View Full Version : Vundo and Friends
TATA Box
2009-01-05, 01:41
Hi,
I've been plagued for a couple of weeks by recurring virii and other pests that just won't stay away! Avira AV, Spybot S&D, ad-aware, and MB Anti-Malware report Vundo, Virtumonde and other nasties. When I run the scans and clean the system, I'm generally trouble free for a day or two until I somehow get infected again. Everything is kept up to date so I'm guessing there is some lingering undetectable fragment left. Any help would be much appreciated!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:43 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\mozilla\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: {6315cc60-12d7-8c99-8b44-c2b744e349f0} - {0f943e44-7b2c-44b8-99c8-7d2106cc5136} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {B505B0DC-CBC3-4116-893C-9C458062A3FF} - (no file)
O2 - BHO: (no name) - {FDB04E4D-A7EA-47FF-9503-23933B4DDBDE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O20 - AppInit_DLLs: nbyzdy.dll wqjqau.dll vorptx.dll sichfw.dll
O20 - Winlogon Notify: ddcDuVnO - ddcDuVnO.dll (file missing)
O20 - Winlogon Notify: ljJBuVOg - ljJBuVOg.dll (file missing)
O20 - Winlogon Notify: qoMebxVl - qoMebxVl.dll (file missing)
O20 - Winlogon Notify: urqOFxUO - urqOFxUO.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6349 bytes
Thanks for the help!
Hello TATA Box,
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Sorry for the delay but the forums are extremely busy, if you have not resolved this issue and still need assistance, post a new HJT log please
TATA Box
2009-01-10, 18:57
Thanks for the response. I also wanted to edit my previous post to include some other information but found out I could not so I'll give it to you here: I suspect that my rundll32.exe is not working properly or is infected. It does not always show up in taskmanager, but when it does, I notice that error sounds happen out of the blue without any messages.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:57 AM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\mozilla\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
*.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {B505B0DC-CBC3-4116-893C-9C458062A3FF} - (no file)
O2 - BHO: (no name) - {FDB04E4D-A7EA-47FF-9503-23933B4DDBDE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program
Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) -
http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation
Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} -
http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) -
http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) -
https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O20 - AppInit_DLLs: nbyzdy.dll wqjqau.dll vorptx.dll sichfw.dll kimcbp.dll
O20 - Winlogon Notify: ddcDuVnO - ddcDuVnO.dll (file missing)
O20 - Winlogon Notify: ljJBuVOg - ljJBuVOg.dll (file missing)
O20 - Winlogon Notify: qoMebxVl - qoMebxVl.dll (file missing)
O20 - Winlogon Notify: urqOFxUO - urqOFxUO.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program
Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH -
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH -
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir
PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH -
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile
Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH -
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common
Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6226 bytes
TATA Box
2009-01-10, 18:59
Sorry, forgot to disable word wrap. Here is the corrected version:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:57 AM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\mozilla\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {B505B0DC-CBC3-4116-893C-9C458062A3FF} - (no file)
O2 - BHO: (no name) - {FDB04E4D-A7EA-47FF-9503-23933B4DDBDE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O20 - AppInit_DLLs: nbyzdy.dll wqjqau.dll vorptx.dll sichfw.dll kimcbp.dll
O20 - Winlogon Notify: ddcDuVnO - ddcDuVnO.dll (file missing)
O20 - Winlogon Notify: ljJBuVOg - ljJBuVOg.dll (file missing)
O20 - Winlogon Notify: qoMebxVl - qoMebxVl.dll (file missing)
O20 - Winlogon Notify: urqOFxUO - urqOFxUO.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6226 bytes
Hello,
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {B505B0DC-CBC3-4116-893C-9C458062A3FF} - (no file)
O2 - BHO: (no name) - {FDB04E4D-A7EA-47FF-9503-23933B4DDBDE} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O20 - AppInit_DLLs: nbyzdy.dll wqjqau.dll vorptx.dll sichfw.dll kimcbp.dll
O20 - Winlogon Notify: ddcDuVnO - ddcDuVnO.dll (file missing)
O20 - Winlogon Notify: ljJBuVOg - ljJBuVOg.dll (file missing)
O20 - Winlogon Notify: qoMebxVl - qoMebxVl.dll (file missing)
O20 - Winlogon Notify: urqOFxUO - urqOFxUO.dll (file missing)
You may not have run Malwarebytes correctly, do it this way and lets see what it finds, there will be more to do I am sure. If it bogs down on you, you can run it in Safemode with Network Support
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
TATA Box
2009-01-11, 01:15
After following the instructions for HijackThis, MBAM didn't pick up anything for a change!
Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3
1/10/2009 5:12:32 PM
mbam-log-2009-01-10 (17-12-32).txt
Scan type: Quick Scan
Objects scanned: 52861
Time elapsed: 2 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:10 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\mozilla\firefox.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5299 bytes
Your log looks fine but there may be more we can't see
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
TATA Box
2009-01-11, 01:54
ComboFix 09-01-10.01 - Robert 2009-01-10 17:32:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1609 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Robert\Application Data\inst.exe
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\system32\java2.sys c:\windows\system32\snjava.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\tayckwku.ini
c:\windows\system32\txiartlm.ini
c:\windows\Tasks\avuiltzm.job
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-09 17:01 . 2009-01-09 17:01 0 -ra------ C:\logwmemory.bin
2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- c:\documents and settings\Robert\Application Data\Soldat
2009-01-08 21:44 . 2009-01-08 21:44 2,092 --a------ c:\windows\system32\ffkuz.dll
2008-12-24 12:43 . 2003-03-15 21:15 90,112 --a------ c:\windows\unvise32.exe
2008-12-22 21:51 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 21:51 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-22 20:47 . 2008-12-22 20:47 <DIR> d-------- c:\program files\iPod
2008-12-22 20:47 . 2008-12-22 20:47 <DIR> d-------- c:\program files\Bonjour
2008-12-22 20:47 . 2008-12-22 20:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 20:47 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 20:47 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 20:46 . 2008-12-22 20:47 <DIR> d-------- c:\program files\QuickTime
2008-12-22 20:46 . 2008-12-22 20:46 <DIR> d-------- c:\program files\Apple Software Update
2008-12-17 19:14 . 2008-12-17 19:14 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2008-12-17 19:13 . 2008-12-17 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 19:24 . 2008-12-18 17:45 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 13:33 . 2008-12-13 13:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-12 23:37 . 2008-12-12 23:37 <DIR> d-------- c:\documents and settings\Robert\Application Data\Avira
2008-12-12 23:19 . 2008-12-12 23:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 23:00 --------- d-----w c:\documents and settings\Robert\Application Data\Azureus
2009-01-06 21:42 --------- d-----w c:\documents and settings\Robert\Application Data\LimeWire
2008-12-23 02:47 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-13 19:35 --------- d-----w c:\program files\Unity
2008-11-30 21:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 19:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 19:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-28 01:48 --------- d-----w c:\documents and settings\Robert\Application Data\Apple Computer
2008-11-26 19:15 --------- d-----w c:\documents and settings\Robert\Application Data\Twain
2008-07-12 16:53 47,360 ----a-w c:\documents and settings\Robert\Application Data\pcouffin.sys
2003-12-18 16:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 12:46 10,960 ----a-w c:\program files\EULA.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="e:\program files\itunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="e:\avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Program Files\\Steam\\steamapps\\robertkadish@yahoo.com\\half-life\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\itunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2008-03-23 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2008-03-23 52736]
R4 AntiVirMailService;Avira AntiVir Premium MailGuard;e:\avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-12-12 164097]
R4 antivirwebservice;Avira AntiVir Premium WebGuard;e:\avira\AntiVir PersonalEdition Premium\avwebgrd.exe [2008-12-12 258305]
R4 AVEService;Avira AntiVir Premium MailGuard helper service;e:\avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-12-12 41217]
S1 atitray;atitray;\??\e:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys --> e:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{709bf9aa-2dd9-11dd-a064-000c76ff2bbf}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa40f882-303a-11dd-a06b-000c76ff2bbf}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
Trusted Zone: asia.msi.com.tw
Trusted Zone: global.msi.com.tw
Trusted Zone: www.msi.com.tw
O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\i6yk3f6a.default\
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - plugin: e:\program files\Adobe Reader\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjava11.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjava12.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjava13.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjava14.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjava32.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npjpi160_05.dll
FF - plugin: e:\program files\Java\jre1.6.0_05\bin\npoji610.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 17:49:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\avsda.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
e:\program files\Lavasoft\Ad-Aware\aawservice.exe
e:\avira\AntiVir PersonalEdition Premium\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-10 17:51:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 23:51:16
Pre-Run: 36,693,544,960 bytes free
Post-Run: 36,647,849,984 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
170 --- E O F --- 2008-12-18 13:17:31
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:50 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
E:\Program Files\mozilla\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5593 bytes
Hi,
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
c:\windows\system32\ffkuz.dll <-- Delete this file, let me know if it would not delete
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java SE Runtime Environment (JRE) 6 Update 11 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
Everything else looks fine, how is your system behaving now??
TATA Box
2009-01-11, 02:35
Everything seems to be going well so far! :D: I hope that everything is fine and I haven't noticed any unusual activity, but I don't want to start feeling cocky; only time will tell if these pests are gone. Thank you so much for your time and expertise.. this has been bugging me for way too long!
I guess it's fine to remove all the applications that I used? Also is there a way to disable the recovery console option from showing every time Windows boots? I know it's only on screen for a few seconds, but still...
Once again, THANK YOU!:bigthumb:
Your the first one that asked me about deleting the Recovery Console so I am really not sure but I can check and get back to you. If your Operating System gets corrupted in the future ( and they sometimes do ) by a host of reasons you will wish you had it installed. It will restore your system in lew of having to do a complete format and reinstall of windows.
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
TATA Box
2009-01-11, 08:35
Thanks again, Ken! A couple of the vundo trojans came back, but I used MBAM and HijackThis to get rid of them again and I have been problem free for the last couple of hours. Also, the CastleCops site is down (looks to be permanently).
Cheers
Hi,
CastleCops <---This was one of the better forums and had a wealth of information for us guy removing this garbage, but the bad guys put them out of business. There site was constantly under attack and there old server could not take it anymore, we we're hoping that someone would come along and buy them , maybe someone will in the future. The people that write this garbage are not very nice, most of it comes from Russia from the RBN ( Russian Business Network ) that fronts as a legit company but there actually the Russian Mafia. Google them for more info.
Why don't you download and install Spybot Search and Destroy per my links , check for updates and run a scan, it will most likely find Vundo registry entries, when it does remove them.......REBOOT.... and run the scan again until it comes up clean, it may take a time or two to remove it all.
Then post a new HJT log and lets make sure its all gone
TATA Box
2009-01-11, 21:02
Interesting read about the RBN! Thought these kind of untraceable organizations only existed in movies.. anyway Spybot came up clean and here is the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:35 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
E:\Program Files\Adobe Reader\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\itunes\iTunesHelper.exe
E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - E:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5505 bytes
Looks good :bigthumb:
It may need seem like it but there is big money in these dirtbags infecting your computer, especially when a rogue program is installed that will drive you nuts until you pay them , then guess what, it does not go away and you just gave your credit information to thieves.
My pleasure helping you, take care,
Ken:)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.