Need help? Am i infected? How fix?



hinow
2009-03-03, 01:52
Hello good people at Safer Networking! Can I give you the lowdown on what my problem is/has been before u read my hijack log? I'm a first timer. Thank you for Spybot, it's the only thing I got running that I trust right now. I can't wait to PayPal u, but please help more if u can! I'm using my 1st computer, which I got in 04/05. Never a problem ever with viruses till now (09). I think this might have all started because I finally applied myself to trying to listen to all my music that's been on my comp that I haven't been able to listen to for the last couple of years. For 2 years I hadn't been able to listen to any of MY OWN music that I'd ripped to my comp from my own CDs. I think a Microsoft Automatic Update a couple of years ago screwed me somehow (WMP 8 to 9, or 9 to 10, or 10 to 11....??) or I allowed it to convert all my stuff to "wma". Anyhow, after years and hundreds of hours of trying I somehow finally was able to convert all my music to "mp3" after stripping "DRM" using FairUse4WM.exe and dBpoweramp to convert to mp3. What a glorious day that was!! However I was warned to turn off MS Update so I don't get screwed again; maybe that's where the problem started. Or maybe I got a virus from some songs that I'd downloaded from Limewire, which I'd downloaded to listen to because friggin Microsoft had kept me from listening to my own. Or maybe I picked something up installing/uninstalling programs during the ordeal of trying to find something to help me listen to my music library again. Anyways...

So now I have "problems". The comp seems a little slower. Sometimes when I boot, like every other time, it says, "Warning! The system has recovered from a serious error! Do you want to report this to Microsoft..." etc. etc.
My Symantec runs once a week as scheduled but I can no longer manually run scans; I get "Could not start scan, Scan engine returned error 0x20000058". I've spent time trying to address this error doing Google searches that say to stop/start various services, but that doesn't work. It appears a virus has disabled my manual Symantec scanning.
I then decided to turn Microsoft Update back on, however now I'm unable to do that either. When I try to do the Express or Custom install from Microsoft Update it says "[Error number: 0x800704DD] The website has encountered a problem and cannot display the page you are trying to view." So apparently maybe a virus has disabled my MS updating somehow. I believe, if I recall, that I've tried to follow some Google web-search related help, again doing stop/start stuff with 'services', i.e., run: services, etc., etc., but again not helping.
So basically now I just run Spybot every day as my only defense. It appears that Symantec may still be working in the background, because every day I get a couple of Symantec pop-up warnings about virus threats it detected and deleted or quarantined; e.g., here is a log exported from Symantec's 'threat history' to Excel to here. Hope it comes to you in a good linear format. Your "Before You Post" sticky says not to use the wraparound stuff so I hope it's readable. Of these virus threats what caught my eye is that it appears that maybe the virus named kmlpgree.dll, a 'trojan vundo' which I've highlighted in bold and which auto-scan popped up hundreds of times for, may not have been removed. Also, all these threats were listed as type 'file' except for one listed as 'file-heuristics', whatever that means, which I've highlighted in bold. Also, it appears this all may have started about the 10th of February, but I've of course since cleared my IE cache and done disk cleanup. Also, I note a lot of these threats seem to be in system32 or System Volume Information \ restore......
One of the main problems I notice now is that every time I start my computer it says that it can't find an important file called C:\Windows\system32\bxuoydoe.dll. I think if I can figure out how to replace this file it may be the clue to getting everything else working again, but I can't find the file on Google, etc. I tried doing a system boot using my original XP Pro system disks to see if there was a function for restoring single files like this but nothing that I tried worked. I couldn't get the 'recovery console' to show up in the command line. I also, as it were, apparently deleted all my 'system restore' points automatically by 'turning off system restore' based on some advice somewhere. That may sound bad but I had earlier tried to do a 'system restore' myself to the earliest known good system restore point and it wouldn't let me anyway, so I figure some unscrupulous virus screwed my system restore capability anyway. So that's the history here, "in a nutshell". Below you'll find first the "threat history" from Symantec, next the "hijack log"; next I was gonna include the 'recovery history' from Spybot but there's no way to copy that to clipboard or export it (u might want to allow that, for future reference) so I'll just have to mention that when I've run Spybot, aside from the usual cookie/adware stuff it routinely catches, it seems like it's been catching the 'virtumonde' and/or the 'virtumonde.prx' virus a lot. The last one it caught, as of yesterday, was Virtumonde.prx, with this checkbox info: Autorun settings (c46840a3); HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c46840a3. Seems like this might have something to do with the 'bxuoydoe.dll' missing entry I noted before. Also, after the hijack log I've included the Spybot System Startup export file, and I'd note again that the same info having to do with the 'value' c46840a3 and the bxuoydoe.dll seems to be cropping up, which I highlighted in bold again.
I tried to 'toggle' or check/uncheck some of these last week to see if I could get the 'bxuoydoe.dll' file working again that my computer on startup always says is missing, and I'm never quite sure if I should 'allow' or 'deny' the change when the Spybot popup asking me to allow or deny pops up. Anyhow it seems I may have turned off some other stuff like my printer, Adobe, etc. etc. Last I have included the Spybot 'Resident' log for you of recent activity. Anyhow, hope someone there can make sense of this, it would be much appreciated, and I'd much rather donate to Spybot than have to take my chances and/or pay for some 'registry editor' or 'dll' fix thingy, etc. etc. Thanks a lot, forum name: hinow



SYMANTEC THREAT HISTORY
Date Filename Threat Threat Type Original Location Current Location
3/2/2009 11:20 A0080888.exe W32.Spamuzle.D File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP509\ Deleted
3/2/2009 6:31 azton.mt W32.Spamuzle.D File C:\WINDOWS\system32\ Deleted
3/1/2009 19:00 ypuweg.exe W32.Spamuzle.D File C:\ Deleted
2/28/2009 14:23 eicar.com EICAR Test String File C:\Documents and Settings\first user account\Desktop\ Deleted
2/28/2009 2:44 A0077621.dll Trojan Horse File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Quarantine
2/27/2009 21:11 A0077620.scr Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 17:18 A0077619.exe Backdoor.Trojan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP504\ Deleted
2/27/2009 0:31 cwxwwgtl.exe Trojan Horse File C:\ Quarantine
2/26/2009 13:13 wrhhchhm.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:12 nvaux32.dll Trojan Horse File C:\WINDOWS\system32\ Quarantine
2/26/2009 13:11 xccefb090131.scr Backdoor.Trojan File C:\WINDOWS\system32\inf\ Quarantine
2/26/2009 13:09 xccef090131.exe Backdoor.Trojan File C:\WINDOWS\system\ Quarantine
2/26/2009 12:58 A0077570.dll Packed.Generic.200 File; Heuristics C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP503\ Quarantine
2/25/2009 16:23 UACtdiqtkle.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/22/2009 18:59 A0077464.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/22/2009 17:23 A0077463.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP499\ Deleted
2/21/2009 16:21 isetdz.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/21/2009 16:21 bsbplilq.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/19/2009 14:31 A0076356.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 14:05 A0076355.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP492\ Deleted
2/19/2009 12:34 nwxway.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 12:33 kjvwmdhg.dll Trojan.Vundo File C:\WINDOWS\system32\ Quarantine
2/19/2009 0:10 A0073286.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 23:10 A0073285.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 22:10 A0073284.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 21:10 A0073283.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP490\ Deleted
2/18/2009 11:34 ytuareun.dll Trojan.Metajuan File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACyqjbtoqx.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:33 UACivrmpxdo.dll Packed.Generic.200 File C:\WINDOWS\system32\ Deleted
2/18/2009 11:32 dynopyxl.dll Trojan.Vundo File C:\WINDOWS\system32\ Deleted
2/18/2009 11:30 A0070182.dll Trojan.Metajuan File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP489\ Deleted
2/17/2009 19:15 PDATTC.DLL Trojan.Metajuan File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 19:08 A0070178.dll Packed.Generic.200 File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 18:08 A0070177.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 17:08 A0070174.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 16:08 A0070173.sys Hacktool.Rootkit File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP488\ Deleted
2/17/2009 15:13 UACRFUOYIWQ.DLL Packed.Generic.200 File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:07 PEHYEV.DLL Trojan.Vundo File C:\WINDOWS\SYSTEM32\ Deleted
2/17/2009 15:04 UAColtmxeht.sys Hacktool.Rootkit File C:\WINDOWS\system32\drivers\ Deleted
2/14/2009 14:30 xyephkl.exe Trojan.Dropper File C:\ Deleted
2/14/2009 14:30 bbsuper3[1].htm Trojan.Dropper File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\SA58RJ56\ Deleted
2/14/2009 14:30 dykhyp.exe Trojan Horse File C:\ Quarantine
2/14/2009 14:30 bbsuper2[1].htm Trojan Horse File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Quarantine
2/14/2009 14:30 xccdf16_090131a.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 14:30 xccdfb16_090131.dll Trojan Horse File C:\WINDOWS\system32\inf\ Quarantine
2/14/2009 14:30 xccdf32_090131a.dll W32.Hitapop File C:\WINDOWS\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\2G3BDBDO\ Deleted
2/14/2009 14:30 flirxnj.exe Downloader File C:\ Deleted
2/14/2009 14:30 khreff[1].htm Downloader File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\FB2EUXO5\ Deleted
2/14/2009 14:29 Mdaxagesagub.dll Trojan Horse File C:\WINDOWS\ Quarantine
2/14/2009 0:56 A0069181.dll Trojan.Vundo File C:\System Volume Information\_restore{D1D76C29-F47C-45DA-808F-C33413762A3E}\RP487\ Deleted
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/13/2009 12:37 kmlpgree.dll Trojan.Vundo File C:\WINDOWS\system32\ C:\WINDOWS\system32\
2/12/2009 12:11 divx20[1] Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\IA2M6OBV\ Quarantine
2/10/2009 2:28 img[1] Trojan.Metajuan File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\ C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\6XGSC7XY\
2/10/2009 2:21 apstpldr.dll[1].htm Trojan.Vundo File C:\Documents and Settings\first user account\Local Settings\Temporary Internet Files\Content.IE5\G24JGBSS\ Deleted




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:00 PM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\first user account\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CBTB00001 - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\toolbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f7aa622f-04d1-3458-cd04-a17a22863026} - {62036822-a71a-40dc-8543-1d40f226aa7f} - C:\WINDOWS\system32\pehyev.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [c46840a3] rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: GN-WP01GS Utility.lnk.disabled
O4 - Global Startup: HP OfficeJet T Series Startup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickPost - http://www.investorplaceblogs.com/cgi-bin/mt.cgi?__mode=reg_bm_js&bm_height=920&bm_show=t%2Cc%2Cac%2Cap%2Ccb%2Ce%2Cm%2Ck%2Ctg%2Cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O15 - Trusted Zone: http://video.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: www.ncs.com
O15 - Trusted Zone: www.epenslot04.ic.ncs.com
O15 - Trusted Zone: www.ic.ncs.com
O15 - Trusted Zone: www.ncspearson.com
O15 - Trusted Zone: www.pearson.com
O15 - Trusted Zone: http://www.flexiblescoring-act.pearson.com
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://oxps.webex.com/client/T26L/event/ieatgpc.cab
O20 - AppInit_DLLs: pehyev.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c963b2ee80eec) (gupdate1c963b2ee80eec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.laetitiacastaonline.com/series0%20maillot/laetitia0003.jpg
O24 - Desktop Component 1: (no name) - http://jobs.uiowa.edu/template/hrHome/graphics/background_tile.gif
O24 - Desktop Component 2: (no name) - http://sthumbnails.match.com/sthumbnails/47/75/35144775A.jpeg
O24 - Desktop Component 3: (no name) - http://sthumbnails.match.com/sthumbnails/74/05/40647405A.jpeg

--
End of file - 8245 bytes



SPYBOT Export File - System Startup

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-02-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi
2009-01-22 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-01-06 Includes\Dialer.sbi
2009-01-22 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-02-10 Includes\Hijackers.sbi
2009-02-10 Includes\HijackersC.sbi
2008-12-09 Includes\Keyloggers.sbi
2009-02-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-02-24 Includes\Malware.sbi
2009-02-24 Includes\MalwareC.sbi
2008-12-16 Includes\PUPS.sbi
2009-02-24 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-02-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-01-28 Includes\Spyware.sbi
2009-01-28 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2009-02-24 Includes\Trojans.sbi
2009-02-24 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, c46840a3
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, c46840a3 (DISABLED)
command: rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b
file: C:\WINDOWS\system32\bxuoydoe.dll size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, ccApp (DISABLED)
command: "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: c:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 66680
MD5: 05A76D9DD303DEF4DCC8EE18EE8C58B9

Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 4841472
MD5: 1D04D352F6E82C18D958B873EF3E3215

Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 323584
MD5: 5D8D50D90CBF3B5CC32100425545394A

Located: HK_LM:Run, PtiuPbmd (DISABLED)
command: Rundll32.exe ptipbm.dll,SetWriteBack
file: C:\WINDOWS\system32\ptipbm.dll
size: 24576
MD5: A5781BF1DB046648F03D6ED4FEF92796

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9C1C80BBF8E6044980890E2D2D91091C

Located: HK_LM:Run, vptray (DISABLED)
command: c:\PROGRA~1\SYMANT~1\VPTray.exe
file: c:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124232
MD5: 46AF9457FF9D22A5832490C546169363

Located: HK_CU:Run, CommCtr
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, SpybotSD TeaTimer
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:Run, Steam
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CommCtr (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
file: C:\PROGRA~1\NET2PH~1\CommCtr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, NVIEW (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: rundll32.exe nview.dll,nViewLoadHook
file: C:\WINDOWS\system32\nview.dll
size: 852038
MD5: 50E7B8475B394389D26ED552C772EADB

Located: HK_CU:Run, NvMediaCenter (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
file: C:\WINDOWS\system32\NVMCTRAY.DLL
size: 49152
MD5: E00C45ED7E7B869DC7C13D534BA16938

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:Run, Steam (DISABLED)
where: s-1-5-21-1454471165-1004336348-682003330-1003...
command: C:\Valve\Steam\Steam.exe -silent
file: C:\Valve\Steam\Steam.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Adobe Reader Speed Launch.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: DFCB9ADE94A4F8A7C42EEF41101A30AD

Located: Startup (common), GN-WP01GS Utility.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
file: C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
size: 720896
MD5: C219B3E34E323214F4FF6FF52A31B82E

Located: Startup (common), HP OfficeJet T Series Startup.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
file: C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
size: 1175552
MD5: F8578193D3F323934AF37189FF50B939

Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy (DISABLED)
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, navlogon (DISABLED)
command: c:\WINDOWS\system32\NavLogon.dll
file: c:\WINDOWS\system32\NavLogon.dll
size: 83272
MD5: 0C08E4D83ED6DDF9DB4D683ADC03AE35

Located: WinLogon, sccertprop (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, senslogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wgalogon (DISABLED)
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



SPYBOT 'RESIDENT' LOG

2/19/2009 8:21:48 AM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/19/2009 1:19:12 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 4:05:22 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/19/2009 7:55:37 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:50:11 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:28 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:52:42 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:04 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:20 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2/20/2009 9:58:21 PM Allowed (based on lassh blacklist) value "NvMediaCenter" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:03 PM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:08 PM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:09 PM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:10 PM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "ccApp" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "vptray" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "NvCplDaemon" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "nwiz" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:11 PM Allowed (based on lassh blacklist) value "PtiuPbmd" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:12 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
2/20/2009 10:07:33 PM Allowed (based on user decision) value "crypt32chain" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:08 PM Allowed (based on user decision) value "cryptnet" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:10 PM Allowed (based on user decision) value "cscdll" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:11 PM Allowed (based on user decision) value "dimsntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:13 PM Allowed (based on user decision) value "NavLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:14 PM Allowed (based on user decision) value "ScCertProp" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:16 PM Allowed (based on user decision) value "Schedule" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:17 PM Allowed (based on user decision) value "sclgntfy" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:18 PM Allowed (based on user decision) value "SensLogn" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:20 PM Allowed (based on user decision) value "termsrv" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:22 PM Allowed (based on user decision) value "WgaLogon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:24 PM Allowed (based on user decision) value "wlballoon" (new data: "") deleted in Winlogon Notifiers!
2/20/2009 10:08:25 PM Allowed (based on lassh blacklist) value "NVIEW" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:51 PM Allowed (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/21/2009 4:08:55 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:01 PM Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:07 PM Allowed (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/21/2009 4:09:15 PM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:17 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:29 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:09:44 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
2/21/2009 4:09:50 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/21/2009 4:10:31 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/26/2009 10:09:28 PM Allowed (based on lassh blacklist) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
2/26/2009 10:26:29 PM Allowed (based on user decision) value "CommCtr" (new data: "C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto") added in System Startup user entry!
2/26/2009 10:26:31 PM Allowed (based on user decision) value "Steam" (new data: "C:\Valve\Steam\Steam.exe -silent") added in System Startup user entry!
2/26/2009 10:26:32 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b") changed in System Startup global entry!
2/27/2009 1:42:35 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/27/2009 1:45:27 AM Denied (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:31 AM Denied (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:37 AM Denied (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
2/27/2009 1:45:38 AM Denied (based on user decision) value "CommCtr" (new data: "") deleted in System Startup user entry!
2/27/2009 1:46:13 AM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:05:52 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/1/2009 11:09:22 PM Denied (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
3/1/2009 11:54:53 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
3/2/2009 5:37:07 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
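
Two things in the logs above are worth checking mechanically rather than by eye: the same value "c46840a3" being deleted, re-added and re-blocked for days (each time pointing rundll32.exe at a DLL in system32), and the Winlogon notifier entries whose MD5 is the digest of zero bytes, which means the scanner hashed nothing, not the real file. The script below is an added example, not part of the original post or of Spybot: it parses a constructed subset of the TeaTimer resident log lines quoted above, counts how often TeaTimer had to block each startup value, extracts the DLL handed to rundll32, and separately lists "Located:" entries whose reported MD5 equals the empty-input hash. The eight-lowercase-letters DLL-name heuristic is an assumption of this example, not something the page states.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of the TeaTimer "Resident" log lines quoted in
# the post above, in the same format (raw string keeps the backslashes literal).
SAMPLE_LOG = r"""
2/19/2009 1:19:12 PM Denied (based on user decision) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/20/2009 9:58:20 PM Allowed (based on lassh blacklist) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
2/21/2009 4:09:44 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
2/21/2009 4:09:50 PM Denied (based on user blacklist) value "c46840a3" (new data: "") deleted in System Startup global entry!
2/26/2009 10:26:31 PM Allowed (based on user decision) value "Steam" (new data: "C:\Valve\Steam\Steam.exe -silent") added in System Startup user entry!
2/26/2009 10:26:32 PM Allowed (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll",b") changed in System Startup global entry!
3/1/2009 11:09:22 PM Denied (based on user decision) value "c46840a3" (new data: "rundll32.exe "C:\WINDOWS\system32\bxuoydoe.dll"") changed in System Startup global entry!
"""

# Constructed sample in the format of the "Located:" startup-list blocks above.
SAMPLE_STARTUP = """\
Located: WinLogon, wgalogon (DISABLED)
  command: WgaLogon.dll
  file: WgaLogon.dll
  size: 0
  MD5: D41D8CD98F00B204E9800998ECF8427E

Located: WinLogon, wlballoon (DISABLED)
  command: wlnotify.dll
  file: wlnotify.dll
  size: 0
  MD5: D41D8CD98F00B204E9800998ECF8427E
"""

# One TeaTimer resident-log line: timestamp, verdict, basis, value name,
# new data (may itself contain quotes), action, and the registry area.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<where>.+?)!$'
)
# rundll32.exe "<path>.dll"[,export]  ->  capture the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
# Heuristic (assumption of this example): 8 random lowercase letters + .dll
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.dll$', re.IGNORECASE)


def parse_resident_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_persistent_autoruns(events, min_denials=2):
    """Map value name -> reasons, for values TeaTimer blocked repeatedly or
    that hand rundll32 a random-looking DLL (a lead, not a verdict)."""
    stats = defaultdict(lambda: {"denied": 0, "payloads": set()})
    for ev in events:
        s = stats[ev["name"]]
        if ev["verdict"] == "Denied":
            s["denied"] += 1
        m = RUNDLL_RE.search(ev["data"])
        if m:
            s["payloads"].add(m.group(1))
    findings = {}
    for name, s in stats.items():
        reasons = []
        if s["denied"] >= min_denials:
            reasons.append(f"blocked {s['denied']} times")
        for path in sorted(s["payloads"]):
            if RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
                reasons.append(f"rundll32 loads random-looking DLL {path}")
        if reasons:
            findings[name] = reasons
    return findings


EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of zero bytes


def is_empty_input_hash(md5_hex):
    """True when a reported MD5 is the hash of nothing at all, i.e. the
    scanner could not read the file and the checksum says nothing about it."""
    return md5_hex.strip().lower() == EMPTY_MD5


LOCATED_RE = re.compile(r'^Located: (?P<entry>.+)$', re.M)
MD5_RE = re.compile(r'^\s*MD5: (?P<md5>[0-9A-Fa-f]{32})\s*$', re.M)


def unverified_startup_entries(text):
    """Names of 'Located:' blocks whose MD5 is the empty-input digest."""
    out = []
    for block in re.split(r'\n\s*\n', text.strip()):
        loc, md5 = LOCATED_RE.search(block), MD5_RE.search(block)
        if loc and md5 and is_empty_input_hash(md5.group("md5")):
            out.append(loc.group("entry"))
    return out


if __name__ == "__main__":
    for name, reasons in flag_persistent_autoruns(parse_resident_log(SAMPLE_LOG)).items():
        print(name, "->", "; ".join(reasons))
    for entry in unverified_startup_entries(SAMPLE_STARTUP):
        print("unverified (empty-input MD5):", entry)
```

On the sample, only "c46840a3" is reported (blocked three times, loading C:\WINDOWS\system32\bxuoydoe.dll through rundll32), and both Winlogon blocks come back as unverified because D41D8CD98F00B204E9800998ECF8427E is what MD5 returns for an empty input. Treat the random-name check as a lead only: a legitimate name like WgaLogon.dll is also eight letters, so the repeated-denial count is the stronger signal, and the final call belongs to the removal tools the helper asks for below.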

pskelley
2009-03-05, 01:41
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above, are the directions; make sure you have read and followed them.

You really need to read the directions: you have posted information not requested, you did not disable TeaTimer as instructed in the directions, and you have located HJT in an unsafe location.

1) Follow these directions to correctly locate HJT:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I request a HJT log later.

2) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5) Please look at all O15 items in the HJT log and tell me if you added those to the "Trusted Zone"

6) Please do not post any information I do not request. Make sure you understand we remove malware, and that may or may not correct other issues you seem to have.

Recap: Post
a. information about the O15 items
b. combofix log
c. HJT log run after combofix
d. uninstall list

Thanks

pskelley
2009-03-10, 18:58
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.