View Full Version : Error:1058, i need help with malware!!!!!!!
hi
Am trying to fix my automatic updates problem i have on my computer. I already tried turning on my automatic updates by going on services.msc, i have done all the steps but it didnt work. It displays .....Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.......My Background Intelligent Transfer Service are started properly. My anti-virus and my anti-adware are up to date...i already did a full scan of my computer but the problem is still there. And am sure am having a malware virus because i get alot of pop up's showing ad's or search engines poping in my screen for no reason. Theres also alot of pop ups message box telling me i have trojan and viruses in my computer.... then it does a scan...and after it tells me to download a "antivirus" software to remedy this. And theres also the fact that my computer is not acting like its use to...its more slow and sluggish...
So i really hope that you can help me figure out what my problem is and what i can do to fix it.
heres a hijackthis scan and logs....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:31 PM, on 08/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\Diego\Desktop\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {FA36F79A-6697-4C2F-AB1F-24718DC80D25} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPM57497065] Rundll32.exe "c:\windows\system32\nawobiti.dll",a
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PD - {999858A8-1412-41BB-8D0D-6C67F7AB11AF} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219269518343
O20 - AppInit_DLLs: C:\WINDOWS\system32\kagohaku.dll C:\WINDOWS\system32\lasobemo.dll c:\windows\system32\fevahiva.dll xjtfny.dll krkrbw.dll vqrrew.dll wrelvl.dll c:\windows\system32\nawobiti.dll bdqulg.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nawobiti.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nawobiti.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7574 bytes
shelf life
2009-02-08, 23:15
hi,
We will get a download to use. Its called Malwarebytes antimalware. Link and directions:
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:
http://www.malwarebytes.org/mbam.php
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the MBAM log in your reply
hi
so heres the MBAM log that u ask me for..... i actually did two scans because the first scan i did when i was about to have the notepad log the malwarebytes anti-malware program frozed ......but i actually have the two logs for the two scans i did...
so here are the two logs:
1.
Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 2
08/02/2009 8:12:02 PM
mbam-log-2009-02-08 (20-12-02).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 141586
Time elapsed: 2 hour(s), 3 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 30
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 14
Files Infected: 116
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\khfDwvWm.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nawobiti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bdqulg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkKeeET.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bhmohihj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqNGXOI.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22da954a-9080-42f2-aba5-b37096461fda} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22da954a-9080-42f2-aba5-b37096461fda} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f65d800-19b1-470f-8cad-ae5e2cbf3302} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4f65d800-19b1-470f-8cad-ae5e2cbf3302} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkeeet (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{22da954a-9080-42f2-aba5-b37096461fda} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4f65d800-19b1-470f-8cad-ae5e2cbf3302} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pamafiwope (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm57497065 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\547a43f9 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdwvwm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nawobiti.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nawobiti.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfdwvwm -> Delete on reboot.
Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Delete on reboot.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\3.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\bdqulg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bhmohihj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKeeET.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfDwvWm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mWvwDfhk.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mWvwDfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bcfqlkhg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ghklqfcb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csvjxavl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lvaxjvsc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iydlrvur.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ruvrldyi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jiweyiyi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iyiyewij.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jtknkdqb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bqdknktj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcgyucrw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wrcuygcq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcpdroab.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baordpcv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdtlysaw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wasyltdx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxywTJAQ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QAJTwyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QAJTwyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nawobiti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\1QCIHWS9\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\1QCIHWS9\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\LGA2CSO0\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\LGA2CSO0\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\LGA2CSO0\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\PF6VUIW0\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\PF6VUIW0\style[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irina\Local Settings\Temporary Internet Files\Content.IE5\0R250LK9\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irina\Local Settings\Temporary Internet Files\Content.IE5\4F0J25OD\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Irina\Local Settings\Temporary Internet Files\Content.IE5\6Z45O5MP\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temp\khcfsiru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temp\pcxckwqm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\1B2BDTCI\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\5SXEZX41\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\5SXEZX41\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\5SXEZX41\img[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\5SXEZX41\img[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\5SXEZX41\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\AV9AQ9UV\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\V6NOPA0Q\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP104\A0023039.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP104\A0023040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP104\A0023041.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP110\A0026786.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP113\A0030835.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP116\A0031040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP120\A0037121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP167\A0047937.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP168\A0047952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP169\A0048957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP169\A0048958.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP169\A0048960.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP169\A0048962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP170\A0048987.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP170\A0048989.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP172\A0058971.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0060993.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0060994.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0060995.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0060996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0062041.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP178\A0062042.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E03A412E-A9A9-4F2D-85D1-758E7437F9D4}\RP179\A0063046.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\augigkwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dfkiadjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jatvtcna.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBRIab.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njmjgqqj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nwvuwxam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoOFWP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rxoqfuex.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdmlet.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqfpmyap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wlmtlruy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bcjivgsy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bfresswt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bmulno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdcCSk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hnfiynwy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwpilssp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbzgtq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKCrPg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tnjsrigb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wsoeuaku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jnifcwth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jofgejuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bvuhdrec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccfxytwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xhyumthi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fulkoulc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifxcpd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raabcnmm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xtytoyrg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysyrbg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvqqei.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBtsSi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wnschswh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kuxypg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvbgmkha.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\qoMEvUnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnonkIX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kufubabe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRkiHBq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcDTNGy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCSiif.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNGXOI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ljJYOhHb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmkiHx.dll (Trojan.vundo) -> Quarantined and deleted successfully.
2.
Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 2
08/02/2009 10:18:47 PM
mbam-log-2009-02-08 (22-18-47).txt
Scan type: Full Scan (C:\|)
Objects scanned: 141839
Time elapsed: 1 hour(s), 52 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 10
Registry Keys Infected: 17
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 14
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\khfDwvWm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvbgmkha.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nawobiti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bdqulg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkKeeET.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aqrkwlfk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tnjsrigb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bhmohihj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\inclny.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqNGXOI.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{262c27c9-92a5-4176-b145-fe49474cbc99} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{262c27c9-92a5-4176-b145-fe49474cbc99} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkeeet (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99e4e60c-655a-48a2-b066-fe7801de24fe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99e4e60c-655a-48a2-b066-fe7801de24fe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ae60ddb9-b3cf-49f2-958d-c73f53b7f6c8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{262c27c9-92a5-4176-b145-fe49474cbc99} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99e4e60c-655a-48a2-b066-fe7801de24fe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm57497065 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdwvwm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nawobiti.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nawobiti.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfdwvwm -> Delete on reboot.
Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\tnjsrigb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKeeET.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\inclny.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfDwvWm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mWvwDfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mWvwDfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvbgmkha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ahkmgbvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nawobiti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bdqulg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aqrkwlfk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bhmohihj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\J1GL1EYT\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\PF6VUIW0\upd105320[2] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Diego\Local Settings\Temporary Internet Files\Content.IE5\PF6VUIW0\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNGXOI.dll (Trojan.Vundo) -> Delete on reboot.
shelf life
2009-02-09, 22:45
hi,
ok good. Rescan and post a new hjt log. Looking better on your end now?
Hi
So yea after the mbam scann my computer looks much better...and i tried to put the automatic update back to automatic and it worked. So i think now my computer is free from malware (hope so) youll see with my hijackthis log. If so, i really appreciate the help that u gave me and really want to thank you for that. One last question do i have to do a mbam scan like once a week or do it once a month....
so heres the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:34 PM, on 09/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.BIN
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Diego\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Registry Helper] "C:\Program Files\Registry Helper\LaunchRegistryHelper.Exe" "C:\Program Files\Registry Helper\RegistryHelper.Exe" /boot
O4 - HKCU\..\Run: [Disk Cleaner] "C:\Program Files\Disk Cleaner\LaunchDiskCleaner.Exe" "C:\Program Files\Disk Cleaner\DiskCleaner.Exe" /boot
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - HKUS\S-1-5-19\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1229272821-1303643608-682003330-1004\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Diego')
O4 - S-1-5-21-1229272821-1303643608-682003330-1004 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Diego')
O4 - S-1-5-21-1229272821-1303643608-682003330-1004 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Diego')
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PD - {999858A8-1412-41BB-8D0D-6C67F7AB11AF} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219269518343
O20 - AppInit_DLLs: C:\WINDOWS\system32\kagohaku.dll C:\WINDOWS\system32\lasobemo.dll c:\windows\system32\fevahiva.dll xjtfny.dll krkrbw.dll vqrrew.dll wrelvl.dll inclny.dll
O20 - Winlogon Notify: hgGaxXQJ - hgGaxXQJ.dll (file missing)
O20 - Winlogon Notify: urqQgdBU - urqQgdBU.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 9942 bytes
shelf life
2009-02-10, 03:13
hi,
ok good. You should- as good practice- keep MBAM updated as well as your AV and other anti-malware. MBAM must be checked manually for updates (the paid version has auto updating). I would check every 2 or 3 days for updates.
Your scanning frequency is really dependent on your computer habits. Engaging in bad habits- then I would scan more often. Here are some good and bad habits as examples:
http://www.virusvault.us/prevention1.html
In any case always check MBAM for updates before doing a scan with it. The paid version offers auto updating.
You have Limewire installed.There is plenty of malware distributed on p2p networks. Most people dont need another source for malware. You should also not have it start when you boot up. Only have it running when you are using it.
some p2p info for you:
http://www.virusvault.us/p2p.html
Registry Helper: This registry "cleaning tool" will not improve a computers performance. Its a myth. Hope you didnt pay money for it.
----------------------------------------
We will use hjt now:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pamafiwope] Rundll32.exe "C:\WINDOWS\system32\fopihofu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\kagohaku.dll C:\WINDOWS\system32\lasobemo.dll c:\windows\system32\fevahiva.dll xjtfny.dll krkrbw.dll vqrrew.dll wrelvl.dll inclny.dll
O20 - Winlogon Notify: hgGaxXQJ - hgGaxXQJ.dll (file missing)
O20 - Winlogon Notify: urqQgdBU - urqQgdBU.dll (file missing)
reboot computer, rescan and post a new hjt log
--------------------------------------------------------
you should read SmartShoppers privacy policy:
http://www.smartshopper.com/Legal/PrivacyPolicy.aspx
hi
So i did wat u asked and i notice that the... R3 - URLSearchHook: (no name)...is still there it didnt delete or repair......besides that yea my limewire doesnt start when i boot the computer and the registry cleaner program i have i didnt buy it....its like a 20 days free to try program.... so heres my new hijackthis log and youll see that R3 is still there and theres a other one to....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:29 PM, on 09/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Diego\Desktop\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {FA36F79A-6697-4C2F-AB1F-24718DC80D25} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PD - {999858A8-1412-41BB-8D0D-6C67F7AB11AF} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219269518343
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7170 bytes
shelf life
2009-02-10, 23:59
hi,
not sure why it didnt delete. You can select them both again using hjt, the two R3's. These are really harmless registry items, the files they pointed to are gone. Also please check MBAM for updates and run it once more and post the MBAM log.
hi
so here are my two logs of my two scans...my mbam log and my hijackthis log
Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 2
10/02/2009 11:33:37 PM
mbam-log-2009-02-10 (23-33-37).txt
Scan type: Full Scan (C:\|)
Objects scanned: 146390
Time elapsed: 1 hour(s), 1 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
----------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:21 PM, on 10/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Diego\Desktop\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PD - {999858A8-1412-41BB-8D0D-6C67F7AB11AF} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219269518343
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7090 bytes
shelf life
2009-02-11, 22:44
hi,
ok thanks for the info. Looks good to me. If all is good, you can make a new restore point. The how and why:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Some info for you:
Reducing Your Risk To Malware:
The Short Version:
1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities.
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, malware, toolbars etc.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*
8) Install and know the limitations of a software firewall.
9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)
10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?
A longer version in link below.
Happy Safe Surfing.
hi
So i did what you ask me to do..the restore point.
So just want to say thank you very much for your help, i really appreciated it....have a good day!!!!
THX:):):)
didi07