Virtumonde infection ... please HELP ...
I have been searching this site for a standard procedure to get rid of this virus but it seems like it is a case-by-case basis.
I have used Spybot S&D multiple times with the same result as everybody else. The virus always comes back. I have since disconnected the TeaTimer. I had run Ad-Aware too with no success.
I have downloaded ERUNT and made a backup per the instructions.
Now I just need some good soul willing to help me out of this ...
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:43 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {bb691a35-8810-b88a-4614-9176409f5897} - {7985f904-6719-4164-a88b-018853a196bb} - C:\WINDOWS\system32\dwxvph.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {ee6914eb-9afd-4bae-a7dc-c4ef660bc470} - C:\WINDOWS\system32\mayonibe.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [faguyelaju] Rundll32.exe "C:\WINDOWS\system32\difebebu.dll",s
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CPM0a3d035a] Rundll32.exe "c:\windows\system32\vunipoti.dll",a
O4 - HKLM\..\Run: [090e30c6] rundll32.exe "C:\WINDOWS\system32\lureboha.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA9528] command.com /c del "c:\windows\system32\vunipoti.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2755] cmd.exe /c del "c:\windows\system32\vunipoti.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1645] command.com /c del "C:\WINDOWS\system32\lureboha.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1997] cmd.exe /c del "C:\WINDOWS\system32\lureboha.dll_old"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB110] command.com /c del "c:\windows\system32\vunipoti.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3049] cmd.exe /c del "c:\windows\system32\vunipoti.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB564] command.com /c del "C:\WINDOWS\system32\lureboha.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2141] cmd.exe /c del "C:\WINDOWS\system32\lureboha.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [faguyelaju] Rundll32.exe "C:\WINDOWS\system32\difebebu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [faguyelaju] Rundll32.exe "C:\WINDOWS\system32\difebebu.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E927382D-F041-496E-B1CC-4DC7FCF6E223}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {05f29796-3e59-4b51-acb3-7dc756f75386} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pihuzura.dll c:\windows\system32\sesanujo.dll dwxvph.dll c:\windows\system32\setevari.dll c:\windows\system32\vunipoti.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vunipoti.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vunipoti.dll (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10838 bytes
Hi :)
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Hi Blade81,
Thanks for taking the time!
There seem to have been a couple of issues when running the script but I guess you will see what happened below. Don't know if it is a problem. I wasn't sure if I was supposed to zip the second file or attach it and I had read in another post that we shouldn't attach files for safety reasons, so, the file being pretty small, I just attached it.
-----
DDS
-----
DDS (Ver_09-03-16.01) - NTFSx86
Run by test at 10:18:41.67 on Sat 03/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1232 [GMT -6:00]
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\test\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {bb691a35-8810-b88a-4614-9176409f5897}: {7985f904-6719-4164-a88b-018853a196bb} - c:\windows\system32\dwxvph.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\_helper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ee6914eb-9afd-4bae-a7dc-c4ef660bc470} - c:\windows\system32\mayonibe.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [SpybotDeletingB110] command.com /c del "c:\windows\system32\vunipoti.dll_old"
uRunOnce: [SpybotDeletingD3049] cmd.exe /c del "c:\windows\system32\vunipoti.dll_old"
uRunOnce: [SpybotDeletingB564] command.com /c del "c:\windows\system32\lureboha.dll_old"
uRunOnce: [SpybotDeletingD2141] cmd.exe /c del "c:\windows\system32\lureboha.dll_old"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [faguyelaju] Rundll32.exe "c:\windows\system32\difebebu.dll",s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [CPM0a3d035a] Rundll32.exe "c:\windows\system32\vunipoti.dll",a
mRun: [090e30c6] rundll32.exe "c:\windows\system32\lureboha.dll",b
mRunOnce: [SpybotDeletingA9528] command.com /c del "c:\windows\system32\vunipoti.dll_old"
mRunOnce: [SpybotDeletingC2755] cmd.exe /c del "c:\windows\system32\vunipoti.dll_old"
mRunOnce: [SpybotDeletingA1645] command.com /c del "c:\windows\system32\lureboha.dll_old"
mRunOnce: [SpybotDeletingC1997] cmd.exe /c del "c:\windows\system32\lureboha.dll_old"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
TCP: {E927382D-F041-496E-B1CC-4DC7FCF6E223} = 68.94.156.1 68.94.157.1
Filter: text/html - {05f29796-3e59-4b51-acb3-7dc756f75386} - c:\windows\system32\mst123.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\pihuzura.dll c:\windows\system32\sesanujo.dll dwxvph.dll c:\windows\system32\setevari.dll c:\windows\system32\vunipoti.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vunipoti.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vunipoti.dll
LSA: Notification Packages = scecli c:\windows\system32\pihuzura.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\test\applic~1\mozilla\firefox\profiles\4uot4mhy.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-25 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-30 353672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2008-7-19 196409]
=============== Created Last 30 ================
2009-03-27 16:09 <DIR> --d----- c:\program files\Trend Micro
2009-03-26 07:40 128,000 a--sh--- c:\windows\system32\dwxvph.dll
2009-03-25 21:06 4,681,469,952 a------- C:\TROPIC_THUNDER.ISO
2009-03-25 20:39 109,960 a------- c:\windows\system32\~GLH0022.TMP
2009-03-25 19:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-25 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-25 19:32 4,681,676,800 a------- C:\THE_MUMMY_TOMB_OF_THE_DRAGON.ISO
2009-03-25 19:31 128,512 a--sh--- c:\windows\system32\hxkfli.dll
2009-03-25 19:22 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-25 18:36 3,717,068,800 a------- C:\THE_WAY_OF_WAR.ISO
2009-03-25 18:17 4,008,744,960 a------- C:\SMOKE_JUMPER.ISO
2009-03-25 17:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-25 17:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-25 17:48 <DIR> --d----- c:\program files\Lavasoft
2009-03-25 07:31 129,024 a--sh--- c:\windows\system32\unfrzf.dll
2009-03-24 18:01 129,024 a--sh--- c:\windows\system32\bkcunk.dll
2009-03-23 07:48 2,713 ---sh--- c:\windows\system32\yejoyego.exe
2009-03-16 18:33 <DIR> --d----- c:\program files\DVD Shrink
2009-02-28 20:04 <DIR> --d----- c:\program files\Common
==================== Find3M ====================
2009-03-26 19:38 95,232 a--sh--- c:\windows\system32\lolanayo.dll
2009-03-26 19:38 89,088 -------- c:\windows\system32\vafefudo.dll
2009-03-26 19:38 61,440 a--sh--- c:\windows\system32\pegatijo.exe
2009-03-26 17:49 190,874,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-26 17:49 2,526,164 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-26 07:40 128,000 a--sh--- c:\windows\system32\yapafeju.dll
2009-03-26 07:39 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-25 07:31 129,024 a--sh--- c:\windows\system32\bibujoki.dll
2009-03-25 07:31 94,208 a--sh--- c:\windows\system32\gigurizi.dll
2009-03-25 07:31 89,600 -------- c:\windows\system32\hukuyuvu.dll
2009-03-24 18:01 89,088 -------- c:\windows\system32\bafagogi.dll
2009-03-24 18:01 129,024 a--sh--- c:\windows\system32\velijiko.dll
2009-03-24 18:01 95,232 a--sh--- c:\windows\system32\regijewo.dll
2009-03-20 18:19 67,904 a------- c:\docume~1\test\applic~1\GDIPFONTCACHEV1.DAT
2009-02-15 23:10 72,584 a------- c:\windows\zllsputility.exe
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\difebebu.dll
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\mayonibe.dll
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\pihuzura.dll
2008-08-05 18:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080721\index.dat
2008-08-05 18:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat
============= FINISH: 10:19:53.90 ===============
---------
ATTACH
---------
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-03-16.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/17/2008 11:48:34 AM
System Uptime: 3/28/2009 2:44:19 AM (8 hours ago)
Motherboard: Quanta | | 30B9
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket S1 | 1607/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 62 GiB total, 15.767 GiB free.
D: is FIXED (FAT32) - 11 GiB total, 1.259 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP142: 2/3/2009 8:35:12 PM - System Checkpoint
RP143: 2/4/2009 9:49:33 PM - System Checkpoint
RP144: 2/5/2009 10:09:51 PM - System Checkpoint
RP145: 2/8/2009 5:51:13 PM - System Checkpoint
RP146: 2/9/2009 11:14:14 PM - System Checkpoint
RP147: 2/11/2009 8:33:27 AM - Software Distribution Service 3.0
RP148: 2/13/2009 5:05:51 PM - System Checkpoint
RP149: 2/16/2009 9:29:31 AM - System Checkpoint
RP150: 2/17/2009 6:58:24 PM - System Checkpoint
RP151: 2/19/2009 4:32:38 PM - System Checkpoint
RP152: 2/21/2009 12:16:36 PM - Unsigned driver install
RP153: 2/26/2009 7:29:38 AM - Software Distribution Service 3.0
RP154: 3/2/2009 7:10:34 PM - System Checkpoint
RP155: 3/6/2009 6:40:12 PM - System Checkpoint
RP156: 3/9/2009 6:30:21 PM - System Checkpoint
RP157: 3/10/2009 7:00:16 PM - System Checkpoint
RP158: 3/10/2009 6:49:49 PM - System Checkpoint
RP159: 3/11/2009 7:15:43 AM - Software Distribution Service 3.0
RP160: 3/12/2009 7:34:11 PM - System Checkpoint
RP161: 3/13/2009 7:06:16 PM - Removed AnswerWorks 5.0 English Runtime
RP162: 3/13/2009 7:06:25 PM - Removed TurboTax 2008 WinPerUserEducation
RP163: 3/13/2009 7:06:57 PM - Removed TurboTax 2008 WinPerProgramHelp
RP164: 3/13/2009 7:07:49 PM - Removed TurboTax 2008 WinPerTaxSupport
RP165: 3/13/2009 7:08:35 PM - Removed TurboTax 2008 WinPerFedFormset
RP166: 3/13/2009 7:10:37 PM - Removed TurboTax 2008 WinPerReleaseEngine
RP167: 3/13/2009 7:12:11 PM - Removed TurboTax 2008 wrapper
RP168: 3/15/2009 2:38:17 PM - Installed Windows Media Player 11
RP169: 3/15/2009 2:42:16 PM - Installed Windows XP MSCompPackV1.
RP170: 3/16/2009 3:49:30 PM - System Checkpoint
RP171: 3/17/2009 8:02:18 AM - Software Distribution Service 3.0
RP172: 3/20/2009 5:28:46 PM - System Checkpoint
RP173: 3/22/2009 9:36:40 AM - System Checkpoint
RP174: 3/23/2009 12:59:21 PM - System Checkpoint
RP175: 3/25/2009 4:57:51 PM - System Checkpoint
RP176: 3/27/2009 1:54:42 PM - System Checkpoint
==== Installed Programs ======================
AC3Filter (remove only)
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
AiO_Scan_CDA
AiOSoftwareNPI
Apple Software Update
ArcSoft VideoImpression 2
AutoUpdate
AviSynth 2.5
BufferChm
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Creative WebCam Center
Creative WebCam Live! Ultra Driver (1.01.03.0127)
Creative WebCam Live! Ultra User's Guide (English)
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DivX
DocProc
DocProcQFolder
DVD-WMV
DVD Shrink 3.2
Easy Internet Sign-up
ERUNT 1.1j
eSupportQFolder
F300
F300_Help
Fax_CDA
FullDPAppQFolder
Get Yahoo! Messenger
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Photosmart, Officejet and Deskjet 7.0.A
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Solution Center 7.0
HP Update
HP User Guides 0032
HP Wireless Assistant 2.00 G2
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
InstantShareDevicesMFC
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
Java(TM) 6 Update 7
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MovieEdit Task
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
NetWaiting
NewCopy_CDA
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
Office 2003 Trial Assistant
OptionalContentQFolder
Otto
PhotoGallery
PhotoStitch
ProductContextNPI
Quicken 2006
QuickTime
RandMap
RAW Image Task 1.2
Readme
RemoteCapture Task 1.1
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SkinsHP1
Skype™ 3.8
Soft Data Fax Modem with SmartCP
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
SpeechRedist
Spybot - Search & Destroy
Status
Steam
Synaptics Pointing Device Driver
Toolbox
TourSetup
TrayApp
Unload
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vongo
Warcraft III: All Products
WebFldrs XP
WebReg
WinAce Archiver 2.0
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm Security Suite
==== Event Viewer Messages From Past Week ========
3/22/2009 12:04:29 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:04:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
3/22/2009 12:03:58 PM, error: Service Control Manager [7000] - The Media Center Extender Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Extender Service service to connect.
3/22/2009 12:03:58 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
3/22/2009 12:03:58 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7000] - The Distributed Transaction Coordinator service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Distributed Transaction Coordinator service to connect.
3/21/2009 12:53:19 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/25/2009 9:48:16 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
Hi again,
Disable Ad-Watch (http://www.lavasoftsupport.com/index.php?showtopic=19804)
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Hi,
OK, it seemed to run OK. No problems so far.
Here is the log:
ComboFix 09-03-28.06 - test 2009-03-29 11:52:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1523 [GMT -6:00]
Running from: c:\documents and settings\test\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\test\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common\_helper.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\system32\ahoberul.ini
c:\windows\system32\bafagogi.dll
c:\windows\system32\bibujoki.dll
c:\windows\system32\bkcunk.dll
c:\windows\system32\difebebu.dll
c:\windows\system32\dwxvph.dll
c:\windows\system32\gigurizi.dll
c:\windows\system32\hukuyuvu.dll
c:\windows\system32\hxkfli.dll
c:\windows\system32\lolanayo.dll
c:\windows\system32\mayonibe.dll
c:\windows\system32\pihuzura.dll
c:\windows\system32\regijewo.dll
c:\windows\system32\unfrzf.dll
c:\windows\system32\vafefudo.dll
c:\windows\system32\velijiko.dll
c:\windows\system32\yapafeju.dll
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 13:05 . 2009-03-27 13:05 <DIR> d-------- c:\program files\ERUNT
2009-03-26 19:03 . 2009-03-26 19:03 0 --a------ c:\windows\nsreg.dat
2009-03-25 21:06 . 2009-03-25 21:43 4,681,469,952 --a------ C:\TROPIC_THUNDER.ISO
2009-03-25 20:39 . 2009-02-15 23:10 109,960 --a------ c:\windows\system32\~GLH0022.TMP
2009-03-25 19:38 . 2009-03-25 19:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-25 19:38 . 2009-03-25 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 19:22 . 2009-03-09 13:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-25 18:36 . 2009-03-25 18:55 3,717,068,800 --a------ C:\THE_WAY_OF_WAR.ISO
2009-03-25 18:17 . 2009-03-25 18:34 4,008,744,960 --a------ C:\SMOKE_JUMPER.ISO
2009-03-25 17:52 . 2009-03-25 17:52 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-25 17:52 . 2009-03-09 13:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-25 17:48 . 2009-03-25 17:48 <DIR> d-------- c:\program files\Lavasoft
2009-03-25 17:48 . 2009-03-25 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-25 17:48 . 2009-03-25 17:48 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-23 07:48 . 2009-03-23 07:48 2,713 ---hs---- c:\windows\system32\yejoyego.exe
2009-03-16 18:33 . 2009-03-16 18:33 <DIR> d-------- c:\program files\DVD Shrink
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 18:09 191,629,344 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-29 17:55 2,567,012 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-29 17:53 --------- d-----w c:\program files\Common
2009-03-29 17:26 --------- d-----w c:\documents and settings\test\Application Data\Skype
2009-03-29 16:33 --------- d-----w c:\documents and settings\test\Application Data\skypePM
2009-03-26 02:31 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-21 00:19 67,904 ----a-w c:\documents and settings\test\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 01:11 --------- d-----w c:\program files\Common Files\Intuit
2009-03-04 19:28 --------- d-----w c:\documents and settings\test\Application Data\MailFrontier
2009-02-16 05:10 72,584 ----a-w c:\windows\zllsputility.exe
2009-02-01 17:38 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-01 17:38 --------- d-----w c:\documents and settings\test\Application Data\Intuit
2009-02-01 17:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-08-06 00:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071420080721\index.dat
2008-08-06 00:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 c:\windows\system32\CHDAudPropShortcut.exe]
"VF0060 STISvc"="V0060Pin.dll" [2004-10-31 c:\windows\system32\V0060Pin.dll]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-20 17:04 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\steamxav\\half-life\\hl.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-25 64160]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2008-07-19 196409]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8b9c2ff-c48a-11dd-b11c-0016366f1240}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:06]
2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{7985f904-6719-4164-a88b-018853a196bb} - c:\windows\system32\dwxvph.dll
BHO-{ee6914eb-9afd-4bae-a7dc-c4ef660bc470} - c:\windows\system32\mayonibe.dll
HKLM-Run-090e30c6 - c:\windows\system32\lureboha.dll
HKLM-Run-CPM0a3d035a - c:\windows\system32\vunipoti.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {E927382D-F041-496E-B1CC-4DC7FCF6E223} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\4uot4mhy.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 12:13:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????\??????Y?@?????<?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-29 12:16:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 18:16:48
Pre-Run: 21,973,753,856 bytes free
Post-Run: 21,918,351,360 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
232 --- E O F --- 2009-03-17 14:07:00
Hi again,
Open Notepad and copy/paste the text in the quote box below into it:
DDS::
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
File::
c:\windows\system32\yejoyego.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
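As an added illustration (not part of this thread, and not ComboFix's own code) of what a helper looks for when reading a log like the one posted above: the Python script below parses a constructed excerpt laid out the same way, flags the eight-letter consonant/vowel names in system32 that recur in the "Other Deletions" list, files created with hidden+system attributes, and the Security Center and firewall values that the CFScript's Registry:: section resets. It assumes the section banners, attribute column and key/value lines follow the format shown in the logs posted above; the sample excerpt reuses a few entries from them and is sample input only.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the ComboFix log layout used in this thread; the
# entries are copied or adapted from the logs posted above. Sample input only.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common\helper.dll
c:\windows\system32\bafagogi.dll
c:\windows\system32\mayonibe.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 19:22 . 2009-03-09 13:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-23 07:48 . 2009-03-23 07:48 2,713 ---hs---- c:\windows\system32\yejoyego.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # "(((( Title ))))" banners
CREATED_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (<DIR>|[\d,]+) (\S{9}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
VOWELS = set("aeiou")
# Security Center values that, when set to 1, silence the "not protected" warnings.
NOTIFY_VALUES = {"updatesdisablenotify", "antivirusdisablenotify",
                 "firewalldisablenotify", "disablemonitoring"}


def split_sections(text):
    """Group the log's lines under the banner that precedes them."""
    sections, current = {}, "preamble"
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def section(sections, prefix):
    """Look a section up by the start of its banner ("Files Created" carries dates)."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def looks_generated(stem):
    """Eight lowercase letters strictly alternating consonant/vowel: the shape
    of bafagogi, mayonibe or yejoyego in the deletion list above."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    kinds = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def flag_files(sections):
    """(path, reason) pairs for deleted or newly created files worth a second look."""
    findings = []
    for path in section(sections, "Other Deletions"):
        if in_system32(path) and looks_generated(PureWindowsPath(path).stem.lower()):
            findings.append((path, "generated-looking name in system32"))
    for line in section(sections, "Files Created"):
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        reasons = []
        if size != "<DIR>" and "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        if in_system32(path) and looks_generated(PureWindowsPath(path).stem.lower()):
            reasons.append("generated-looking name in system32")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


def flag_registry(sections):
    """(key, value, reason) for values that hide or switch off protection,
    the kind the CFScript's Registry:: block above sets back to default."""
    findings, key = [], ""
    for line in section(sections, "Reg Loading Points"):
        k = KEY_RE.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, data = v.group(1), v.group(2).strip().lower()
        if "security center" in key and name.lower() in NOTIFY_VALUES and data == "dword:00000001":
            findings.append((key, name, "Security Center warning silenced"))
        elif "firewallpolicy" in key and name.lower() == "enablefirewall" and data.startswith("0"):
            findings.append((key, name, "Windows Firewall profile off (expected with a third-party firewall)"))
    return findings


def analyse(text):
    sections = split_sections(text)
    return {"files": flag_files(sections), "registry": flag_registry(sections)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item, sep=" | ")
```

The alternation rule deliberately does not cover the six-letter consonant-heavy names that also appear in the deletion list (bkcunk, dwxvph, hxkfli, unfrzf); a rule for those needs an allowlist, because legitimate short names such as ctfmon look the same to a letter-pattern test. Likewise "EnableFirewall"=0 is reported with a caveat rather than as a finding on its own: it is the normal state when a third-party firewall such as ZoneAlarm is installed, and only matters together with the other signs.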
Hi Blade81,
OK, I'll work on all of that. It will probably be tomorrow by the time I get to run all of this.
Just curious ... Would you mind explaining to me what the little script does? Just out of interest.
Here is the new combofix log:
ComboFix 09-03-29.02 - test 2009-03-29 17:59:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -6:00]
Running from: c:\documents and settings\test\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\test\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\yejoyego.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\yejoyego.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.
2009-03-27 16:09 . 2009-03-27 16:09 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 13:05 . 2009-03-27 13:05 <DIR> d-------- c:\program files\ERUNT
2009-03-26 19:03 . 2009-03-26 19:03 0 --a------ c:\windows\nsreg.dat
2009-03-25 21:06 . 2009-03-25 21:43 4,681,469,952 --a------ C:\TROPIC_THUNDER.ISO
2009-03-25 20:39 . 2009-02-15 23:10 109,960 --a------ c:\windows\system32\~GLH0022.TMP
2009-03-25 19:38 . 2009-03-25 19:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-25 19:38 . 2009-03-25 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 19:22 . 2009-03-09 13:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-25 18:36 . 2009-03-25 18:55 3,717,068,800 --a------ C:\THE_WAY_OF_WAR.ISO
2009-03-25 18:17 . 2009-03-25 18:34 4,008,744,960 --a------ C:\SMOKE_JUMPER.ISO
2009-03-25 17:52 . 2009-03-25 17:52 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-25 17:52 . 2009-03-09 13:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-25 17:48 . 2009-03-25 17:48 <DIR> d-------- c:\program files\Lavasoft
2009-03-25 17:48 . 2009-03-25 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-25 17:48 . 2009-03-25 17:48 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 18:33 . 2009-03-16 18:33 <DIR> d-------- c:\program files\DVD Shrink
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 00:01 192,301,344 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-29 17:55 2,567,012 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-29 17:53 --------- d-----w c:\program files\Common
2009-03-29 17:26 --------- d-----w c:\documents and settings\test\Application Data\Skype
2009-03-29 16:33 --------- d-----w c:\documents and settings\test\Application Data\skypePM
2009-03-27 01:38 61,440 --sha-w c:\windows\system32\pegatijo.exe
2009-03-26 02:31 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-25 23:57 3,041,792 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-03-21 18:52 2,880,733 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-03-21 18:50 2,160,640 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-03-21 00:19 67,904 ----a-w c:\documents and settings\test\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 01:11 --------- d-----w c:\program files\Common Files\Intuit
2009-03-12 20:51 250,368 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-03-11 13:24 773,632 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-03-09 13:49 2,932,224 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-03-04 19:28 --------- d-----w c:\documents and settings\test\Application Data\MailFrontier
2009-03-03 00:49 164,926 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_02_18_48_52_small.dmp.zip
2009-02-16 05:10 72,584 ----a-w c:\windows\zllsputility.exe
2009-02-16 05:10 1,221,512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-11 17:04 20,581,647 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_02_11_08_43_24_full.dmp.zip
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-04 03:29 167,329 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_03_21_29_03_small.dmp.zip
2009-02-01 17:38 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-01 17:38 --------- d-----w c:\documents and settings\test\Application Data\Intuit
2009-02-01 17:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-17 04:54 2,078,208 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-12 15:17 165,915 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_12_09_17_33_small.dmp.zip
2008-08-06 00:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071420080721\index.dat
2008-08-06 00:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 c:\windows\system32\CHDAudPropShortcut.exe]
"VF0060 STISvc"="V0060Pin.dll" [2004-10-31 c:\windows\system32\V0060Pin.dll]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-20 17:04 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\steamxav\\half-life\\hl.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-25 64160]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2008-07-19 196409]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8b9c2ff-c48a-11dd-b11c-0016366f1240}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:06]
2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {E927382D-F041-496E-B1CC-4DC7FCF6E223} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\4uot4mhy.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 18:02:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????\??????Y?@?????<?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-03-29 18:03:56
ComboFix-quarantined-files.txt 2009-03-30 00:03:53
ComboFix2.txt 2009-03-29 18:16:53
Pre-Run: 21,902,528,512 bytes free
Post-Run: 21,894,307,840 bytes free
187 --- E O F --- 2009-03-17 14:07:00
Kaspersky scan did not return any problems.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 30, 2009 01:33:34
Records in database: 1985673
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 72749
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:32:58
No malware has been detected. The scan area is clean.
The selected area was scanned.
DDS:
DDS (Ver_09-03-16.01) - NTFSx86
Run by test at 21:21:13.65 on Sun 03/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1471 [GMT -6:00]
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\test\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {E927382D-F041-496E-B1CC-4DC7FCF6E223} = 68.94.156.1 68.94.157.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\test\applic~1\mozilla\firefox\profiles\4uot4mhy.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-25 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-30 353672]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2008-7-19 196409]
=============== Created Last 30 ================
2009-03-29 18:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-29 11:51 <DIR> a-dshr-- C:\cmdcons
2009-03-29 11:49 161,792 a------- c:\windows\SWREG.exe
2009-03-29 11:49 98,816 a------- c:\windows\sed.exe
2009-03-27 16:09 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 21:06 4,681,469,952 a------- C:\TROPIC_THUNDER.ISO
2009-03-25 20:39 109,960 a------- c:\windows\system32\~GLH0022.TMP
2009-03-25 19:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-25 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-25 19:22 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-25 18:36 3,717,068,800 a------- C:\THE_WAY_OF_WAR.ISO
2009-03-25 18:17 4,008,744,960 a------- C:\SMOKE_JUMPER.ISO
2009-03-25 17:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-25 17:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-25 17:48 <DIR> --d----- c:\program files\Lavasoft
2009-03-16 18:33 <DIR> --d----- c:\program files\DVD Shrink
2009-02-28 20:04 <DIR> --d----- c:\program files\Common
==================== Find3M ====================
2009-03-29 21:20 193,641,760 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-29 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-29 18:27 2,580,356 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-26 19:38 61,440 a--sh--- c:\windows\system32\pegatijo.exe
2009-03-26 07:39 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-20 18:19 67,904 a------- c:\docume~1\test\applic~1\GDIPFONTCACHEV1.DAT
2009-02-15 23:10 72,584 a------- c:\windows\zllsputility.exe
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-05 18:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080721\index.dat
2008-08-05 18:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat
============= FINISH: 21:21:48.93 ===============
ATTACH:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-03-16.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/17/2008 11:48:34 AM
System Uptime: 3/29/2009 6:27:28 PM (3 hours ago)
Motherboard: Quanta | | 30B9
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket S1 | 1607/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 62 GiB total, 20.453 GiB free.
D: is FIXED (FAT32) - 11 GiB total, 1.259 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP142: 2/3/2009 8:35:12 PM - System Checkpoint
RP143: 2/4/2009 9:49:33 PM - System Checkpoint
RP144: 2/5/2009 10:09:51 PM - System Checkpoint
RP145: 2/8/2009 5:51:13 PM - System Checkpoint
RP146: 2/9/2009 11:14:14 PM - System Checkpoint
RP147: 2/11/2009 8:33:27 AM - Software Distribution Service 3.0
RP148: 2/13/2009 5:05:51 PM - System Checkpoint
RP149: 2/16/2009 9:29:31 AM - System Checkpoint
RP150: 2/17/2009 6:58:24 PM - System Checkpoint
RP151: 2/19/2009 4:32:38 PM - System Checkpoint
RP152: 2/21/2009 12:16:36 PM - Unsigned driver install
RP153: 2/26/2009 7:29:38 AM - Software Distribution Service 3.0
RP154: 3/2/2009 7:10:34 PM - System Checkpoint
RP155: 3/6/2009 6:40:12 PM - System Checkpoint
RP156: 3/9/2009 6:30:21 PM - System Checkpoint
RP157: 3/10/2009 7:00:16 PM - System Checkpoint
RP158: 3/10/2009 6:49:49 PM - System Checkpoint
RP159: 3/11/2009 7:15:43 AM - Software Distribution Service 3.0
RP160: 3/12/2009 7:34:11 PM - System Checkpoint
RP161: 3/13/2009 7:06:16 PM - Removed AnswerWorks 5.0 English Runtime
RP162: 3/13/2009 7:06:25 PM - Removed TurboTax 2008 WinPerUserEducation
RP163: 3/13/2009 7:06:57 PM - Removed TurboTax 2008 WinPerProgramHelp
RP164: 3/13/2009 7:07:49 PM - Removed TurboTax 2008 WinPerTaxSupport
RP165: 3/13/2009 7:08:35 PM - Removed TurboTax 2008 WinPerFedFormset
RP166: 3/13/2009 7:10:37 PM - Removed TurboTax 2008 WinPerReleaseEngine
RP167: 3/13/2009 7:12:11 PM - Removed TurboTax 2008 wrapper
RP168: 3/15/2009 2:38:17 PM - Installed Windows Media Player 11
RP169: 3/15/2009 2:42:16 PM - Installed Windows XP MSCompPackV1.
RP170: 3/16/2009 3:49:30 PM - System Checkpoint
RP171: 3/17/2009 8:02:18 AM - Software Distribution Service 3.0
RP172: 3/20/2009 5:28:46 PM - System Checkpoint
RP173: 3/22/2009 9:36:40 AM - System Checkpoint
RP174: 3/23/2009 12:59:21 PM - System Checkpoint
RP175: 3/25/2009 4:57:51 PM - System Checkpoint
RP176: 3/27/2009 1:54:42 PM - System Checkpoint
RP177: 3/29/2009 11:50:03 AM - ComboFix created restore point
RP178: 3/29/2009 5:59:11 PM - ComboFix created restore point
RP179: 3/29/2009 6:16:57 PM - Removed Adobe Reader 7.0.5
RP180: 3/29/2009 6:24:03 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP181: 3/29/2009 6:24:32 PM - Removed Java(TM) 6 Update 10
RP182: 3/29/2009 6:25:08 PM - Removed Java(TM) 6 Update 7
RP183: 3/29/2009 6:31:13 PM - Installed Java(TM) 6 Update 13
==== Installed Programs ======================
AC3Filter (remove only)
Ad-Aware
AiO_Scan_CDA
AiOSoftwareNPI
Apple Software Update
ArcSoft VideoImpression 2
AutoUpdate
AviSynth 2.5
BufferChm
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Creative WebCam Center
Creative WebCam Live! Ultra Driver (1.01.03.0127)
Creative WebCam Live! Ultra User's Guide (English)
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DivX
DocProc
DocProcQFolder
DVD-WMV
DVD Shrink 3.2
Easy Internet Sign-up
ERUNT 1.1j
eSupportQFolder
F300
F300_Help
Fax_CDA
FullDPAppQFolder
Get Yahoo! Messenger
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Photosmart, Officejet and Deskjet 7.0.A
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Solution Center 7.0
HP Update
HP User Guides 0032
HP Wireless Assistant 2.00 G2
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
InstantShareDevicesMFC
Java(TM) 6 Update 13
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MovieEdit Task
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
NetWaiting
NewCopy_CDA
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
Office 2003 Trial Assistant
OptionalContentQFolder
Otto
PhotoGallery
PhotoStitch
ProductContextNPI
Quicken 2006
QuickTime
RandMap
RAW Image Task 1.2
Readme
RemoteCapture Task 1.1
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SkinsHP1
Skype™ 3.8
Soft Data Fax Modem with SmartCP
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
SpeechRedist
Spybot - Search & Destroy
Status
Steam
Synaptics Pointing Device Driver
Toolbox
TourSetup
TrayApp
Unload
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vongo
Warcraft III: All Products
WebFldrs XP
WebReg
WinAce Archiver 2.0
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm Security Suite
==== Event Viewer Messages From Past Week ========
3/25/2009 5:18:03 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/22/2009 12:04:29 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:04:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
3/22/2009 12:03:58 PM, error: Service Control Manager [7000] - The Media Center Extender Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Extender Service service to connect.
3/22/2009 12:03:58 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
3/22/2009 12:03:58 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7000] - The Distributed Transaction Coordinator service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/22/2009 12:03:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Distributed Transaction Coordinator service to connect.
3/25/2009 9:48:16 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/29/2009 12:11:07 PM, error: Service Control Manager [7034] - The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).
3/29/2009 12:11:55 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
Just curious ... Would you mind explaining to me what the little script does? Just out of interest.
A few little things to help your system a bit ;)
How's the system running now?
Working fine, thanks. I haven't seen any pop-ups in a while.
Regarding the script, part of it was used to remove the yejoyego virus, but I was curious about the part for Windows Media Player? Does it have something to do with how I might have gotten the virus?
Hi
The entry was fixed because it doesn't belong there. Also, it may not be a Windows Media Player related file. Bad files may have legit names too.
Anyway, I don't think that caused the infection. I recommend reading this (http://forums.spybot.info/showthread.php?t=279) topic to get some idea of what might have caused the infection.
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
You may also delete dds.scr file and related logs now.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
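A small hosts-file auditor, added here as an example (it is not part of the thread, of Blade's instructions, or of the MVPS hosts project): it parses a hosts file in the format Windows uses, counts the names that are blocked by being mapped to a null address, and flags entries that instead redirect a name to some other address, which a blocklist should never contain and which is worth reviewing on a machine that has been infected. The sample hosts content inside it is constructed, and the default file path is the standard Windows location.

```python
"""Audit a Windows hosts file used as a blocklist.

Added example for this thread; the sample hosts text below is constructed.
"""
from __future__ import annotations

import ipaddress
import os
import re
import sys
from dataclasses import dataclass, field

# A blocklist entry is expected to point at one of these: the request goes
# nowhere (0.0.0.0) or to the local machine, which is how "blocking" works.
NULL_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names Windows maps to the local machine by default; not blocklist entries.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)

# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# Constructed sample for this example, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net                 # blocklist entry
0.0.0.0 tracker.example.org telemetry.example.org
0.0.0.0 ads.example.net                 # duplicate of line 4
198.51.100.7 update.example-vendor.com  # not a null address: review this
not-an-ip some.host                     # malformed address
"""


@dataclass
class HostsAudit:
    blocked: dict[str, str] = field(default_factory=dict)    # name -> null address
    redirects: dict[str, str] = field(default_factory=dict)  # name -> other address
    duplicates: list[str] = field(default_factory=list)      # names seen twice
    malformed: list[tuple[int, str]] = field(default_factory=list)  # (line no, text)


def parse_hosts(text: str) -> HostsAudit:
    """Parse hosts-file text; first mapping of a name wins, as Windows resolves it."""
    audit = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            audit.malformed.append((lineno, raw))
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            audit.malformed.append((lineno, raw))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if not _HOSTNAME_RE.match(name):
                audit.malformed.append((lineno, raw))
                continue
            if name in LOCALHOST_NAMES:
                continue
            if name in audit.blocked or name in audit.redirects:
                audit.duplicates.append(name)
                continue
            if addr in NULL_ADDRESSES:
                audit.blocked[name] = addr
            else:
                audit.redirects[name] = addr  # sends traffic somewhere real: review
    return audit


def report(audit: HostsAudit) -> list[str]:
    """Human-readable findings, most important first."""
    lines = [f"{len(audit.blocked)} hostnames blocked (mapped to a null address)"]
    for name, addr in sorted(audit.redirects.items()):
        lines.append(f"REVIEW: {name} -> {addr} (not a null address; a blocklist should not redirect)")
    for name in audit.duplicates:
        lines.append(f"duplicate entry ignored: {name}")
    for lineno, raw in audit.malformed:
        lines.append(f"malformed line {lineno}: {raw.strip()}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
    else:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_HOSTS  # fall back to the constructed sample
    print("\n".join(report(parse_hosts(content))))
```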
Hi Blade,
Everything seems to be fine. Ran the updates also.
Thanks a lot for your help on this ! Couldn't have done it by myself ...
Xmann
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.