11-09-2008, 10:58 PM #1
bajanknight
Programs Restricted/no desktop/Virtumonde

Thanks in advance for your assistance.

Dell Dimension 2400, P4 2.8 GHz, 2 GB RAM
WinXP Home SP2

I have been attempting to help rescue a friend's infected-beyond-belief PC. The goal is to get the system back to a point where a backup of important files can be done from the user account login.

Normal boot into the user account w/password ends with the display of the user's desktop wallpaper but nothing else... (no icons or start bar)
Unable to Ctrl Alt Del into Task Manager. Hard reset required.

Safe mode bootup into admin is successful, with a black-screen-only result. Ctrl Alt Del does open Task Manager, and the gpupdate command resuscitates the admin's desktop icons and allows close to normal functionality. I managed to run the ClamWin Portable virus scanner and it cleaned many things. New Adaware would not run, with a message about the administrator being restricted. Spybot did install and run and cleaned many things; what is left either can't be removed because it is in use, or reinstalls itself during a reboot. The virtumonde.dll is one of those.

I have read the pre-steps to take and hope that I have followed the normal procedures.

Recovery Console installed and shows as an option in bootup.

Logfile of RSIT, copied and pasted:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-09 23:30:45
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 60 GB (79%) free of 76 GB
Total RAM: 2046 MB (86% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:56 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A3799CB4-CC4D-4367-AEF0-307D6EF89F7F} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: {77d5fa4b-c08a-ba3b-ead4-cfb5778d0c4b} - {b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77} - C:\WINDOWS\system32\kcbgtcnu.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA9519] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3804] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6806] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1350] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6171] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9339] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3251] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5520] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7408] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3607] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4519] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7788] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4326] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7234] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9965] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2754] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3024] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3495] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3896] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1707] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2619] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7137] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8943] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2491] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3178] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7475] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7240] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9395] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7743] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4622] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7347] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4538] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingB497] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1761] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3792] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3745] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2934] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3154] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1312] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4995] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5066] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6844] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9161] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1914] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5601] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3315] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8289] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2483] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{777B9D40-F35A-471A-A863-F6E7B3FC9751}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{861BEBB0-E147-491F-B363-309EEC201B53}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1519AE-0148-44FB-9E19-8D4A8112F5C6}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\System32\ebkp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdc_device - Unknown owner - C:\WINDOWS\System32\lxdccoms.exe (file missing)
O23 - Service: TTUQNRGA - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10337 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F}]
C:\WINDOWS\system32\mlljg.dll [2008-02-05 326240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77}]
C:\WINDOWS\system32\kcbgtcnu.dll [2008-04-25 98880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingC3804"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingA6806"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingC1350"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingA6171"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingC9339"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingA3251"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingC5520"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingA7408"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingC3607"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingA4519"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingC7788"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingA4326"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingC7234"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingA9965"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingC2754"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingA3024"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC3495"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotSnD"=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 4891472]
"SpybotDeletingA3896"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC1707"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingA2619"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC7137"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingA8943"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC2491"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
""= []
"GrpConv"=grpconv -o []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingD7475"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingB7240"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingD9395"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingB7743"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingD4622"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingB7347"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingD4538"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingB497"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingD1761"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingB3792"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingD3745"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingB2934"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingD3154"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingB1312"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingD4995"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingB5066"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD6844"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB9161"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD1914"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB5601"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD3315"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB8289"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD2483"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00d971c8]
C:\WINDOWS\system32\cnmhypvr.dll [2008-04-26 87104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
C:\WINDOWS\BCMSMMSG.exe [2003-06-02 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM03ea4254]
C:\WINDOWS\system32\oxvqlkrv.dll [2008-04-26 106048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2005-05-13 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2003-05-08 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-05-21 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2004-03-06 151597]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
C:\PROGRA~1\WIRELE~1\WLANUT~1.EXE [2003-01-13 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MSIServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Otx83.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2008-11-09 23:30:45 ----D---- C:\rsit
2008-11-09 23:26:29 ----D---- C:\Program Files\Trend Micro
2008-11-09 23:21:30 ----SHD---- C:\RECYCLER
2008-11-09 22:39:38 ----D---- C:\WINDOWS\temp
2008-11-09 22:39:36 ----A---- C:\ComboFix.txt
2008-11-09 22:26:30 ----A---- C:\Boot.bak
2008-11-09 22:26:11 ----RASHD---- C:\cmdcons
2008-11-09 22:19:55 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\zip.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\VFIND.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWSC.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWREG.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\sed.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\grep.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\fdsv.exe
2008-11-09 22:19:46 ----D---- C:\WINDOWS\ERDNT
2008-11-09 22:19:46 ----D---- C:\Qoobox
2008-11-08 17:32:07 ----D---- C:\Documents and Settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-08 16:19:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47:00 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-07 22:27:58 ----A---- C:\WINDOWS\gmer.ini
2008-11-07 22:27:55 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-07 22:27:54 ----A---- C:\WINDOWS\gmer.exe
2008-11-07 22:27:54 ----A---- C:\WINDOWS\gmer.dll
2008-11-07 01:47:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-07 01:28:44 ----D---- C:\WINDOWS\pss
2008-11-07 00:43:42 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-07 00:23:07 ----D---- C:\Program Files\CCleaner
2008-11-05 22:41:12 ----D---- C:\WINDOWS\ERUNT
2008-11-05 22:35:14 ----D---- C:\SDFix
2008-11-05 22:30:12 ----D---- C:\ClamWinPortable
2008-11-05 22:28:29 ----A---- C:\WINDOWS\system32\hidserv.dll

======List of files/folders modified in the last 3 months======

2008-11-09 23:28:48 ----D---- C:\Downloads
2008-11-09 23:26:29 ----AD---- C:\Program Files
2008-11-09 22:39:40 ----SHD---- C:\WINDOWS\SYSTEM32
2008-11-09 22:39:40 ----D---- C:\WINDOWS\system32\DRIVERS
2008-11-09 22:39:38 ----AD---- C:\WINDOWS
2008-11-09 22:38:40 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-09 22:33:55 ----A---- C:\WINDOWS\system.ini
2008-11-09 22:33:06 ----SHD---- C:\System Volume Information
2008-11-09 22:33:06 ----D---- C:\WINDOWS\system32\Restore
2008-11-09 22:31:44 ----D---- C:\WINDOWS\system32\CONFIG
2008-11-09 22:29:19 ----D---- C:\WINDOWS\AppPatch
2008-11-09 22:29:19 ----D---- C:\Program Files\Common Files
2008-11-09 22:26:30 ----RASH---- C:\BOOT.INI
2008-11-09 18:33:38 ----A---- C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
2008-11-08 17:54:28 ----A---- C:\WINDOWS\wininit.ini
2008-11-08 16:58:04 ----HD---- C:\WINDOWS\INF
2008-11-08 16:57:40 ----D---- C:\Program Files\LiveAntispy
2008-11-08 16:57:35 ----AD---- C:\Program Files\Lycos
2008-11-08 15:46:24 ----D---- C:\New Folder
2008-11-07 22:38:11 ----D---- C:\WINDOWS\Minidump
2008-11-07 01:32:12 ----A---- C:\WINDOWS\WIN.INI
2008-11-07 00:45:31 ----SHD---- C:\WINDOWS\Installer
2008-11-07 00:42:19 ----D---- C:\WINDOWS\TWAIN_32
2008-11-07 00:41:39 ----D---- C:\Program Files\Canon
2008-11-07 00:38:38 ----D---- C:\backups
2008-11-07 00:23:23 ----D---- C:\WINDOWS\Resources
2008-11-07 00:23:04 ----D---- C:\Memorex Vault
2008-11-06 01:00:11 ----D---- C:\WINDOWS\Debug
2008-11-06 00:27:25 ----D---- C:\Documents and Settings\All Users\Application Data\mralotun
2008-11-05 23:18:58 ----RD---- C:\WINDOWS\Web
2008-11-05 23:18:42 ----D---- C:\WINDOWS\system32\Client

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2005-03-07 14408]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-07 85969]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0; C:\WINDOWS\System32\Drivers\usbscan.sys [2004-08-04 15104]
S2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
S2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
S2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2002-08-29 63232]
S2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2002-08-29 55936]
S2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685]
S2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837]
S2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117]
S2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233]
S2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284]
S2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229]
S2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357]
S2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068]
S2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ADM8211;Wireless PC Card; C:\WINDOWS\System32\DRIVERS\WLANPCI.sys [2003-01-27 86656]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136]
S3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-06-02 1101696]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2008-01-22 28672]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-04 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-04 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-04 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-04 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-04 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-04 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-04 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-04 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-04 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-04 23615]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 SDDMI2;SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys []
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\WIRELE~1\WLANNDIS5.SYS []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2004-08-04 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2004-08-04 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2004-08-04 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2004-08-04 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2004-08-04 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2004-08-04 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 lxdc_device;lxdc_device; C:\WINDOWS\System32\lxdccoms.exe -service []
S2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2002-08-29 19456]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-09-13 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-05-13 327680]
S3 TTUQNRGA;TTUQNRGA; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------
Attached Files:
rsitinfo_110908_1132.txt (17.5 KB)
gmer_1109081120.txt (395.4 KB)