HiJackThis Log + strange net behavior.


Post by Chevalier » April 26th, 2009, 3:55 pm

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:53 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS.0\system32\svchost.exe
c:\WINDOWS.0\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\ctfmon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - C:\WINDOWS.0\system32\fagometo.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-20\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O20 - AppInit_DLLs: c:\windows.0\system32\norefose.dll,C:\WINDOWS.0\system32\melidawa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 4559 bytes

-----------------------------------------------------------------
My issue is that I seem to have a virus (or several) that appears to be affecting my computer's ability to access the internet. My main browser is Chrome (fully updated), but it used to be FireFox. I'm currently writing this post in FireFox, as Chrome refuses to load webpages anymore (possibly related to this). When I use FF now, I get pop-ups every so often for (obviously fake) Registry scrubbers, firewalls, etc. that I'm pretty sure are also related to the virus.

I tried Hi-Jack This after I ran a few virus scans and I was still having problems. I'm using an up-to-date version of Avast! Home Edition 4.8 for my main anti-virus protection. It's on and monitoring constantly. A scan with it turned up nothing. Then I tried using Ad-Aware SE, but my virus definition is 108 days old and I don't know how effective it was. I tried updating my definition file, but when my computer attempted to connect to Lavasoft's servers it would never progress past 5% in the update. Ad-Aware removed a number of tracking cookies and some registry keys.

If you need any other information, I'll be happy to provide it. I'm out of my league here at this point, so hopefully someone can help me.

Fake Edit: Actually, as I type this, Avast is repeatedly giving me warning screens about two rootkits it claims to have found. They are called C:\Windows.0\system32\melidawa.dll and C:\Windows.0\system32\gohulayo.dll. It doesn't appear to be able to delete them, and I have no idea what the implications of following the recommended "move to chest" action are. After this post I'll be replying from another PC. I don't think this is safe to use at all anymore.
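The log above is a textbook case of the pattern the helper later calls the "one big stinger": several eight-letter pseudo-random DLLs in system32, each loaded by rundll32 from a Run key, one of them also injected into every GUI process through AppInit_DLLs (O20), and the same CLSID registered under both ShellServiceObjectDelayLoad (O21) and SharedTaskScheduler (O22) so that Explorer reloads it even if the Run keys are cleaned. The following Python script is an added example of mine, not part of the original post and not HijackThis code; it runs over lines copied from the first log above, so it works offline. The consonant/vowel naming heuristic, the severity labels and the section rules are my own assumptions, not anything the thread states.

```python
"""Triage a HijackThis 2.x log for the persistence pattern seen in this thread.

Added example; not from the original post or from HijackThis. The heuristics
below (8-letter consonant/vowel names, which O-sections matter, severities)
are the author's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - C:\WINDOWS.0\system32\fagometo.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s
O4 - HKUS\S-1-5-20\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows.0\system32\norefose.dll,C:\WINDOWS.0\system32\melidawa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
"""

# Assumption: the dropper family in this thread names its modules with eight
# alternating consonant/vowel letters (norefose.dll, gohulayo.dll, ...).
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|exe)$", re.I)
# A drive-letter path ending in .dll/.exe; quotes and commas end a path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:dll|exe)", re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(path):
    """True if the file name matches the pseudo-random naming heuristic."""
    return bool(RANDOM_NAME.match(basename(path)))


def triage(log_text):
    """Return suspect file names and (severity, section, reason, detail) findings."""
    findings = []
    suspects = set()
    clsid_owner = defaultdict(list)  # CLSID -> [(section, path)]

    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
        paths = PATH_RE.findall(line)
        random_paths = [p for p in paths if looks_random(p)]
        suspects.update(basename(p) for p in random_paths)

        if section == "O2" and "(file missing)" in line:
            findings.append(("medium", section, "orphaned BHO (file missing)", line))
        if section == "O4" and "rundll32" in line.lower() and random_paths:
            findings.append(("high", section, "rundll32 loads random-named DLL", line))
        if section == "O20" and "AppInit_DLLs:" in line and paths:
            findings.append(("high", section, "AppInit_DLLs injects into every GUI process", line))
        if section in ("O21", "O22"):
            for clsid in CLSID_RE.findall(line):
                clsid_owner[clsid.upper()].append((section, paths[0] if paths else ""))
        if section not in ("O2", "O4", "O20") and random_paths:
            findings.append(("medium", section, "random-named module", line))

    # One CLSID registered as both SSODL (O21) and SharedTaskScheduler (O22)
    # means Explorer itself reloads the DLL, independent of the Run keys.
    for clsid, owners in clsid_owner.items():
        if {"O21", "O22"} <= {s for s, _ in owners}:
            findings.append(("high", "O21/O22",
                             f"CLSID {clsid} registered as both SSODL and STS", owners[0][1]))

    return {"suspect_files": sorted(suspects), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("suspect files:", ", ".join(result["suspect_files"]))
    for severity, section, reason, detail in result["findings"]:
        print(f"[{severity:6}] {section:7} {reason}: {detail}")
```

Run against the sample it lists five suspect files (buyefalo, fagometo, gohulayo, melidawa, norefose) and six high-severity findings; the two that matter most for cleanup are the O20 entry, because AppInit_DLLs makes the module load into every process that links user32.dll, and the shared O21/O22 CLSID, which is why removing only the Run keys would not have fixed this machine.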

Re: HiJackThis Log + strange net behavior.

Post by MWR 3 day Mod » April 30th, 2009, 2:50 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: HiJackThis Log + strange net behavior.

Post by Odd dude » May 2nd, 2009, 8:14 am

Hi, Chevalier

Sorry for the long wait - so many users, so little time....

It actually doesn't look too bad - I so far only see one big stinger in there.
If I'm right, this will make the pop-ups go away and it will take out those files Avast mentioned.
This virus which I'm seeing shouldn't affect your Google Chrome, so we may need to dig a little deeper afterwards.

Temporarily disable Avast
We need to temporarily disable Avast, so it won't interfere with what we need to do.

  • Right click the Avast tray icon and choose Stop on-access protection
  • Right click the tray icon again and click Program settings
  • On the left, click Troubleshooting
  • Check the box next to Disable avast! self-defense module
  • Click OK

Do not forget to reverse this process before going back on-line!

Disable the Avast self-defence module
The Avast self-defence module can cause blue screen errors when certain tools attempt to terminate Avast.

  • Launch Avast by double-clicking the tray icon
  • Click Menu > Settings > Troubleshooting
  • Put a check next to Disable Avast self-defence module and click OK
  • Close the program

Do not forget to reverse this process before going back on-line!

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!


  • Download ComboFix from here and save it to your desktop.
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running! (Unless ComboFix needs you to do something ;))
  • When finished, the report will open. Reenable your protection software and post the log in your next reply.

If you cannot connect to the internet after running ComboFix, plug the cable/receiver/whatever you use to connect to the internet out and back in.


I would like you to post the ComboFix log, along with a new hijackthis log.

After you ran ComboFix there should be a file called C:\QooBox\Add-Remove Programs.txt
If you can find it, please attach it to your next post, using the Upload attachment screen you will see below the Submit button.

So I'm looking for:
- The combofix log
- A new hijackthis log
- (attached) Add-RemovePrograms.txt

Re: HiJackThis Log + strange net behavior.

Post by Chevalier » May 2nd, 2009, 7:27 pm

Hey Odd,

We're all busy people here. No apologies needed :D

The ComboFix Log:

ComboFix 09-05-02.4 - *Name Removed* 05/02/2009 18:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1512 [GMT -4:00]
Running from: c:\documents and settings\*Name Removed*\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090426-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows.0\system32\1589610.dll
c:\windows.0\system32\17718422.dll
c:\windows.0\system32\23402631.dll
c:\windows.0\system32\6605560.dll
c:\windows.0\system32\8195444.dll
c:\windows.0\system32\anumekav.ini
c:\windows.0\system32\buyefalo.dll
c:\windows.0\system32\norefose.dll
c:\windows.0\system32\olafeyub.ini
c:\windows.0\system32\peyubisu.dll
c:\windows.0\system32\vakemuna.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-26 18:48 . 2009-04-26 18:48 -------- d-----w c:\program files\Trend Micro
2009-04-26 04:10 . 2009-04-26 04:10 -------- d-sh--w c:\documents and settings\*Name Removed*\PrivacIE
2009-04-20 20:39 . 2009-04-20 20:39 -------- d-----w c:\documents and settings\*Second Name Removed*\.ApacheDirectoryStudio
2009-04-20 19:20 . 2009-04-20 19:20 -------- d-----w c:\documents and settings\*Second Name Removed\Application Data\vlc
2009-04-20 18:40 . 2009-04-25 21:10 -------- d-----w c:\program files\Apache Directory Studio
2009-04-15 18:14 . 2009-03-06 14:22 284160 -c----w c:\windows.0\system32\dllcache\pdh.dll
2009-04-15 18:14 . 2009-02-09 12:10 401408 -c----w c:\windows.0\system32\dllcache\rpcss.dll
2009-04-15 18:14 . 2009-02-06 11:11 110592 -c----w c:\windows.0\system32\dllcache\services.exe
2009-04-15 18:14 . 2009-02-09 12:10 473600 -c----w c:\windows.0\system32\dllcache\fastprox.dll
2009-04-15 18:14 . 2009-02-06 10:10 227840 -c----w c:\windows.0\system32\dllcache\wmiprvse.exe
2009-04-15 18:14 . 2009-02-09 12:10 453120 -c----w c:\windows.0\system32\dllcache\wmiprvsd.dll
2009-04-15 18:14 . 2009-02-09 12:10 729088 -c----w c:\windows.0\system32\dllcache\lsasrv.dll
2009-04-15 18:14 . 2009-02-09 12:10 617472 -c----w c:\windows.0\system32\dllcache\advapi32.dll
2009-04-15 18:14 . 2009-02-09 12:10 714752 -c----w c:\windows.0\system32\dllcache\ntdll.dll
2009-04-15 18:14 . 2008-05-03 11:55 2560 ------w c:\windows.0\system32\xpsp4res.dll
2009-04-15 18:13 . 2008-04-21 12:08 215552 -c----w c:\windows.0\system32\dllcache\wordpad.exe
2009-04-14 19:13 . 2009-04-14 19:13 -------- d-----w c:\documents and settings\*Second Name Removed*\Application Data\PC Suite
2009-04-14 18:17 . 2009-04-14 18:17 41808 ----a-w c:\windows.0\system32\xfcodec.dll
2009-04-13 23:16 . 2009-04-13 23:16 -------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\PC Suite
2009-04-13 23:16 . 2009-04-13 23:16 -------- d-----w c:\documents and settings\*Name Removed*\Application Data\PC Suite
2009-04-05 18:27 . 2009-04-05 18:27 -------- d-----w c:\documents and settings\*Second Name Removed*\.thumbnails
2009-04-05 18:27 . 2009-04-15 19:02 -------- d-----w c:\documents and settings\*Second Name Removed*\.gimp-2.6
2009-04-05 18:27 . 2009-04-05 18:27 -------- d-----w c:\documents and settings\*Second Name Removed*\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 23:02 . 2006-07-16 00:21 6 ---ha-w c:\windows.0\Tasks\SA.DAT
2009-04-28 17:53 . 2007-07-03 16:47 -------- d-----w c:\program files\Azureus
2009-04-26 22:06 . 2008-06-30 22:54 -------- d-----w c:\program files\Xfire
2009-04-26 19:52 . 2006-09-04 14:41 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-26 19:24 . 2008-12-30 01:24 950 ----a-w c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1935655697-839522115-1004.job
2009-04-26 16:10 . 2009-01-26 16:10 59904 --sha-w c:\windows.0\system32\mutirira.exe
2009-04-26 04:10 . 2009-01-26 04:10 59392 --sha-w c:\windows.0\system32\famuheno.exe
2009-04-25 18:52 . 2008-08-30 16:16 -------- d-----w c:\program files\mIRC
2009-04-15 15:51 . 2006-07-02 16:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 23:15 . 2009-04-13 23:14 -------- d-----w c:\program files\Samsung
2009-04-13 23:15 . 2009-04-13 23:15 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-27 01:38 . 2006-08-21 01:22 59008 ----a-w c:\documents and settings\*Name Removed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 00:17 . 2009-03-23 00:17 -------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-21 13:44 . 2006-09-26 23:53 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-18 19:41 . 2008-06-17 18:59 -------- d-----w c:\program files\Steam
2009-03-18 19:34 . 2006-07-15 20:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-18 19:29 . 2008-10-11 15:25 -------- d-----w c:\program files\Mount&Blade
2009-03-18 19:28 . 2006-07-15 20:47 -------- d-----w c:\program files\Creative
2009-03-08 08:34 . 2004-08-04 12:00 914944 ----a-w c:\windows.0\system32\wininet.dll
2009-03-08 08:34 . 2004-08-04 12:00 43008 ----a-w c:\windows.0\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-04 12:00 18944 ----a-w c:\windows.0\system32\corpol.dll
2009-03-08 08:33 . 2004-08-04 12:00 420352 ----a-w c:\windows.0\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-04 12:00 72704 ----a-w c:\windows.0\system32\admparse.dll
2009-03-08 08:32 . 2004-08-04 12:00 71680 ----a-w c:\windows.0\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-04 12:00 34816 ----a-w c:\windows.0\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-04 12:00 48128 ----a-w c:\windows.0\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-04 12:00 45568 ----a-w c:\windows.0\system32\mshta.exe
2009-03-08 08:22 . 2004-08-04 12:00 156160 ----a-w c:\windows.0\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows.0\system32\pdh.dll
2009-03-04 00:42 . 2009-03-03 01:44 34 ----a-w c:\documents and settings\*Third Name Removed*\jagex_runescape_preferences.dat
2009-02-19 13:34 . 2009-04-13 23:15 233472 ----a-w c:\windows.0\system32\FsUsbExService.Exe
2009-02-19 13:34 . 2009-04-13 23:15 36608 ----a-w c:\windows.0\system32\FsUsbExDisk.Sys
2009-02-19 13:34 . 2009-04-13 23:15 110592 ----a-w c:\windows.0\system32\FsUsbExDevice.Dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows.0\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows.0\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows.0\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows.0\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows.0\system32\win32k.sys
2009-02-07 23:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows.0\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows.0\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows.0\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows.0\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows.0\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"Google Update"="c:\documents and settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]

c:\documents and settings\*Second Name Removed*\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS.0\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\clj3800winprnsys\\Temp\\InstEng\\Setup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*name removed*\\zombie panic! source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 FsUsbExDisk;FsUsbExDisk;c:\windows.0\system32\FsUsbExDisk.SYS [2009-02-19 36608]
R3 gbalink;GBA Link Driver (gbalink.sys);c:\windows.0\system32\Drivers\gbalink.sys [2001-03-08 19677]
R3 PortTalk;PortTalk;c:\windows.0\system32\Drivers\PortTalk.sys [2002-01-12 3567]
R3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows.0\system32\Drivers\TiglUsb.sys [2006-02-11 17024]
R4 FsUsbExService;FsUsbExService;c:\windows.0\system32\FsUsbExService.Exe [2009-02-19 233472]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 viasraid;viasraid;c:\windows.0\system32\DRIVERS\viasraid.sys [2004-04-28 77312]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows.0\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows.0\system32\DRIVERS\getnd5b.sys [2003-09-02 44032]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d8-5799-11dd-995d-00508debb752}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d9-5799-11dd-995d-00508debb752}]
\Shell\AutoRun\command - F:\StartPortableApps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows.0\system32\rundll32.exe" "c:\windows.0\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1935655697-839522115-1004.job
- c:\documents and settings\*name removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 00:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - c:\windows.0\system32\fagometo.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-sogasozile - c:\windows.0\system32\gohulayo.dll
HKLM-Run-NPSStartup - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
FF - ProfilePath - c:\documents and settings\*name removed*\Application Data\Mozilla\Firefox\Profiles\ql4wwgrf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... rab&query=
FF - component: c:\documents and settings\*name removed*\Application Data\Mozilla\Firefox\Profiles\ql4wwgrf.default\extensions\ubiquity@labs.mozilla.com\platform\WINNT_x86-msvc\components\ubiquity.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS.0\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\*name removed*\Application Data\Mozilla\Firefox\Profiles\ql4wwgrf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\*name removed*\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, );user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.12
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1935655697-839522115-1004\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"="0 0.0965 0.2824 0.4212 0.5318 0.6753 0.6824 "
"Increment"=".016129"
"FRT"="TtSwhFNsJIiOj2/8w93rvtSll1UEbSPW7BMyEa9ukZy63wn0Xb+Pqw=="
"PLCK"="b4syOoSEzWw7QadghNR27VbnXZjrEqCM"
"PHSH"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(240)
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\OneX.DLL
c:\windows.0\system32\eappprxy.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\WPDShServiceObj.dll
c:\windows.0\system32\PortableDeviceTypes.dll
c:\windows.0\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows.0\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows.0\system32\ZuneBusEnum.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-02 19:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 23:06

Pre-Run: 32,790,626,304 bytes free
Post-Run: 34,612,781,056 bytes free

239 --- E O F --- 2009-04-16 13:01

==================================================================================


New HiJackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:49 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS.0\system32\svchost.exe
c:\WINDOWS.0\system32\ZuneBusEnum.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 4347 bytes

Attached is the QooBox log. I should note (after reading all of the stickies) that I did have the version of Azureus that was marked unsafe on my computer but I uninstalled it several weeks ago. Other than that, I don't think I have any file sharing clients or other forbidden programs left on my computer. Is there anything left behind by that program that needs to be deleted manually or anything?
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread post by Odd dude » May 3rd, 2009, 3:29 am

Is there anything left behind by that program that needs to be deleted manually or anything?

Just one folder, and I'll have Combofix take it out for you :)

Run CFScript
Open notepad and copy/paste the following to it:

folder::
c:\program files\Azureus

file::
c:\windows.0\system32\mutirira.exe
c:\windows.0\system32\famuheno.exe

registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

reglock::
[HKEY_USERS\S-1-5-21-776561741-1935655697-839522115-1004\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix


ComboFix will run again, please be patient and post the log like usual.


Submit a file for analysis
We need to have something checked for malware. Please go to Jotti's.
  • Click Browse next to File to upload & scan and copy and paste the first line of the following list into the browse box:
    c:\windows.0\system32\FsUsbExDisk.Sys
  • Click Submit. The file will now be scanned for malware and the results will be displayed on the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to notepad.
  • Repeat this procedure for any other files I have listed.
  • Copy and paste the whole notepad file you just made into your reply.



Do you recognize this program: er100LT?
My research has not really been helpful. If you don't recognize the program, you should uninstall it.

Please uninstall the following outdated software:
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
J2SE Development Kit 5.0 Update 7
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Download and install the newest Adobe Reader from here.
Download and install the latest Java from here. The site is a bit confusing; this is what you should do:
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Choose the correct Platform. Also, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Now, click Continue.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Now close all other windows, including Internet Explorer.
  • You can now install Java by double-clicking the executable you just downloaded.


Post back:
- Combofix log
- Log from the virus check from Jotti

Also - one last question - your hijackthis log is still showing traces of an old OpenOffice 2.0. Is it OK if I clean that up in my next post, or do you still use version 2.0?
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: HiJackThis Log + strange net behavior.

Unread post by Chevalier » May 3rd, 2009, 4:24 pm

ComboFix Log:

ComboFix 09-05-02.4 - *Name Removed* 05/03/2009 15:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1634 [GMT -4:00]
Running from: c:\documents and settings\*Name Removed*\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\*Name Removed*\Desktop\cfscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090502-0] *On-access scanning disabled* (Updated)

FILE ::
c:\windows.0\system32\famuheno.exe
c:\windows.0\system32\mutirira.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Azureus
c:\program files\Azureus\.install4j\_shfoldr.dll
c:\program files\Azureus\.install4j\autoUninstall.0
c:\program files\Azureus\.install4j\files.log
c:\program files\Azureus\.install4j\i4j_extf_0_5p83tu.utf8
c:\program files\Azureus\.install4j\i4j_extf_1_5p83tu_jhp9vg.png
c:\program files\Azureus\.install4j\i4j_extf_2_5p83tu.txt
c:\program files\Azureus\.install4j\i4j_extf_3_5p83tu_1kde336.ico
c:\program files\Azureus\.install4j\i4j_extf_4_5p83tu_62t8mu.icns
c:\program files\Azureus\.install4j\i4jdel.exe
c:\program files\Azureus\.install4j\i4jinst.dll
c:\program files\Azureus\.install4j\i4jparams.conf
c:\program files\Azureus\.install4j\i4jruntime.jar
c:\program files\Azureus\.install4j\inst_jre.cfg
c:\program files\Azureus\.install4j\install.prop
c:\program files\Azureus\.install4j\installation.log
c:\program files\Azureus\.install4j\installer.png
c:\program files\Azureus\.install4j\installerHeader.png
c:\program files\Azureus\.install4j\MessagesDefault
c:\program files\Azureus\.install4j\response.varfile
c:\program files\Azureus\.install4j\unicows.dll
c:\program files\Azureus\.install4j\uninstallerHeader.png
c:\program files\Azureus\.install4j\user.jar
c:\program files\Azureus\AzureusUpdater.exe
c:\program files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
c:\program files\Azureus\plugins\azrating\azrating_1.3.1.jar
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.4.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
c:\program files\Azureus\plugins\azupdater\plugin.properties
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.5
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.8
c:\program files\Azureus\plugins\azupdater\Updater.jar
c:\program files\Azureus\plugins\azupdater\Updater.jar.bak
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\program files\Azureus\plugins\azupnpav\plugin.properties
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\program files\Azureus\uninstall.exe
c:\windows.0\system32\famuheno.exe
c:\windows.0\system32\mutirira.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-04-26 18:48 . 2009-04-26 18:48 -------- d-----w c:\program files\Trend Micro
2009-04-26 04:10 . 2009-04-26 04:10 -------- d-sh--w c:\documents and settings\*Name Removed*\PrivacIE
2009-04-20 20:39 . 2009-04-20 20:39 -------- d-----w c:\documents and settings\*Name Removed*\.ApacheDirectoryStudio
2009-04-20 19:20 . 2009-04-20 19:20 -------- d-----w c:\documents and settings\*Name Removed*\Application Data\vlc
2009-04-20 18:40 . 2009-05-03 17:51 -------- d-----w c:\program files\Apache Directory Studio
2009-04-15 18:14 . 2009-03-06 14:22 284160 -c----w c:\windows.0\system32\dllcache\pdh.dll
2009-04-15 18:14 . 2009-02-09 12:10 401408 -c----w c:\windows.0\system32\dllcache\rpcss.dll
2009-04-15 18:14 . 2009-02-06 11:11 110592 -c----w c:\windows.0\system32\dllcache\services.exe
2009-04-15 18:14 . 2009-02-09 12:10 473600 -c----w c:\windows.0\system32\dllcache\fastprox.dll
2009-04-15 18:14 . 2009-02-06 10:10 227840 -c----w c:\windows.0\system32\dllcache\wmiprvse.exe
2009-04-15 18:14 . 2009-02-09 12:10 453120 -c----w c:\windows.0\system32\dllcache\wmiprvsd.dll
2009-04-15 18:14 . 2009-02-09 12:10 729088 -c----w c:\windows.0\system32\dllcache\lsasrv.dll
2009-04-15 18:14 . 2009-02-09 12:10 617472 -c----w c:\windows.0\system32\dllcache\advapi32.dll
2009-04-15 18:14 . 2009-02-09 12:10 714752 -c----w c:\windows.0\system32\dllcache\ntdll.dll
2009-04-15 18:14 . 2008-05-03 11:55 2560 ------w c:\windows.0\system32\xpsp4res.dll
2009-04-15 18:13 . 2008-04-21 12:08 215552 -c----w c:\windows.0\system32\dllcache\wordpad.exe
2009-04-14 19:13 . 2009-04-14 19:13 -------- d-----w c:\documents and settings\*Name Removed*\Application Data\PC Suite
2009-04-14 18:17 . 2009-04-14 18:17 41808 ----a-w c:\windows.0\system32\xfcodec.dll
2009-04-13 23:16 . 2009-04-13 23:16 -------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\PC Suite
2009-04-13 23:16 . 2009-04-13 23:16 -------- d-----w c:\documents and settings\*Name Removed*\Application Data\PC Suite
2009-04-05 18:27 . 2009-04-05 18:27 -------- d-----w c:\documents and settings\*Name Removed*\.thumbnails
2009-04-05 18:27 . 2009-04-15 19:02 -------- d-----w c:\documents and settings\*Name Removed*\.gimp-2.6
2009-04-05 18:27 . 2009-04-05 18:27 -------- d-----w c:\documents and settings\*Name Removed*\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 19:43 . 2006-07-16 00:21 6 ---ha-w c:\windows.0\Tasks\SA.DAT
2009-04-26 22:06 . 2008-06-30 22:54 -------- d-----w c:\program files\Xfire
2009-04-26 19:52 . 2006-09-04 14:41 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-26 19:24 . 2008-12-30 01:24 950 ----a-w c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1935655697-839522115-1004.job
2009-04-25 18:52 . 2008-08-30 16:16 -------- d-----w c:\program files\mIRC
2009-04-15 15:51 . 2006-07-02 16:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 23:15 . 2009-04-13 23:14 -------- d-----w c:\program files\Samsung
2009-04-13 23:15 . 2009-04-13 23:15 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-27 01:38 . 2006-08-21 01:22 59008 ----a-w c:\documents and settings\*Name Removed*\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 00:17 . 2009-03-23 00:17 -------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-21 13:44 . 2006-09-26 23:53 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-18 19:41 . 2008-06-17 18:59 -------- d-----w c:\program files\Steam
2009-03-18 19:34 . 2006-07-15 20:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-18 19:29 . 2008-10-11 15:25 -------- d-----w c:\program files\Mount&Blade
2009-03-18 19:28 . 2006-07-15 20:47 -------- d-----w c:\program files\Creative
2009-03-08 08:34 . 2004-08-04 12:00 914944 ----a-w c:\windows.0\system32\wininet.dll
2009-03-08 08:34 . 2004-08-04 12:00 43008 ----a-w c:\windows.0\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-04 12:00 18944 ----a-w c:\windows.0\system32\corpol.dll
2009-03-08 08:33 . 2004-08-04 12:00 420352 ----a-w c:\windows.0\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-04 12:00 72704 ----a-w c:\windows.0\system32\admparse.dll
2009-03-08 08:32 . 2004-08-04 12:00 71680 ----a-w c:\windows.0\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-04 12:00 34816 ----a-w c:\windows.0\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-04 12:00 48128 ----a-w c:\windows.0\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-04 12:00 45568 ----a-w c:\windows.0\system32\mshta.exe
2009-03-08 08:22 . 2004-08-04 12:00 156160 ----a-w c:\windows.0\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows.0\system32\pdh.dll
2009-03-04 00:42 . 2009-03-03 01:44 34 ----a-w c:\documents and settings\*Name Removed*\jagex_runescape_preferences.dat
2009-02-19 13:34 . 2009-04-13 23:15 233472 ----a-w c:\windows.0\system32\FsUsbExService.Exe
2009-02-19 13:34 . 2009-04-13 23:15 36608 ----a-w c:\windows.0\system32\FsUsbExDisk.Sys
2009-02-19 13:34 . 2009-04-13 23:15 110592 ----a-w c:\windows.0\system32\FsUsbExDevice.Dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows.0\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows.0\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows.0\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows.0\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows.0\system32\win32k.sys
2009-02-07 23:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows.0\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows.0\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows.0\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows.0\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows.0\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_23.03.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 01:50 . 2009-05-03 01:50 16384 c:\windows.0\Temp\Perflib_Perfdata_5d0.dat
+ 2009-05-03 01:50 . 2009-05-03 01:50 16384 c:\windows.0\Temp\Perflib_Perfdata_530.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"Google Update"="c:\documents and settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]

c:\documents and settings\CREB iFax Support\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS.0\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\clj3800winprnsys\\Temp\\InstEng\\Setup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\*Name Removed*\\zombie panic! source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 FsUsbExDisk;FsUsbExDisk;c:\windows.0\system32\FsUsbExDisk.SYS [2009-02-19 36608]
R3 gbalink;GBA Link Driver (gbalink.sys);c:\windows.0\system32\Drivers\gbalink.sys [2001-03-08 19677]
R3 PortTalk;PortTalk;c:\windows.0\system32\Drivers\PortTalk.sys [2002-01-12 3567]
R3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows.0\system32\Drivers\TiglUsb.sys [2006-02-11 17024]
R4 FsUsbExService;FsUsbExService;c:\windows.0\system32\FsUsbExService.Exe [2009-02-19 233472]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 viasraid;viasraid;c:\windows.0\system32\DRIVERS\viasraid.sys [2004-04-28 77312]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows.0\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows.0\system32\DRIVERS\getnd5b.sys [2003-09-02 44032]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d8-5799-11dd-995d-00508debb752}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d9-5799-11dd-995d-00508debb752}]
\Shell\AutoRun\command - F:\StartPortableApps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows.0\system32\rundll32.exe" "c:\windows.0\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1935655697-839522115-1004.job
- c:\documents and settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 00:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
FF - ProfilePath - c:\documents and settings\*Name Removed*\Application Data\Mozilla\Firefox\Profiles\ql4wwgrf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... rab&query=
FF - plugin: c:\documents and settings\All Users.WINDOWS.0\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\*Name Removed*\Application Data\Mozilla\Firefox\Profiles\ql4wwgrf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\*Name Removed*\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.12); user_pref(general.useragent.extra.zencast, );user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.12
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1935655697-839522115-1004\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"="0 0.0965 0.2824 0.4212 0.5318 0.6753 0.6824 "
"Increment"=".016129"
"FRT"="TtSwhFNsJIiOj2/8w93rvtSll1UEbSPW7BMyEa9ukZy63wn0Xb+Pqw=="
"PLCK"="b4syOoSEzWw7QadghNR27VbnXZjrEqCM"
"PHSH"=""
.
Completion time: 2009-05-03 15:48
ComboFix-quarantined-files.txt 2009-05-03 19:47
ComboFix2.txt 2009-05-02 23:07

Pre-Run: 34,525,630,464 bytes free
Post-Run: 34,518,106,112 bytes free

246 --- E O F --- 2009-04-16 13:01

==============================================================

I uninstalled and replaced all of the listed files. Also, I use Open Office 3 now. I don't know why 2 is still there. You can eradicate it.

Here is the Jotti log. Also, I should note that it said the file had been scanned before, so it wouldn't be stored in the database.

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

I don't recognize er100LT. I also don't see it anywhere as an uninstall-able program. I have no idea what it is.

Regards,
Chevalier
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread post by Odd dude » May 4th, 2009, 3:17 am

I'll check whether that program can be uninstalled.

Click Start>Run, copy and paste this into the run box:
regedit /e "%Userprofile%\desktop\Results.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Click OK.

A file titled Results.txt appears on your desktop - post its contents in your next post.

By the way - is this a business computer?
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
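The regedit export above dumps every subkey of the Uninstall key, which is why Results.txt came out far larger than a forum post allows; what the helper actually needs is one line per program (DisplayName and whether an UninstallString exists), plus the two values the earlier CFScript reset (EnableFirewall and UpdatesDisableNotify). The parser below is an added example, not code from the thread or from any of the tools mentioned in it: it reads a regedit export (REGEDIT4 or "Version 5.00" format, including hex data wrapped across lines), lists the Add/Remove Programs entries, looks one up by name, and checks the firewall and Security Center values. The sample export, the subkey names, the GUID and the paths in it are constructed placeholders, not values taken from this computer.

```python
from typing import Dict, List, Optional

RegKey = Dict[str, object]      # value name -> str | int | bytes | None
Registry = Dict[str, RegKey]    # key path -> values

UNINSTALL_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
SECURITY_CENTER_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
FIREWALL_KEY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
                r'\Parameters\FirewallPolicy\StandardProfile')

# Constructed sample in the shape "regedit /e" writes (on disk it is UTF-16LE
# with a BOM; shown here already decoded). Subkeys, GUID and paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (3.0.10)]
"DisplayName"="Mozilla Firefox (3.0.10)"
"UninstallString"="\"C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe\""
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\er100LT]
"DisplayName"="er100LT"
"InstallLocation"="C:\\Program Files\\er100LT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000013}]
"DisplayName"="Java(TM) 6 Update 13"
"UninstallString"="MsiExec.exe /X{00000000-0000-0000-0000-000000000013}"
"SystemComponent"=dword:00000000
"Flags"=hex:00,01,\
  02,03

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
'''


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return ''.join(out)


def _split_value_line(line: str):
    """Split '"Name"=data' (or '@=data', the default value) into (name, data)."""
    if line.startswith('@='):
        return '', line[2:]
    if not line.startswith('"'):
        raise ValueError('malformed value line: %r' % line)
    i = 1
    while i < len(line) and line[i] != '"':     # find the closing quote, skipping escapes
        i += 2 if line[i] == '\\' else 1
    if i + 1 >= len(line) or line[i + 1] != '=':
        raise ValueError('malformed value line: %r' % line)
    return _unescape(line[1:i]), line[i + 2:]


def _parse_data(data: str):
    """Decode the right-hand side of a value line."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if data.startswith('hex'):                  # hex:, hex(2):, hex(7): ...
        payload = data.partition(':')[2]
        return bytes(int(h, 16) for h in payload.split(',') if h.strip())
    if data == '-':                             # value marked for deletion
        return None
    raise ValueError('unsupported value data: %r' % data)


def parse_reg(text: str) -> Registry:
    """Parse a regedit export into {key path: {value name: data}}."""
    reg: Registry = {}
    current: Optional[str] = None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        while line.endswith('\\') and i < len(lines):   # wrapped hex data
            line = line[:-1] + lines[i].strip(); i += 1
        if current is None:
            raise ValueError('value outside any key: %r' % line)
        name, data = _split_value_line(line)
        reg[current][name] = _parse_data(data)
    return reg


def load_reg_file(path: str) -> Registry:
    """Read Results.txt as regedit wrote it (UTF-16 with BOM on XP)."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    text = raw.decode('utf-16') if raw.startswith((b'\xff\xfe', b'\xfe\xff')) else raw.decode('latin-1')
    return parse_reg(text)


def _key(reg: Registry, path: str) -> RegKey:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    return next((v for k, v in reg.items() if k.lower() == path.lower()), {})


def uninstall_entries(reg: Registry) -> List[dict]:
    """One record per Add/Remove Programs entry: what the helper wanted to see."""
    prefix = UNINSTALL_KEY.lower() + '\\'
    return [{'subkey': key[len(prefix):],
             'display_name': values.get('DisplayName'),
             'uninstall_string': values.get('UninstallString'),
             'system_component': values.get('SystemComponent') == 1}
            for key, values in reg.items() if key.lower().startswith(prefix)]


def find_program(reg: Registry, needle: str) -> Optional[dict]:
    """First entry whose subkey or DisplayName contains needle (case-insensitive)."""
    n = needle.lower()
    for e in uninstall_entries(reg):
        if n in e['subkey'].lower() or n in (e['display_name'] or '').lower():
            return e
    return None


def firewall_enabled(reg: Registry) -> bool:
    return _key(reg, FIREWALL_KEY).get('EnableFirewall') == 1


def update_notifications_enabled(reg: Registry) -> bool:
    # UpdatesDisableNotify=1 silences Security Center warnings; the CFScript resets it to 0
    return _key(reg, SECURITY_CENTER_KEY).get('UpdatesDisableNotify', 0) == 0


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for e in uninstall_entries(reg):
        print('%-28s %s' % (e['display_name'] or e['subkey'],
                            e['uninstall_string'] or '(no UninstallString: cannot be uninstalled normally)'))
    print('firewall on:', firewall_enabled(reg), '| update notifications on:', update_notifications_enabled(reg))
```

Run it against a real export with `load_reg_file(r'C:\...\Results.txt')` instead of the sample; an entry with no UninstallString (like the constructed er100LT one) is exactly the case where Add/Remove Programs cannot remove it, which is what the helper was trying to establish. The parser deliberately rejects lines it does not understand rather than guessing, so a truncated or hand-edited export fails loudly.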

Re: HiJackThis Log + strange net behavior.

Unread post by Chevalier » May 4th, 2009, 10:04 am

The results file contains over 2.25x the amount of allowed characters for a post on this forum. Should I attach it?

It's not a business computer, although I have a personal account for general use and a secondary account set up for when I need to work from home.
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread post by Odd dude » May 4th, 2009, 11:12 am

That's a lot bigger than I expected. I'll have you run another scan instead, that'll be easier on you, me, and your internet connection :)

RSIT
Please download random/random's system information tool (RSIT) and run it. At the disclaimer screen, choose a period of one month. Then click Continue. It will produce two logs:

  • log.txt (will be maximized)
  • info.txt (will be minimized)

Please post both in your next reply. If they won't fit into one post, divide them over multiple posts :)

After this we'll clean up the last things (whichever show up) with ComboFix and then I think we're done. By the way - how's the computer running now?
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: HiJackThis Log + strange net behavior.

Unread post by Chevalier » May 4th, 2009, 12:52 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by *Name Removed* at 2009-05-04 12:44:43
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 33 GB (22%) free of 153 GB
Total RAM: 2047 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:48 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS.0\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS.0\system32\svchost.exe
c:\WINDOWS.0\system32\ZuneBusEnum.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\*Name Removed*\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\*Name Removed*.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 4779 bytes

======Scheduled tasks folder======

C:\WINDOWS.0\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1935655697-839522115-1004.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-03 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"Zune Launcher"=c:\Program Files\Zune\ZuneLauncher.exe [2008-12-12 157312]
"NvCplDaemon"=C:\WINDOWS.0\system32\NvCpl.dll [2008-09-17 13574144]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-03 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2006-10-13 20058152]
"Google Update"=C:\Documents and Settings\*Name Removed*\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 133104]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
"ctfmon.exe"=C:\WINDOWS.0\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\*Name Removed*\Start Menu\Programs\Startup
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
Xfire.lnk - C:\Program Files\Xfire\xfire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS.0\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\WINDOWS.0\system32\dpvsetup.exe"="C:\WINDOWS.0\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\clj3800winprnsys\Temp\InstEng\Setup.exe"="C:\clj3800winprnsys\Temp\InstEng\Setup.exe:*:Enabled:Hewlett-Packard Installer"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Winamp\winamp.exe"="C:\Program Files\Winamp\winamp.exe:*:Enabled:Winamp"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\UT2004\System\UT2004.exe"="C:\UT2004\System\UT2004.exe:*:Enabled:UT2004"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Steam\steamapps\*Name Removed*\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Documents and Settings\All Users.WINDOWS.0\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users.WINDOWS.0\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Steam\steamapps\frozenjayge\garrysmod\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\garrysmod\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Microsoft XNA\XNA Game Studio\v2.0\Bin\XnaTrans.exe"="C:\Program Files\Microsoft XNA\XNA Game Studio\v2.0\Bin\XnaTrans.exe:LocalSubNet:Enabled:XNA Game Studio 2.0 Transport"
"C:\Program Files\Microsoft XNA\XNA Game Studio\v2.0\Bin\XnaLiveProxy.exe"="C:\Program Files\Microsoft XNA\XNA Game Studio\v2.0\Bin\XnaLiveProxy.exe:LocalSubNet:Enabled:XNA Framework Games for Windows – LIVE"
"C:\Program Files\Steam\steamapps\*Name Removed*\diprip warm up\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\diprip warm up\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\*Name Removed*\insurgency\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\insurgency\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Steam\steamapps\*Name Removed*\age of chivalry\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\age of chivalry\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\*Name Removed*\zombie panic! source\hl2.exe"="C:\Program Files\Steam\steamapps\*Name Removed*\zombie panic! source\hl2.exe:*:Enabled:hl2"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Sony\Media Manager for PSP\MediaManager.exe"="C:\Program Files\Sony\Media Manager for PSP\MediaManager.exe:*:Enabled:Media Manager for PSP 3.0"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d8-5799-11dd-995d-00508debb752}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c526d9-5799-11dd-995d-00508debb752}]
shell\AutoRun\command - F:\StartPortableApps.exe


======List of files/folders created in the last 1 months======

2009-05-04 12:44:43 ----D---- C:\rsit
2009-05-03 16:09:56 ----A---- C:\WINDOWS.0\system32\javaws.exe
2009-05-03 16:09:56 ----A---- C:\WINDOWS.0\system32\javaw.exe
2009-05-03 16:09:56 ----A---- C:\WINDOWS.0\system32\java.exe
2009-05-03 16:09:38 ----D---- C:\Program Files\Java
2009-05-03 16:09:11 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-05-03 15:56:24 ----SHD---- C:\Config.Msi
2009-05-03 15:48:19 ----A---- C:\ComboFix.txt
2009-05-03 15:43:16 ----D---- C:\ComboFix
2009-05-02 18:56:27 ----A---- C:\Boot.bak
2009-05-02 18:56:19 ----D---- C:\cmdcons
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\zip.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\vFind.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\SWXCACLS.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\SWSC.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\SWREG.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\sed.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\NIRCMD.exe
2009-05-02 18:54:48 ----A---- C:\WINDOWS.0\grep.exe
2009-05-02 18:54:42 ----D---- C:\WINDOWS.0\ERDNT
2009-05-02 18:54:39 ----D---- C:\Qoobox
2009-04-26 14:48:00 ----D---- C:\Program Files\Trend Micro
2009-04-20 14:40:45 ----D---- C:\Program Files\Apache Directory Studio
2009-04-16 09:01:35 ----HDC---- C:\WINDOWS.0\$NtUninstallKB959426$
2009-04-16 09:01:30 ----HDC---- C:\WINDOWS.0\$NtUninstallKB961373$
2009-04-16 08:59:25 ----HDC---- C:\WINDOWS.0\$NtUninstallKB956572$
2009-04-16 08:59:01 ----HDC---- C:\WINDOWS.0\$NtUninstallKB952004$
2009-04-16 08:58:52 ----HDC---- C:\WINDOWS.0\$NtUninstallKB960803$
2009-04-16 08:58:41 ----HDC---- C:\WINDOWS.0\$NtUninstallKB923561$
2009-04-15 14:14:00 ----N---- C:\WINDOWS.0\system32\xpsp4res.dll
2009-04-14 14:17:32 ----A---- C:\WINDOWS.0\system32\xfcodec.dll
2009-04-13 19:16:14 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\PC Suite
2009-04-13 19:16:13 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\PC Suite
2009-04-13 19:15:55 ----A---- C:\WINDOWS.0\system32\nmwcdcls.dll
2009-04-13 19:15:38 ----D---- C:\WINDOWS.0\system32\Samsung_USB_Drivers
2009-04-13 19:15:34 ----A---- C:\WINDOWS.0\system32\FsUsbExService.Exe
2009-04-13 19:15:34 ----A---- C:\WINDOWS.0\system32\FsUsbExDevice.Dll
2009-04-13 19:15:17 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\Samsung
2009-04-13 19:15:07 ----D---- C:\Program Files\PC Connectivity Solution
2009-04-13 19:14:53 ----D---- C:\Program Files\Samsung

======List of files/folders modified in the last 1 months======

2009-05-04 12:44:40 ----D---- C:\WINDOWS.0\Prefetch
2009-05-04 10:36:13 ----D---- C:\WINDOWS.0\Temp
2009-05-03 20:16:55 ----D---- C:\Program Files\Mozilla Thunderbird
2009-05-03 16:09:59 ----SHD---- C:\WINDOWS.0\Installer
2009-05-03 16:09:57 ----D---- C:\WINDOWS.0\system32
2009-05-03 16:09:41 ----A---- C:\WINDOWS.0\system32\deploytk.dll
2009-05-03 16:09:38 ----AD---- C:\Program Files
2009-05-03 16:09:24 ----D---- C:\Program Files\Adobe
2009-05-03 16:09:12 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\Adobe
2009-05-03 16:09:12 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Adobe
2009-05-03 16:09:11 ----D---- C:\Program Files\Common Files
2009-05-03 16:08:44 ----D---- C:\Program Files\Common Files\Adobe
2009-05-03 15:48:21 ----D---- C:\WINDOWS.0
2009-05-03 15:46:04 ----A---- C:\WINDOWS.0\system.ini
2009-05-03 15:45:33 ----D---- C:\WINDOWS.0\system32\drivers
2009-05-03 15:45:33 ----D---- C:\WINDOWS.0\AppPatch
2009-05-03 15:43:45 ----D---- C:\WINDOWS.0\system32\CatRoot2
2009-05-03 15:43:32 ----A---- C:\WINDOWS.0\SchedLgU.Txt
2009-05-03 12:23:41 ----D---- C:\Program Files\Mozilla Firefox
2009-05-02 21:50:49 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\Skype
2009-05-02 21:50:47 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\Xfire
2009-05-02 19:00:45 ----D---- C:\WINDOWS.0\system32\config
2009-05-02 18:56:27 ----RASH---- C:\boot.ini
2009-04-26 18:06:10 ----D---- C:\Program Files\Xfire
2009-04-26 14:51:24 ----SD---- C:\WINDOWS.0\Downloaded Program Files
2009-04-25 21:42:42 ----D---- C:\WINDOWS.0\Minidump
2009-04-25 14:53:44 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\mIRC
2009-04-25 14:52:33 ----D---- C:\Program Files\mIRC
2009-04-22 20:01:47 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\gtk-2.0
2009-04-21 22:32:56 ----D---- C:\Documents and Settings\*Name Removed*\Application Data\Audacity
2009-04-21 13:58:18 ----HD---- C:\WINDOWS.0\inf
2009-04-17 23:38:40 ----A---- C:\WINDOWS.0\system32\PerfStringBackup.INI
2009-04-17 23:34:12 ----D---- C:\WINDOWS.0\system32\wbem
2009-04-16 09:01:37 ----RSHDC---- C:\WINDOWS.0\system32\dllcache
2009-04-16 09:01:32 ----A---- C:\WINDOWS.0\imsins.BAK
2009-04-16 08:59:14 ----HD---- C:\WINDOWS.0\$hf_mig$
2009-04-15 11:51:39 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-15 09:44:11 ----D---- C:\WINDOWS.0\WinSxS
2009-04-13 19:15:56 ----DC---- C:\WINDOWS.0\system32\DRVSTORE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS.0\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS.0\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS.0\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS.0\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS.0\system32\npptNT2.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS.0\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS.0\system32\DRIVERS\zumbus.sys [2008-11-10 40832]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS.0\system32\drivers\ALCXWDM.SYS [2005-05-18 2319680]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS.0\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS.0\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver; C:\WINDOWS.0\system32\DRIVERS\getnd5b.sys [2003-09-02 44032]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS.0\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS.0\system32\DRIVERS\LHidFilt.Sys [2007-07-17 34960]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS.0\system32\DRIVERS\LMouFilt.Sys [2007-07-17 36240]
R3 mouhid;Mouse HID Driver; C:\WINDOWS.0\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS.0\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.0\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS.0\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS.0\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 ayi2abap;ayi2abap; C:\WINDOWS.0\system32\drivers\ayi2abap.sys []
S3 CamDrL;Logitech QuickCam Pro 3000(CamDrl); C:\WINDOWS.0\system32\DRIVERS\Camdrl.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\BENKEN~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS.0\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 EagleNT;EagleNT; \??\C:\WINDOWS.0\system32\drivers\EagleNT.sys []
S3 FreshIO;FreshIO; \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys []
S3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS.0\system32\FsUsbExDisk.SYS []
S3 gbalink;GBA Link Driver (gbalink.sys); C:\WINDOWS.0\System32\Drivers\gbalink.sys [2001-03-08 19677]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS.0\system32\drivers\lvusbsta.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS.0\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS.0\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS.0\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS.0\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 PortTalk;PortTalk; C:\WINDOWS.0\System32\Drivers\PortTalk.sys [2002-01-12 3567]
S3 QCMerced;Logitech QuickCam Communicate; C:\WINDOWS.0\system32\DRIVERS\LVCM.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS.0\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS.0\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS.0\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS.0\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 streamip;BDA IPSink; C:\WINDOWS.0\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS.0\system32\drivers\tiehdusb.sys [2004-02-04 49536]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver; C:\WINDOWS.0\System32\Drivers\TiglUsb.sys [2006-02-10 17024]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS.0\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS.0\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WinUSB;WinUSB; C:\WINDOWS.0\system32\DRIVERS\WinUSB.sys [2006-11-02 39368]
S3 WpdUsb;WpdUsb; C:\WINDOWS.0\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS.0\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.0\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-03 152984]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS.0\system32\nvsvc32.exe [2008-09-17 163908]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.0\system32\svchost.exe [2008-04-13 14336]
R2 ZuneBusEnum;Zune Bus Enumerator; c:\WINDOWS.0\system32\ZuneBusEnum.exe [2008-12-12 60032]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 usprserv;User Privilege Service; C:\WINDOWS.0\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 ZuneNetworkSvc;Zune Network Sharing Service; c:\Program Files\Zune\ZuneNss.exe [2008-12-12 5117568]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; c:\WINDOWS.0\system32\ZuneWlanCfgSvc.exe [2008-12-12 243840]
S4 FsUsbExService;FsUsbExService; C:\WINDOWS.0\system32\FsUsbExService.Exe [2009-02-19 233472]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS.0\system32\HPZipm12.exe [2005-03-14 69632]
S4 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

-----------------EOF-----------------
Chevalier
Active Member
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread postby Chevalier » May 4th, 2009, 12:57 pm

info.txt logfile of random's system information tool 1.06 2009-05-04 12:44:50

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.0\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0-->C:\WINDOWS.0\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 Plugin-->C:\WINDOWS.0\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11-->C:\WINDOWS.0\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS.0\system32\Adobe\SHOCKW~1\Install.log
Age of Chivalry-->"C:\Program Files\Steam\steam.exe" steam://uninstall/17510
AGEIA PhysX v7.11.13-->MsiExec.exe /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apache Directory Studio - (remove only)-->"C:\Program Files\Apache Directory Studio\uninstall.exe"
Aspell English Dictionary-0.50-2-->"C:\Program Files\Aspell\unins001.exe"
Audacity 1.3.7 (Unicode)-->"C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS.0\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
er100LT-->MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
FLV Player-->"C:\WINDOWS.0\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
FreshDiagnose-->"C:\Program Files\FreshDevices\FreshDiagnose\unins000.exe"
Garry's Mod-->"C:\Program Files\Steam\steam.exe" steam://uninstall/4000
GIMP 2.6.3-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
GNU Aspell 0.50-3-->"C:\Program Files\Aspell\unins000.exe"
GTK+ Runtime 2.12.8 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
Guild Wars-->"C:\Program Files\Guild Wars\Gw.exe" -uninstall
Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS.0\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS.0\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB932716-v2)-->"C:\WINDOWS.0\$NtUninstallKB932716-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS.0\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Color LaserJet 3800-->"C:\Program Files\Hewlett-Packard\Install Engines\HP Color LaserJet 3800\setup.exe" /x
HP Color LaserJet 3800-->msiexec /x{4D5795B4-76AC-473B-82DA-0AE6CBB4BD8C}
Insurgency-->"C:\Program Files\Steam\steam.exe" steam://uninstall/17700
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Logitech SetPoint 5.00-->MsiExec.exe /I{D3120436-1358-4253-9EB2-257FFE8CE1D9}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS.0\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS.0\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS.0\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{D1B01DC9-CBAF-45F9-A387-7D00C11B630E}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS.0\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS.0\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft SQL Server 2005 Express Edition-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft User-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS.0\$NtUninstallWudf01007$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)-->C:\WINDOWS.0\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Microsoft Visual Studio 2005 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft WinUsb 1.0-->"C:\WINDOWS.0\$NtUninstallwinusb0100$\spuninst\spuninst.exe"
Microsoft XNA Framework Redistributable 2.0-->MsiExec.exe /I{245F6C7A-0C22-4DE0-8202-2AAA620A1D3A}
Microsoft XNA Game Studio 2.0 (ARP entry)-->MsiExec.exe /I{070B87FB-CD1A-45AA-9E5E-484E5964C6ED}
Microsoft XNA Game Studio 2.0 (Redists)-->MsiExec.exe /I{31EA6FCB-6C53-4BA7-BE88-9BA788899C2C}
Microsoft XNA Game Studio 2.0 (shared components)-->MsiExec.exe /I{C18DA187-6C0D-4B8E-99AE-74D5C588AFB6}
Microsoft XNA Game Studio 2.0 (spacewar)-->MsiExec.exe /I{3432C2AA-BB3E-44B3-B5ED-EF36E0241100}
Microsoft XNA Game Studio 2.0 (xnaliveproxy)-->MsiExec.exe /I{9B96628C-8898-4FED-9612-25631C27AB13}
Microsoft XNA Game Studio 2.0 Documentation-->MsiExec.exe /I{3B5A6E00-2B27-4E1A-8A33-E3A40DEFD4DC}
Microsoft XNA Game Studio 2.0-->c:\Program Files\Microsoft XNA\XNA Game Studio\v2.0\Setup\Bootstrapper.exe
Microsoft XNA Game Studio 2.0-->MsiExec.exe /I{2A5A6D00-2B27-4E1A-8A33-E3A40DFDF3EB}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (3.0.9)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.21)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NetBeans IDE 5.0-->C:\Program Files\netbeans-5.0\_uninst\uninstaller.exe
NVIDIA Drivers-->C:\WINDOWS.0\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
PC Connectivity Solution-->MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
Pidgin-Encryption Plugin (remove only)-->C:\Program Files\Pidgin\pidgin-encryption-uninst.exe
PlayStation(R)Network Downloader-->MsiExec.exe /X{BC4CA8FA-41D2-4B81-8680-E9B7573D6500}
PlayStation(R)Store-->MsiExec.exe /X{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}
Privoxy 3.0.6-->"F:\Tor\Privoxy\privoxy_uninstall.exe"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
SAMSUNG Mobile Composite Device Software-->C:\WINDOWS.0\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
SAMSUNG Mobile Modem Driver Set-->C:\WINDOWS.0\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS.0\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS.0\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS.0\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung New PC Studio USB Driver Installer-->"C:\Program Files\InstallShield Installation Information\{AF7E85DC-317C-47F5-810E-B82EE093A612}\setup.exe" -runfromtemp -l0x0409 -removeonly
Samsung New PC Studio USB Driver Installer-->MsiExec.exe /I{AF7E85DC-317C-47F5-810E-B82EE093A612}
Samsung New PC Studio-->"C:\Program Files\InstallShield Installation Information\{F193FC0E-9E18-40FC-A974-509A1BDD240A}\setup.exe" -runfromtemp -l0x0409 -removeonly
Samsung New PC Studio-->MsiExec.exe /X{F193FC0E-9E18-40FC-A974-509A1BDD240A}
SamsungConnectivityCableDriver-->MsiExec.exe /X{7E84FAC8-C518-40F9-9807-7455301D6D25}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)-->C:\WINDOWS.0\system32\msiexec.exe /promptrestart /uninstall {94E2AAC1-CAE5-4F73-B0D1-C471BA1F8E2A} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB947738)-->C:\WINDOWS.0\system32\msiexec.exe /promptrestart /uninstall {66DA9ADD-B1C4-4891-84D6-706E216B411B} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS.0\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS.0\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS.0\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS.0\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS.0\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS.0\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS.0\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS.0\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS.0\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS.0\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS.0\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS.0\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS.0\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS.0\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS.0\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS.0\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS.0\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS.0\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS.0\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS.0\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS.0\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS.0\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS.0\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS.0\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS.0\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS.0\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS.0\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS.0\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS.0\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS.0\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS.0\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS.0\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS.0\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS.0\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS.0\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS.0\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS.0\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS.0\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS.0\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS.0\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS.0\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS.0\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS.0\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS.0\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS.0\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS.0\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS.0\$NtUninstallKB961373$\spuninst\spuninst.exe"
Skype 2.5-->"C:\Program Files\Skype\Phone\unins000.exe"
Sony Media Manager for PSP 3.0-->MsiExec.exe /X{21C6344A-918B-4D35-ADB6-7614F97B78EA}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
TiLP 6.81-->"C:\Program Files\TiLP\unins000.exe"
Tor 0.1.1.26-->"F:\Tor\Tor\Uninstall.exe"
Total Video Converter 3.11 070908-->"C:\Program Files\Total Video Converter\unins000.exe"
Unreal Tournament 2004-->C:\UT2004\System\Setup.exe uninstall "UT2004"
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS.0\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS.0\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS.0\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS.0\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS.0\$NtUninstallKB967715$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /u C:\WINDOWS.0\system32\DRVSTORE\shpacm_18A9B92ED8DEDC602E49E767FA4BE98A30525207\shpacm.inf
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /u C:\WINDOWS.0\system32\DRVSTORE\shpusb_558D416BCEB984F35885804D3E1A9C3773F1B17C\shpusb.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS.0\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Internet Explorer 8-->"C:\WINDOWS.0\ie8\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS.0\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS.0\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS.0\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Zune Desktop Theme-->MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}
Zune Language Pack (ES)-->MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR)-->MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}
Zune-->c:\Program Files\Zune\ZuneSetup.exe /x
Zune-->MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2}

=====HijackThis Backups=====

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe [2009-04-26]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-04-26]
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b [2009-04-26]
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [2009-04-26]
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a [2009-04-26]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install [2009-04-26]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe [2009-04-26]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-04-26]
O4 - HKUS\S-1-5-20\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'NETWORK SERVICE') [2009-04-26]
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [2009-04-26]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-04-26]
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s [2009-04-26]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit [2009-04-26]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup [2009-04-26]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [2009-04-26]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-04-26]
O1 - Hosts: 82.98.231.89 url.adtrgt.com [2009-04-26]
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-04-26]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-04-26]
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe [2009-04-26]
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net [2009-04-26]
O4 - HKUS\S-1-5-19\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'LOCAL SERVICE') [2009-04-26]
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE [2009-04-26]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-04-26]
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe [2009-04-26]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-04-26]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab [2009-04-26]
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll [2009-04-26]
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab [2009-04-26]
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab [2009-04-26]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab [2009-04-26]
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab [2009-04-26]
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS.0\system32\FsUsbExService.Exe [2009-04-26]
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-04-26]
O20 - AppInit_DLLs: C:\WINDOWS.0\system32\melidawa.dll c:\windows.0\system32\norefose.dll [2009-04-26]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2009-04-26]
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.0\system32\HPZipm12.exe [2009-04-26]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe [2009-04-26]
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b [2009-04-26]
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-04-26]
O20 - AppInit_DLLs: c:\windows.0\system32\norefose.dll,C:\WINDOWS.0\system32\melidawa.dll [2009-04-26]
O4 - HKUS\S-1-5-19\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'LOCAL SERVICE') [2009-04-26]
O4 - Global Startup: SetPointII.lnk = ? [2009-04-26]
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O2 - BHO: (no name) - {2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - C:\WINDOWS.0\system32\fagometo.dll [2009-04-26]
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a [2009-04-26]
O4 - HKUS\S-1-5-20\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'NETWORK SERVICE') [2009-04-26]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup [2009-04-26]
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s [2009-04-26]
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe [2009-04-26]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2009-04-26]
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a [2009-04-26]
O20 - AppInit_DLLs: c:\windows.0\system32\norefose.dll,C:\WINDOWS.0\system32\melidawa.dll [2009-04-26]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe [2009-04-26]
O4 - HKUS\S-1-5-20\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'NETWORK SERVICE') [2009-04-26]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup [2009-04-26]
O4 - HKUS\S-1-5-19\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'LOCAL SERVICE') [2009-04-26]
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b [2009-04-26]
O2 - BHO: (no name) - {2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - C:\WINDOWS.0\system32\fagometo.dll (file missing) [2009-04-26]
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s [2009-04-26]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2009-04-26]
O4 - HKLM\..\Run: [CPM53fc3d13] Rundll32.exe "c:\windows.0\system32\norefose.dll",a [2009-04-26]
O4 - HKUS\S-1-5-19\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s (User 'LOCAL SERVICE') [2009-04-26]
O2 - BHO: (no name) - {2bb7c11b-cf73-4c10-a6d1-698e2c6904d2} - C:\WINDOWS.0\system32\fagometo.dll (file missing) [2009-04-26]
O20 - AppInit_DLLs: c:\windows.0\system32\norefose.dll,C:\WINDOWS.0\system32\melidawa.dll [2009-04-26]
O4 - HKLM\..\Run: [sogasozile] Rundll32.exe "C:\WINDOWS.0\system32\gohulayo.dll",s [2009-04-26]
O4 - HKLM\..\Run: [50cf0e8f] rundll32.exe "C:\WINDOWS.0\system32\buyefalo.dll",b [2009-04-26]
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows.0\system32\norefose.dll [2009-04-26]

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090504-0]

======System event log======

Computer Name: BEN-69AA559DD56
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 13514
Source Name: Service Control Manager
Time Written: 20090503155705.000000-240
Event Type: error
User:

Computer Name: BEN-69AA559DD56
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 13511
Source Name: Service Control Manager
Time Written: 20090503155705.000000-240
Event Type: error
User:

Computer Name: BEN-69AA559DD56
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 13508
Source Name: Service Control Manager
Time Written: 20090503155705.000000-240
Event Type: error
User:

Computer Name: BEN-69AA559DD56
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 13505
Source Name: Service Control Manager
Time Written: 20090503155705.000000-240
Event Type: error
User:

Computer Name: BEN-69AA559DD56
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 13502
Source Name: Service Control Manager
Time Written: 20090503155705.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: BEN-69AA559DD56
Event Code: 3
Message: The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Record Number: 10062
Source Name: SQLBrowser
Time Written: 20090224184210.000000-300
Event Type: warning
User:

Computer Name: BEN-69AA559DD56
Event Code: 20
Message:
Record Number: 10058
Source Name: Google Update
Time Written: 20090223063245.000000-300
Event Type: error
User: BEN-69AA559DD56\*Name Removed*

Computer Name: BEN-69AA559DD56
Event Code: 20
Message:
Record Number: 10050
Source Name: Google Update
Time Written: 20090221213236.000000-300
Event Type: error
User: BEN-69AA559DD56\*Name Removed*

Computer Name: BEN-69AA559DD56
Event Code: 20
Message:
Record Number: 10040
Source Name: Google Update
Time Written: 20090220190429.000000-300
Event Type: error
User: BEN-69AA559DD56\*Name Removed*

Computer Name: BEN-69AA559DD56
Event Code: 20
Message:
Record Number: 10039
Source Name: Google Update
Time Written: 20090220180432.000000-300
Event Type: error
User: BEN-69AA559DD56\*Name Removed*

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC Connectivity Solution;c:\Program Files\Microsoft SQL Server\90\Tools\binn
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0f00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"PANGO_WIN32_NO_UNISCRIBE"=anything
"VS80COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------

The computer seems to be running excellently by the way. I happen to be posting this from Chrome now and all signs of the pop-ups appear to be gone. I haven't done much with it besides what you've instructed me to do and posting here though, since you haven't given the all clear yet.
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread postby Odd dude » May 4th, 2009, 2:41 pm

Just noticed one suspicious service remaining.

Submit a file for analysis
We need to have something checked for malware. Please go to Jotti's.
  • Click Browse next to File to upload & scan and copy and paste the first line of the following list into the browse box:
    Code:
    C:\WINDOWS.0\system32\drivers\ayi2abap.sys
  • Click Submit. The file will now be scanned for malware and the results will be displayed on the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to notepad.
  • Repeat this procedure for any other files I have listed.
  • Copy and paste the whole notepad file you just made into your reply.

Uninstall Azureus Vuze; this forum has a policy to remove P2P programs because they can veeeeeeeeeeeeeeeeeeeeeeeeeeery easily bring in infections.

Delete the shortcut to Openoffice 2.0 from your startup folder (Start > All Programs > Start Up) and delete the folder Openoffice.org 2.0 from your C:\Program Files.

Delete the folder c:\rsit and re-run rsit. (Just to check Azureus is really gone - I know it's lame but it's the rules)

Apart from that one strange service of which I am having you upload the file, everything looks absolutely great. :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: HiJackThis Log + strange net behavior.

Unread postby Chevalier » May 4th, 2009, 5:32 pm

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

I already uninstalled A.Vuze a while ago, by the way. That was what I was referencing back up when I said "I should note (after reading all of the stickies) that I did have the version of Azureus that was marked unsafe on my computer but I uninstalled it several weeks ago. Other than that, I don't think I have any file sharing clients or other forbidden programs left on my computer. Is there anything left behind by that program that needs to be deleted manually or anything?"

Is there anything else besides that specialized ComboFix thing you gave me that needs to be totally deleted? I removed Open Office 2.0's shortcut from start-up.
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm

Re: HiJackThis Log + strange net behavior.

Unread postby Odd dude » May 5th, 2009, 2:12 am

Oh, ok, Azureus was still showing up in the uninstall list but if you uninstalled it that's fine. Wouldn't be the first time something that wasn't actually there showed up in the uninstall list.

Did you also delete this folder? C:\Program Files\Openoffice.org 2.0

As your computer is now running OK, you can:
- delete all the text files you made, if you haven't done so already (I'm referring to Results.txt, CFScript.txt, etc.)
- delete RSIT.exe and the folder c:\rsit it made

Combofix needs special instructions:

Uninstall ComboFix
  • Disable all your antimalware programs like you did previously (Avast and its self-defence module)
  • Click Start > Run and enter:
    Code:
    ComboFix /u
  • Click OK
  • ComboFix will now uninstall itself

And then you should be good to go!

Congratulations!

As far as I can tell, you are CLEAN!


Sit back & relax, and now please follow a few of the following tips; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. They will increase your security, but are not really "needed". That said, I recommend following at least one of these tips.

  • Install WinPatrol from here. Instructions for use are here.

  • Install a custom hosts file. Let's say I have a directory of 640kb's worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site - without site blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    • Click Start, then Run
    • Copy and paste the following:
      Code:
      sc config dnscache start= disabled
    • Click OK
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

Please reply to this thread once more so we know it can be archived.

Happy surfing!! :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
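The custom hosts file recommended in this post and the O1 Hosts entries HijackThis backed up earlier in the thread are two uses of the same mechanism: a blocking list points unwanted names at 127.0.0.1 or 0.0.0.0, whereas the infection pointed ad domains at a remote address (82.98.231.89), which is how a hosts file shows up as a hijack rather than a block. The Python below is an added example written for this page, not a tool from the thread or from HijackThis; it parses plain hosts lines and HijackThis `O1 - Hosts:` lines and flags any mapping to a public address. The sample lines are constructed, except for the two O1 entries copied from the log above.

```python
"""Audit hosts-file mappings (added example): a blocking hosts file points
names at a sinkhole address, whereas a hijacked hosts file points them at a
remote host. Works on plain hosts lines and on HijackThis "O1 - Hosts:" lines."""
import ipaddress
import re

# Addresses a block-list style hosts file legitimately maps names to.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# HijackThis prints hosts entries as "O1 - Hosts: <addr> <name>", and its
# backup list appends a "[YYYY-MM-DD]" stamp; strip both so every line
# reduces to ordinary hosts-file syntax before parsing.
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")
BACKUP_STAMP = re.compile(r"\s*\[\d{4}-\d{2}-\d{2}\]\s*$")


def parse_hosts_line(line):
    """Return (address, [names]) for one line, or None for blanks, comments
    and lines whose first field is not an IP address."""
    line = O1_PREFIX.sub("", line.strip())
    line = BACKUP_STAMP.sub("", line)
    line = line.split("#", 1)[0].strip()       # drop trailing comments
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return str(addr), fields[1:]


def classify(addr):
    """'block' for sinkhole targets, 'local' for private/loopback/link-local
    targets (an admin's own LAN entry), 'redirect' for anything public."""
    if addr in SINKHOLE_ADDRS:
        return "block"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "local"
    return "redirect"


def audit(lines):
    """Return one (verdict, address, name) tuple per mapped name."""
    findings = []
    for line in lines:
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        addr, names = parsed
        verdict = classify(addr)
        findings.extend((verdict, addr, name) for name in names)
    return findings


def suspicious(lines):
    """Only the mappings that send a name to a public address."""
    return [f for f in audit(lines) if f[0] == "redirect"]


# Constructed sample: a few ordinary hosts lines plus the two O1 entries
# HijackThis recorded in the log earlier in this thread.
SAMPLE_LINES = [
    "# Hosts file excerpt (constructed for this example)",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0         ads.example.net tracker.example.net",
    "192.168.1.10    printer.lan",
    "O1 - Hosts: 82.98.231.89 url.adtrgt.com [2009-04-26]",
    "O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net [2009-04-26]",
]

if __name__ == "__main__":
    for verdict, addr, name in audit(SAMPLE_LINES):
        print(f"{verdict:8} {addr:15} {name}")
```

Run against a real `%SystemRoot%\system32\drivers\etc\hosts`, every line that comes back as `redirect` deserves a look, since a blocking list never needs a public address.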

Re: HiJackThis Log + strange net behavior.

Unread postby Chevalier » May 7th, 2009, 2:21 pm

Just a quick note: I've been pretty busy these past few days and will not be available until next week, but I do intend to utilize the antivirus measures you've suggested, so you can archive the thread if you want and I'll find it in the archives. You have been an incredible help, Odd dude. Thank you so much :D
Chevalier
Active Member
 
Posts: 9
Joined: April 26th, 2009, 3:42 pm