Hello Im having some problems with my computer
JChretien
Vancouver, BC, Canada
WIndows security center keeps disabling automatic updates, i get random popups and NOD32 keeps telling me i have a kryptik.bn trojan. I hit delete every time but it always comes back! Help please
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:29 AM, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKLM\..\Run: [ecb97926] rundll32.exe "C:\WINDOWS\system32\ftbrowan.dll",b
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Chidori\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\overclocked.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://dvrlink.net/webdvr/webdvr2.5.10.2_233.0.0.0.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O20 - AppInit_DLLs: oehshi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BelkinAPMmanager - Macrovision - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 6304 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:29 AM, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKLM\..\Run: [ecb97926] rundll32.exe "C:\WINDOWS\system32\ftbrowan.dll",b
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Chidori\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\overclocked.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://dvrlink.net/webdvr/webdvr2.5.10.2_233.0.0.0.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O20 - AppInit_DLLs: oehshi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BelkinAPMmanager - Macrovision - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 6304 bytes
0
Comments
Step 1:
Please download to your desktop:
Malwarebytes' Anti-Malware (MBAM)
Random's System Iformation Tool (RSIT)
Step 2:
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply.
- If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Step 3:In your next reply, please include:
Database version: 1401
Windows 5.1.2600 Service Pack 2
11/16/2008 10:20:31 AM
mbam-log-2008-11-16 (10-20-31).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|L:\|P:\|)
Objects scanned: 249388
Time elapsed: 2 hour(s), 10 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 28
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ddcDvvUN.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ftbrowan.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oehshi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifEwvvW.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47080957-7903-41fc-b655-ceba0a65e64a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifewvvw (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{47080957-7903-41fc-b655-ceba0a65e64a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{652bb3d5-6e01-46aa-83cf-bbcc01f79dc8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{652bb3d5-6e01-46aa-83cf-bbcc01f79dc8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b7ef49d8-1dc0-4944-8f4a-42d3d21c2c5c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7ef49d8-1dc0-4944-8f4a-42d3d21c2c5c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7ef49d8-1dc0-4944-8f4a-42d3d21c2c5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{47080957-7903-41fc-b655-ceba0a65e64a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{652bb3d5-6e01-46aa-83cf-bbcc01f79dc8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecb97926 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{47080957-7903-41fc-b655-ceba0a65e64a} (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcdvvun -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcdvvun -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iifEwvvW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcDvvUN.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\NUvvDcdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NUvvDcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oehshi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ftbrowan.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\naworbtf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vlkgwpqj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jqpwgklv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wjhngkbi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ibkgnhjw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temp\yaafjhkr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temp\bxvxoddb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\912CMWXG\70bd6[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\912CMWXG\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\912CMWXG\kb600179[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\AKHJKGM1\70bd6[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\AKHJKGM1\70bd6[2].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\AKHJKGM1\kb600179[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\M5EYC2E7\70bd6[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\QR1B3DWF\70bd6[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chidori\Local Settings\Temporary Internet Files\Content.IE5\QR1B3DWF\index[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kdjiua.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mhvvkf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\puoghwdm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cluudvqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muqqgeri.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krgfyhvs.dll (Trojan.Vundo) -> Delete on reboot.
Logfile of random's system information tool 1.04 (written by random/random)
Run by Chidori at 2008-11-16 10:28:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (11%) free of 29 GB
Total RAM: 2047 MB (61% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:02 AM, on 11/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chidori\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Chidori.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {02f17671-2d3f-a07a-77b4-1c52ca09ede7} - {7ede90ac-25c1-4b77-a70a-f3d217671f20} - C:\WINDOWS\system32\kdjiua.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D366F4E4-FD2F-4E5C-A97E-14A3944EFD6E} - C:\WINDOWS\system32\tuvUKBtr.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Chidori\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\overclocked.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://dvrlink.net/webdvr/webdvr2.5.10.2_233.0.0.0.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O20 - AppInit_DLLs: kdjiua.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BelkinAPMmanager - Macrovision - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 6802 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ede90ac-25c1-4b77-a70a-f3d217671f20}]
C:\WINDOWS\system32\kdjiua.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D366F4E4-FD2F-4E5C-A97E-14A3944EFD6E}]
C:\WINDOWS\system32\tuvUKBtr.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"AS00_Gear311T"=C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe [2004-11-11 475136]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-09-17 8491008]
"NVMixerTray"=C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe [2004-06-03 131072]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2007-09-25 950664]
"UltraMon"=C:\Program Files\UltraMon\UltraMon.exe [2006-10-12 304640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-09-17 81920]
"WinVNC"=C:\Program Files\UltraVNC\WinVNC.exe [2006-06-18 712704]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"BelkinAPM"=C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe [2008-11-10 114688]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-07-03 81920]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2006-12-31 15360]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"Google Update"=C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 133104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
C:\WINDOWS\KHALMNPR.EXE [2007-04-11 56080]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
C:\WINDOWS\KHALMNPR.EXE [2007-04-11 56080]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE [2007-08-06 200704]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chidori^Start Menu^Programs^Startup^MagicDisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2007-09-05 557568]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3
"Bonjour Service"=2
"StarWindServiceAE"=2
"npkcmsvc"=2
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Documents and Settings\Chidori\Start Menu\Programs\Startup
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="kdjiua.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:μTorrent"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\Program Files\Pando Networks\Pando\pando.exe"="C:\Program Files\Pando Networks\Pando\pando.exe:*:Enabled:Pando Application"
"H:\FEAR\FEARXP\FEARXP.exe"="H:\FEAR\FEARXP\FEARXP.exe:*:Enabled:FEARXP"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
======List of files/folders created in the last 1 months======
2008-11-16 10:28:57 ----D---- C:\rsit
2008-11-16 01:15:37 ----SH---- C:\WINDOWS\system32\svhyfgrk.ini
2008-11-16 01:04:29 ----D---- C:\Documents and Settings\Chidori\Application Data\Malwarebytes
2008-11-16 01:04:23 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-16 01:04:23 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-15 11:12:21 ----D---- C:\Program Files\Trend Micro
2008-11-13 11:05:13 ----A---- C:\WINDOWS\system32\lzfidg.dll
2008-11-13 11:05:12 ----A---- C:\WINDOWS\system32\cygeqdrf.dll
2008-11-13 10:19:35 ----ASH---- C:\WINDOWS\system32\rtBKUvut.ini2
2008-11-13 10:19:14 ----A---- C:\WINDOWS\wininit.ini
2008-11-13 09:54:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-13 09:54:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\TrayIcon12.dll
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\smemory.dll
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\jspWinRnia.DLL
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\jspWinRni.DLL
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\jspWinNm.DLL
2008-11-10 22:28:08 ----A---- C:\WINDOWS\system32\jspWin.dll
2008-11-10 22:18:52 ----D---- C:\Program Files\Belkin Bulldog Plus
2008-11-10 16:56:44 ----D---- C:\Program Files\Easy Duplicate Finder
2008-11-09 23:30:55 ----A---- C:\WINDOWS\system32\e79abd58-.txt
2008-11-09 23:30:39 ----ASH---- C:\WINDOWS\system32\rtBKUvut.ini
2008-11-09 12:00:40 ----D---- C:\Documents and Settings\Chidori\Application Data\Apple Computer
2008-11-09 12:00:19 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2008-11-09 11:59:54 ----D---- C:\Program Files\iPod
2008-11-09 11:59:52 ----D---- C:\Program Files\iTunes
2008-11-09 11:59:52 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-05 00:18:42 ----D---- C:\Program Files\Common Files\Apple
2008-11-05 00:18:38 ----D---- C:\Program Files\QuickTime
2008-11-05 00:18:37 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-11-05 00:18:28 ----D---- C:\Program Files\Apple Software Update
2008-11-05 00:18:28 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2008-11-05 00:11:52 ----SHD---- C:\Config.Msi
2008-11-05 00:04:20 ----D---- C:\Program Files\CCleaner
======List of files/folders modified in the last 1 months======
2008-11-16 10:26:54 ----D---- C:\Program Files\Mozilla Firefox
2008-11-16 10:25:19 ----D---- C:\WINDOWS\Temp
2008-11-16 10:24:49 ----D---- C:\Documents and Settings\Chidori\Application Data\Hamachi
2008-11-16 10:23:48 ----D---- C:\WINDOWS\system32
2008-11-16 10:23:47 ----RD---- C:\Program Files
2008-11-16 10:23:47 ----D---- C:\WINDOWS\system32\drivers
2008-11-16 10:23:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-16 10:22:52 ----D---- C:\Documents and Settings\Chidori\Application Data\uTorrent
2008-11-16 08:10:13 ----D---- C:\Program Files\Belkin Automatic Power Management Software
2008-11-16 01:15:47 ----D---- C:\WINDOWS\Prefetch
2008-11-15 11:45:29 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-15 11:30:31 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-13 10:19:14 ----D---- C:\WINDOWS
2008-11-10 22:21:52 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-10 22:20:04 ----HD---- C:\WINDOWS\inf
2008-11-10 14:35:21 ----D---- C:\Program Files\Zoom Player
2008-11-09 12:00:43 ----SHD---- C:\WINDOWS\Installer
2008-11-09 12:00:19 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-09 11:59:43 ----D---- C:\Program Files\Bonjour
2008-11-05 00:18:42 ----D---- C:\Program Files\Common Files
2008-11-05 00:18:30 ----SD---- C:\WINDOWS\Tasks
2008-11-05 00:08:56 ----D---- C:\WINDOWS\Minidump
2008-11-05 00:08:56 ----D---- C:\WINDOWS\Debug
2008-11-04 23:45:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-04 23:43:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-04 17:50:23 ----D---- C:\WINDOWS\Help
2008-10-29 09:52:19 ----D---- C:\Program Files\EA Games
2008-10-29 09:42:07 ----RSD---- C:\WINDOWS\Fonts
2008-10-26 21:12:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-26 21:09:26 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-26 21:07:40 ----D---- C:\WINDOWS\RegisteredPackages
2008-10-23 09:10:03 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 17:48:16 ----A---- C:\WINDOWS\cdplayer.ini
2008-10-17 09:52:52 ----D---- C:\Program Files\Combined Community Codec Pack
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2006-12-31 37376]
R1 ATITool;ATITool Overclocking Utility; C:\WINDOWS\system32\DRIVERS\ATITool.sys [2006-11-10 24064]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2007-09-25 15424]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-08-06 33052]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-12-31 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2007-09-25 512096]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2007-09-25 15781]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2006-12-31 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2006-12-31 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2006-12-31 55936]
R2 nxsIO32;NextSensor Kernel I/O Driver; \??\C:\WINDOWS\System32\DRIVERS\nxsIO32.sys []
R2 UltraMonUtility;UltraMon Utility Driver; \??\C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys []
R2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2006-12-31 60800]
R3 AWINDIS5;AWINDIS5 Protocol Driver; \??\C:\WINDOWS\system32\AWINDIS5.SYS []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2007-11-16 25280]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2007-04-11 34832]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2007-04-11 36112]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2007-09-05 92544]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service; C:\WINDOWS\system32\DRIVERS\wg311tn5.sys [2004-08-13 395840]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2006-12-31 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-09-17 6853088]
R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-05-25 48640]
R3 NVENET;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENET.sys [2004-01-29 93764]
R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-05-25 396032]
R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []
R3 UltraMonMirror;UltraMonMirror; C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2006-12-31 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-12-31 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-12-31 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-12-31 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S2 npkcrypt;npkcrypt; \??\I:\Nexon\Mabinogi\npkcrypt.sys []
S3 ahifhj1f;ahifhj1f; C:\WINDOWS\system32\drivers\ahifhj1f.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2007-04-11 20496]
S3 L8042mou;SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2007-04-11 63248]
S3 LMouKE;SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2007-04-11 79376]
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2007-04-11 28688]
S3 npkcusb;npkcusb; \??\I:\Nexon\Mabinogi\npkcusb.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2006-12-31 73472]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 BelkinAPMmonitor;BelkinAPMmonitor; C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE [2008-11-10 114688]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2007-09-25 549256]
R2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-07-03 131072]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-09-17 155716]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 winvnc;VNC Server; C:\Program Files\UltraVNC\WinVNC.exe [2006-06-18 712704]
R3 BelkinAPMRMI;BelkinAPMRMI; C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE [2008-11-10 114688]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 BelkinAPMmanager;BelkinAPMmanager; C:\PROGRA~1\BELKIN~1\BE8806~1.EXE [2008-11-10 114688]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2006-12-31 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-10-27 654848]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 npkcmsvc;npkcmsvc; I:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]
S4 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
EOF
info.txt logfile of random's system information tool 1.04 2008-11-16 10:29:03
======Uninstall list======
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3Dカスタム少女-->MsiExec.exe /X{311EBF70-9282-41D1-BAB0-AD22220301B9}
7-Zip 4.52 beta-->"C:\Program Files\7-Zip\Uninstall.exe"
abcAVI-->"C:\Program Files\abcAVI\unins000.exe"
ACDSee Classic-->C:\PROGRA~1\ACDSee32\UNWISE.EXE C:\PROGRA~1\ACDSee32\INSTALL.LOG
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup-->MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AGEIA PhysX v7.07.09-->MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
AoA Audio Extractor 1.0-->"C:\Program Files\AoA Audio Extractor\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATITool Overclocking Utility-->"C:\Program Files\ATITool\Uninstall.exe"
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Belkin Automatic Power Management Software-->"C:\Program Files\Belkin Automatic Power Management Software\UninstallerData\Uninstall.exe"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer-->MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Combined Community Codec Pack 2008-09-21 16:18-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
Command & Conquer Generals-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Command and ConquerTM Generals Zero Hour-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}
CoreAVC Professional Edition (remove only)-->"C:\Program Files\CoreCodec\CoreAVC Professional Edition\CoreAVC Professional Edition-uninstall.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
Easy Duplicate Finder v. 2.1-->"C:\Program Files\Easy Duplicate Finder\unins000.exe"
eMule-->"C:\Program Files\eMule\Uninstall.exe"
FEAR Extraction Point-->C:\Program Files\InstallShield Installation Information\{909BBDB7-BABE-434C-9124-863A9F8D1CF8}\setup.exe -runfromtemp -l0x0009 -removeonly
Flash Slideshow Maker Pro 4.85-->C:\Program Files\Flash Slideshow Maker Professional\uninst.exe
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
FreeRIP v3.081-->"C:\Program Files\FreeRIP3\unins000.exe"
Futuremark SystemInfo-->C:\Program Files\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe -runfromtemp -l0x0009 -removeonly
Gordian Knot Rip Pack 0.35.0-->C:\Program Files\GordianKnot\uninst.exe
Haali Media Splitter-->"C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
Hamachi 1.0.3.0-->C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ILLUSION ã™ãã…~るメイト『写真撮影会ã€-->MsiExec.exe /X{A4A132BC-D64F-4B89-91F2-60DDF5199D55}
ILLUSION ã™ãã…~るメイト-->MsiExec.exe /X{6746BEC6-EE67-4173-A2FF-D9A21D8FF27D}
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper-->MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
lolifox (0.3.6)-->C:\Program Files\lolifox\uninstall\helper.exe
MagicDisc 2.5.79-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MatrixMixer (remove only)-->C:\Program Files\MatrixMixer\uninstall.exe
MechWarrior 2-->C:\WINDOWS\uninst.exe -fC:\Mech2\DeIsL1.isu
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Calculator Plus-->MsiExec.exe /I{83073C45-3003-4671-9A86-243AAADD915A}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Pro Photo Tools-->MsiExec.exe /I{A05CF147-BEED-4880-BF9B-4EAF22C77FFD}
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)-->MsiExec.exe /X{2E5A5B57-57FC-4C79-A239-9DB280ADEC2A}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
mIRC-->"F:\Backup\mIRC\mirc.exe" -uninstall
Morgan Stream Switcher-->"C:\Program Files\Morgan\mmswitch\uninst.exe"
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NETGEAR Wireless Adapter WG311T-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A49306CE-84C6-4024-BAD2-80FE34679069}\Setup.exe" -l0x9
Nikon RAW Codec-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8616041-2802-4DE2-B3BD-6285AAD65C2A}\Setup.exe" -l0x9 -removeonly
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1-->"C:\Program Files\Eset\unins000.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA nTune-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
NvMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Real Alternative 1.7.5-->"C:\Program Files\Real Alternative\unins000.exe"
Red Alert Windows 95-->C:\WINDOWS\RAUNINST.EXE C:\WINDOWS\UNINST.EXE -fC:\WESTWOOD\REDALERT\DeIsL1.isu
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Slab DSP - Virtuoso v1.0 (remove only)-->"C:\Program Files\Winamp\Plugins\Virtuoso\uninst.exe"
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
UltraMon-->MsiExec.exe /I{E67FF1A2-23C1-4102-84E9-42115F77AD32}
UltraVNC v1.0.2-->"C:\Program Files\UltraVNC\unins000.exe"
Unreal Anthology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14AA72DA-DB40-4A34-93A6-401A81D7AF9E}\Setup.exe" -l0x9 -removeonly
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
VU Meter for Winamp-->C:\Program Files\Winamp\Plugins\SXUNINST.EXE
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
x264vfw - H.264/MPEG-4 AVC codec (remove only)-->C:\WINDOWS\system32\x264vfw-uninstall.exe
XnView 1.92.1-->"C:\Program Files\XnView\unins000.exe"
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"
YAMAHA Wave Sound Decorator-->MsiExec.exe /I{100E6299-4AA4-425E-9915-57B7011A908F}
Zoom Player (remove only)-->"C:\Program Files\Zoom Player\uninstall.exe"
らã☆ã™ãŸ デスクトップアクセサリー-->MsiExec.exe /I{7B689946-FC65-4DA3-9537-3FD23641905C}
======Security center information======
AV: ESET NOD32 antivirus system 2.70
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
EOF
Please print out these instructions or save them to your dekstop with Notepad, so that you can operate with all browser windows closed.
Step 1:
Run HijackThis and click on Do a system scan only.
When the scan is complete, place a check next to the following entries:
O2 - BHO: {02f17671-2d3f-a07a-77b4-1c52ca09ede7} - {7ede90ac-25c1-4b77-a70a-f3d217671f20} - C:\WINDOWS\system32\kdjiua.dll (file missing)
O2 - BHO: (no name) - {D366F4E4-FD2F-4E5C-A97E-14A3944EFD6E} - C:\WINDOWS\system32\tuvUKBtr.dll (file missing)
O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://dvrlink.net/webdvr/webdvr2.5.10.2_233.0.0.0.cab
O20 - AppInit_DLLs: kdjiua.dll
Now close all open windows/programs and click on Fix Checked.
Step 2:
Please download OTMoveIt3 by OldTimer and save it to your desktop.
- Double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below.
- Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.Reboot your computer at this stage.
Step 3:
Click on Start and then Run.
Type Notepad C:\WINDOWS\wininit.ini and click OK.
Notepad will open.
Please copy & paste the whole contents of that file here.
In your next reply, please include
I came across this thread from a web search because I was having the same problem.
I had to register for the forum just to thank you for your expertise. I was following along and kinda reverse engineering the things you outlined as most of the items on my computer were named differently. But I followed up to your last post and viola, the virus seems to be gone.
I am interested to see what your response will be once the OP posts his winnt.ini file. I had an entry in it, I just commented it out until I see what your instructions were.
The entry looked like:
[Rename]
NUL=C:\DOCUME~1\(my username)\LOCALS~1\Temp\VIES5E0B
Again, thank you so much, there is no telling how many other people you may be helping that you aren't even aware of.
Unable to stop service ahifhj1f .
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
========== FILES ==========
File/Folder C:\WINDOWS\system32\svhyfgrk.ini not found.
File/Folder C:\WINDOWS\system32\lzfidg.dll not found.
File/Folder C:\WINDOWS\system32\cygeqdrf.dll not found.
File/Folder C:\WINDOWS\system32\rtBKUvut.ini2 not found.
File/Folder C:\WINDOWS\system32\e79abd58-.txt not found.
File/Folder C:\WINDOWS\system32\rtBKUvut.ini not found.
File/Folder C:\WINDOWS\system32\drivers\ahifhj1f.sys not found.
File/Folder C:\WINDOWS\system32\tuvUKBtr.dl not found.
File/Folder C:\WINDOWS\system32\kdjiua.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Chidori\LOCALS~1\Temp\etilqs_jGIibbJAtgfgBLij99S0 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF1923.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF1928.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF3368.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF3390.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11172008_003524
Files moved on Reboot...
File C:\DOCUME~1\Chidori\LOCALS~1\Temp\etilqs_jGIibbJAtgfgBLij99S0 not found!
File C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF1923.tmp not found!
File C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF1928.tmp not found!
File C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF3368.tmp not found!
File C:\DOCUME~1\Chidori\LOCALS~1\Temp\~DF3390.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4f8.dat not found!
C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Chidori\Local Settings\Application Data\Mozilla\Firefox\Profiles\1qczdj0s.des\urlclassifier3.sqlite moved successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:29 AM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Chidori\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\overclocked.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chidori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 5528 bytes
wininit.ini
[rename]
c:\tempjunk3057.tmp=C:\WINDOWS\system32\fwufmqhf.dll_old
nul=c:\tempjunk3057.tmp
Please note that instructions given under this topic are customised for JChretien's computer only. The tools used may cause damage if used on a computer with different infections. If you have any questions or requests, please start your own thread instead.
Please do an additional scan with Kaspersky Online Scanner
Note: Internet Explorer should be used
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 17, 2008 03:50:44
Records in database: 1389091
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
M:\
N:\
P:\
Scan statistics:
Files scanned: 250603
Threat name: 22
Infected objects: 36
Suspicious objects: 1
Duration of the scan: 07:46:36
File name / Threat name / Threats count
C:\Program Files\UltraVNC\WinVNC.exe/C:\Program Files\UltraVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\ESET\cache\FND0.NFI Infected: Trojan.Win32.Agent.amyt 1
C:\Program Files\ESET\cache\FND1.NFI Infected: Trojan.Win32.Monderb.wqe 1
C:\Program Files\ESET\infected\3KGQ3PDA.NQF Infected: Worm.Win32.Antinny.j 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\_OTMoveIt\MovedFiles\11172008_002646\WINDOWS\system32\cygeqdrf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.etr 1
C:\_OTMoveIt\MovedFiles\11172008_002646\WINDOWS\system32\lzfidg.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.etr 1
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.Quick.a 1
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.EZula.u 1
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.WebRebates.g 1
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.WebRebates.b 2
D:\Download\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
D:\FlyakiteOSXv2.0.exe Infected: not-a-virus:NetTool.Win32.PsKill.a 1
E:\Backup\nov1105\desktop\NetTools4.zip Suspicious: Backdoor.Win32.VB.gen 1
E:\Backup\nov1105\mIRC\BACKUP\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
E:\Backup\nov1105\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
E:\Backup\Tracer\Tracer\TracerScript.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.571 1
E:\Backup\Tracer.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.571 1
E:\blah\UPP\upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
E:\dap53.exe Infected: not-a-virus:AdWare.Win32.Dap.g 1
E:\Matrix3DSetup.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
E:\susetup1.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
E:\UPP\upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
E:\upp.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
E:\vnc-3.3.3r9_x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
F:\Backup\mIRC\BACKUP\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
F:\Backup\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
H:\New Folder (2)\DrCorp\DrScriptv2w\DrScript.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
I:\Count Zero CG Collections\Vol.37 Gekkan Ohno Kanako (Genshiken).rar Infected: Exploit.HTML.CodeBaseExec 1
I:\Laptop Backup\Desktop\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
I:\Laptop Backup\Desktop\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
The selected area was scanned.
- Double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below.
- Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.C:\WINDOWS\wininit.ini moved successfully.
OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11202008_102926
Everything seems to be running fine. No more funny firefox popups, security center doesnt automatically disable automatic updates, and NOD32 does not report any issues. Thanks so much for your help!
There is one thing I'd like to point out at this point; although it's not my job to pass judgment on you. It appears from your logs that you're using cracked NOD32. Why so when there is plenty of free antivirus programs availabled? Why to steal from those who are trying to make computing more safe?
Please run OTMoveIt3:
- Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
- Answer Yes to the prompt.
- The program will ask for a reboot. Answer Yes.
Empty your Recycle Bin after this.Please take time to read my "All Clean" speech:
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clean up System Restore
You can find instructions on how to disable and enable System Restore from these guides:
Disable And Enable System Restore
Windows XP System Restore Guide
Make Your Internet Explorer More Secure
This can be done by following these simple instructions:
- From within Internet Explorer click on the tools menu and then click on Options
- Click once on the "Security" tab
- Click once on the "Internet" icon so it becomes highlighted
- Click once on the Custom Level button.
- Change the "Download signed ActiveX" controls to Prompt
- Change the "Download unsigned ActiveX" controls to Disable
- Change the "Initialize and script ActiveX controls" not marked as safe to Disable
- Change the "Launching programs and files in an IFRAME" to Prompt
- Change the "Navigate sub-frames across different domains" to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Note that Internet Explorer is not the most secure browser. There are safer (and better) alternatives available like Opera and Firefox.Keep Your System Up to date
It is imperative that you keep your Windows, Antivirus, and other softwares up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit Microsoft Windows Update site regularly.
Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Additional Utilities and Tips to Enhance Your Safety
- MVPS Hosts file --- The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
- Comodo BOCLEAN --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
- Winpatrol --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software
Get more knowledge about how to protecet your computer and prevent malware issues by reading these short articles:Happy surfing!
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead