View Full Version : Another Vitumonde
You guys will be hero's when you figure out how to automate the Vitumonde removal.
Here is my HJT log ... good luck.
Thanks,
Stew
--------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:22 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {fc021629-acd0-42aa-89fb-b5187e7de796} - C:\WINDOWS\system32\fonemike.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [boyezezowa] Rundll32.exe "C:\WINDOWS\system32\hekeyapi.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM4a8f37db] Rundll32.exe "c:\windows\system32\fabapufu.dll",a
O4 - HKLM\..\Run: [49bc0447] rundll32.exe "C:\WINDOWS\system32\kurufihu.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [boyezezowa] Rundll32.exe "C:\WINDOWS\system32\hekeyapi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [boyezezowa] Rundll32.exe "C:\WINDOWS\system32\hekeyapi.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: c:\windows\system??\yajihobi.dll c:\windows\system32\hupetetu.dll c:\windows\system32\rugahojo.dll c:\windows\system32\numuligi.dll c:\windows\system32\sohafafe.dll c:\windows\system32\jobaruse.dll c:\windows\system32\pinapuwe.dll C:\WINDOWS\system32\barumoju.dll c:\windows\system32\ c:\windows\system32\rugifati.dll c:\windows\system32\fabapufu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fabapufu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fabapufu.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 13328 bytes
pskelley
2009-01-10, 13:29
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.
You guys will be hero's when you figure out how to automate the Vitumonde removal.
Hi Stew, it can be done to a certain extent, but the databases would have to be hugh as the hackers constantly change the files they infect with.
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks...Phil
I noticed that you didn't ask for another HJT log file, so I didn't send it.
1) Done
2) ComboFix Log File
ComboFix 09-01-09.03 - HP_Administrator 2009-01-10 7:36:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.511 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\ahomokol.ini
c:\windows\system32\avayafot.ini
c:\windows\system32\avunetaf.ini
c:\windows\system32\bikusono.dll
c:\windows\system32\bohusika.dll
c:\windows\system32\dazetaha.dll
c:\windows\system32\epatalik.ini
c:\windows\system32\etoyufib.ini
c:\windows\system32\ewamapup.ini
c:\windows\system32\fenoyoyu.dll
c:\windows\system32\gasesila.dll
c:\windows\system32\gotapajo.dll
c:\windows\system32\gufivozo.dll
c:\windows\system32\hamohive.dll
c:\windows\system32\ibegazah.ini
c:\windows\system32\ijomimun.ini
c:\windows\system32\isivijub.ini
c:\windows\system32\izahadur.ini
c:\windows\system32\iziboyow.ini
c:\windows\system32\kegezadu.dll
c:\windows\system32\kiyumote.dll
c:\windows\system32\nilujete.dll
c:\windows\system32\okarasow.ini
c:\windows\system32\okisomun.ini
c:\windows\system32\otatokij.ini
c:\windows\system32\owaligis.ini
c:\windows\system32\ozirusat.ini
c:\windows\system32\ozovifug.ini
c:\windows\system32\pawajinu.dll
c:\windows\system32\rutihuku.dll
c:\windows\system32\sifajade.dll
c:\windows\system32\tasurizo.dll
c:\windows\system32\tusihivi.dll
c:\windows\system32\ubivosid.ini
c:\windows\system32\udobayos.ini
c:\windows\system32\uhifuruk.ini
c:\windows\system32\ukuhitur.ini
c:\windows\system32\uvilebez.ini
c:\windows\system32\woyobizi.dll
c:\windows\system32\wutivoba.dll
c:\windows\system32\zakisohi.dll
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-05 21:35 . 2009-01-05 21:35 <DIR> d-------- c:\program files\Trend Micro
2009-01-04 09:51 . 2009-01-04 09:51 <DIR> d-------- c:\documents and settings\bri\Application Data\McAfee
2009-01-03 13:11 . 2009-01-03 13:11 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sonic
2009-01-03 13:10 . 2009-01-03 13:10 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-01-03 13:06 . 2009-01-03 13:06 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\McAfee
2009-01-01 16:26 . 2009-01-01 16:26 <DIR> d-------- c:\documents and settings\amy\Application Data\McAfee
2009-01-01 15:03 . 2009-01-01 15:03 <DIR> d-------- c:\documents and settings\s.evans\Application Data\McAfee
2009-01-01 11:58 . 2009-01-10 08:01 10,969 --a------ c:\windows\system32\Config.MPF
2009-01-01 11:57 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-01-01 11:54 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-01 11:54 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-01 11:54 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-01 11:54 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-01 11:54 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-01 11:53 . 2009-01-01 11:53 <DIR> d-------- c:\program files\McAfee.com
2009-01-01 11:53 . 2009-01-01 11:54 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-01 11:53 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-01 11:52 . 2009-01-02 10:49 <DIR> d-------- c:\program files\McAfee
2009-01-01 11:42 . 2009-01-01 15:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-28 19:10 . 2008-12-28 19:10 <DIR> d-------- c:\program files\Myopoly8
2008-12-28 19:09 . 2008-12-28 19:09 286,720 --------- c:\windows\Setup1.exe
2008-12-28 19:09 . 2008-12-28 19:09 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-25 11:47 . 2009-01-03 10:37 36 --a------ c:\windows\marscam.ini
2008-12-25 11:44 . 2004-08-03 22:58 5,504 --a------ c:\windows\system32\drivers\MSTEE.sys
2008-12-25 11:44 . 2004-08-03 22:58 5,504 --a------ c:\windows\system32\dllcache\mstee.sys
2008-12-25 11:43 . 2008-12-25 11:43 <DIR> d-------- c:\program files\DIFX
2008-12-25 11:42 . 2008-12-25 11:42 <DIR> d-------- c:\program files\Mars
2008-12-17 22:48 . 2008-12-17 22:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 20:17 . 2009-01-04 21:34 1,045 --a------ c:\windows\wininit.ini
2008-12-17 19:37 . 2009-01-04 21:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-17 19:37 . 2009-01-04 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-03 18:52 --------- d-----w c:\program files\Google
2009-01-03 18:44 --------- d-----w c:\program files\PartyGaming
2009-01-03 18:43 --------- d-----w c:\program files\PartyGaming.Net
2008-12-23 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2008-12-22 02:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-18 06:48 --------- d-----w c:\program files\Java
2008-12-12 01:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 02:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2007-10-03 00:52 49,912 ----a-w c:\documents and settings\bri\Application Data\GDIPFONTCACHEV1.DAT
2007-09-24 23:30 49,912 ----a-w c:\documents and settings\amy\Application Data\GDIPFONTCACHEV1.DAT
2007-09-23 19:55 49,912 ----a-w c:\documents and settings\s.evans\Application Data\GDIPFONTCACHEV1.DAT
2005-09-16 02:19 0 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-09-22 21:53 31,744 --sha-w c:\windows\system32\barohozi.dll
1601-01-01 00:12 53,248 --sha-w c:\windows\system32\nonabefa.dll
1601-01-01 00:12 43,008 --sha-w c:\windows\system32\pitorewe.dll
2008-09-22 21:53 2,048 --sha-w c:\windows\system32\wihuzomi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 180269]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"boyezezowa"=Rundll32.exe "c:\windows\system32\hiniripa.dll",s
"CPM4a8f37db"=Rundll32.exe "c:\windows\system32\jobaruse.dll",a
"49bc0447"=rundll32.exe "c:\windows\system32\gotapajo.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IMSI\\TCW90\\Program\\FindNews.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Logitech\\iTouch\\iTouch.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\hp\\KBD\\KBD.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\SymSCUI.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\ehome\\ehRecvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb11.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
R4 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2006-07-29 16288]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-03-22 450400]
.
Contents of the 'Scheduled Tasks' folder
2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-09 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 03:53]
2009-01-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-01-08 c:\windows\Tasks\Norton Security Scan for amy.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
2005-09-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
2009-01-10 c:\windows\Tasks\User_Feed_Synchronization-{163BA779-FDC6-4D5C-BB31-3F2C62F65A7B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 08:04:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-10 8:08:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 16:08:16
Pre-Run: 77,496,016,896 bytes free
Post-Run: 78,763,110,400 bytes free
277 --- E O F --- 2008-11-13 07:38:57
3) Uninstall List (with suggested removals)
1st Pricing
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.2
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AirPlus G
ANIO Service
ANIWZCS2 Service
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Aquatica 3D
Aquatica Scenery Maker
ATI Control Panel
ATI Display Driver
Audacity 1.3.0
BlackBerry Desktop Software 4.1
BlackBerry Desktop Software 4.1
Bonjour
Canon EOS 20D WIA Driver
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Capture 1.1
Canon Utilities EOS Viewer Utility 1.1
Canon Utilities PhotoStitch 3.1
Command Prompt Here PowerToy
Easy Internet Sign-up
EasyGPS 2.9.4
Enterprise Architect 4.10
GemMaster Mystic
Google Earth
Google Updater
Help and Support Additions
HijackThis 2.0.2
HP Boot Optimizer
HP Deskjet Printer Preload
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP PSC & OfficeJet 4.7
HP Software Update
HP Tunes
HPIZplus450
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iPod for Windows 2006-06-28
iTunes
Java(TM) 6 Update 11
KBD
Kids Programming Language
Legacy 7.0
Legacy Charting 7.0
Lemonade Tycoon for Windows
LiveUpdate 2.6 (Symantec Corporation)
LiveUpdate BVRP Software
Logitech iTouch Software
Logitech MouseWare 9.79
Mall Tycoon 3
Mango Plumo's Space Adventure
McAfee SecurityCenter
mobile PhoneTools
Monitor Calibration Wizard 1.0
Motorola Driver Installation 3.2.0
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0
muvee autoProducer unPlugged - HPD
Myopoly8
Natural Color
Norton Security Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
OpenOffice.org Installer 1.0
Oregon Trail(R) 5
Otto
PC-Doctor for Windows
Pet Vet (remove only)
Pet Vet 3D Animal Hospital
Photo Viewer
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2008
QuickTime
RawShooter essentials 2005
RawShooter essentials 2006
RealPlayer
Rhapsody Player Engine
Rosetta Stone V3
ScanCraft CS-P
scilab-4.0
SeaWorld Adventure Park Tycoon
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Talking Typing Teacher 4 Kids
TurboCAD Deluxe v9
TurboCAD Symbols
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB895678
***************
Thanks agains,
Stew
pskelley
2009-01-10, 17:49
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
Please read the directions carefully, I don't know how I could have made my need for a new HJT log any plainer?:sad:
Sorry, I tried to get you everything.
New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:01 AM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 11545 bytes
pskelley
2009-01-10, 20:22
1) It is not good to have two antivirus programs running at once. Looks like McAfee is your program of choice but see this:
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Since I don't see an option to uninstall, have a look here for help removing these leftovers:
http://basconotw.mvps.org/SymRem.htm
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\barohozi.dll
c:\windows\system32\nonabefa.dll
c:\windows\system32\pitorewe.dll
c:\windows\system32\wihuzomi.dll
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript and the log from MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running now, any malware issues?
Thanks
This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.2 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
Norton Security Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
I doubt you need those if you are running McAfee?
1) I found the Norton uninstallers and ran it.
2) Done.
3a) ComboFix Log File
ComboFix 09-01-09.03 - HP_Administrator 2009-01-10 14:08:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.506 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
FILE ::
c:\windows\system32\barohozi.dll
c:\windows\system32\nonabefa.dll
c:\windows\system32\pitorewe.dll
c:\windows\system32\wihuzomi.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\barohozi.dll
c:\windows\system32\nonabefa.dll
c:\windows\system32\pitorewe.dll
c:\windows\system32\wihuzomi.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-05 21:35 . 2009-01-05 21:35 <DIR> d-------- c:\program files\Trend Micro
2009-01-04 09:51 . 2009-01-04 09:51 <DIR> d-------- c:\documents and settings\bri\Application Data\McAfee
2009-01-03 13:11 . 2009-01-03 13:11 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sonic
2009-01-03 13:10 . 2009-01-03 13:10 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-01-03 13:06 . 2009-01-03 13:06 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\McAfee
2009-01-01 16:26 . 2009-01-01 16:26 <DIR> d-------- c:\documents and settings\amy\Application Data\McAfee
2009-01-01 15:03 . 2009-01-01 15:03 <DIR> d-------- c:\documents and settings\s.evans\Application Data\McAfee
2009-01-01 11:58 . 2009-01-10 13:56 10,969 --a------ c:\windows\system32\Config.MPF
2009-01-01 11:57 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-01-01 11:54 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-01 11:54 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-01 11:54 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-01 11:54 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-01 11:54 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-01 11:53 . 2009-01-01 11:53 <DIR> d-------- c:\program files\McAfee.com
2009-01-01 11:53 . 2009-01-01 11:54 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-01 11:53 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-01 11:52 . 2009-01-02 10:49 <DIR> d-------- c:\program files\McAfee
2009-01-01 11:42 . 2009-01-01 15:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-28 19:10 . 2008-12-28 19:10 <DIR> d-------- c:\program files\Myopoly8
2008-12-28 19:09 . 2008-12-28 19:09 286,720 --------- c:\windows\Setup1.exe
2008-12-28 19:09 . 2008-12-28 19:09 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-25 11:47 . 2009-01-03 10:37 36 --a------ c:\windows\marscam.ini
2008-12-25 11:44 . 2004-08-03 22:58 5,504 --a------ c:\windows\system32\drivers\MSTEE.sys
2008-12-25 11:44 . 2004-08-03 22:58 5,504 --a------ c:\windows\system32\dllcache\mstee.sys
2008-12-25 11:43 . 2008-12-25 11:43 <DIR> d-------- c:\program files\DIFX
2008-12-25 11:42 . 2008-12-25 11:42 <DIR> d-------- c:\program files\Mars
2008-12-17 22:48 . 2008-12-17 22:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 20:17 . 2009-01-04 21:34 1,045 --a------ c:\windows\wininit.ini
2008-12-17 19:37 . 2009-01-04 21:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-17 19:37 . 2009-01-04 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 21:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-10 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-03 18:52 --------- d-----w c:\program files\Google
2009-01-03 18:44 --------- d-----w c:\program files\PartyGaming
2009-01-03 18:43 --------- d-----w c:\program files\PartyGaming.Net
2008-12-23 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2008-12-18 06:48 --------- d-----w c:\program files\Java
2008-12-12 01:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2007-10-03 00:52 49,912 ----a-w c:\documents and settings\bri\Application Data\GDIPFONTCACHEV1.DAT
2007-09-24 23:30 49,912 ----a-w c:\documents and settings\amy\Application Data\GDIPFONTCACHEV1.DAT
2007-09-23 19:55 49,912 ----a-w c:\documents and settings\s.evans\Application Data\GDIPFONTCACHEV1.DAT
2005-09-16 02:19 0 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-10_ 8.07.38.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-09 04:01:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-10 21:53:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-09 04:01:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-10 21:53:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-09 04:01:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-10 21:53:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-02 16:19:02 53,640 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-10 21:51:48 53,640 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-02 16:19:02 382,022 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-10 21:51:48 382,022 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-10 21:57:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_588.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 180269]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"boyezezowa"=Rundll32.exe "c:\windows\system32\hiniripa.dll",s
"CPM4a8f37db"=Rundll32.exe "c:\windows\system32\jobaruse.dll",a
"49bc0447"=rundll32.exe "c:\windows\system32\gotapajo.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IMSI\\TCW90\\Program\\FindNews.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Logitech\\iTouch\\iTouch.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\hp\\KBD\\KBD.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\ehome\\ehRecvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb11.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
R4 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2006-07-29 16288]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-03-22 450400]
.
Contents of the 'Scheduled Tasks' folder
2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-09 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 03:53]
2009-01-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2005-09-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
2009-01-10 c:\windows\Tasks\User_Feed_Synchronization-{163BA779-FDC6-4D5C-BB31-3F2C62F65A7B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 14:13:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-10 14:16:32
ComboFix-quarantined-files.txt 2009-01-10 22:15:30
Pre-Run: 85,229,477,888 bytes free
Post-Run: 85,215,432,704 bytes free
232 --- E O F --- 2008-11-13 07:38:57
3b) HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:58 PM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 11226 bytes
4) ATF Cleaner: Done
5) MBAM Log: NOTICE, I saved the log file before I removed the selected files, but they all said removed.
Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 2
1/10/2009 4:41:56 PM
mbam-log-2009-01-10 (16-41-46).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 293457
Time elapsed: 2 hour(s), 12 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 93
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\barohozi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bohusika.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dazetaha.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fenoyoyu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasesila.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gotapajo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gufivozo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hamohive.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kegezadu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nilujete.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pawajinu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pitorewe.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rutihuku.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sifajade.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tasurizo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tusihivi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\woyobizi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wutivoba.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zakisohi.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137264.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137265.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137266.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138522.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138864.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138865.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138866.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138867.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP817\A0138969.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139149.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139119.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139121.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139173.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139203.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139204.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP823\A0139325.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP823\A0139326.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144832.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144851.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144858.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP828\A0145544.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP828\A0145612.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP829\A0145692.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145732.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145768.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145840.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145842.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP838\A0146821.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP840\A0146897.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147872.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147873.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147878.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147879.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147880.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147881.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147882.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147883.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147885.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147886.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147888.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147889.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147890.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147891.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147892.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147893.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147894.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147895.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147896.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147897.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147898.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147902.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147884.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147957.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147958.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147962.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147963.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147964.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147965.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147972.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147973.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147980.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147981.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147982.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147983.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147990.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147991.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147992.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147966.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147984.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP845\A0148163.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP845\A0148165.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fepuzega.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mejimaba.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lejufomu.dll.tmp (Trojan.Vundo) -> No action taken.
Lastly: I turned McAfee back on and restarted my computer and I haven't seen any pop-ups in a while. I also updated SpyBot again and it just found two tracking cookies and NO TROJANS's.
Thanks again,
Stew
I found the final MBAM log file that shows the probems fixed below.
Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 2
1/10/2009 4:44:04 PM
mbam-log-2009-01-10 (16-44-04).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 293457
Time elapsed: 2 hour(s), 12 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 93
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\barohozi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bohusika.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dazetaha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fenoyoyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasesila.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gotapajo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gufivozo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hamohive.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kegezadu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nilujete.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pawajinu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pitorewe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rutihuku.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sifajade.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tasurizo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tusihivi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\woyobizi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wutivoba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zakisohi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137264.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP810\A0137266.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138522.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138864.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138865.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138866.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP815\A0138867.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP817\A0138969.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139149.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139119.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP820\A0139121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139173.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139203.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP821\A0139204.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP823\A0139325.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP823\A0139326.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144851.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP826\A0144858.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP828\A0145544.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP828\A0145612.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP829\A0145692.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145732.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145768.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145840.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP830\A0145842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP838\A0146821.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP840\A0146897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147872.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147873.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147878.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147879.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147880.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147881.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147882.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147883.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147885.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147886.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147888.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147889.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147890.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147891.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147892.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147893.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147894.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147895.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147896.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147898.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147902.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP841\A0147884.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147958.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147963.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147964.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147965.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147972.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147973.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147980.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147981.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147982.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147983.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147990.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147991.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147992.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147966.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP842\A0147984.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP845\A0148163.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP845\A0148165.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fepuzega.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mejimaba.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lejufomu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
:)
pskelley
2009-01-11, 02:51
Stew, all of the MBAM items say: No action taken ?
Make sure the next run you delete and quarantine anything found.
(ok, you posted while I was posting, finish those directions please)
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)
Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
All looks good! Thanks again.
Stew
pskelley
2009-01-11, 12:53
Thanks for taking the time to let me know, safe surfing and Happy New Year:)