View Full Version : Virtumonde + a ton of other infections im sure
TheBladechild
2009-05-12, 11:39
Iv tried to fix this myself after reading some earlier posts on theses forums, but I'v probably did more harm then good. Heres my HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:12 AM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Brownie\BrstsWnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O1 - Hosts: anner.info
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ac940494-3e8d-bcab-6ff4-b221d98a62d4} - {4d26a89d-122b-4ff6-bacb-d8e3494049ca} - C:\WINDOWS\system32\rmvhar.dll
O2 - BHO: (no name) - {a50cc7d6-fe12-4731-a173-d8645ee9b928} - C:\WINDOWS\system32\wigudozi.dll (file missing)
O2 - BHO: adssite - {d2664ebb-ee0a-0693-81bc-b9f05f0b0c13} - C:\WINDOWS\system32\nsq4A.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CPMf7256025] Rundll32.exe "c:\windows\system32\guluzemu.dll",a
O4 - HKLM\..\Run: [f41653b9] rundll32.exe "C:\WINDOWS\system32\vezowolu.dll",b
O4 - HKLM\..\Run: [jukaveraki] Rundll32.exe "C:\WINDOWS\system32\dubavalu.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8822] command.com /c del "C:\WINDOWS\system32\wigudozi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2996] cmd.exe /c del "C:\WINDOWS\system32\wigudozi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1512] command.com /c del "C:\WINDOWS\system32\dubavalu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8364] cmd.exe /c del "C:\WINDOWS\system32\dubavalu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2864] command.com /c del "c:\windows\system32\guluzemu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3201] cmd.exe /c del "c:\windows\system32\guluzemu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7396] command.com /c del "C:\WINDOWS\system32\vezowolu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1622] cmd.exe /c del "C:\WINDOWS\system32\vezowolu.dll_old"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingB1158] command.com /c del "C:\WINDOWS\system32\wigudozi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9753] cmd.exe /c del "C:\WINDOWS\system32\wigudozi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4914] command.com /c del "C:\WINDOWS\system32\dubavalu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4826] cmd.exe /c del "C:\WINDOWS\system32\dubavalu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3213] command.com /c del "c:\windows\system32\guluzemu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1537] cmd.exe /c del "c:\windows\system32\guluzemu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7390] command.com /c del "C:\WINDOWS\system32\vezowolu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6048] cmd.exe /c del "C:\WINDOWS\system32\vezowolu.dll_old"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\guluzemu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\guluzemu.dll (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10525 bytes
Hello TheBladechild
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
TheBladechild
2009-05-14, 03:49
Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 2
5/13/2009 6:39:16 PM
mbam-log-2009-05-13 (18-39-16).txt
Scan type: Quick Scan
Objects scanned: 91138
Time elapsed: 8 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 26
Registry Values Infected: 13
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 51
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\liguzeju.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rmvhar.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bebuviza.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\guhefawa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll (Adware.Adrotator) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d26a89d-122b-4ff6-bacb-d8e3494049ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d26a89d-122b-4ff6-bacb-d8e3494049ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a50cc7d6-fe12-4731-a173-d8645ee9b928} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a50cc7d6-fe12-4731-a173-d8645ee9b928} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d26a89d-122b-4ff6-bacb-d8e3494049ca} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c8a568e-4201-478a-8536-526cf371d2e2} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfefd25d-a08d-beef-a3b8-2fc8cbab0ba6 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2664ebb-ee0a-0693-81bc-b9f05f0b0c13} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d2664ebb-ee0a-0693-81bc-b9f05f0b0c13} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f41653b9 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb7390 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd6048 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga7396 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc1622 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jukaveraki (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf7256025 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb3213 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1537 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga2864 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3201 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rmvhar.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bebuviza.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\azivubeb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\itodetek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vezowolu.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulowozev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\liguzeju.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\guhefawa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\guluzemu.dll_old (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\instsp2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\beromavu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bitaloyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bonopefo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dfefd25d-a08d-beef-a3b8-2fc8cbab0ba6.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hafosivi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hobolaku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kivebeki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pozofohu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sekoseye.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sidubage.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sobonewu.dll (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\surikujo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tudalumu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vejepoka.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wibovaha.dll (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\levohaso.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nawodope.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yesigoju.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zagawube.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zifubogu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zufusosa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hemudapa.dll (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\4c5feb72-e9d1-785e-c5c7-e1adb3eee19f.dll (Adware.Yoog) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zimusure.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sadeyoli.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nevorefa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ligamosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nukatojo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lahofipe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hapijowi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll (Adware.Adrotator) -> Delete on reboot.
C:\WINDOWS\system32\nagefipi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zadasola.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bujumuto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lijuhidi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jewipaje.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jogopamo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fubatuzo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\halihupe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsq4A.dll (Adware.BHO) -> Quarantined and deleted successfully.
Heres my HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:10 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O1 - Hosts: anner.info
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a50cc7d6-fe12-4731-a173-d8645ee9b928} - C:\WINDOWS\system32\wigudozi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [jukaveraki] Rundll32.exe "C:\WINDOWS\system32\dubavalu.dll",s
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
Good Morning,
You had a lot of Vundo on this system but I need to see the complete Hijackthis log please.
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.
TheBladechild
2009-05-14, 11:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:25 AM, on 5/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O1 - Hosts: anner.info
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a50cc7d6-fe12-4731-a173-d8645ee9b928} - C:\WINDOWS\system32\wigudozi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [jukaveraki] Rundll32.exe "C:\WINDOWS\system32\dubavalu.dll",s
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8214 bytes
Much better, thank you.:bigthumb:
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {a50cc7d6-fe12-4731-a173-d8645ee9b928} - C:\WINDOWS\system32\wigudozi.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
With Vundo, there could be more.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
TheBladechild
2009-05-14, 14:27
ComboFix 09-05-13.02 - Owner 05/14/2009 5:12.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.741.360 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\aaqrnk.dll
c:\windows\system32\avonagoh.ini
c:\windows\system32\ayefgg.dll
c:\windows\system32\bakovoti.dll
c:\windows\system32\bakutuku.dll
c:\windows\system32\bezelora.dll
c:\windows\system32\bfqulg.dll
c:\windows\system32\bipologo.dll
c:\windows\system32\bitonuta.dll
c:\windows\system32\buffkw.dll
c:\windows\system32\bupozeje.dll
c:\windows\system32\buwapite.dll
c:\windows\system32\csdras.dll
c:\windows\system32\dadekaje.dll
c:\windows\system32\dcocre.dll
c:\windows\system32\ddmrxm.dll
c:\windows\system32\derokewo.dll
c:\windows\system32\digehoju.dll
c:\windows\system32\djbwcw.dll
c:\windows\system32\djezgq.dll
c:\windows\system32\dorehimo.dll
c:\windows\system32\dsssat.dll
c:\windows\system32\eaqhdp.dll
c:\windows\system32\fatemoko.dll
c:\windows\system32\febozika.dll
c:\windows\system32\fedomayu.dll
c:\windows\system32\fegopuyi.dll
c:\windows\system32\fenezaba.dll
c:\windows\system32\fijipenu.dll
c:\windows\system32\fiqfwj.dll
c:\windows\system32\fkiimq.dll
c:\windows\system32\folodepi.dll
c:\windows\system32\fqnxeg.dll
c:\windows\system32\fugedepi.dll
c:\windows\system32\fujopazo.dll
c:\windows\system32\fumavetu.dll
c:\windows\system32\gedezifu.dll
c:\windows\system32\giyifuvo.dll
c:\windows\system32\gutiyuya.dll
c:\windows\system32\gytsyj.dll
c:\windows\system32\gzpqvv.dll
c:\windows\system32\hateteze.dll
c:\windows\system32\helabiha.dll
c:\windows\system32\hewigaga.dll
c:\windows\system32\hiyoluge.dll
c:\windows\system32\hobubika.dll
c:\windows\system32\hoganova.dll
c:\windows\system32\hosobeki.dll
c:\windows\system32\hovebipu.dll
c:\windows\system32\hubeseyi.dll
c:\windows\system32\iehrvm.dll
c:\windows\system32\japawisi.dll
c:\windows\system32\jawohame.dll
c:\windows\system32\jmjgpe.dll
c:\windows\system32\jofapake.dll
c:\windows\system32\jolefayu.dll
c:\windows\system32\jutolatu.dll
c:\windows\system32\jxacet.dll
c:\windows\system32\kapidapu.dll
c:\windows\system32\kayenigu.dll
c:\windows\system32\kcindd.dll
c:\windows\system32\keznjf.dll
c:\windows\system32\kojoyapi.dll
c:\windows\system32\kovrcs.dll
c:\windows\system32\lejufomu.dll
c:\windows\system32\lgyhaw.dll
c:\windows\system32\lirikafu.dll
c:\windows\system32\madudori.dll
c:\windows\system32\mijinora.dll
c:\windows\system32\mizepiyu.dll
c:\windows\system32\movanama.dll
c:\windows\system32\mowoledo.dll
c:\windows\system32\muladaze.dll
c:\windows\system32\nerefivo.dll
c:\windows\system32\noguyiyu.dll
c:\windows\system32\nubobevu.dll
c:\windows\system32\pabehoso.dll
c:\windows\system32\pajiyina.dll
c:\windows\system32\pakesiju.dll
c:\windows\system32\pasaruwe.dll
c:\windows\system32\pijolowa.dll
c:\windows\system32\pizatoro.dll
c:\windows\system32\pqyhdt.dll
c:\windows\system32\qpekci.dll
c:\windows\system32\qryxac.dll
c:\windows\system32\qskjdf.dll
c:\windows\system32\raganapo.dll
c:\windows\system32\rewuguti.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\rifukeya.dll
c:\windows\system32\rihederi.dll
c:\windows\system32\rimozinu.dll
c:\windows\system32\rimqdi.dll
c:\windows\system32\sbepwz.dll
c:\windows\system32\seleziga.dll
c:\windows\system32\sinahuti.dll
c:\windows\system32\sivepena.dll
c:\windows\system32\slsfhn.dll
c:\windows\system32\snrgpp.dll
c:\windows\system32\subemipi.dll
c:\windows\system32\surojofi.dll
c:\windows\system32\susizano.dll
c:\windows\system32\tekijowe.dll
c:\windows\system32\tesutefa.dll
c:\windows\system32\tigayadi.dll
c:\windows\system32\titodopu.dll
c:\windows\system32\tuhezolo.dll
c:\windows\system32\uinpob.dll
c:\windows\system32\vabuwida.dll
c:\windows\system32\varapaji.dll
c:\windows\system32\vawejg.dll
c:\windows\system32\vawilodu.dll
c:\windows\system32\vedihome.dll
c:\windows\system32\veyoroda.dll
c:\windows\system32\vopcmr.dll
c:\windows\system32\vusilina.dll
c:\windows\system32\vxfpwu.dll
c:\windows\system32\wamejulu.dll
c:\windows\system32\wazemuwo.dll
c:\windows\system32\wimesabi.dll
c:\windows\system32\wizuyebi.dll
c:\windows\system32\womosasa.dll
c:\windows\system32\wopoliro.dll
c:\windows\system32\wurqlo.dll
c:\windows\system32\xlbljn.dll
c:\windows\system32\xqtebw.dll
c:\windows\system32\xujnox.dll
c:\windows\system32\yakmqj.dll
c:\windows\system32\yapafiyo.dll
c:\windows\system32\yaturite.dll
c:\windows\system32\yemiruje.exe
c:\windows\system32\ygqxxz.dll
c:\windows\system32\yikavaji.dll
c:\windows\system32\yodejetu.dll
c:\windows\system32\yogujagu.dll
c:\windows\system32\zalahobe.dll
c:\windows\system32\zcfvgl.dll
c:\windows\system32\zememaji.dll
c:\windows\system32\zisijubo.dll
c:\windows\system32\zkhiys.dll
c:\windows\system32\zofetehi.dll
c:\windows\system32\zohijiho.dll
c:\windows\system32\zophkr.dll
c:\windows\system32\ztylql.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-14 01:28 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-14 01:28 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 04:29 . 2009-05-07 04:29 -------- d-----w c:\windows\Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 10:53 . 2008-09-08 11:31 -------- d-----w c:\program files\mIRC
2009-05-12 09:03 . 2007-11-24 18:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-09 04:59 . 2005-03-04 21:17 26388 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-05 04:51 . 2008-08-16 00:19 -------- d-----w c:\program files\World of Warcraft
2009-04-27 23:00 . 2009-01-27 23:00 58368 --sha-w c:\windows\system32\hirisaki.exe
2009-04-27 11:00 . 2009-01-27 10:59 60928 --sha-w c:\windows\system32\gigijomo.exe
2009-04-06 10:51 . 2009-01-06 10:51 99328 ------w c:\windows\system32\jevaziji.dll
2009-04-06 09:36 . 2007-01-29 04:25 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-28 10:48 . 1601-01-01 00:12 99328 ------w c:\windows\system32\kuhodeha.dll
2009-03-27 10:48 . 1601-01-01 00:12 99328 ------w c:\windows\system32\leyeluto.dll
2009-03-27 10:48 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\suzumuvo.exe
2009-03-26 22:47 . 1601-01-01 00:12 61440 --sha-w c:\windows\system32\wojuveva.exe
2009-03-26 19:55 . 2009-03-26 19:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-26 19:55 . 2004-11-16 17:33 -------- d-----w c:\program files\Java
2009-03-25 22:47 . 1601-01-01 00:12 99840 ------w c:\windows\system32\yakiyayi.dll
2009-03-25 19:21 . 2006-06-28 00:41 -------- d-----w c:\program files\Lavasoft
2009-03-25 10:47 . 1601-01-01 00:12 100864 ------w c:\windows\system32\fidapude.dll
2009-03-24 22:46 . 1601-01-01 00:12 102400 ------w c:\windows\system32\piladoya.dll
2009-03-24 10:46 . 1601-01-01 00:12 102400 ------w c:\windows\system32\sebimike.dll
2009-03-23 22:46 . 1601-01-01 00:12 101376 ------w c:\windows\system32\nojozegi.dll
2009-03-23 10:46 . 1601-01-01 00:12 102400 ------w c:\windows\system32\terobugo.dll
2009-03-22 10:45 . 1601-01-01 00:12 100864 ------w c:\windows\system32\vilidunu.dll
2009-03-21 22:45 . 1601-01-01 00:12 100864 ------w c:\windows\system32\zahuyoru.dll
2009-03-19 10:44 . 1601-01-01 00:12 101376 ------w c:\windows\system32\titumeri.dll
2009-03-18 22:43 . 1601-01-01 00:12 102912 ------w c:\windows\system32\liyeriya.dll
2009-03-18 10:43 . 1601-01-01 00:12 102400 ------w c:\windows\system32\wimavogu.dll
2009-03-17 10:43 . 1601-01-01 00:12 102912 ------w c:\windows\system32\wasoteba.dll
2009-03-16 22:43 . 1601-01-01 00:12 101376 ------w c:\windows\system32\lefivonu.dll
2009-03-16 21:18 . 2009-05-07 04:30 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-05-07 04:30 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-05-07 04:30 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-05-07 04:30 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-15 10:42 . 1601-01-01 00:12 103424 ------w c:\windows\system32\yezejugo.dll
2009-03-14 10:42 . 1601-01-01 00:12 99840 ------w c:\windows\system32\sikafupo.dll
2009-03-13 10:41 . 1601-01-01 00:12 102400 ------w c:\windows\system32\banupuyo.dll
2009-03-09 22:40 . 2009-03-09 22:40 79872 ------w c:\windows\system32\regikiho.dll
2009-03-09 22:27 . 2009-05-07 04:30 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-05-07 04:30 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-05-07 04:30 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 10:39 . 1601-01-01 00:12 79872 ------w c:\windows\system32\wapeyabi.dll
2009-03-08 22:39 . 1601-01-01 00:12 79872 ------w c:\windows\system32\vevinaho.dll
2009-03-08 10:39 . 1601-01-01 00:12 79872 ------w c:\windows\system32\punawuwu.dll
2009-03-07 22:38 . 1601-01-01 00:12 79872 ------w c:\windows\system32\rokavuya.dll
2009-03-07 10:38 . 1601-01-01 00:12 79872 ------w c:\windows\system32\redivegi.dll
2009-03-05 22:37 . 1601-01-01 00:12 79872 ------w c:\windows\system32\torawima.dll
2009-03-05 10:37 . 1601-01-01 00:12 79872 ------w c:\windows\system32\misogija.dll
2009-03-03 10:36 . 2009-03-03 10:36 79872 ------w c:\windows\system32\vayejopi.dll
2009-02-27 08:55 . 2006-07-12 02:35 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nsx1D8.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nstB.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nsa2A8.dll
2009-02-14 18:29 . 2009-02-14 18:29 34 ----a-w c:\windows\system32\BD2140.DAT
2007-10-22 11:49 . 2007-10-22 11:49 1805306 ----a-w c:\program files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 867848 ----a-w c:\program files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 807132 ----a-w c:\program files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 49392 ----a-w c:\program files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 44850 ----a-w c:\program files\dxdllreg_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 21744 ----a-w c:\program files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 200010 ----a-w c:\program files\NOV2007_XACT_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 1712608 ----a-w c:\program files\NOV2007_d3dx9_36_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 151512 ----a-w c:\program files\NOV2007_XACT_x86.cab
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 57344]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-26 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-27 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-22 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-05 2808832]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Manga\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 5:24 AM 64088]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [11/7/2007 10:23 PM 742216]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7045261e-2f04-11dd-b2cb-00111194701c}]
\Shell\AutoRun\command - G:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc98ca4-8ab7-11dc-b218-00111194701c}]
\Shell\AutoRun\command - K:\autoplay.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{a50cc7d6-fe12-4731-a173-d8645ee9b928} - c:\windows\system32\wigudozi.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-jukaveraki - c:\windows\system32\dubavalu.dll
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - hxxp://www.myfamily.com/plugins/ue/Install_UE.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0p7e1io.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0p7e1io.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\windows\system32\npmirage.dll
---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 05:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(508)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-14 5:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 12:23
ComboFix2.txt 2007-11-30 03:34
Pre-Run: 3,943,362,560 bytes free
Post-Run: 3,970,154,496 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
365 --- E O F --- 2008-05-04 11:54
HKJ:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:00 AM, on 5/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 7606 bytes
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\system32\hirisaki.exe
c:\windows\system32\gigijomo.exe
c:\windows\system32\jevaziji.dll
c:\windows\system32\kuhodeha.dll
c:\windows\system32\leyeluto.dll
c:\windows\system32\suzumuvo.exe
c:\windows\system32\wojuveva.exe
c:\windows\system32\yakiyayi.dll
c:\windows\system32\fidapude.dll
c:\windows\system32\piladoya.dll
c:\windows\system32\sebimike.dll
c:\windows\system32\nojozegi.dll
c:\windows\system32\terobugo.dll
c:\windows\system32\vilidunu.dll
c:\windows\system32\zahuyoru.dll
c:\windows\system32\titumeri.dll
c:\windows\system32\liyeriya.dll
c:\windows\system32\wimavogu.dll
c:\windows\system32\wasoteba.dll
c:\windows\system32\lefivonu.dll
c:\windows\system32\sikafupo.dll
c:\windows\system32\banupuyo.dll
c:\windows\system32\regikiho.dll
c:\windows\system32\wapeyabi.dll
c:\windows\system32\vevinaho.dll
c:\windows\system32\punawuwu.dll
c:\windows\system32\rokavuya.dll
c:\windows\system32\redivegi.dll
c:\windows\system32\torawima.dll
c:\windows\system32\misogija.dll
c:\windows\system32\vayejopi.dll
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
TheBladechild
2009-05-14, 21:16
ComboFix 09-05-14.02 - Owner 05/14/2009 12:09.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.741.440 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
c:\windows\system32\banupuyo.dll
c:\windows\system32\fidapude.dll
c:\windows\system32\gigijomo.exe
c:\windows\system32\hirisaki.exe
c:\windows\system32\jevaziji.dll
c:\windows\system32\kuhodeha.dll
c:\windows\system32\lefivonu.dll
c:\windows\system32\leyeluto.dll
c:\windows\system32\liyeriya.dll
c:\windows\system32\misogija.dll
c:\windows\system32\nojozegi.dll
c:\windows\system32\piladoya.dll
c:\windows\system32\punawuwu.dll
c:\windows\system32\redivegi.dll
c:\windows\system32\regikiho.dll
c:\windows\system32\rokavuya.dll
c:\windows\system32\sebimike.dll
c:\windows\system32\sikafupo.dll
c:\windows\system32\suzumuvo.exe
c:\windows\system32\terobugo.dll
c:\windows\system32\titumeri.dll
c:\windows\system32\torawima.dll
c:\windows\system32\vayejopi.dll
c:\windows\system32\vevinaho.dll
c:\windows\system32\vilidunu.dll
c:\windows\system32\wapeyabi.dll
c:\windows\system32\wasoteba.dll
c:\windows\system32\wimavogu.dll
c:\windows\system32\wojuveva.exe
c:\windows\system32\yakiyayi.dll
c:\windows\system32\zahuyoru.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\banupuyo.dll
c:\windows\system32\fidapude.dll
c:\windows\system32\gigijomo.exe
c:\windows\system32\hirisaki.exe
c:\windows\system32\jevaziji.dll
c:\windows\system32\kuhodeha.dll
c:\windows\system32\lefivonu.dll
c:\windows\system32\leyeluto.dll
c:\windows\system32\liyeriya.dll
c:\windows\system32\misogija.dll
c:\windows\system32\nojozegi.dll
c:\windows\system32\piladoya.dll
c:\windows\system32\punawuwu.dll
c:\windows\system32\redivegi.dll
c:\windows\system32\regikiho.dll
c:\windows\system32\rokavuya.dll
c:\windows\system32\sebimike.dll
c:\windows\system32\sikafupo.dll
c:\windows\system32\suzumuvo.exe
c:\windows\system32\terobugo.dll
c:\windows\system32\titumeri.dll
c:\windows\system32\torawima.dll
c:\windows\system32\vayejopi.dll
c:\windows\system32\vevinaho.dll
c:\windows\system32\vilidunu.dll
c:\windows\system32\wapeyabi.dll
c:\windows\system32\wasoteba.dll
c:\windows\system32\wimavogu.dll
c:\windows\system32\wojuveva.exe
c:\windows\system32\yakiyayi.dll
c:\windows\system32\zahuyoru.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-14 01:28 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-14 01:28 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-14 01:28 . 2009-05-14 01:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 04:29 . 2009-05-07 04:29 -------- d-----w c:\windows\Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 10:53 . 2008-09-08 11:31 -------- d-----w c:\program files\mIRC
2009-05-12 09:03 . 2007-11-24 18:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-09 04:59 . 2005-03-04 21:17 26388 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-05-05 04:51 . 2008-08-16 00:19 -------- d-----w c:\program files\World of Warcraft
2009-04-06 09:36 . 2007-01-29 04:25 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-26 19:55 . 2009-03-26 19:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-26 19:55 . 2004-11-16 17:33 -------- d-----w c:\program files\Java
2009-03-25 19:21 . 2006-06-28 00:41 -------- d-----w c:\program files\Lavasoft
2009-03-16 21:18 . 2009-05-07 04:30 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-05-07 04:30 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-05-07 04:30 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-05-07 04:30 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-15 10:42 . 1601-01-01 00:12 103424 ------w c:\windows\system32\yezejugo.dll
2009-03-09 22:27 . 2009-05-07 04:30 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-05-07 04:30 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-05-07 04:30 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-02-27 08:55 . 2006-07-12 02:35 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nsx1D8.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nstB.dll
2009-02-24 09:51 . 2009-02-24 09:51 621056 ----a-w c:\windows\system32\nsa2A8.dll
2009-02-14 18:29 . 2009-02-14 18:29 34 ----a-w c:\windows\system32\BD2140.DAT
2007-10-22 11:49 . 2007-10-22 11:49 1805306 ----a-w c:\program files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 867848 ----a-w c:\program files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 807132 ----a-w c:\program files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 49392 ----a-w c:\program files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 44850 ----a-w c:\program files\dxdllreg_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 21744 ----a-w c:\program files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 200010 ----a-w c:\program files\NOV2007_XACT_x64.cab
2007-10-22 11:49 . 2007-10-22 11:49 1712608 ----a-w c:\program files\NOV2007_d3dx9_36_x86.cab
2007-10-22 11:49 . 2007-10-22 11:49 151512 ----a-w c:\program files\NOV2007_XACT_x86.cab
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 57344]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-26 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-27 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-22 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-05 2808832]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Manga\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 5:24 AM 64088]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [11/7/2007 10:23 PM 742216]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7045261e-2f04-11dd-b2cb-00111194701c}]
\Shell\AutoRun\command - G:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc98ca4-8ab7-11dc-b218-00111194701c}]
\Shell\AutoRun\command - K:\autoplay.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - hxxp://www.myfamily.com/plugins/ue/Install_UE.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0p7e1io.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0p7e1io.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\windows\system32\npmirage.dll
---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 12:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-14 12:12
ComboFix-quarantined-files.txt 2009-05-14 19:12
ComboFix2.txt 2009-05-14 12:24
ComboFix3.txt 2007-11-30 03:34
Pre-Run: 3,999,678,464 bytes free
Post-Run: 3,977,863,168 bytes free
225 --- E O F --- 2008-05-04 11:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:01 PM, on 5/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?action=minisearch&source=minisearch_dsl&mn=32897918
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 7549 bytes
Hello,
Everything looks fine :bigthumb: How are things running now??
TheBladechild
2009-05-15, 00:29
Things are running great now, im still pretty sure i have some spyware, in particular I have this "yoog search" on my mini search engine in the top right of my firefox. Iv tried to remove it before but had no luck.
Yoog Search has to go
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
You need to do this in Safemode.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Go to C:\Documents and Settings\Administrator(or your name depending on the computer)\Application Data\Mozilla\Firefox\Profiles\(the name of your profile will appear as a folder.)\searchplugins
A file with yoog in the name will appear. Simply delete the file while in safe mode to completely remove Yoog.
Be sure to empty the recycle bin, then restart your computer in normal mode and it will be gone!
After a reboot, let me know if its gone
TheBladechild
2009-05-15, 08:29
Wow man thanks a lot, it took a while for me to find the Yoog file but i finally deleted it. Do you recommend a scan of spybot as a final check for any other problems?
You can run a free online Virus scanner to make sure its all gone
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
TheBladechild
Still with us?
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.