 526880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton Internet Security\osCheck.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2007-03-15 4390912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe [2007-05-14 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe [2006-11-03 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Mozilla Firefox

C:\Users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed469daf-4195-11dc-8ad3-806e6f6e6963}]
shell\AutoRun\command - E:\_AUTORUN\AUTORUN.EXE
shell\instDX\command - E:\directX\dxsetup.exe
shell\readme\command - notepad readme.txt

======List of files/folders created in the last 1 months======

2009-11-05 11:05:41 ----D---- C:\rsit
2009-11-04 21:04:31 ----D---- C:\Users\dawn\AppData\Roaming\OpenOffice.org
2009-11-04 20:53:33 ----D---- C:\Program Files\JRE
2009-11-04 20:52:43 ----D---- C:\Program Files\OpenOffice.org 3
2009-11-04 20:51:30 ----A---- C:\Windows\system32\javaws.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\javaw.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\java.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\deploytk.dll
2009-11-04 20:47:09 ----D---- C:\Program Files\readmes
2009-11-04 20:47:09 ----D---- C:\Program Files\licenses
2009-11-04 20:47:06 ----D---- C:\Program Files\redist
2009-11-03 07:32:42 ----A---- C:\Windows\system32\mshtml.dll
2009-11-02 11:31:49 ----D---- C:\MGADiagToolOutput
2009-11-02 11:30:27 ----D---- C:\ProgramData\Office Genuine Advantage
2009-10-27 12:36:27 ----D---- C:\Rooter$
2009-10-27 12:32:51 ----D---- C:\Windows\ERDNT
2009-10-27 12:31:49 ----D---- C:\Program Files\ERUNT
2009-10-27 11:57:29 ----A---- C:\Windows\system32\wmp.dll
2009-10-27 11:57:26 ----A---- C:\Windows\system32\unregmp2.exe
2009-10-27 11:57:21 ----A---- C:\Windows\system32\wmploc.DLL
2009-10-26 23:23:51 ----D---- C:\Program Files\Trend Micro
2009-10-26 17:03:37 ----D---- C:\Program Files\Lavasoft
2009-10-26 17:03:36 ----D---- C:\ProgramData\Lavasoft
2009-10-26 17:02:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-10-26 11:02:13 ----D---- C:\ProgramData\nelesoye
2009-10-26 11:02:13 ----D---- C:\ProgramData\gekuhiri
2009-10-26 10:57:06 ----D---- C:\ProgramData\yobuwiji
2009-10-26 10:57:06 ----D---- C:\ProgramData\moyofilu
2009-10-26 10:57:06 ----D---- C:\ProgramData\mavozebu
2009-10-13 15:59:52 ----A---- C:\Windows\system32\msv1_0.dll
2009-10-13 15:59:52 ----A---- C:\Windows\system32\lsass.exe
2009-10-13 15:59:44 ----A---- C:\Windows\system32\wininet.dll
2009-10-13 15:59:44 ----A---- C:\Windows\system32\occache.dll
2009-10-13 15:59:43 ----A---- C:\Windows\system32\urlmon.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\iertutil.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\ieframe.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\ieapfltr.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\msfeeds.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\iedkcs32.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\ieaksie.dll
2009-10-13 15:59:40 ----A---- C:\Windows\system32\ieUnatt.exe
2009-10-13 15:59:39 ----A---- C:\Windows\system32\mstime.dll
2009-10-13 15:59:39 ----A---- C:\Windows\system32\ieencode.dll
2009-10-13 15:59:38 ----A---- C:\Windows\system32\jsproxy.dll
2009-10-13 15:59:10 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-10-13 15:59:10 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-10-13 15:58:35 ----A---- C:\Windows\system32\msasn1.dll
2009-10-13 15:58:25 ----A---- C:\Windows\system32\WMSPDMOD.DLL

======List of files/folders modified in the last 1 months======

2009-11-05 12:26:49 ----D---- C:\Windows\system32\LogFiles
2009-11-05 11:05:51 ----D---- C:\Windows\Prefetch
2009-11-05 11:05:43 ----D---- C:\Windows\Temp
2009-11-05 11:05:07 ----D---- C:\Windows\System32
2009-11-05 11:05:07 ----D---- C:\Windows\inf
2009-11-05 11:05:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-05 10:59:14 ----D---- C:\Windows\system32\drivers
2009-11-05 10:57:27 ----SHD---- C:\System Volume Information
2009-11-05 10:44:22 ----D---- C:\Windows\system32\catroot2
2009-11-04 20:57:32 ----SHD---- C:\Windows\Installer
2009-11-04 20:56:56 ----RSD---- C:\Windows\assembly
2009-11-04 20:53:57 ----RSD---- C:\Windows\Fonts
2009-11-04 20:53:33 ----RD---- C:\Program Files
2009-11-04 20:50:44 ----D---- C:\Program Files\Java
2009-11-04 12:48:04 ----D---- C:\Program Files\Common Files\microsoft shared
2009-11-04 12:48:02 ----D---- C:\Program Files\Common Files\System
2009-11-04 12:47:51 ----D---- C:\Windows
2009-11-04 12:47:50 ----D---- C:\Program Files\Common Files
2009-11-04 11:32:37 ----D---- C:\Windows\winsxs
2009-11-03 07:31:00 ----D---- C:\Windows\system32\catroot
2009-11-02 11:30:27 ----HD---- C:\ProgramData
2009-10-28 10:49:27 ----D---- C:\Windows\rescache
2009-10-28 10:36:46 ----D---- C:\Windows\system32\en-US
2009-10-28 10:36:45 ----D---- C:\Program Files\Windows Media Player
2009-10-26 23:34:47 ----D---- C:\Program Files\Mozilla Firefox
2009-10-26 22:43:59 ----A---- C:\Windows\ntbtlog.txt
2009-10-26 21:56:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-14 15:18:12 ----D---- C:\Windows\Microsoft.NET
2009-10-14 15:06:00 ----D---- C:\Program Files\Internet Explorer
2009-10-14 15:05:52 ----D---- C:\Program Files\Windows Mail
2009-10-14 10:57:02 ----D---- C:\Program Files\Microsoft Works

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 dsunidrv;DellSupport UniDriver; C:\Windows\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-15 1744928]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-03-15 1059112]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-02 7460320]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2007-03-23 129832]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2009-10-26 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-02 118784]
R2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-19 70656]
S3 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-03 1862144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]

-----------------EOF-----------------

by **raina** » November 5th, 2009, 1:19 pm

info.txt logfile of random's system information tool 1.06 2009-11-05 11:06:05

======Uninstall list======

Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AOL Install-->MsiExec.exe /I{2357B8BC-88C9-4A72-818C-050CC4EB0778}
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
CueCard (remove only)-->"C:\Program Files\CueCard\uninst.exe"
Dell DataSafe Online-->MsiExec.exe /I{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}
Dell Support Center-->MsiExec.exe /I{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
EarthLink Setup Files-->MsiExec.exe /X{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Games, Music, & Photos Launcher-->MsiExec.exe /I{3E25E350-949F-4DB7-8288-2A60E018B4C1}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Heroes of Might and Magic® III Complete-->C:\Windows\IsUninst.exe -f"C:\Program Files\3DO\Heroes 3 Complete\Heroes of Might and Magic® III.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Internet Service Offers Launcher-->MsiExec.exe /I{CCFF1E13-77A2-4032-8B12-7566982A27DF}
Java(TM) 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
jZip-->C:\PROGRA~1\jZip\UNWISE.EXE /U C:\PROGRA~1\jZip\INSTALL.LOG
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MemoryLifter2-->MsiExec.exe /X{58D297A5-4AD9-4904-AACF-7675DB21BA9A}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MUSHclient (remove only)-->C:\Program Files\MUSHclient\uninstall.exe
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIANetworkDiagnostic-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EFAD4066-CAF3-4B27-9669-12EED352C376}
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Product Documentation Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Yahoo! Music Jukebox-->MsiExec.exe /X{7C49EA42-5647-4051-84C2-E6404F25A931}
zMUD 7.21.0.0-->C:\Program Files\zMUD\uninst.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: dawn-PC
Event Code: 3006
Message: Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=145414
Scan ID: {806E14A3-6A08-4FBF-9803-90A09443815A}
User: dawn-PC\dawn
Name: Trojan:Win32/Vundo.gen!BQ
ID: 145414
Severity ID: 5
Category ID: 8
Path:
Alert Type: Spyware or other potentially unwanted software
Action: Remove
Error Code: 0x80508022
Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
Record Number: 204461
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091105165740.000000-000
Event Type: Error
User:

Computer Name: dawn-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=145414
Scan ID: {5B07E876-1810-4510-9E01-B45B70AF94A5}
User: dawn-PC\dawn
Name: Trojan:Win32/Vundo.gen!BQ
ID: 145414
Severity ID: 5
Category ID: 8
Path Found: process:pid:3932;file:c:\ProgramData\gekuhiri\gekuhiri.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 204463
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091105165747.000000-000
Event Type: Warning
User:

Computer Name: dawn-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=145414
Scan ID: {BFECBBB6-A527-433E-AC2A-778061D25948}
User: dawn-PC\dawn
Name: Trojan:Win32/Vundo.gen!BQ
ID: 145414
Severity ID: 5
Category ID: 8
Path Found: regkey:HKCU@S-1-5-21-3162089250-4011727672-1247853657-1000\Software\Microsoft\Windows\CurrentVersion\Run\\heniwojog;runkey:HKCU@S-1-5-21-3162089250-4011727672-1247853657-1000\Software\Microsoft\Windows\CurrentVersion\Run\\heniwojog;file:c:\ProgramData\gekuhiri\gekuhiri.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 204465
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091105165758.000000-000
Event Type: Warning
User:

Computer Name: dawn-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 204482
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20091105165937.838932-000
Event Type: Error
User:

Computer Name: dawn-PC
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Record Number: 204518
Source Name: Service Control Manager
Time Written: 20091105170105.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: dawn-PC
Event Code: 1
Message: The application (Acrobat Reader 7.*, from vendor Adobe) has the following problem: Acrobat Reader 7.* has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Adobe.
Record Number: 77657
Source Name: Microsoft-Windows-ApplicationExperienceInfrastructure
Time Written: 20091105002924.314400-000
Event Type: Warning
User: dawn-PC\dawn

Computer Name: dawn-PC
Event Code: 1
Message: The application (Acrobat Reader 7.*, from vendor Adobe) has the following problem: Acrobat Reader 7.* has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Adobe.
Record Number: 77675
Source Name: Microsoft-Windows-ApplicationExperienceInfrastructure
Time Written: 20091105030414.335200-000
Event Type: Warning
User: dawn-PC\dawn

Computer Name: dawn-PC
Event Code: 3003
Message: Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: dawn-PC\dawn
Checkpoint ID: 27
Error Code: 0x80070005
Error description: Access is denied.
Record Number: 77717
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091105165154.000000-000
Event Type: Error
User:

Computer Name: dawn-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {6e8b60c9-00ef-4f80-b299-4bc18746c9b8}
Record Number: 77733
Source Name: VSS
Time Written: 20091105165707.000000-000
Event Type: Error
User:

Computer Name: dawn-PC
Event Code: 3003
Message: Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: dawn-PC\dawn
Checkpoint ID: 27
Error Code: 0x80070005
Error description: Access is denied.
Record Number: 77760
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091105170030.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: dawn-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 55626
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091105170601.598932-000
Event Type: Audit Failure
User:

Computer Name: dawn-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 55627
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091105170601.692532-000
Event Type: Audit Failure
User:

Computer Name: dawn-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 55628
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091105170601.770532-000
Event Type: Audit Failure
User:

Computer Name: dawn-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 55629
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091105170601.864132-000
Event Type: Audit Failure
User:

Computer Name: dawn-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 55630
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091105170601.957732-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\jZip
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4f02
"NUMBER_OF_PROCESSORS"=1
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------

by **Cypher** » November 6th, 2009, 6:44 am

Hi raina.

I did download Open Office to replace my old Office software. I'll try to avoid any new installations from now on.

Thats fine but do try not to install any more software until your PC is clean

Fix HijackThis entries

Run HijackThis

If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".

If you are on the Main Menu page... Click "Do a system scan only"
If you are on the "scan & fix stuff" page... Press the Scan...button.
When the scan finishes...Place a check mark next to the following entries (if they are still present)
Note: Only check those items listed below.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [heniwojog] Rundll32.exe "c:\progra~2\gekuhiri\gekuhiri.dll",a
O4 - Global Startup: Mozilla Firefox
O15 - Trusted Zone: *.download.com
After checking these items... CLOSE ALL open windows except HijackThis.
Click the Fix Checked ...button...to remove the entries you checked.
Choose YES...when prompted to fix the selected items.
Once it has fixed them, close HijackThis and reboot your computer normally.

Next.

Download and run OTM

Download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe and chose "Run as administrator" to run it.
Paste the following code under the area. Do not include the word Code.
Code: Select all
```
:Files
C:\ProgramData\nelesoye
C:\ProgramData\gekuhiri
C:\ProgramData\yobuwiji
C:\ProgramData\moyofilu

:Commands
[emptytemp]
[Reboot]
```
- Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Push the large button.
- OTM may ask to reboot the machine. Please do so if asked.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
- Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
- Please read the disclaimer... click on Continue.
- RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. ( it will be maximized )
- Please post ONLY the "log.txt", file contents in your next reply.
  (This log can be lengthy, so a separate post may be needed.)

In your next reply.

1. OTM log.
2. RSIT log.txt.

by **raina** » November 6th, 2009, 1:48 pm

Compy is acting much better now. It actually let ERUNT run (or at least I didn't get the message saying it couldn't) for the first time, and is much faster, and I haven't seen any popups yet. I will wait until you tell me everything's fixed for sure, though, before I rejoice too much.

I was a little confused by your OTM instructions. I pasted the bit of code in the box you told me to just fine, but the next instruction said "Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste." and I couldn't figure out where that window was or what you meant. So I just clicked the MoveIt button. It seemed to do what I wanted, but I hope I didn't leave anything important out.

Here is my OTM file

All processes killed
========== FILES ==========
C:\ProgramData\nelesoye moved successfully.
C:\ProgramData\gekuhiri moved successfully.
C:\ProgramData\yobuwiji moved successfully.
C:\ProgramData\moyofilu moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: dawn
->Temp folder emptied: 948472498 bytes
->Temporary Internet Files folder emptied: 108606165 bytes
->Java cache emptied: 272563 bytes
->FireFox cache emptied: 21832688 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 34435328 bytes

Total Files Cleaned = 1062.03 mb

OTM by OldTimer - Version 3.0.0.6 log created on 11062009_113051

And here is my new RSIT log.txt file

Logfile of random's system information tool 1.06 (written by random/random)
Run by dawn at 2009-11-06 11:39:18
Microsoft® Windows Vista™ Home Basic Service Pack 1
System drive C: has 97 GB (68%) free of 142 GB
Total RAM: 958 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:25 AM, on 11/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\notepad.exe
C:\Users\dawn\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\dawn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5534 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-03-16 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-04 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-03-15 4390912]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-05-02 13535776]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-05-02 92704]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-04 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-03 1862144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\Windows\system32\NvCpl.dll [2008-05-02 13535776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2008-05-02 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
C:\Windows\system32\nvsvc.dll [2008-05-02 526880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton Internet Security\osCheck.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2007-03-15 4390912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe [2007-05-14 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe [2006-11-03 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l []

C:\Users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed469daf-4195-11dc-8ad3-806e6f6e6963}]
shell\AutoRun\command - E:\_AUTORUN\AUTORUN.EXE
shell\instDX\command - E:\directX\dxsetup.exe
shell\readme\command - notepad readme.txt

======List of files/folders created in the last 1 months======

2009-11-06 11:30:51 ----D---- C:\_OTM
2009-11-06 11:19:35 ----A---- C:\Windows\system32\wups2.dll
2009-11-06 11:19:35 ----A---- C:\Windows\system32\wucltux.dll
2009-11-06 11:19:35 ----A---- C:\Windows\system32\wuaueng.dll
2009-11-06 11:19:35 ----A---- C:\Windows\system32\wuauclt.exe
2009-11-06 11:19:09 ----A---- C:\Windows\system32\wups.dll
2009-11-06 11:19:09 ----A---- C:\Windows\system32\wudriver.dll
2009-11-06 11:19:09 ----A---- C:\Windows\system32\wuapi.dll
2009-11-06 11:18:55 ----A---- C:\Windows\system32\wuwebv.dll
2009-11-06 11:18:55 ----A---- C:\Windows\system32\wuapp.exe
2009-11-05 11:05:41 ----D---- C:\rsit
2009-11-04 21:04:31 ----D---- C:\Users\dawn\AppData\Roaming\OpenOffice.org
2009-11-04 20:53:33 ----D---- C:\Program Files\JRE
2009-11-04 20:52:43 ----D---- C:\Program Files\OpenOffice.org 3
2009-11-04 20:51:30 ----A---- C:\Windows\system32\javaws.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\javaw.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\java.exe
2009-11-04 20:51:30 ----A---- C:\Windows\system32\deploytk.dll
2009-11-04 20:47:09 ----D---- C:\Program Files\readmes
2009-11-04 20:47:09 ----D---- C:\Program Files\licenses
2009-11-04 20:47:06 ----D---- C:\Program Files\redist
2009-11-03 07:32:42 ----A---- C:\Windows\system32\mshtml.dll
2009-11-02 11:31:49 ----D---- C:\MGADiagToolOutput
2009-11-02 11:30:27 ----D---- C:\ProgramData\Office Genuine Advantage
2009-10-27 12:36:27 ----D---- C:\Rooter$
2009-10-27 12:32:51 ----D---- C:\Windows\ERDNT
2009-10-27 12:31:49 ----D---- C:\Program Files\ERUNT
2009-10-27 11:57:29 ----A---- C:\Windows\system32\wmp.dll
2009-10-27 11:57:26 ----A---- C:\Windows\system32\unregmp2.exe
2009-10-27 11:57:21 ----A---- C:\Windows\system32\wmploc.DLL
2009-10-26 23:23:51 ----D---- C:\Program Files\Trend Micro
2009-10-26 17:03:37 ----D---- C:\Program Files\Lavasoft
2009-10-26 17:03:36 ----D---- C:\ProgramData\Lavasoft
2009-10-26 17:02:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-10-26 10:57:06 ----D---- C:\ProgramData\mavozebu
2009-10-13 15:59:52 ----A---- C:\Windows\system32\msv1_0.dll
2009-10-13 15:59:52 ----A---- C:\Windows\system32\lsass.exe
2009-10-13 15:59:44 ----A---- C:\Windows\system32\wininet.dll
2009-10-13 15:59:44 ----A---- C:\Windows\system32\occache.dll
2009-10-13 15:59:43 ----A---- C:\Windows\system32\urlmon.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\iertutil.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\ieframe.dll
2009-10-13 15:59:42 ----A---- C:\Windows\system32\ieapfltr.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\msfeeds.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\iedkcs32.dll
2009-10-13 15:59:41 ----A---- C:\Windows\system32\ieaksie.dll
2009-10-13 15:59:40 ----A---- C:\Windows\system32\ieUnatt.exe
2009-10-13 15:59:39 ----A---- C:\Windows\system32\mstime.dll
2009-10-13 15:59:39 ----A---- C:\Windows\system32\ieencode.dll
2009-10-13 15:59:38 ----A---- C:\Windows\system32\jsproxy.dll
2009-10-13 15:59:10 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-10-13 15:59:10 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-10-13 15:58:35 ----A---- C:\Windows\system32\msasn1.dll
2009-10-13 15:58:25 ----A---- C:\Windows\system32\WMSPDMOD.DLL

======List of files/folders modified in the last 1 months======

2009-11-06 11:39:24 ----D---- C:\Windows\Temp
2009-11-06 11:32:09 ----D---- C:\Windows\Prefetch
2009-11-06 11:31:49 ----D---- C:\Windows\System32
2009-11-06 11:31:49 ----D---- C:\Windows\inf
2009-11-06 11:31:49 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-06 11:30:52 ----HD---- C:\ProgramData
2009-11-06 11:24:15 ----D---- C:\Windows\system32\en-US
2009-11-06 11:21:25 ----D---- C:\Windows\winsxs
2009-11-06 11:20:01 ----D---- C:\Windows\system32\catroot
2009-11-06 11:18:47 ----SHD---- C:\System Volume Information
2009-11-05 12:26:49 ----D---- C:\Windows\system32\LogFiles
2009-11-05 10:59:14 ----D---- C:\Windows\system32\drivers
2009-11-05 10:44:22 ----D---- C:\Windows\system32\catroot2
2009-11-04 20:57:32 ----SHD---- C:\Windows\Installer
2009-11-04 20:56:56 ----RSD---- C:\Windows\assembly
2009-11-04 20:53:57 ----RSD---- C:\Windows\Fonts
2009-11-04 20:53:33 ----RD---- C:\Program Files
2009-11-04 20:50:44 ----D---- C:\Program Files\Java
2009-11-04 12:48:04 ----D---- C:\Program Files\Common Files\microsoft shared
2009-11-04 12:48:02 ----D---- C:\Program Files\Common Files\System
2009-11-04 12:47:51 ----D---- C:\Windows
2009-11-04 12:47:50 ----D---- C:\Program Files\Common Files
2009-10-28 10:49:27 ----D---- C:\Windows\rescache
2009-10-28 10:36:45 ----D---- C:\Program Files\Windows Media Player
2009-10-26 23:34:47 ----D---- C:\Program Files\Mozilla Firefox
2009-10-26 22:43:59 ----A---- C:\Windows\ntbtlog.txt
2009-10-26 21:56:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-14 15:18:12 ----D---- C:\Windows\Microsoft.NET
2009-10-14 15:06:00 ----D---- C:\Program Files\Internet Explorer
2009-10-14 15:05:52 ----D---- C:\Program Files\Windows Mail
2009-10-14 10:57:02 ----D---- C:\Program Files\Microsoft Works

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 dsunidrv;DellSupport UniDriver; C:\Windows\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-15 1744928]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-03-15 1059112]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-02 7460320]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2007-03-23 129832]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2009-10-26 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-02 118784]
R2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-19 70656]
S3 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-08-03 1862144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]

-----------------EOF-----------------

by **Cypher** » November 7th, 2009, 7:42 am

Hi raina.
Good work so far :thumbup:

Add/Remove programs

Click on Start
All programs
Accessories
Run
In the open text box copy/paste appwiz.cpl Then click Ok.
Uninstall the following

Adobe Reader 7.0.9

Next.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.

Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
Save this file to your desktop and run it to install the latest version of Adobe Reader.

Next.

Re-run OTM

Right-click OTM.exe And select " Run as administrator " to run it.
Paste the following code under the area. Do not include the word Code.
Code: Select all
```
:Files
C:\ProgramData\mavozebu

:Commands
[emptytemp]
[Reboot]
```
- Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Push the large button.
- OTM may ask to reboot the machine. Please do so if asked.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
- Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
- Please read the disclaimer... click on Continue.
- RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. ( it will be maximized )
- Please post ONLY the "log.txt", file contents in your next reply.
  (This log can be lengthy, so a separate post may be needed.)
Next.

Please Download SysProt Antirootkit
you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors.

Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select all items and check Hidden Objects Only at the bottom of the window.
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Next.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
- Please go Here then click on:
  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Now click on:
- The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
- Now click on:
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.

In your next reply.

1. OTM log.
2. RSIT log.txt
3. Sysprot log.
4. ESET log.
5. Please let me know how your computer is performing now.

Free Malware Removal Forum

getting popup ads - hijackthis log

getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Re: getting popup ads - hijackthis log

Who is online