View Full Version : Help with Virtumonde and maybe another
wolfgang239
2008-11-09, 23:33
I think i got hit with Virtumonde, spybot keeps showing this as on my pc every time i run spybot, even if i run spybot, clean, then run right after.
the affected pc is now disconnected physicaly from the internet, the ethernet cable is unplugged.
right now my CA (computer Associates) antivirus firewall is off on that pc, it says it was not installed and i know it was. also, i have on the bottom right of the task bar there is the windows security alerts icon there and it says that automatic updates are not running and that was set to on. if i go into automatic updates, it shows that it is on.
Thanks in advance!!
here is the hijackthis log i just ran on that pc:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:18 PM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9331] command /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7424] cmd /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1074] command /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2312] cmd /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7817] command /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD400] cmd /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1662] command /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD673] cmd /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.24.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.24.0\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload\hidownload.exe (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jvncvb.dll wqhzru.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c91f52c13a90c5) (gupdate1c91f52c13a90c5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 14452 bytes
Bio-Hazard
2008-11-10, 09:55
Hello and Welcome to forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
I f you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Absence of symptoms does not mean that everything is clear.
NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe
Bio-Hazard
2008-11-10, 10:04
Spybot S&D Teatimer
From your log i can see this that you are running a Spybot S&D Teatimer. This might interfere with fixes we are about to do so we need to disable it.
Disable Spybot's TeaTimer. This is a two step process.
First step:
Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident
Tea-Timer
(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Rename HijackThis
You need to rename HiJackThis to enable it to find malware programmed to detect and hide from it.
Right click Start - Click Explore
Navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HiJackThis.exe - click Rename
Type into the name box: goodscanner.exe
Press Enter
Double click on goodscanner.exe to open it
Select Do a system scan and save a logfile
Post a new log
Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the Perform Full Scan option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.[/color]
Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
ComboFix log (found at C:\Combofix.txt)
Malwarebytes' Anti-Malware Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
wolfgang239
2008-11-10, 20:17
Hello Bio-Hazard and thank you for your time in helping me.
As of now, the pc seems to be free of the Virtumonde infestation, but now my antivirus will not load. if i load it from START, ALL PROGRAMS, CA Internet Security Suite, CA Security Center, then i can load it and configure it. but there is no task bar icon like usual even if i load it through the start menu.
i'm assuming that a total reinstall of the CA Internet Security Suite software would be in order, correct?
Here are the new reports:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:21 AM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Trend Micro\HijackThis\fastrun1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00010F88-BDD7-4828-84BA-4FBD6480A7E2} - (no file)
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {09268BF8-2816-4716-91CA-0B6B72460AB7} - C:\WINDOWS\system32\rqRjjhGW.dll
O2 - BHO: (no name) - {0F2563C2-4A53-4297-AA9A-E2DBC10F51D5} - (no file)
O2 - BHO: (no name) - {1734BD0F-6EC9-41FE-9E7D-626D908DB17F} - C:\WINDOWS\system32\yaYSJbAQ.dll
O2 - BHO: {669c090a-7f51-d1aa-ad24-d3788011f4d2} - {2d4f1108-873d-42da-aa1d-15f7a090c966} - C:\WINDOWS\system32\wqhzru.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {45B1E491-C25C-4CE2-9E15-4EB3A4B9A28D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: (no name) - {D4B89DE8-4BF5-4E8C-9BCE-D589DC91346E} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9331] command /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7424] cmd /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1074] command /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2312] cmd /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7817] command /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD400] cmd /c del "C:\WINDOWS\system32\psrowsiq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1662] command /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD673] cmd /c del "C:\WINDOWS\system32\yxhupwap.dll_old"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.24.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.24.0\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload\hidownload.exe (HKCU)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jvncvb.dll wqhzru.dll
O20 - Winlogon Notify: rqRjjhGW - C:\WINDOWS\SYSTEM32\rqRjjhGW.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c91f52c13a90c5) (gupdate1c91f52c13a90c5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 15697 bytes
Malwarebytes' Anti-Malware 1.30
Database version: 1379
Windows 5.1.2600 Service Pack 3
11/10/2008 9:52:49 AM
mbam-log-2008-11-10 (09-52-49).txt
Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|)
Objects scanned: 559549
Time elapsed: 3 hour(s), 1 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 21
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\jvncvb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRjjhGW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wqhzru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yaYSJbAQ.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0c81494b-4c7b-4f1a-9bce-1e681b67cb1e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d4f1108-873d-42da-aa1d-15f7a090c966} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjjhgw (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1734bd0f-6ec9-41fe-9e7d-626d908db17f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1734bd0f-6ec9-41fe-9e7d-626d908db17f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d4f1108-873d-42da-aa1d-15f7a090c966} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d4f1108-873d-42da-aa1d-15f7a090c966} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaysjbaq -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yaysjbaq -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP271\A0062338.ExE (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\Unsorted\pAtch.ExE (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP236\A0056083.ExE (Spyware.OnlineGames) -> Quarantined and deleted successfully.
H:\- Keepers\From 8 Gig Pen Drive\- Storage\FLV.Recorder.v2.0.1.315.Incl.Keymaker-CORE\cr-flv21\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaatpsof.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ycuwlabd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amisrfpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amtfhtvg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geqkbvtr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiyfohba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcvaimcs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvncvb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rsqysife.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tqgroltq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rmaakxwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flvwaemh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJcArPj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRjjhGW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yaYSJbAQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\QAbJSYay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QAbJSYay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqhzru.dll (Trojan.Vundo.H) -> Delete on reboot.
ComboFix 08-11-09.04 - HP_Administrator 2008-11-10 12:14:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\system32\cbrdqcyv.dll
c:\windows\system32\imzaim.dll
c:\windows\system32\qqonqeuq.dll
c:\windows\system32\ysuewrhc.dll
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-10 07:06 . 2008-11-10 07:06 120 ---hs---- c:\windows\system32\vycqdrbc.ini
2008-11-10 06:13 . 2008-11-10 06:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 06:13 . 2008-11-10 06:13 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-11-10 06:13 . 2008-11-10 06:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-10 06:13 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-10 06:13 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 16:14 . 2008-11-09 16:14 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 13:30 . 2008-11-08 13:30 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-08 12:48 . 2008-11-08 12:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Xilisoft Corporation
2008-11-08 12:45 . 2008-11-08 12:45 <DIR> d-------- c:\program files\Amadis Software
2008-11-08 12:45 . 2008-11-08 12:45 <DIR> d-------- C:\AmadisTMP
2008-11-08 12:31 . 2008-11-08 12:32 <DIR> d-------- c:\program files\Absolute Video Converter
2008-11-04 19:59 . 2008-11-04 20:09 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\ScripterRon
2008-11-04 19:56 . 2008-11-04 20:06 <DIR> d-------- c:\program files\WinHex
2008-11-04 19:53 . 2008-11-04 19:53 <DIR> d-------- c:\program files\BreakPoint Software
2008-11-04 19:46 . 2008-11-04 19:51 <DIR> d-------- c:\program files\AXE3
2008-11-04 19:43 . 2008-11-04 19:43 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\HEXelon
2008-11-03 14:29 . 2008-11-03 14:29 <DIR> d-------- c:\program files\SecondLifeFirstLookSLim
2008-11-03 14:23 . 2008-11-03 14:23 <DIR> d-------- c:\program files\SLim
2008-11-03 14:23 . 2008-11-03 14:23 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Vivox
2008-10-30 08:25 . 2008-09-07 13:31 20,207 --a------ c:\documents and settings\Fallout_default.ini
2008-10-30 06:08 . 2008-10-30 06:08 <DIR> d-------- c:\program files\Bethesda Softworks
2008-10-30 06:08 . 2008-10-30 06:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-10-30 06:05 . 2008-10-30 06:05 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-30 06:04 . 2008-10-30 06:04 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-30 06:03 . 2006-06-29 12:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-10-30 06:02 . 2008-10-30 06:02 <DIR> d-------- c:\windows\system32\xlive
2008-10-25 19:20 . 2008-10-25 19:20 <DIR> d-------- c:\program files\Ubisoft
2008-10-23 18:01 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 05:04 . 2003-06-12 22:25 7,062 --a------ c:\windows\system32\audiopid.vxd
2008-10-18 02:22 . 2008-10-18 02:22 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Thinstall
2008-10-18 02:15 . 2008-10-18 02:15 <DIR> d-------- c:\program files\PCPitstop
2008-10-18 01:50 . 2008-10-24 03:46 <DIR> d-------- c:\program files\Trillian
2008-10-18 01:39 . 2008-10-18 01:39 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Trillian
2008-10-17 22:52 . 2008-10-20 05:07 <DIR> d-------- c:\program files\FrostWire
2008-10-17 22:52 . 2008-10-17 22:52 <DIR> d-------- c:\documents and settings\HP_Administrator\Incomplete
2008-10-17 22:52 . 2008-10-17 23:16 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\FrostWire
2008-10-17 17:55 . 2008-10-17 17:55 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-16 15:33 . 2008-10-16 15:35 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\MiniDm
2008-10-15 00:41 . 2008-10-15 00:41 116 --a------ c:\windows\system32\enabledvd.vbs
2008-10-15 00:40 . 2008-10-15 00:41 55,296 --a------ c:\windows\system32\disable.exe
2008-10-15 00:40 . 2008-10-15 00:40 117 --a------ c:\windows\system32\disabledvd.vbs
2008-10-15 00:14 . 2008-10-15 00:14 <DIR> d-------- c:\program files\Sierra
2008-10-14 22:54 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-14 15:42 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 15:42 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 15:42 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 15:42 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 15:42 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-14 15:41 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-14 15:36 . 2008-10-14 15:36 <DIR> d-------- c:\program files\NVIDIA Corporation
2008-10-14 15:13 . 2008-10-14 15:13 <DIR> d-------- c:\windows\8AFFD400A2D54216A1AC62EC637F73EE.TMP
2008-10-14 15:09 . 2008-10-14 15:09 <DIR> d-------- c:\program files\Object Software
2008-10-14 14:59 . 2008-10-14 14:59 <DIR> d-------- c:\windows\Logs
2008-10-14 14:56 . 2008-10-14 14:56 <DIR> d-------- c:\windows\F579118563414E21A47F41B57AC749B5.TMP
2008-10-14 14:55 . 2008-10-14 14:55 <DIR> d-------- c:\program files\Netdevil
2008-10-14 14:33 . 2008-10-14 14:42 <DIR> d-------- c:\windows\NV9242700.TMP
2008-10-14 14:33 . 2008-10-14 14:33 <DIR> d-------- C:\NVIDIA
2008-10-14 14:33 . 2008-09-17 08:55 201,050 --a------ c:\windows\system32\nvapps.nvb
2008-10-14 14:23 . 2008-10-14 14:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-10-14 12:53 . 2008-10-14 12:53 <DIR> d-------- c:\program files\GSpot270a
2008-10-14 12:39 . 2008-10-14 14:39 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Download Manager
2008-10-12 16:56 . 2008-10-12 16:56 <DIR> d-------- c:\program files\IEPro
2008-10-12 16:56 . 2008-10-12 16:56 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\IEPro
2008-10-12 16:17 . 2008-10-12 16:17 <DIR> d-------- c:\program files\Paragon Software
2008-10-12 16:17 . 2007-09-20 14:18 4,244,744 --a------ c:\windows\system32\qtp-mt334.dll
2008-10-12 16:17 . 2007-09-20 14:18 247,560 --a------ c:\windows\system32\prgiso.dll
2008-10-12 16:17 . 2007-09-20 14:18 39,472 --a------ c:\windows\system32\drivers\hotcore3.sys
2008-10-12 16:17 . 2007-09-20 14:18 13,576 --a------ c:\windows\system32\wnaspi32.dll
2008-10-12 12:06 . 2008-10-12 12:06 <DIR> d-------- c:\program files\Runtime Software
2008-10-10 09:11 . 2008-10-10 09:11 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Micro-Sys
2008-10-10 09:10 . 2008-10-10 09:10 <DIR> d-------- c:\program files\Micro-Sys Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2008-11-10 17:23 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2008-11-10 17:23 353,334 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2008-11-10 00:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 17:46 --------- d-----w c:\program files\Xilisoft
2008-11-07 04:48 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Orbit
2008-11-07 03:04 --------- d-----w c:\program files\City of Heroes
2008-10-30 11:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-30 11:06 --------- d-----w c:\program files\MSBuild
2008-10-29 19:03 --------- d-----w c:\program files\FlashGet
2008-10-28 23:30 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\SecondLife
2008-10-28 10:52 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-10-26 00:26 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-25 21:01 --------- d-----w c:\program files\DivX
2008-10-24 08:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 08:38 --------- d-----w c:\program files\SecondLife
2008-10-20 23:13 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\iMesh
2008-10-20 22:51 --------- d-----w c:\program files\Google
2008-10-20 10:03 --------- d-----w c:\program files\Creative
2008-10-18 19:03 --------- d-----w c:\program files\ConnectUO Desktop
2008-10-18 07:06 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 03:54 --------- d-----w c:\program files\Java
2008-10-14 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-14 19:54 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-14 19:34 --------- d-----w c:\program files\AGEIA Technologies
2008-10-10 01:57 --------- d-----w c:\program files\SWF Decompiler Magic
2008-10-10 01:43 --------- d-----w c:\program files\Eltima Software
2008-10-10 01:25 --------- d-----w c:\program files\Fox Flash Decompiler
2008-10-10 00:33 --------- d-----w c:\program files\Common Files\Adobe
2008-10-10 00:31 --------- d-----w c:\program files\TechSmith
2008-10-09 22:18 --------- d-----w c:\program files\Common Files\TechSmith Shared
2008-10-09 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2008-10-09 12:48 --------- d-----w c:\program files\Spyware Doctor
2008-10-09 12:42 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-09 12:39 --------- d-----w c:\program files\Lavasoft
2008-10-09 01:58 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\PC Tools
2008-10-08 20:58 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2008-10-08 20:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Outerspace Software
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 22:50 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-10-02 16:25 --------- d-----w c:\program files\Dragon UnPACKer 5
2008-10-02 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-30 08:24 --------- d-----w c:\program files\Reflexive Arcade Games - Shooter
2008-09-30 01:58 92,728 ----a-w c:\windows\system32\Bass.dll
2008-09-30 01:21 --------- d-----w c:\program files\Helicopter Strike Force
2008-09-30 01:09 --------- d-----w c:\program files\ReflexiveArcade
2008-09-30 01:03 --------- d-----w c:\program files\GameHouse Games Collection
2008-09-29 10:51 3,194 ----a-w c:\documents and settings\HP_Administrator\Application Data\SAS7_000.DAT
2008-09-29 10:32 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Final Draft
2008-09-29 10:30 --------- d-----w c:\documents and settings\All Users\Application Data\Final Draft
2008-09-29 10:29 --------- d-----w c:\program files\Final Draft Tagger
2008-09-29 10:29 --------- d-----w c:\program files\Final Draft 7
2008-09-29 09:07 --------- d-----w c:\program files\WriteItNow3
2008-09-29 09:06 --------- d-----w c:\program files\Alcoda
2008-09-29 04:46 --------- d-----w c:\program files\MovieWriterPro
2008-09-29 04:44 --------- d-----w c:\program files\Ballistic Computing Inc
2008-09-29 04:41 --------- d-----w c:\program files\Grammar Expert Plus
2008-09-29 04:38 --------- d-----w c:\program files\Final Draft 6
2008-09-29 04:35 --------- d-----w c:\program files\Yadu Digital
2008-09-29 04:34 --------- d-----w c:\program files\Screenplay Systems
2008-09-29 04:00 --------- d-----w c:\program files\Celtx
2008-09-29 04:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Greyfirst
2008-09-29 03:39 --------- d-----w c:\program files\VSTplugins
2008-09-29 03:39 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Publish Providers
2008-09-29 03:38 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sony
2008-09-29 03:37 --------- d-----w c:\program files\Sony Setup
2008-09-29 03:37 --------- d-----w c:\program files\Sony
2008-09-29 01:13 --------- d-----w c:\program files\UOAM
2008-09-28 15:23 --------- d-----w c:\program files\Creativity Software
2008-09-27 01:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Nuance
2008-09-27 01:00 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-09-27 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2008-09-27 00:56 --------- d-----w c:\program files\Common Files\Nuance
2008-09-27 00:55 --------- d-----w c:\program files\Nuance
2008-09-27 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Nuance
2008-09-27 00:40 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-09-25 11:32 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-06-20 19:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062020080621\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-27 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-10-10 247024]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-09 234736]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-09-09 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-09-09 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-09-09 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-06-14 14088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 1 (0x1)
"DisableLocalMachineRunOnce"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 13:30 79368 c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jvncvb.dll imzaim.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PMCLoader"=c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe
"PMCRemote"=c:\program files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe"
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"AdobeUpdater"=c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"PMCRemote"=c:\program files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"DMAScheduler"=c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"PCDrProfiler"=
"DISCover"=c:\program files\DISC\DISCover.exe
"DiscUpdateManager"=c:\program files\DISC\DiscUpdateMgr.exe
"f8b61167"=rundll32.exe "c:\windows\system32\ysuewrhc.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\client.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"31393:TCP"= 31393:TCP:emule001
"18733:UDP"= 18733:UDP:emule002
"<NO NAME>"=
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-09-20 39472]
R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-06-24 93712]
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 13440]
R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2008-01-21 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2008-01-21 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
R3 SUNPLUS;Micro Webcam Mobile;c:\windows\system32\Drivers\SP508hp.SYS [2001-03-29 93544]
S2 gupdate1c91f52c13a90c5;Google Update Service (gupdate1c91f52c13a90c5);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-28 39048]
S3 musbehco;musbehco;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\musbehco.sys [ ]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-09-09 185584]
S3 USB28xxBGA;PCTV 330e/800e Device;c:\windows\system32\DRIVERS\emBDA.sys [2007-01-29 361728]
S3 USB28xxOEM;USB 28xx OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2007-01-29 39680]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0186ef4-9ee7-11dd-afb6-0015f2f170c1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-12 c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 1 06 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\caantispyware.exe [2008-09-09 02:26]
2008-11-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-25 16:07]
.
- - - - ORPHANS REMOVED - - - -
BHO-{00010F88-BDD7-4828-84BA-4FBD6480A7E2} - (no file)
BHO-{09268BF8-2816-4716-91CA-0B6B72460AB7} - c:\windows\system32\rqRjjhGW.dll
BHO-{1734BD0F-6EC9-41FE-9E7D-626D908DB17F} - c:\windows\system32\yaYSJbAQ.dll
BHO-{45B1E491-C25C-4CE2-9E15-4EB3A4B9A28D} - (no file)
BHO-{D4B89DE8-4BF5-4E8C-9BCE-D589DC91346E} - (no file)
BHO-{fe05decc-55d6-4b54-9c5c-a8ebab6dacdf} - c:\windows\system32\imzaim.dll
ShellExecuteHooks-{09268BF8-2816-4716-91CA-0B6B72460AB7} - c:\windows\system32\rqRjjhGW.dll
Notify-AtiExtEvent - (no file)
Notify-rqRjjhGW - rqRjjhGW.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\eb2nh8vu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 12:26:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\Crypserv.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-11-10 12:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 17:34:51
Pre-Run: 334,705,954,816 bytes free
Post-Run: 334,908,432,384 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
407 --- E O F --- 2008-10-23 23:57:24
Bio-Hazard
2008-11-10, 21:18
Hello!
Well we got rid lot of stuff but we have still some work to do.
i'm assuming that a total reinstall of the CA Internet Security Suite software would be in order, correct?Yes that would be the right thing to do.
Use of P2P (Person to Person) file sharing programs
I see that you have signs of P2P program in your computer. Do you still have that installed? Please remove it before we can continue any further.
Please read HERE (http://forums.spybot.info/showpost.php?p=218503&postcount=4) the Safer Networks policy on the use of P2P file sharing programs.
There is:
emule
Utorrent
Limewire
Post a new HijackThis Log for me to see.
wolfgang239
2008-11-14, 03:38
well, i uninstalled the antivirus and reinstalled...or at least tried to.
every time i installed, it would say it was installed correctly...i would reboot and it would not work.
the system kept getting errors and crashing. so i decited to reformat and reinstall the OS.
as of now, its taking me the past few days to format and reinstall...
my system will not finish the install process.
Bio-Hazard
2008-11-14, 09:10
Hello1
Sorry to hear about your troubles. Have you been able to reformat and reinstall now?
wolfgang239
2008-11-15, 00:23
acording to the progress report, it was to take 16 hours to reinstall and configure windows... so, i let it go... 16 hours later, it popped up a log that said what it installed but nothing was on the PC except a basic OS of xp... i rebooted and it went right back into the same setup screen as before saying it was going to take 16 hours...
i have a feeling that the brand name pc i bought might have had some issues and they are now showing themselves after the warranty is expired..
maybe they are learning from the auto makers; build them to fail....but only after the warranty expires.l
wolfgang239
2008-11-15, 00:26
i forgot to add that what i am trying now is on a backup pc, i am formatting the hard drive and installing a new OS... then i will take the hard drive and install it into my main pc and see if i can bypass any issues that way
Bio-Hazard
2008-11-16, 17:55
Clean Install
I'll respect you decision to do a clean install.
Please make sure that you know what to do before beginning the operation.
Here are a few links that propably help:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)
Then there are a couple of things you should do immediately after installing Windows and before surfing the net.
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
Set correct settings for files
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under Hidden files and folders if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check Display content of system folders
If necessary Uncheck Hide file extensions for known file types.
Click OK
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Here are few FREE alternatives:
Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html)- Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.download-avg-anti-virus-free-edition#tba2) - Free edition of the AVG anti-virus program for Windows.
Install and use a firewall with outbound protection
The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
NOTE: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Here are few FREE alternatives:
Online-Armor Free (http://www.tallemu.com/downloads.html)
Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
Sunbelt/Kerio (Free version after 30 days) (http://www.sunbelt-software.com/Kerio-Download.cfm)
Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation Install Comodo SafeSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!)
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE (http://surfthenetsafely.com/ieseczone8.htm)
Recommended Programs
I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644) and Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)
Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints >Malware Complaints< (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy surfing and stay clean!
Bio-Hazard