View Full Version : Rundll and virtimonde
dorlowski
2008-12-13, 05:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:21 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9451b5e2-1ec3-4adf-9369-1c64c849db0b} - C:\WINDOWS\system32\vutikonu.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM251a25c3] Rundll32.exe "c:\windows\system32\wobarale.dll",a
O4 - HKLM\..\Run: [nowuruyoto] Rundll32.exe "C:\WINDOWS\system32\funugipi.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [nowuruyoto] Rundll32.exe "C:\WINDOWS\system32\funugipi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nowuruyoto] Rundll32.exe "C:\WINDOWS\system32\funugipi.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101232212334
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.16.222.20/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://dogsaspen.dyndns.org:8082/activex/AMC.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O20 - AppInit_DLLs: c:\windows\system32\yimazitu.dll c:\windows\system32\nomifeyi.dll C:\WINDOWS\system32\nukiyofi.dll c:\windows\system32\wobarale.dll c:\windows\system32\wowinule.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wobarale.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wobarale.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Unknown owner - C:\Temp\DSET\dataeng\bin\dcstor32.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - Unknown owner - C:\Temp\DSET\sm\mr2kserv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10444 bytes
chryssi2001
2008-12-17, 18:36
Hello dorlowski,
I will be assisting you with your malware issues.
Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
Please bookmark or favourite this page. In case you need it as reference or etc.
----------------------------------------------
Download and run Combofix
Please visit this webpage for download links, and instructions for running the tool:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this topic (http://www.bleepingcomputer.com/forums/topic114351.html) if you need help to disable your protection programs.
Please post back, the C:\ComboFix.txt and a new HijackThis log.
dorlowski
2008-12-18, 00:48
Thank you so much for your reply. Here is the C:\Combofix.txt
ComboFix 08-12-16.03 - sbaker 2008-12-17 17:33:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.126 [GMT -6:00]
Running from: c:\documents and settings\sbaker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sbaker\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\7C2J1oLH.exe.a_a
c:\windows\system32\bafekefe.dll
c:\windows\system32\bohotute.dll
c:\windows\system32\bozuneyi.dll.vir
c:\windows\system32\bufezika.dll
c:\windows\system32\dajiwava.dll
c:\windows\system32\dutigoru.dll
c:\windows\system32\duweweba.dll
c:\windows\system32\fasirozi.dll
c:\windows\system32\fedeyipu.dll
c:\windows\system32\genetoda.dll
c:\windows\system32\gulidowu.dll
c:\windows\system32\kimulizi.dll
c:\windows\system32\lumuheze.dll.vir
c:\windows\system32\luruwono.dll
c:\windows\system32\miliyepa.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\nozuzito.dll.vir
c:\windows\system32\petipado.dll
c:\windows\system32\peyeduli.dll
c:\windows\system32\raferafo.dll
c:\windows\system32\silohuru.dll
c:\windows\system32\teteripe.dll.vir
c:\windows\system32\torazovi.dll
c:\windows\system32\uninstall.exe
c:\windows\system32\vinomisu.dll
c:\windows\system32\wakozawa.dll.vir
c:\windows\system32\wibakihi.dll
c:\windows\system32\wiparugo.dll
c:\windows\system32\wobarale.dll
c:\windows\system32\wuleketo.dll
c:\windows\system32\zetoyago.dll
c:\windows\winhelp.ini
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.
2008-12-17 16:21 . 2008-12-17 16:21 120 ---hs---- c:\windows\system32\uwodilug.ini
2008-12-15 20:08 . 2008-12-15 20:08 120 ---hs---- c:\windows\system32\ogayotez.ini
2008-12-15 19:10 . 2008-12-17 16:21 77,824 --a------ c:\windows\system32\7C2J1oLH.exe
2008-12-14 22:55 . 2004-08-04 02:56 24,576 --a------ c:\windows\system32\stu2.exe
2008-12-14 11:43 . 2008-12-14 11:43 120 ---hs---- c:\windows\system32\urogitud.ini
2008-12-13 23:43 . 2008-12-13 23:43 120 ---hs---- c:\windows\system32\izesuful.ini
2008-12-13 11:43 . 2008-12-13 11:43 120 ---hs---- c:\windows\system32\ufulilub.ini
2008-12-12 21:38 . 2008-12-12 21:38 <DIR> d-------- c:\documents and settings\sbaker\Application Data\Uniblue
2008-12-12 21:33 . 2008-12-12 21:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:28 . 2008-12-12 21:28 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-12 17:59 . 2008-12-12 17:59 120 ---hs---- c:\windows\system32\apeyilim.ini
2008-12-11 19:21 . 2008-12-11 19:21 120 ---hs---- c:\windows\system32\awawetod.ini
2008-12-11 07:22 . 2008-12-11 07:22 120 ---hs---- c:\windows\system32\avawijad.ini
2008-12-10 19:45 . 2008-07-11 22:07 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-10 19:21 . 2008-12-10 19:21 120 ---hs---- c:\windows\system32\abewewud.ini
2008-12-10 07:21 . 2008-12-10 07:21 120 ---hs---- c:\windows\system32\uruholis.ini
2008-12-09 22:16 . 2008-12-09 22:16 <DIR> d--hs---- C:\FOUND.000
2008-12-09 21:19 . 2008-12-09 21:19 <DIR> d-------- c:\program files\ESET
2008-12-09 21:19 . 2008-12-09 21:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-09 19:21 . 2008-12-09 19:21 120 ---hs---- c:\windows\system32\izilumik.ini
2008-12-09 07:29 . 2008-12-09 07:29 120 ---hs---- c:\windows\system32\usimoniv.ini
2008-12-08 19:44 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-08 19:09 . 2008-12-12 19:27 438 --a------ c:\windows\wininit.ini
2008-12-06 14:00 . 2008-12-06 14:00 <DIR> d-------- c:\documents and settings\sbaker\Application Data\Move Networks
2008-11-23 17:33 . 2008-11-23 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 02:25 --------- d-----w c:\documents and settings\sbaker\Application Data\ViquaSoft
2008-11-09 23:27 --------- d-----w c:\documents and settings\sbaker\Application Data\PetShowCraze
2008-11-09 03:53 --------- d-----w c:\documents and settings\All Users\Application Data\Fugazo
2008-11-02 22:13 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-19 00:23 --------- d--h--w c:\program files\Zero G Registry
2008-10-19 00:23 --------- d-----w c:\program files\DiscwareLite
2008-10-18 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\Fashion Solitaire 1.2
2008-10-18 04:02 --------- d-----w c:\program files\Shockwave.com
2008-10-18 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\FarmFrenzy2
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 17:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-12 01:02 129,784 ------w c:\windows\system32\pxafs.dll
2008-10-12 01:02 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-10-12 01:02 116,472 ------w c:\windows\system32\pxcpyi64.exe
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2007-12-12 17:00 56,912 ----a-w c:\documents and settings\sbaker\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-08-28 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2003-05-29 135168]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-17 77824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"QBCMAgent"="c:\program files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe" [2004-06-25 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"SoundMan"="SOUNDMAN.EXE" [2003-11-13 c:\windows\SOUNDMAN.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-02-08 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\MOBSYNC.EXE"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\WINDOWS\\System32\\cscript.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 dcdbas;Systems management base driver;c:\windows\system32\DRIVERS\dcdbas32.sys [2005-05-31 23552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-08 28544]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-11 24652]
R3 dcdipm;Systems management IPMI driver;c:\windows\system32\DRIVERS\dcdipm32.sys [2005-05-31 31744]
.
Contents of the 'Scheduled Tasks' folder
2008-12-17 c:\windows\Tasks\User_Feed_Synchronization-{7549B319-6F91-46D2-B33A-6C68FF2C58AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
2008-12-16 c:\windows\Tasks\At2.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At3.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At4.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At5.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At6.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At7.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At8.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At9.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At10.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At11.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At12.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At13.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At14.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At15.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At16.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At17.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At18.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At19.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At20.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At21.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At22.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At23.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At24.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At25.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At26.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At27.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At28.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At29.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At30.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At31.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At32.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At33.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At34.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At35.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At36.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At37.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At38.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At39.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At40.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At41.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At42.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At43.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At44.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At45.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At46.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At47.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-16 c:\windows\Tasks\At48.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At49.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At50.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At51.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At52.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At53.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At54.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At55.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At56.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At57.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At58.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At59.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At60.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At61.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At62.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At63.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At64.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At65.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At66.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At67.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At68.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At69.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At70.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At71.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\At72.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
2008-12-17 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2006-01-06 14:07]
2008-12-17 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2006-01-06 14:07]
2008-12-16 c:\windows\Tasks\At1.job
- c:\windows\system32\7C2J1oLH.exe [2008-12-17 16:21]
.
- - - - ORPHANS REMOVED - - - -
BHO-{9451b5e2-1ec3-4adf-9369-1c64c849db0b} - c:\windows\system32\wibakihi.dll
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
HKLM-Run-CPM251a25c3 - c:\windows\system32\bozuneyi.dll
HKU-Default-Run-Cognac - c:\windows\TEMP\4.tmp.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
c:\windows\Downloaded Program Files\FashionDashWeb.1.0.0.21.dll - O16 -: {049A470D-F818-4E34-B14D-E4E237DADCF8}
hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
c:\windows\Downloaded Program Files\FashionDashWeb.1.0.0.21.inf
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://dogsaspen.dyndns.org:8082/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 17:38:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-17 17:42:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 23:42:08
Pre-Run: 46,578,892,800 bytes free
Post-Run: 46,549,958,656 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
360 --- E O F --- 2008-11-13 05:14:24
Here is the new Hijack this log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44, on 2008-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101232212334
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.16.222.20/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://dogsaspen.dyndns.org:8082/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Unknown owner - C:\Temp\DSET\dataeng\bin\dcstor32.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - Unknown owner - C:\Temp\DSET\sm\mr2kserv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8908 bytes
I'm not sure if this is a problem or not, but Combofix did not change my clock after it was finished and closed. I haven't done a restart yet to see if this will change the clock back, but I thought I would let you know just in case!
chryssi2001
2008-12-18, 18:05
Hello dorlowski,
I'm not sure if this is a problem or not, but Combofix did not change my clock after it was finished and closed. I haven't done a restart yet to see if this will change the clock back, but I thought I would let you know just in case!
It's not a problem. Actually we'll be running Combofix again, don't worry about the time, if it changes you can bring it back as you want it to be.
----------------------------------------------
nutrihealthgroup.local
Do you recognise the above name?
Did you set it as your Domain?
If you didn't set it, or it belongs to your ISP or company we should fix it. Let me know.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/
Copy/paste this file and path into the white box at the top:
c:\windows\system32\userinit.exe
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
If more than one file with the same name excist, please upload them also.
----------------------------------------------
REMOVE VIEWPOINT
You have Viewpoint, Viewpoint Manager, Viewpoint Media Player installed on your system. These programs are not malware but are considered as foistware instead of malware since they are installed without user's approval, and for this reason I recommend you remove them.
To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
Do the same for each Viewpoint component.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=268347#post268347
Collect::
c:\windows\system32\uwodilug.ini
c:\windows\system32\ogayotez.ini
c:\windows\system32\7C2J1oLH.exe
c:\windows\system32\urogitud.ini
c:\windows\system32\izesuful.ini
c:\windows\system32\ufulilub.ini
c:\windows\system32\apeyilim.ini
c:\windows\system32\awawetod.ini
c:\windows\system32\avawijad.ini
c:\windows\system32\abewewud.ini
c:\windows\system32\uruholis.ini
c:\windows\system32\izilumik.ini
c:\windows\system32\usimoniv.ini
Folder::
C:\FOUND.000
c:\program files\Viewpoint
Driver::
Viewpoint Manager Service
File::
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At1.job
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Information about nutrihealthgroup.local.
Jotti results.
Combofix report.
A new HijackThis log.
dorlowski
2008-12-19, 01:03
Information about nutrihealthgroup.local
This computer is my mom's old work computer and Nutri Health Group was the company she worked for. So every employee would have to log on to the network every morning. When I got this computer the IT department was supposed to clear everything off of it, but never did. As a result I have all the settings that was on my mom's work computer.
Jotti results
Scan taken on 18 Dec 2008 23:18:13 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Combofix report
ComboFix 08-12-16.03 - sbaker 2008-12-18 17:48:04.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.147 [GMT -6:00]
Running from: c:\documents and settings\sbaker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sbaker\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\FOUND.000
c:\program files\Viewpoint
c:\windows\system32\7C2J1oLH.exe
c:\windows\system32\abewewud.ini
c:\windows\system32\apeyilim.ini
c:\windows\system32\avawijad.ini
c:\windows\system32\awawetod.ini
c:\windows\system32\izesuful.ini
c:\windows\system32\izilumik.ini
c:\windows\system32\ogayotez.ini
c:\windows\system32\ufulilub.ini
c:\windows\system32\urogitud.ini
c:\windows\system32\uruholis.ini
c:\windows\system32\usimoniv.ini
c:\windows\system32\uwodilug.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-14 22:55 . 2004-08-04 02:56 24,576 --a------ c:\windows\system32\stu2.exe
2008-12-12 21:38 . 2008-12-12 21:38 <DIR> d-------- c:\documents and settings\sbaker\Application Data\Uniblue
2008-12-12 21:33 . 2008-12-12 21:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:28 . 2008-12-12 21:28 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-10 19:45 . 2008-07-11 22:07 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-09 21:19 . 2008-12-09 21:19 <DIR> d-------- c:\program files\ESET
2008-12-09 21:19 . 2008-12-09 21:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-08 19:44 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-08 19:09 . 2008-12-12 19:27 438 --a------ c:\windows\wininit.ini
2008-12-06 14:00 . 2008-12-06 14:00 <DIR> d-------- c:\documents and settings\sbaker\Application Data\Move Networks
2008-11-23 17:33 . 2008-11-23 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 02:25 --------- d-----w c:\documents and settings\sbaker\Application Data\ViquaSoft
2008-11-09 23:27 --------- d-----w c:\documents and settings\sbaker\Application Data\PetShowCraze
2008-11-09 03:53 --------- d-----w c:\documents and settings\All Users\Application Data\Fugazo
2008-11-02 22:13 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-19 00:23 --------- d--h--w c:\program files\Zero G Registry
2008-10-19 00:23 --------- d-----w c:\program files\DiscwareLite
2008-10-18 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\Fashion Solitaire 1.2
2008-10-18 04:02 --------- d-----w c:\program files\Shockwave.com
2008-10-18 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\FarmFrenzy2
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 17:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-12 01:02 129,784 ------w c:\windows\system32\pxafs.dll
2008-10-12 01:02 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-10-12 01:02 116,472 ------w c:\windows\system32\pxcpyi64.exe
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2007-12-12 17:00 56,912 ----a-w c:\documents and settings\sbaker\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-17_17.41.30.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-18 23:44:18 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_68c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-08-28 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2003-05-29 135168]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-17 77824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"QBCMAgent"="c:\program files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe" [2004-06-25 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"SoundMan"="SOUNDMAN.EXE" [2003-11-13 c:\windows\SOUNDMAN.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-02-08 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\MOBSYNC.EXE"=
"c:\\WINDOWS\\System32\\cscript.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 dcdbas;Systems management base driver;c:\windows\system32\DRIVERS\dcdbas32.sys [2005-05-31 23552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-08 28544]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]
R3 dcdipm;Systems management IPMI driver;c:\windows\system32\DRIVERS\dcdipm32.sys [2005-05-31 31744]
.
Contents of the 'Scheduled Tasks' folder
2008-12-18 c:\windows\Tasks\User_Feed_Synchronization-{7549B319-6F91-46D2-B33A-6C68FF2C58AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
2008-12-18 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2006-01-06 14:07]
2008-12-18 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2006-01-06 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
c:\windows\Downloaded Program Files\FashionDashWeb.1.0.0.21.dll - O16 -: {049A470D-F818-4E34-B14D-E4E237DADCF8}
hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
c:\windows\Downloaded Program Files\FashionDashWeb.1.0.0.21.inf
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://dogsaspen.dyndns.org:8082/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 17:50:31
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-18 17:51:20
ComboFix-quarantined-files.txt 2008-12-18 23:51:20
ComboFix2.txt 2008-12-17 23:42:14
Pre-Run: 46,310,785,024 bytes free
Post-Run: 46,305,902,592 bytes free
303 --- E O F --- 2008-11-13 05:14:24
Hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57, on 2008-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101232212334
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.16.222.20/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://dogsaspen.dyndns.org:8082/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Unknown owner - C:\Temp\DSET\dataeng\bin\dcstor32.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - Unknown owner - C:\Temp\DSET\sm\mr2kserv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8523 bytes
chryssi2001
2008-12-19, 10:29
Hello dorlowski,
This computer is my mom's old work computer and Nutri Health Group was the company she worked for. So every employee would have to log on to the network every morning. When I got this computer the IT department was supposed to clear everything off of it, but never did. As a result I have all the settings that was on my mom's work computer.
Thanks for the information.
----------------------------------------------
FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
dorlowski
2008-12-20, 02:42
Malwarebytes Anti-Malware Report
Malwarebytes' Anti-Malware 1.31
Database version: 1523
Windows 5.1.2600 Service Pack 2
2008-12-19 19:39:51
mbam-log-2008-12-19 (19-39-51).txt
Scan type: Full Scan (C:\|)
Objects scanned: 152905
Time elapsed: 35 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 76
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SystemInit (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xdsfass (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vutikonu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nukiyofi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1121\A0088701.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1127\A0091878.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1127\A0091893.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0092082.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0092093.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0092098.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0092099.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0092121.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0094122.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0094123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0094124.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0094125.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1130\A0094126.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095161.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095162.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095163.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095164.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095165.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095166.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095167.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095168.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095169.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095170.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095171.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095172.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095173.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095175.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095176.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095177.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095178.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095179.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095181.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095182.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095183.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1119\A0088566.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1119\A0088567.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1123\A0090820.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1123\A0090821.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1125\A0090859.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1125\A0090861.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1133\A0096289.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bafekefe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bohotute.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bozuneyi.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bufezika.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dajiwava.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dutigoru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\duweweba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fasirozi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fedeyipu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\genetoda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gulidowu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kimulizi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lumuheze.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\luruwono.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\miliyepa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nozuzito.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\peyeduli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\raferafo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\silohuru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\teteripe.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\torazovi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vinomisu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wakozawa.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wibakihi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiparugo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wobarale.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuleketo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zetoyago.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\7C2J1oLH.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
New HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42, on 2008-12-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101232212334
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.16.222.20/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://dogsaspen.dyndns.org:8082/activex/AMC.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Unknown owner - C:\Temp\DSET\dataeng\bin\dcstor32.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - Unknown owner - C:\Temp\DSET\sm\mr2kserv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8521 bytes
chryssi2001
2008-12-20, 14:49
Hello dorlowski,
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
If you don't like Adobe Reader, you can download Foxit PDF Reader from here (http://www.filehippo.com/download_foxit/download/423817ca4028434efe3f6174b07468b0/FoxitReader30_enu_Setup.exe).
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.)
----------------------------------------------
Latest version of Java doesn't show in HijackThis log, so i want you to go in your Add/Remove programs, and see if you have the latest update which is "Java Runtime Environment Version 6 Update 11. If this is the one you have ignore the below instructions.
If you have an earlier version, follow the instructions below.
Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 11.
Go to Java Site (http://java.sun.com/javase/downloads/index.jsp)
Click to Download Java SE Runtime Environment (JRE) 6 Update 11
In Platform box choose Windows.
Check the box to Accept License Agreement and click Continue.
Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop.
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
Reboot your computer
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
dorlowski
2008-12-21, 03:05
Kaspersky scan results
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 20, 2008 22:02:51
Records in database: 1493111
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Files scanned: 79963
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:29:28
File name / Threat name / Threats count
C:\Documents and Settings\sbaker\.housecall6.6\Quarantine\A0087972.cpl.bac_a03776 Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cx 1
C:\Documents and Settings\sbaker\.housecall6.6\Quarantine\A0088259.exe.bac_a03776 Infected: not-a-virus:FraudTool.Win32.MSAntivirus.au 1
C:\Documents and Settings\sbaker\.housecall6.6\Quarantine\A0088260.cpl.bac_a03776 Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cx 1
C:\System Volume Information\_restore{CB265880-B395-4294-987A-9D2530DA0340}\RP1131\A0095185.exe Infected: Trojan-Downloader.Win32.Agent.auff 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.auff 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-18@17.25.zip Infected: Trojan.Win32.Agent.awxo 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-18@17.47.zip Infected: Trojan.Win32.Agent.awxo 1
The selected area was scanned.
New HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01, on 2008-12-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101232212334
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.16.222.20/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://dogsaspen.dyndns.org:8082/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Unknown owner - C:\Temp\DSET\dataeng\bin\dcstor32.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - Unknown owner - C:\Temp\DSET\sm\mr2kserv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8664 bytes
Description of how my PC is running
Things seems to be worker a lot better now. There are no longer popup websites while surfing on the internet, there are no error messages when windows first loads, and it's not trying to perform its own virus scan anymore. The help you've provided me definitely seems to be working and I am so grateful for that. Although it's crazy to me that every scan you get me to perform finds more infected files. I had no idea it could be that bad. I'm not sure if we're done yet, but thank you so much for all your help thus far.
chryssi2001
2008-12-21, 10:43
Hello dorlowski,
Things seems to be worker a lot better now. There are no longer popup websites while surfing on the internet, there are no error messages when windows first loads, and it's not trying to perform its own virus scan anymore. The help you've provided me definitely seems to be working and I am so grateful for that. Although it's crazy to me that every scan you get me to perform finds more infected files. I had no idea it could be that bad. I'm not sure if we're done yet, but thank you so much for all your help thus far.
Very good! You are welcome :)
This computer is my mom's old work computer and Nutri Health Group was the company she worked for. So every employee would have to log on to the network every morning. When I got this computer the IT department was supposed to clear everything off of it, but never did. As a result I have all the settings that was on my mom's work computer.
It seems these lines are back:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
We'll make another try to remove them in safe mode this time.
If they are still there after reboot, since they are not creating problems, we'll let them there, or you can contact your mother's old employee and tell them to help you remove them.
----------------------------------------------
Safe Mode
Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
----------------------------------------------
FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
O17 - HKLM\Software\..\Telephony: DomainName = nutrihealthgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nutrihealthgroup.local
Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Reboot the pc.
----------------------------------------------
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following Folder:
C:\Documents and Settings\sbaker\.housecall6.6\Quarantine
Right-Click and empty it's contents.
----------------------------------------------
I can't see any firewall in your HijackThis log, so i assume you use windows firewall.
FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users, must check compatibility with Vista before installation.
FREE FIREWALLS
Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
Outpost (http://www.agnitum.com/products/outpostfree/download.php)
Sunbelt Kerio (http://www.sunbelt-software.com/Kerio.cfm)
Tutorial about Firewalls can be found here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
----------------------------------------------
Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
----------------------------------------------
Congratulations your machine appears to be clean! :)
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 and newer versions should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Is your pc running slow?
Read What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)
Happy safe surfing!
dorlowski
2008-12-22, 03:41
I was unable to start this computer in safe mode. When I log on to this computer, I have to put in the user name and password from my mom's work. When I started in safe mode, it still asked for a user name and password, but the ones I normally used did not work. I guess taking someone else's computer is causing more than a few problems. I did try to fix those selected problems in the regular mode though, but I'm not sure if that will help. Other than that I did all the other cleanups that you mentioned and installed those programs you mentioned to try and keep my computer as clean as possible. However, installing those programs has seemed to slow down the internet a bit, is that normal?
Also could you give me the instructions on how to change my clock back to what is was before I ran combofix. Right now it's on a 24-hour clock and the date is in the yyyy-mm-dd format. I'd like it be on the 12 hour clock and the date to read Dec 21 2008.
Again, thank you so much for all your help! I was so frustrated with all the malware, etc that was on this machine. But things are definitely better now and it's all thanks to you! I truly appreciate all the time you spent with me and I will be making a donation to your website!
Thanks again!
chryssi2001
2008-12-22, 14:01
Hello dorlowski,
Did you install all of them?
If you installed Winpatrol and you have Spybot with teatimer active, then Winpatrol is not needed.
FireTrust SiteHound may made your pc slower. Remove it and see if any difference.
You still can't boot in Safe mode?
Also could you give me the instructions on how to change my clock back to what is was before I ran combofix. Right now it's on a 24-hour clock and the date is in the yyyy-mm-dd format. I'd like it be on the 12 hour clock and the date to read Dec 21 2008.
Open Control Panel.
Double-click on Regional and Language settings icon.
In Regional Options tab, click on Customise.
Click on Time and Date tabs, and adjust Time and Date as you want them.
Click apply ok as many times needed and then close Regional Settings.
You may need to reboot your pc, if the changes do not show yet.
Let me know if it worked.
dorlowski
2008-12-23, 00:58
FireTrust Sitehound was the reason my computer had slowed down. I no longer have it installed.
I am still not able to reboot in safe mood.
My clock is back to its original format. Thank you!
chryssi2001
2008-12-23, 13:36
Hello dorlowski,
FireTrust Sitehound was the reason my computer had slowed down. I no longer have it installed.
I thought so, it sometimes creates slow downs.
My clock is back to its original format. Thank you!
You are welcome. :santa:
I am still not able to reboot in safe mood.
Run the tool below and tell me how it goes.
----------------------------------------------
SAFE BOOT REPAIR
Download avz4en.zip (http://z-oleg.com/avz4en.zip)
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the file tab and then click on System recovery.
Put a checkmark next to Restore SafeBoot registry keys.
Click on Execute selected operations.
dorlowski
2008-12-24, 21:34
Hi chryssi2001,
I ran the program you suggested and I was still not able to reboot in safe mode. I then tried logging on again but choose the option safe mode with networking. I was then able to log on in safe mode. I ran hijack this and selected the entries that started with the number 17 and then selected fix checked. I rebooted my computer in normal mode and ran another hijack this log, but those entries were back. For some reason they keep coming back and I think they are there to stay!
chryssi2001
2008-12-24, 22:12
Hello dorlowski,
At least you can use Safe mode with Network support, i don't suggest to use it often, and visit the internet, as your Anti-Virus and firewall are not working and you are open to infections.
If they are still there after reboot, since they are not creating problems, we'll let them there, or you can contact your mother's old employee and tell them to help you remove them.
Yes those lines have to be removed from your mother's ex boss IT department.
They do not harm though, so do not worry.
If no other problem we can call this thread done.
dorlowski
2008-12-25, 17:41
I think we are done! Thank you again!
Happy Holidays and a Happy New Year to you!
chryssi2001
2008-12-25, 19:18
I think we are done! Thank you again!
You are welcome :)
Happy Holidays and a Happy New Year to you!
I hope you had a happy Christmas day, many wishes for a joyfull New Year to you too :santa:
----------------------------------------------
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.