View Full Version : Virtumonde
RusDWrench
2008-07-19, 21:36
Good day & pls help me out. Here is a copy of the logfile you request as a prerequisite. Thx.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:31, on 19/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/
O2 - BHO: (no name) - {3A649CCA-631D-4511-BEEA-FCF79EB0E19F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A0FC5EE3-7584-4264-B372-295B126567FB} - (no file)
O2 - BHO: (no name) - {BB448A87-9502-4D04-AF34-B1A6976B5804} - C:\WINDOWS\system32\jkkIBUnn.dll
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7671] command /c del "C:\WINDOWS\system32\wvUlMeCs.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2395] cmd /c del "C:\WINDOWS\system32\wvUlMeCs.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA472] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7995] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
--
End of file - 7550 bytes
random/random
2008-07-20, 21:41
Please download show-vundo.vbs (http://linhadefensiva.uol.com.br/files/vbs/show-vundo.vbs) to your desktop
Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic
RusDWrench
2008-07-21, 02:01
Here is the requested data. Plz help.
=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------
[Vazia]
-------------------------------------------------
Authentication Packages
-------------------------------------------------
[1] msv1_0
[2] C:\WINDOWS\system32\hgGaxyAs
-------------------------------------------------
Security Providers
-------------------------------------------------
msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="C:\PROGRA~1\WIFD1F~1\MpShHook.dll"
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"="C:\WINDOWS\system32\wvUlMeCs.dll"
-------------------------------------------------
Browser Helper Objects
-------------------------------------------------
[HKLM\SOFTWARE\Classes\CLSID\{1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{18798A15-1D35-4E1E-BA70-F298077059AB}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\jkkIBUnn.dll
[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
Spybot-S&D IE Protection | [Indefinido]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKLM\SOFTWARE\Classes\CLSID\{586CC0C7-6BC2-4FCA-A115-C680BC55D170}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
[HKLM\SOFTWARE\Classes\CLSID\{BFE6CA9C-19A4-4F27-ABF8-8696211DE190}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\hgGaxyAs.dll
[HKLM\SOFTWARE\Classes\CLSID\{C0C027D6-C2EC-48D7-BE35-29B351A50795}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\wvUlMeCs.dll
-------------------------------------------------
Winlogon Notify
-------------------------------------------------
[Nova] AtiExtEvent : Ati2evxx.dll
[Padrão] cryptnet : cryptnet.dll
[Nova] dimsntfy : %SystemRoot%\System32\dimsntfy.dll
[Padrão] Schedule : wlnotify.dll
[Padrão] sclgntfy : sclgntfy.dll
[Nova] WgaLogon : WgaLogon.dll
[Padrão] wlballoon : wlnotify.dll
[Nova] wvUlMeCs : wvUlMeCs.dll
Esta NÃO É uma lista de arquivos maliciosos!
random/random
2008-07-21, 12:31
Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Copy the contents of the following codebox to a notepad window
REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"=-
Save it to the desktop as fix.reg, making sure save as type is set to all files
Download UnDLL by ESET from here (http://www.nod32.it/tools/undll.zip)
Unzip/extact it to a folder on the desktop
Double click on UNDLL.EXE to start UnDLL
Click on Select infected DLL
Locate and select this file:
C:\WINDOWS\system32\jkkIBUnn.dll
Click Open
UnDLL will now attempt to delete the DLL file
If asked to restart your PC, click No
Repeat the above steps for the following files:
C:\WINDOWS\system32\wvUlMeCs.dll
C:\WINDOWS\SYSTEM32\winmfu32.dll
Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt
Once you have used UnDLL on all the files, restart your PC manually
Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).
O2 - BHO: (no name) - {3A649CCA-631D-4511-BEEA-FCF79EB0E19F} - (no file)
O2 - BHO: (no name) - {A0FC5EE3-7584-4264-B372-295B126567FB} - (no file)
O2 - BHO: (no name) - {BB448A87-9502-4D04-AF34-B1A6976B5804} - C:\WINDOWS\system32\jkkIBUnn.dll
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll
Then close all windows except HijackThis and click Fix Checked.
Run show-vundo.vbs again and post the log, along with a new HijackThis log.
RusDWrench
2008-07-22, 00:07
Vundo-bho file:
=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------
[Vazia]
-------------------------------------------------
Authentication Packages
-------------------------------------------------
[1] msv1_0
[2] C:\WINDOWS\system32\hgGaxyAs
-------------------------------------------------
Security Providers
-------------------------------------------------
msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="C:\PROGRA~1\WIFD1F~1\MpShHook.dll"
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"="C:\WINDOWS\system32\wvUlMeCs.dll"
-------------------------------------------------
Browser Helper Objects
-------------------------------------------------
[HKLM\SOFTWARE\Classes\CLSID\{1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{18798A15-1D35-4E1E-BA70-F298077059AB}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{1d766ce3-2a33-4f05-844a-fd48491d14e8}\]
[Indefinido] | {8e41d194-84df-a448-50f4-33a23ec667d1}
C:\WINDOWS\system32\dbzlvp.dll
[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
Spybot-S&D IE Protection | [Indefinido]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKLM\SOFTWARE\Classes\CLSID\{586CC0C7-6BC2-4FCA-A115-C680BC55D170}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
[HKLM\SOFTWARE\Classes\CLSID\{903ACF82-258A-4772-8D72-556D8B75D66B}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\hgGaxyAs.dll
[HKLM\SOFTWARE\Classes\CLSID\{BFE6CA9C-19A4-4F27-ABF8-8696211DE190}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{C0C027D6-C2EC-48D7-BE35-29B351A50795}\]
[Indefinido] | [Indefinido]
[Indefinido]
[HKLM\SOFTWARE\Classes\CLSID\{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\wvUlMeCs.dll
-------------------------------------------------
Winlogon Notify
-------------------------------------------------
[Nova] AtiExtEvent : Ati2evxx.dll
[Padrão] cryptnet : cryptnet.dll
[Nova] dimsntfy : %SystemRoot%\System32\dimsntfy.dll
[Padrão] Schedule : wlnotify.dll
[Padrão] sclgntfy : sclgntfy.dll
[Nova] WgaLogon : WgaLogon.dll
[Padrão] wlballoon : wlnotify.dll
[Nova] wvUlMeCs : wvUlMeCs.dll
Esta NÃO É uma lista de arquivos maliciosos!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:05, on 21/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ Darrach\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C} - (no file)
O2 - BHO: (no name) - {18798A15-1D35-4E1E-BA70-F298077059AB} - (no file)
O2 - BHO: {8e41d194-84df-a448-50f4-33a23ec667d1} - {1d766ce3-2a33-4f05-844a-fd48491d14e8} - C:\WINDOWS\system32\dbzlvp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {586CC0C7-6BC2-4FCA-A115-C680BC55D170} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {903ACF82-258A-4772-8D72-556D8B75D66B} - C:\WINDOWS\system32\hgGaxyAs.dll
O2 - BHO: (no name) - {BFE6CA9C-19A4-4F27-ABF8-8696211DE190} - (no file)
O2 - BHO: (no name) - {C0C027D6-C2EC-48D7-BE35-29B351A50795} - (no file)
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [BMd35567c0] Rundll32.exe "C:\WINDOWS\system32\desgbdxq.dll",s
O4 - HKLM\..\Run: [d066545c] rundll32.exe "C:\WINDOWS\system32\qfvumkmu.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
--
End of file - 8398 bytes
random/random
2008-07-22, 00:15
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
RusDWrench
2008-07-23, 02:29
I have downloaded Malwarebytes' Anti-Malware software & ran it. It picked up 29 items & could not remove all with out restart. I restarted & reran, it picked up 4 more items. I was thinking that this wasn't going to work either. I rebooted again & reran once more - 0 items found. I then reconnected to the internet & found that there was an update. I have installed the update & am re-running Malwarebytes' Anti-Malware once again. It has passed the point of its scan where it previously picked up traces of Malware. I have enclosed the three logfiles for your records. I will post the (hopefully) last logfile in the morning. Should a person run this Anti-Malware program once a week as a preventative with Spybot, Ad-Aware, Windows Defender & F-Prot Anti-virus? Thank you for your prompt & very helpful advice in removing this very stubborn and tricky Trojen.
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3
6:58:17 AM 22/07/2008
mbam-log-7-22-2008 (06-58-17).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123528
Time elapsed: 2 hour(s), 42 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\dbzlvp.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d766ce3-2a33-4f05-844a-fd48491d14e8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d766ce3-2a33-4f05-844a-fd48491d14e8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b9b683-eaee-4f5c-b1e9-625c1fa88bb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90b9b683-eaee-4f5c-b1e9-625c1fa88bb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvulmecs (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\DRam prosessor (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggaxyas -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggaxyas -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\dbzlvp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sAyxaGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loasckhm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mhkcsaol.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qfvumkmu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umkmuvfq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Russ Darrach\Desktop\backups\backup-20080721-185908-291.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\RegCleaner\Backups\JkkIBUnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinRAR\Default.SFX (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP509\A0121290.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP509\A0121316.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP511\A0122742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP514\A0123086.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP518\A0126274.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ooidshuk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avpojlhd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd35567c0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd35567c0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3
6:52:01 PM 22/07/2008
mbam-log-7-22-2008 (18-52-01).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123598
Time elapsed: 1 hour(s), 33 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3
9:07:23 PM 22/07/2008
mbam-log-7-22-2008 (21-07-23).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123691
Time elapsed: 1 hour(s), 33 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
RusDWrench
2008-07-23, 12:34
Here is the scan with the updated Malwarebytes' Anti-Malware as i had mentioned in previous post. Is there anything else that i should do to ensure computer is clean?
Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 3
6:52:21 AM 23/07/2008
mbam-log-7-23-2008 (06-52-21).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123822
Time elapsed: 1 hour(s), 32 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
random/random
2008-07-23, 19:17
It looks like it might be gone.
Post a new HijackThis log and we'll see if there is anything left.
RusDWrench
2008-07-23, 23:45
Here is a copy of the latest HijackThis Log. I have noticed that i cannot update windows. It states 'Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it'. As well not all the items are being immuned in Spybot. I noticed in the HijackThis Log that 020 - Winlogon Notify:wvUlMeCs - C:\WINDOWS\ is still present. I will wait for your reply before i attempt to remove it via previous methods. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36:04, on 23/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ Darrach\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C} - (no file)
O2 - BHO: (no name) - {18798A15-1D35-4E1E-BA70-F298077059AB} - (no file)
O2 - BHO: (no name) - {1d766ce3-2a33-4f05-844a-fd48491d14e8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {586CC0C7-6BC2-4FCA-A115-C680BC55D170} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {90B9B683-EAEE-4F5C-B1E9-625C1FA88BB3} - (no file)
O2 - BHO: (no name) - {BFE6CA9C-19A4-4F27-ABF8-8696211DE190} - (no file)
O2 - BHO: (no name) - {C0C027D6-C2EC-48D7-BE35-29B351A50795} - (no file)
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - (no file)
O2 - BHO: (no name) - {ECBA93A7-B0B2-44FB-A5CA-662A48B28A5B} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
--
End of file - 8351 bytes
random/random
2008-07-24, 12:27
Right click here (http://downloads.subratam.org/ResetTeaTimer.bat) and click save link as
Save it as resetteatimer.bat to your desktop
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
Double click on resetteatimer.bat and wait for it to finish
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).
O2 - BHO: (no name) - {1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C} - (no file)
O2 - BHO: (no name) - {18798A15-1D35-4E1E-BA70-F298077059AB} - (no file)
O2 - BHO: (no name) - {1d766ce3-2a33-4f05-844a-fd48491d14e8} - (no file)
O2 - BHO: (no name) - {586CC0C7-6BC2-4FCA-A115-C680BC55D170} - (no file)
O2 - BHO: (no name) - {90B9B683-EAEE-4F5C-B1E9-625C1FA88BB3} - (no file)
O2 - BHO: (no name) - {BFE6CA9C-19A4-4F27-ABF8-8696211DE190} - (no file)
O2 - BHO: (no name) - {C0C027D6-C2EC-48D7-BE35-29B351A50795} - (no file)
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - (no file)
O2 - BHO: (no name) - {ECBA93A7-B0B2-44FB-A5CA-662A48B28A5B} - (no file)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\
Then close all windows except HijackThis and click Fix Checked.
I have noticed that i cannot update windows. It states 'Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it'
Please try the fix that is described in this Microsoft article:
http://support.microsoft.com/kb/241584
As well not all the items are being immuned in Spybot
Have you got the latest version of Spybot installed (1.6)?
Please post back with a new HijackThis log and a description of any remaining problems.
RusDWrench
2008-07-25, 02:57
Here is the new HijackThis Log. It appears clean. I still cannot access WindowsUpdate. When running 'services.msc' in the update portion, when attempting to start the process is when i receive the message 'Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it'. As far as i can see, this is the only issue remaining. I will be away for the weekend, but will try to check in with you on Friday before i leave. Spybot had picked up issue with someone changing auto update preference but Spybot was not able to change it back. Spybot is the most up-to-date version - 1.6.0.30. Thx again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:55, on 24/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ Darrach\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
--
End of file - 7687 bytes
random/random
2008-07-25, 15:35
I need a spybot report to see what it's detecting
To do this:
Run a scan with Spybot
Right click in the results window and click Copy results to clipboard
Then use ctrl+v or right click>paste to paste the results a reply to this topic
RusDWrench
2008-07-29, 03:22
Spybot is not detecting anything - no problems found. Profile 1 was disabled under the Hardware Profile on the 'Log On' page in 'Automatic Updates Properties' in 'services.msc, as well as the windows registry was damaged. Microsoft states "This issue most likely occurs when the following registry key or its sub key is missing or corrupt."
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
If you would like a copy of the registry file Microsoft forwarded me, please let me know & I will be more than happy to forward to you. Thanks again for your help. I am very thankful.
random/random
2008-07-31, 18:42
You now appear to be clean. Congratulations!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php), you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.
Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Two good antivirus programs free for non-commercial home use are Avast! (http://www.avast.com/eng/avast_4_home.html) and Antivir (http://www.free-av.com/)
Two good paid for antivirus programs are NOD32 (http://www.nod32.com/) and Bitdefender (http://www.bitdefender.com/)
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/)or Online armor (http://www.tallemu.com/online_armor_free.html)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts listNote: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services windowFor a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date