Virtumonde Attacks! Please Help!!!

ale_lilo17 · Feb 27, 2008

WELL I BASICALLY GOT INFECTED WITH A LOT OF COOKIES AND TROJANS.

I RAN SPYBOT, BUT CANT SEEM TO GET RID OF VIRTUMONDE. AND I DONT REALLY HAVE CONTROL OVER THE COMPUTER FOR LONG, THE DOCK, TASKBAR, DESKTOP DISSAPEARS AND I CANT GO THROUGH MY FILES EITHER.
I DONT KNOW WHAT ELSE I COULD POSSIBLY DO ON THE COUNT OF I'M TOTALLY ILLITERATE WHEN IT COMES TO COMPUTERS.
PLEASE HELP:bigthumb:

km2357 · Feb 28, 2008

Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Step # 1: Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Post the HiJackThis Log and Uninstall List in your next post/reply.

ale_lilo17 · Mar 1, 2008

Logfile of Trend Micro HijackThis v2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:57 PM, on 2/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1202344956\ee\aolsoftware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B08B6E3-5A27-483E-A143-59E5D6A3F39B} - (no file)
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {428DD93C-9F23-4A93-9B2B-9B125D6C023A} - (no file)
O2 - BHO: (no name) - {43F445FB-3113-4DCD-A3AC-82AFD6C44D43} - C:\Windows\system32\qopmj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: (no name) - {C2ED0EF3-A8E2-41B0-84C5-1D2F5A1D9717} - (no file)
O2 - BHO: (no name) - {E741C985-C44B-4C27-92A8-6BB0FA8CC6F1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\mljij.dll,#1
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [24afb788] rundll32.exe "C:\Windows\system32\vieilsln.dll",b
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5169B131-CB99-4EF9-9A89-D8783BCF1D72}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: cbxvsrs - C:\Windows\SYSTEM32\cbxvsrs.dll
O20 - Winlogon Notify: tuvttut - C:\Windows\SYSTEM32\tuvttut.dll
O20 - Winlogon Notify: wvurqrr - C:\Windows\SYSTEM32\wvurqrr.dll
O20 - Winlogon Notify: wvuursr - C:\Windows\SYSTEM32\wvuursr.dll
O20 - Winlogon Notify: xxyvwuu - C:\Windows\SYSTEM32\xxyvwuu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11884 bytes

ale_lilo17 · Mar 1, 2008

Uninstall List

Activation Assistant for the 2007 Microsoft Office suites
Adobe Reader 8
AppCore
AV
Canon PhotoRecord
Canon PIXMA iP1500
ccCommon
Ciao Bella
Coffee Tycoon
Diner Dash 2
Diner Dash 4 Hometown Hero (remove only)
Easy-WebPrint
GTAIII
Hardware Diagnostic Tools
HijackThis 2.0.2
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.0
HP Total Care Advisor
HP Update
Lemonade Tycoon 2
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Age of Empires Gold
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSRedist
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 6.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
PeoplePC Online
PeoplePC

eoplePal Toolbar 6.5
Python 2.4.3
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for the 2007 Microsoft Office System (KB936960)
Snapfish Media Detector
SPBBC 32bit
Spybot - Search & Destroy
Symantec Real Time Storage Protection Component
SymNet
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Word 2007 (KB934173)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

km2357 · Mar 1, 2008

Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Step # 2: Download and Run ComboFix

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

ale_lilo17 · Mar 1, 2008

I DONT KNOW WHERE TO GO IN ORDER TO DISABLE TEA TIMER.....
AND IM NOT SURE WHERE TO FIND THE SPYBOT ICON IN THE SYSTEM TRAY

km2357 · Mar 1, 2008

Hi. Please don't type in all-caps, it means you are shouting when you do that.

In the System tray, do you see an icon that looks like a blue/white calendar with a padlock symbol? That's SpyBot S&D's icon. Next depending on what version of SpyBot S&D you have, you want to do the following:

If you have the new version 1.5, Right click on the SpyBot Icon. Then click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.

If you have Version 1.4, Right click on the SpyBot Icon,then click on Exit Spybot S&D Resident.

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Let me know if you have any more problems.

ale_lilo17 · Mar 4, 2008

ComboFix Log

ComboFix 08-03-01.3 - Murillo 2008-03-03 19:11:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.230 [GMT -6:00]
Running from: C:\Users\Murillo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\agdpvnvv.dll
C:\Windows\system32\aqkiywdo.dll
C:\Windows\system32\atglwiku.dll
C:\Windows\System32\bbjccyhd.ini
C:\Windows\System32\bitacwwh.ini
C:\Windows\system32\cbxvsrs.dll
C:\Windows\system32\cgsglyfd.dll
C:\Windows\system32\cphsyaoh.dll
C:\Windows\system32\cscmjbtk.dll
C:\Windows\system32\cuduvwyd.dll
C:\Windows\system32\dapkiulu.dll
C:\Windows\system32\defijmsu.dll
C:\Windows\system32\dhyccjbb.dll
C:\Windows\system32\etepotgc.dll
C:\Windows\System32\fedbshlv.ini
C:\Windows\System32\fghjl.ini
C:\Windows\System32\fghjl.ini2
C:\Windows\system32\ghiktvir.dll
C:\Windows\system32\hdidxkob.dll
C:\Windows\system32\hgdcc.dll
C:\Windows\system32\hjvscuib.dll
C:\Windows\System32\hkkmp.bak1
C:\Windows\System32\hkkmp.ini
C:\Windows\system32\hmekgbpr.dll
C:\Windows\System32\hoayshpc.ini
C:\Windows\system32\hwwcatib.dll
C:\Windows\system32\iajovihb.dll
C:\Windows\System32\iiorgujm.ini
C:\Windows\System32\ikvoyapx.ini
C:\Windows\system32\iykpxlwm.dll
C:\Windows\System32\jdumldpw.ini
C:\Windows\system32\jlogqwjp.dll
C:\Windows\System32\jmpoq.bak1
C:\Windows\System32\jmpoq.bak2
C:\Windows\System32\jmpoq.ini
C:\Windows\System32\jmpoq.ini2
C:\Windows\System32\jmpoq.tmp
C:\Windows\System32\jpsrtlga.ini
C:\Windows\system32\jtrhpixt.dll
C:\Windows\system32\knbfufrn.dll
C:\Windows\System32\ktbjmcsc.ini
C:\Windows\system32\lfteijoa.dll
C:\Windows\system32\ljhgf.dll
C:\Windows\system32\ljhgg.dll
C:\Windows\system32\lkpjywtu.dll
C:\Windows\system32\llkdvfil.dll
C:\Windows\system32\lmdbfktt.dll
C:\Windows\System32\ltgjqbdr.ini
C:\Windows\system32\lwimlgwx.dll
C:\Windows\System32\mbswxaqx.ini
C:\Windows\system32\mjugroii.dll
C:\Windows\system32\muixyybv.dll
C:\Windows\System32\nisanpdp.ini
C:\Windows\system32\nlhwhswe.dll
C:\Windows\System32\nlslieiv.ini
C:\Windows\system32\nrmkbptw.dll
C:\Windows\system32\ohwobjok.dll
C:\Windows\system32\oqaxfygh.dll
C:\Windows\system32\osivvhiv.dll
C:\Windows\system32\ovpvaopg.dll
C:\Windows\System32\pjwqgolj.ini
C:\Windows\system32\prxghcat.dll
C:\Windows\system32\puarwguv.dll
C:\Windows\system32\qhhjlasg.dll
C:\Windows\system32\qopmj.dll
C:\Windows\system32\rdbqjgtl.dll
C:\Windows\System32\rdjtnmos.ini
C:\Windows\system32\rtgjmsme.dll
C:\Windows\system32\rynebuow.dll
C:\Windows\system32\siyuhcpt.dll
C:\Windows\system32\somntjdr.dll
C:\Windows\system32\thtomanp.dll
C:\Windows\system32\tuvttut.dll
C:\Windows\system32\twibytxs.dll
C:\Windows\system32\ubeetvbi.dll
C:\Windows\system32\uddrnesl.dll
C:\Windows\System32\usmjifed.ini
C:\Windows\system32\uspsucpv.dll
C:\Windows\system32\vieilsln.dll
C:\Windows\system32\vlhsbdef.dll
C:\Windows\System32\vugwraup.ini
C:\Windows\System32\wmcrnqtc.ini
C:\Windows\System32\woubenyr.ini
C:\Windows\system32\wpdlmudj.dll
C:\Windows\system32\wvurqrr.dll
C:\Windows\system32\wvuursr.dll
C:\Windows\system32\xaygenkj.dll
C:\Windows\system32\xbylncrc.dll
C:\Windows\system32\xpayovki.dll
C:\Windows\system32\xtevsnxn.dll
C:\Windows\system32\xxyvwuu.dll
C:\Windows\system32\ynjllfon.dll
C:\Windows\system32\ysrfvpjj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 18:57 . 2008-01-09 19:40 39,424 --a------ C:\Windows\System32\nnnom.dll
2008-03-02 21:15 . 2008-03-02 21:15 98,134 --a------ C:\Windows\BM279c8414.xml
2008-03-02 21:15 . 2008-03-02 21:15 22 --a------ C:\Windows\pskt.ini
2008-03-01 21:55 . 2008-03-01 21:55 <DIR> d-------- C:\Temp
2008-02-29 21:54 . 2008-02-29 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 21:11 . 2008-01-09 19:40 39,424 --a------ C:\Windows\System32\hgdde.dll
2008-02-24 17:26 . 2008-03-01 20:29 2,434 --a------ C:\Windows\wininit.ini
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 15:05 . 2008-01-09 19:40 39,424 --a------ C:\Windows\System32\fcyyw.dll
2008-02-14 17:54 . 2008-02-14 17:54 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 17:54 . 2008-02-14 17:54 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 17:51 . 2008-02-14 17:51 943,800 --a------ C:\Windows\System32\winload.exe
2008-02-14 17:51 . 2008-02-14 17:51 595,456 --a------ C:\Windows\System32\schedsvc.dll
2008-02-14 17:51 . 2008-02-14 17:51 115,200 --a------ C:\Windows\System32\loadperf.dll
2008-02-14 17:51 . 2008-02-14 17:51 39,424 --a------ C:\Windows\System32\lodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 32,256 --a------ C:\Windows\System32\unlodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 23,552 --a------ C:\Windows\System32\nshhttp.dll
2008-02-14 17:51 . 2008-02-14 17:51 17,408 --a------ C:\Windows\System32\prflbmsg.dll
2008-02-14 17:45 . 2008-02-14 17:45 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 17:45 . 2008-02-14 17:45 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 17:45 . 2008-02-14 17:45 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 17:45 . 2008-02-14 17:45 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 17:45 . 2008-02-14 17:45 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 17:43 . 2008-02-14 17:43 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-02-14 17:43 . 2008-02-14 17:43 824,832 --a------ C:\Windows\System32\wininet.dll
2008-02-14 17:42 . 2008-02-14 17:42 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-14 17:42 . 2008-02-14 17:42 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-14 17:42 . 2008-02-14 17:42 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-06 19:54 . 2008-02-14 17:57 <DIR> dr------- C:\Users\Public\Documents
2008-02-06 18:43 . 2008-02-06 18:43 <DIR> d-------- C:\Users\All Users\AOL
2008-02-06 18:43 . 2008-02-06 18:43 <DIR> d-------- C:\ProgramData\AOL
2008-02-06 18:43 . 2006-11-01 14:18 33,588 --a------ C:\Windows\System32\drivers\wanatw4.sys
2008-02-06 18:42 . 2008-02-06 18:43 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-06 18:42 . 2008-02-06 18:46 1,165 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 01:16 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 01:14 340 ----a-w C:\Users\Murillo\AppData\Roaming\wklnhst.dat
2008-02-14 23:52 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-14 23:52 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-14 23:52 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-14 23:52 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-14 23:52 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-14 23:52 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-14 23:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-04 04:29 --------- d-----w C:\ProgramData\Symantec
2008-02-04 00:50 --------- d-----w C:\Program Files\HP Games
2008-01-22 03:42 152 ----a-w C:\Users\Eliseo\AppData\Roaming\wklnhst.dat
2008-01-22 03:07 --------- d-----w C:\Users\Murillo\AppData\Roaming\Template
2008-01-16 19:22 --------- d-----w C:\Users\Eliseo\AppData\Roaming\WildTangent
2008-01-15 00:48 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Yahoo!
2008-01-15 00:32 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Template
2008-01-12 23:19 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Snapfish
2008-01-12 01:17 --------- d-----w C:\Users\Murillo\AppData\Roaming\Yahoo!
2008-01-12 00:29 --------- d-----w C:\Users\Murillo\AppData\Roaming\Snapfish
2008-01-09 18:46 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-06 01:54 68 ----a-w C:\Users\Alejandra\AppData\Roaming\wklnhst.dat
2008-01-06 01:47 --------- d-----w C:\Users\Alejandra\AppData\Roaming\Template
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2007-03-12 10:32 232960 --a------ C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{A8FB8EB3-183B-4598-924D-86F0E5E37085}
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll [2007-03-12 10:32 232960]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:42 1232896]
"HPADVISOR"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-12 18:44 1773568]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 06:34 1004136]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 04:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 09:38 4390912 C:\Windows\RtHDVCpl.exe]
"SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 15:55 1441792]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 15:59 115816]
"Bart Station"="C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe" [2007-03-12 17:04 26208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-06 15:07 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"MSServer"="C:\Windows\system32\nnnom.dll" [2008-01-09 19:40 39424]
"HostManager"="C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe" [2006-09-25 18:52 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Eliseo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Users\Murillo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-03-02 15:55:02 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdoyc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8336E42D-957B-4F7A-B12C-19F2F5F0A3C5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{59F2D171-82AE-4740-AEAE-52B15526DB7B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{770E6D62-A573-412B-886D-532ACFFEA94D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A79C0B29-8A0A-4C6C-8551-F9DBE917FC4B}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6F086771-0208-4031-8DBF-94FF9C50833C}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E2AA857C-99D1-4B53-A95B-AD235565D89C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B63C0B7A-0502-470C-A2B1-FD44CCF8AAC2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{351F1021-853E-48FD-9E26-746506C1E141}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18E247CE-86C4-4BB6-9667-D29B98ADAFC8}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{198D1F16-C272-4180-92D8-F14DDD07CB43}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D84D9754-8933-487D-AE9A-329D787892C2}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7D00CBC7-27AD-4F54-B2FF-602FC8FFBBE7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{81FB19F5-E412-457C-A020-8E31C8012D0C}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{92F76B9A-1882-4DA0-843F-ABA305650EDF}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{C6700E70-7E0C-4CCE-820E-EBF98810B163}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{61C9A68D-DCFB-45DE-B6C1-0BC90FA4A87C}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071011.001\IDSvix86.sys [2007-09-13 08:49]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 08:32]
R3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 01:41]
R3 VSTHWBS2;VSTHWBS2;C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 01:41]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 02:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Claudia.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-03-04 01:47:45 C:\Windows\Tasks\User_Feed_Synchronization-{3AF92E68-AD9F-4390-8CDA-6497CE1E6AE8}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-03-04 01:47:45 C:\Windows\Tasks\User_Feed_Synchronization-{895DC1FC-5B31-491A-A511-1F71DD557EAC}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 19:41:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
.
**************************************************************************
.
Completion time: 2008-03-03 19:48:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 01:48:32
.
2008-03-01 22:46:54 --- E O F ---

ale_lilo17 · Mar 4, 2008

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:14 PM, on 3/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\Explorer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\notepad.exe
C:\Program Files\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnom.dll,#1
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9542 bytes

km2357 · Mar 4, 2008

Thanks for the logs.

Step # 1: Add/Remove Programs

Go to start > control panel > programs and features.
Right click on each instance of:

PeoplePCeoplePal Toolbar 6.5
Click Uninstall & then follow the prompts to remove it.

Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File:: 

C:\Windows\System32\nnnom.dll
C:\Windows\BM279c8414.xml
C:\Windows\pskt.ini
C:\Windows\System32\hgdde.dll
C:\Windows\System32\fcyyw.dll
C:\Windows\System32\kdoyc.exe

Registry:: 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=""

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step # 3: Remove Hijackthis Entries

Right click on HijackThis and click Run as administrator
Click on do a system scan only
Place a checkmark next to these lines(if still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

Then close all windows except HijackThis and click Fix Checked

In your next post/reply, I need to see the ComboFix log and a fresh HiJackThis Log.

ale_lilo17 · Mar 5, 2008

ComboFix Log

ComboFix 08-03-04.4 - Murillo 2008-03-04 17:12:23.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.266 [GMT -6:00]
Running from: C:\Users\Murillo\Desktop\ComboFix.exe
Command switches used :: C:\Users\Murillo\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\BM279c8414.xml
C:\Windows\pskt.ini
C:\Windows\System32\fcyyw.dll
C:\Windows\System32\hgdde.dll
C:\Windows\System32\kdoyc.exe
C:\Windows\System32\nnnom.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\BM279c8414.xml
C:\Windows\pskt.ini
C:\Windows\system32\cbawx.dll
C:\Windows\System32\fcyyw.dll
C:\Windows\System32\hgdde.dll
C:\Windows\System32\kdoyc.exe
C:\Windows\System32\xwabc.ini
C:\Windows\System32\xwabc.ini2

.
--------------- FMove ---------------

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 16:41 . 2008-01-09 19:40 39,424 --a------ C:\Windows\System32\byxyy.dll
2008-03-01 21:55 . 2008-03-01 21:55 <DIR> d-------- C:\Temp
2008-02-29 21:54 . 2008-02-29 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 17:26 . 2008-03-01 20:29 2,434 --a------ C:\Windows\wininit.ini
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-14 17:54 . 2008-02-14 17:54 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 17:54 . 2008-02-14 17:54 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 17:51 . 2008-02-14 17:51 943,800 --a------ C:\Windows\System32\winload.exe
2008-02-14 17:51 . 2008-02-14 17:51 595,456 --a------ C:\Windows\System32\schedsvc.dll
2008-02-14 17:51 . 2008-02-14 17:51 115,200 --a------ C:\Windows\System32\loadperf.dll
2008-02-14 17:51 . 2008-02-14 17:51 39,424 --a------ C:\Windows\System32\lodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 32,256 --a------ C:\Windows\System32\unlodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 23,552 --a------ C:\Windows\System32\nshhttp.dll
2008-02-14 17:51 . 2008-02-14 17:51 17,408 --a------ C:\Windows\System32\prflbmsg.dll
2008-02-14 17:45 . 2008-02-14 17:45 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 17:45 . 2008-02-14 17:45 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 17:45 . 2008-02-14 17:45 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 17:45 . 2008-02-14 17:45 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 17:45 . 2008-02-14 17:45 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 17:43 . 2008-02-14 17:43 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-02-14 17:43 . 2008-02-14 17:43 824,832 --a------ C:\Windows\System32\wininet.dll
2008-02-14 17:42 . 2008-02-14 17:42 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-14 17:42 . 2008-02-14 17:42 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-14 17:42 . 2008-02-14 17:42 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-06 19:54 . 2008-02-14 17:57 <DIR> dr------- C:\Users\Public\Documents
2008-02-06 18:43 . 2008-02-06 18:43 <DIR> d-------- C:\Users\All Users\AOL
2008-02-06 18:43 . 2008-02-06 18:43 <DIR> d-------- C:\ProgramData\AOL
2008-02-06 18:43 . 2006-11-01 14:18 33,588 --a------ C:\Windows\System32\drivers\wanatw4.sys
2008-02-06 18:42 . 2008-02-06 18:43 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-06 18:42 . 2008-02-06 18:46 1,165 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 23:07 --------- d-----w C:\Program Files\HP Games
2008-02-25 01:16 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 01:14 340 ----a-w C:\Users\Murillo\AppData\Roaming\wklnhst.dat
2008-02-14 23:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-04 04:29 --------- d-----w C:\ProgramData\Symantec
2008-01-22 03:42 152 ----a-w C:\Users\Eliseo\AppData\Roaming\wklnhst.dat
2008-01-22 03:07 --------- d-----w C:\Users\Murillo\AppData\Roaming\Template
2008-01-16 19:22 --------- d-----w C:\Users\Eliseo\AppData\Roaming\WildTangent
2008-01-15 00:48 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Yahoo!
2008-01-15 00:32 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Template
2008-01-12 23:19 --------- d-----w C:\Users\Eliseo\AppData\Roaming\Snapfish
2008-01-12 01:17 --------- d-----w C:\Users\Murillo\AppData\Roaming\Yahoo!
2008-01-12 00:29 --------- d-----w C:\Users\Murillo\AppData\Roaming\Snapfish
2008-01-10 01:40 39,424 ----a-w C:\Windows\System32\urspp.dll
2008-01-10 01:40 39,424 ----a-w C:\Windows\System32\cbxwt.dll
2008-01-09 18:46 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 18:42 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-06 01:54 68 ----a-w C:\Users\Alejandra\AppData\Roaming\wklnhst.dat
2008-01-06 01:47 --------- d-----w C:\Users\Alejandra\AppData\Roaming\Template
2008-01-04 20:28 25,557 ----a-w C:\Windows\System32\nullnanpaup.exe
2007-12-12 20:20 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 20:20 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 20:20 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 20:13 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 20:13 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:42 1232896]
"HPADVISOR"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-12 18:44 1773568]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 06:34 1004136]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 04:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 09:38 4390912 C:\Windows\RtHDVCpl.exe]
"SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 15:55 1441792]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 15:59 115816]
"Bart Station"="C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe" [2007-03-12 17:04 26208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-06 15:07 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"HostManager"="C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe" [2006-09-25 18:52 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Eliseo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Users\Murillo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-03-02 15:55:02 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8336E42D-957B-4F7A-B12C-19F2F5F0A3C5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{59F2D171-82AE-4740-AEAE-52B15526DB7B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{770E6D62-A573-412B-886D-532ACFFEA94D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A79C0B29-8A0A-4C6C-8551-F9DBE917FC4B}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6F086771-0208-4031-8DBF-94FF9C50833C}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E2AA857C-99D1-4B53-A95B-AD235565D89C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B63C0B7A-0502-470C-A2B1-FD44CCF8AAC2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{351F1021-853E-48FD-9E26-746506C1E141}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18E247CE-86C4-4BB6-9667-D29B98ADAFC8}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{198D1F16-C272-4180-92D8-F14DDD07CB43}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D84D9754-8933-487D-AE9A-329D787892C2}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7D00CBC7-27AD-4F54-B2FF-602FC8FFBBE7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{81FB19F5-E412-457C-A020-8E31C8012D0C}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{92F76B9A-1882-4DA0-843F-ABA305650EDF}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{C6700E70-7E0C-4CCE-820E-EBF98810B163}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{61C9A68D-DCFB-45DE-B6C1-0BC90FA4A87C}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 02:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Claudia.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-03-04 23:25:00 C:\Windows\Tasks\User_Feed_Synchronization-{3AF92E68-AD9F-4390-8CDA-6497CE1E6AE8}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-03-04 23:25:00 C:\Windows\Tasks\User_Feed_Synchronization-{895DC1FC-5B31-491A-A511-1F71DD557EAC}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 17:21:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-03-04 17:29:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 23:28:53
ComboFix2.txt 2008-03-04 01:48:40
.
2008-03-01 22:46:54 --- E O F ---

ale_lilo17 · Mar 5, 2008

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:52 PM, on 3/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1202344956\ee\aolsoftware.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PeoplePC\ISP6530\Browser\PPShared.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeoplePC\ISP6530\Browser\Bartshel.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6530\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5169B131-CB99-4EF9-9A89-D8783BCF1D72}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9352 bytes

ale_lilo17 · Mar 5, 2008

=)

Now i dont know if you have totally finished working your "magic" but i can already see improvement. I can finally look at my photos! Thank you so much.:bigthumb:

km2357 · Mar 5, 2008

ale_lilo17 said:
Now i dont know if you have totally finished working your "magic" but i can already see improvement. I can finally look at my photos! Thank you so much.:bigthumb:

That's great.

: We still have some more work to do.

Step # 1 Upload Files

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\Windows\System32\nullnanpaup.exe
Click Submit.
Please post the results of this scan to this thread.

If Jotti is busy, Go to VirusTotal and scan the file(s) there.

Step # 2 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

Step # 3: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
File:: 

C:\Windows\System32\byxyy.dll
C:\Windows\System32\urspp.dll
C:\Windows\System32\cbxwt.dll
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step # 4: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Right-click on ATF Cleaner.exe and choose Run as Administrator

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step # 5 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Right-click on mbam-setup.exe and choose Run as Administrator and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
- Click on the Malwarebytes' Anti-Malware icon to launch the program.
- Click on the Logs tab.
- Click on the log at the bottom of those listed to highlight it.
- Click Open.

In your next post/reply, I need to see the results from either Jotti or Virustotal, the ComboFix Log, the MalwareBytes Anti-Malware log, and a fresh HiJackThis log. If you can't fit everything into one post, use multiple posts/replies to get it all in.

km2357 · Mar 7, 2008

ale_lilo17? Do you still need help?

ale_lilo17 · Mar 8, 2008

Scan

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ale_lilo17 · Mar 8, 2008

ComboFix Log

ComboFix 08-03-07.4 - Murillo 2008-03-08 11:52:43.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT -6:00]
Running from: C:\Users\Murillo\Desktop\ComboFix.exe
Command switches used :: C:\Users\Murillo\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\byxyy.dll
C:\Windows\System32\cbxwt.dll
C:\Windows\System32\urspp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\byxyy.dll
C:\Windows\System32\cbxwt.dll
C:\Windows\System32\urspp.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 11:43 . 2008-03-08 11:44 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-07 17:04 . 2008-03-07 17:05 <DIR> d-------- C:\Program Files\PeoplePC Accelerated
2008-03-07 17:03 . 2007-06-14 21:00 42,080 --------- C:\Windows\System32\ppcwebi.dll
2008-03-07 15:34 . 2008-03-07 15:34 <DIR> d-------- C:\Users\Eliseo\AppData\Roaming\WildTangent
2008-03-05 18:20 . 2008-03-05 18:20 <DIR> d-------- C:\Users\Eliseo\AppData\Roaming\Snapfish
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Videos
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Searches
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Saved Games
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Pictures
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Music
2008-03-05 18:19 . 2008-03-05 18:20 <DIR> dr------- C:\Users\Eliseo\Links
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Downloads
2008-03-05 18:19 . 2008-03-07 15:37 <DIR> dr------- C:\Users\Eliseo\Documents
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> dr------- C:\Users\Eliseo\Contacts
2008-03-05 18:19 . 2006-11-02 06:37 <DIR> d-------- C:\Users\Eliseo\AppData\Roaming\Media Center Programs
2008-03-05 18:19 . 2008-03-05 18:19 <DIR> d--h----- C:\Users\Eliseo\AppData
2008-03-01 21:55 . 2008-03-01 21:55 <DIR> d-------- C:\Temp
2008-02-29 21:54 . 2008-02-29 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 17:26 . 2008-03-01 20:29 2,434 --a------ C:\Windows\wininit.ini
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:52 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-24 16:45 . 2008-02-24 16:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-14 17:54 . 2008-02-14 17:54 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 17:54 . 2008-02-14 17:54 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 17:51 . 2008-02-14 17:51 943,800 --a------ C:\Windows\System32\winload.exe
2008-02-14 17:51 . 2008-02-14 17:51 595,456 --a------ C:\Windows\System32\schedsvc.dll
2008-02-14 17:51 . 2008-02-14 17:51 115,200 --a------ C:\Windows\System32\loadperf.dll
2008-02-14 17:51 . 2008-02-14 17:51 39,424 --a------ C:\Windows\System32\lodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 32,256 --a------ C:\Windows\System32\unlodctr.exe
2008-02-14 17:51 . 2008-02-14 17:51 23,552 --a------ C:\Windows\System32\nshhttp.dll
2008-02-14 17:51 . 2008-02-14 17:51 17,408 --a------ C:\Windows\System32\prflbmsg.dll
2008-02-14 17:45 . 2008-02-14 17:45 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 17:45 . 2008-02-14 17:45 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 17:45 . 2008-02-14 17:45 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 17:45 . 2008-02-14 17:45 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 17:45 . 2008-02-14 17:45 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 17:43 . 2008-02-14 17:43 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-02-14 17:43 . 2008-02-14 17:43 824,832 --a------ C:\Windows\System32\wininet.dll
2008-02-14 17:42 . 2008-02-14 17:42 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-14 17:42 . 2008-02-14 17:42 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-14 17:42 . 2008-02-14 17:42 26,624 --a------ C:\Windows\System32\ieUnatt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:35 --------- d-----w C:\Program Files\PeoplePC
2008-03-04 23:07 --------- d-----w C:\Program Files\HP Games
2008-02-25 01:16 --------- d-----w C:\Program Files\Microsoft Works
2008-02-25 01:14 340 ----a-w C:\Users\Murillo\AppData\Roaming\wklnhst.dat
2008-02-14 23:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-07 00:43 --------- d-----w C:\ProgramData\AOL
2008-02-07 00:43 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-04 04:29 --------- d-----w C:\ProgramData\Symantec
2008-01-22 03:07 --------- d-----w C:\Users\Murillo\AppData\Roaming\Template
2008-01-12 01:17 --------- d-----w C:\Users\Murillo\AppData\Roaming\Yahoo!
2008-01-12 00:29 --------- d-----w C:\Users\Murillo\AppData\Roaming\Snapfish
2008-01-09 18:46 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 18:42 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-06 01:54 68 ----a-w C:\Users\Alejandra\AppData\Roaming\wklnhst.dat
2008-01-04 20:28 25,557 ----a-w C:\Windows\System32\nullnanpaup.exe
2007-12-12 20:20 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 20:20 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 20:20 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 20:13 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 20:13 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2007-07-26 11:39 235520 --a------ C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll" [2007-07-26 11:39 235520]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll [2007-07-26 11:39 235520]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 12:42 1232896]
"HPADVISOR"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-12 18:44 1773568]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 06:34 1004136]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 04:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 09:38 4390912 C:\Windows\RtHDVCpl.exe]
"SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 15:55 1441792]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 15:59 115816]
"Bart Station"="C:\Program Files\PeoplePC\ISP6600\BIN\PPCOLink.exe" [2007-08-07 10:22 25944]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-06 15:07 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"HostManager"="C:\Program Files\Common Files\AOL\1202344956\ee\AOLSoftware.exe" [2006-09-25 18:52 50736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Murillo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-03-02 15:55:02 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8336E42D-957B-4F7A-B12C-19F2F5F0A3C5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{59F2D171-82AE-4740-AEAE-52B15526DB7B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{770E6D62-A573-412B-886D-532ACFFEA94D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A79C0B29-8A0A-4C6C-8551-F9DBE917FC4B}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6F086771-0208-4031-8DBF-94FF9C50833C}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E2AA857C-99D1-4B53-A95B-AD235565D89C}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B63C0B7A-0502-470C-A2B1-FD44CCF8AAC2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{351F1021-853E-48FD-9E26-746506C1E141}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18E247CE-86C4-4BB6-9667-D29B98ADAFC8}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{198D1F16-C272-4180-92D8-F14DDD07CB43}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D84D9754-8933-487D-AE9A-329D787892C2}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7D00CBC7-27AD-4F54-B2FF-602FC8FFBBE7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{81FB19F5-E412-457C-A020-8E31C8012D0C}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{92F76B9A-1882-4DA0-843F-ABA305650EDF}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{C6700E70-7E0C-4CCE-820E-EBF98810B163}"= UDP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{61C9A68D-DCFB-45DE-B6C1-0BC90FA4A87C}"= TCP:C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071011.001\IDSvix86.sys [2007-09-13 08:49]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 08:32]
R3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 01:41]
R3 VSTHWBS2;VSTHWBS2;C:\Windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d905edf7-0ad5-11dc-bac0-806e6f6e6963}]
\shell\AutoRun\command - E:\Setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 02:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Claudia.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-03-08 18:00:00 C:\Windows\Tasks\User_Feed_Synchronization-{3AF92E68-AD9F-4390-8CDA-6497CE1E6AE8}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-03-08 18:00:00 C:\Windows\Tasks\User_Feed_Synchronization-{895DC1FC-5B31-491A-A511-1F71DD557EAC}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 12:01:06
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 12:01:57
ComboFix-quarantined-files.txt 2008-03-08 18:01:55
ComboFix2.txt 2008-03-04 23:29:03
ComboFix3.txt 2008-03-04 01:48:40
.
2008-03-04 23:58:53 --- E O F ---

ale_lilo17 · Mar 8, 2008

The ATF-cleaner does not let me click on Firefox or Opera.
Only on Main and Information.
What can I do?

km2357 · Mar 8, 2008

Do you have either Firefox or Opera installed? If not those buttons/tabs will be greyed out. If they are, you can skip those parts and just do this one:

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

After that is done, please download and run MalwareBytes' Anti-Malware. And post the results from the scan and a fresh HiJackThis log.

ale_lilo17 · Mar 9, 2008

Malwarebytes Log

Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Quick Scan
Objects scanned: 31138
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

Virtumonde Attacks! Please Help!!!

New member

Security Expert -Emeritus

New member

New member

Security Expert -Emeritus

New member

Security Expert -Emeritus

New member

New member

Security Expert -Emeritus

New member

New member

New member

Security Expert -Emeritus

Security Expert -Emeritus

New member

New member

New member

Security Expert -Emeritus

New member