Can't get Spybot running in Vista
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:08 AM, on 11/1/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Defender Pro Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vamufukewe] Rundll32.exe "dajidomu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL huzisopo.dll avgrsstx.dll c:\windows\system32\rahupeke.dll
O21 - SSODL: bohifirib - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Defender Pro - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Defender Pro S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 6741 bytes
Malwarebytes removed 55 trojans and malware before I got this far. I had not written in this forum yet, but if it's useful I still have the logfile from Malwarebytes. Just let me know and I'll post it. Thanks
I have tried to remove the stuff myself and failed miserably. I have managed to pull 55 trojans from the computer, but I still have something on there preventing Spybot from installing and running properly. All I can get the scr. file to do is update the machine. I have tried Malwarebytes, AVG, and Hitman Pro. I had to remove the hard drive and scan it with another just to be able to get Malwarebytes to scan it. Before, the taskbar and everything was gone. Now it's back, but I can't uninstall AVG for some reason and I can't get Spybot to install (it always says sd.exe read only file). Here is the log from when I ran Malwarebytes if it helps. Thanks
Malwarebytes' Anti-Malware 1.41
Database version: 3074
Windows 6.0.6001 Service Pack 1 (Safe Mode)
11/1/2009 2:45:21 AM
mbam-log-2009-11-01 (02-45-21).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 214644
Time elapsed: 19 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 41
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkycrcnqptv (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gojofivur (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gojofivur (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vamufukewe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe tftp.nfo beforegllav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\17758084 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024485.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024486.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024491.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024492.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024493.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024494.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024495.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024496.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024497.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024498.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024499.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024500.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024501.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024502.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024503.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024504.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024505.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024506.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024507.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024508.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024509.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024510.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024511.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024512.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024513.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024514.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024515.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024516.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nelonezi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\reranavu.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Windows\System32\vabofoka.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\17758084\17758084 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\17758084\pc17758084ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\System32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Windows\System32\hivofupi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\niyihifi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyexevxepp.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyjtjbrudx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
Hello sauce73,
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Sorry for the delay, the forums are very busy. You're infected with a rootkit; we need to run ComboFix renamed or it won't run.
It's important that you follow these instructions and rename ComboFix, as this rootkit infection will stop it from running if it's not renamed.
Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
I have managed to disable Spybot and AVG but not Defender Pro antivirus, and I can't find where to disable it. I checked in services and processes and can't find it running. When I tried to start ComboFix it said Defender Pro antivirus running, please disable scanner.
I have now even managed to uninstall Defender Pro 5-1 and it still says it's running. I will not do anything else till you tell me. Thanks
Hi,
If you don't have the Run Command on the Start Menu, you can add it like this:
1. Right click on the Vista start menu and click Properties.
2. In the properties window select the Start Menu tab and click Customize.
3. Scroll down and tick the box to the side of Run Command. Click OK and now you can see Run Command in the start menu.
Go to Start > Run > and type in services.msc and hit Enter. Then look for Defender Pro, right click on it and select Properties, and on the Startup type, change it to Disabled.
It's not listed under any services that I can see.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Defender Pro - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Defender Pro S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
Try ComboFix again, and if it still gives you issues then run it in Safe Mode.
Go to Start > Shut off your Computer > Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safe Mode with Networking.
Then press the Enter key on your keyboard.
Tutorial if you need it: How to boot into Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
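As an added example (not from this thread, HijackThis or ComboFix), a small Python triage pass over entries of the shape shown in these logs: it flags O4 autoruns under the service SIDs, unverified AppInit_DLLs, and hooks whose file is missing, and lists O23 services by vendor so entries like the two above can be located. The sample lines and the two allowlists are assumptions constructed from this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few entries copied in shape from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vamufukewe] Rundll32.exe "dajidomu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL huzisopo.dll avgrsstx.dll c:\windows\system32\rahupeke.dll
O21 - SSODL: bohifirib - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Defender Pro S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumed allowlists for this example (not a HijackThis feature). Sidebar and the Welcome
# Center legitimately autostart under the service SIDs on Vista; avgrsstx.dll belongs to
# the AVG 8 install visible in the thread. Anything else in these positions gets flagged.
SERVICE_SIDS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Default user"}
KNOWN_SYSTEM_RUN = ("sidebar.exe", "oobefldr.dll")
KNOWN_APPINIT = {"avgrsstx.dll"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _check_file_missing(section: str, body: str) -> Optional[str]:
    # O21/O22 hooks whose DLL is gone: the key is a leftover that is still tried at logon.
    if "(file missing)" in body:
        return "registry hook points at a deleted file; the key itself was left behind"
    return None


def _check_service_sid_run(section: str, body: str) -> Optional[str]:
    # O4 Run entries under S-1-5-18/19/20 execute without any user logging on.
    if section != "O4":
        return None
    m = RUN_RE.search(body)
    if not m or m.group("user") not in SERVICE_SIDS:
        return None
    if any(k in m.group("cmd").lower() for k in KNOWN_SYSTEM_RUN):
        return None
    return f"autorun '{m.group('name')}' under {m.group('user')}: {m.group('cmd')}"


def _check_appinit(section: str, body: str) -> Optional[str]:
    # AppInit_DLLs are loaded into every process that links user32.dll, so a bare
    # name or an unknown system32 DLL here is worth verifying before trusting it.
    if section != "O20" or not body.startswith("AppInit_DLLs:"):
        return None
    dlls = body.split(":", 1)[1].split()
    odd = [d for d in dlls
           if d.lower() not in KNOWN_APPINIT
           and ("\\" not in d or d.lower().startswith(r"c:\windows\system32"))]
    return "AppInit_DLLs injects unverified DLLs: " + ", ".join(odd) if odd else None


CHECKS = (_check_file_missing, _check_service_sid_run, _check_appinit)


def triage(log_text: str) -> List[Finding]:
    """Run every check over each entry line; one Finding per matching check."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        for check in CHECKS:
            reason = check(m.group("section"), m.group("body"))
            if reason:
                findings.append(Finding(m.group("section"), reason, line.strip()))
    return findings


def find_services(log_text: str, vendor_substring: str) -> List[str]:
    """Short names of O23 services whose vendor field contains the substring."""
    names = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("section") != "O23":
            continue
        s = SERVICE_RE.match(m.group("body"))
        if s and vendor_substring.lower() in s.group("vendor").lower():
            names.append(s.group("short") or s.group("display"))
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("Defender Pro services:", find_services(SAMPLE_LOG, "Defender Pro"))
```

Paste a full log into `triage` to get the same four kinds of flags over every entry; a flag is a prompt to verify the file, not a verdict.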
I can't find those files to fix. Here is the log from HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:23 AM, on 11/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\cyrus\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vamufukewe] Rundll32.exe "dajidomu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL huzisopo.dll avgrsstx.dll c:\windows\system32\rahupeke.dll
O21 - SSODL: bohifirib - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 5401 bytes
Go ahead and run ComboFix; run it in Safe Mode if it won't let you run it in normal Windows.
OK, here is the ComboFix log, then the HijackThis log
ComboFix 09-11-05.05 - cyrus 11/06/2009 7:11.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1015 [GMT -5:00]
Running from: c:\users\cyrus\Desktop\wtg.exe
AV: Defender Pro Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: Defender Pro Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1030263071-3691112099-3180659711-500
c:\$recycle.bin\S-1-5-21-2760852498-2543259003-1422614318-1000
c:\$recycle.bin\S-1-5-21-394663650-3959817544-126125822-500
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.
2009-11-06 12:18 . 2009-11-06 12:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-06 12:18 . 2009-11-06 12:18 -------- d-----w- c:\users\bob\AppData\Local\temp
2009-11-06 12:18 . 2009-11-06 13:04 -------- d-----w- c:\users\cyrus\AppData\Local\temp
2009-11-05 15:42 . 2009-11-05 15:42 -------- d-----w- C:\found.000
2009-11-01 11:45 . 2009-11-01 11:45 4096 d-----w- c:\program files\ERUNT
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\ca-ES
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\eu-ES
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\vi-VN
2009-11-01 10:21 . 2009-11-01 10:21 -------- d-----w- c:\windows\system32\EventProviders
2009-11-01 10:14 . 2009-11-05 13:20 81984 ----a-w- c:\windows\system32\bdod.bin
2009-11-01 10:04 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 10:00 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-01 09:57 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-01 09:57 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-01 09:32 . 2009-11-01 09:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 07:23 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 07:23 . 2009-11-01 07:23 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 07:23 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 06:49 . 2009-11-01 06:49 -------- d-----w- c:\users\cyrus\AppData\Local\Adobe
2009-11-01 05:35 . 2009-11-01 07:22 12800 ----a-w- c:\windows\system32\bootdelete.exe
2009-11-01 04:33 . 2009-11-06 12:09 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-10-31 03:12 . 2009-10-31 03:12 12288 d-----w- C:\$AVG8.VAULT$
2009-10-30 14:10 . 2009-10-30 14:10 -------- d-----w- c:\users\cyrus\AppData\Roaming\Malwarebytes
2009-10-30 14:10 . 2009-10-30 14:10 -------- d-----w- c:\programdata\Malwarebytes
2009-10-28 11:49 . 2009-11-01 08:02 680 ----a-w- c:\users\cyrus\AppData\Local\d3d9caps.dat
2009-10-28 11:44 . 2009-11-01 07:22 4096 d-----w- c:\programdata\Hitman Pro
2009-10-28 11:44 . 2009-10-28 11:44 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-10-26 11:45 . 2009-10-30 11:58 70176 ----a-w- c:\users\cyrus\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-25 16:44 . 2009-10-25 16:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 16:43 . 2009-10-25 16:43 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 16:43 . 2009-10-25 16:43 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 16:43 . 2009-10-25 16:43 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 16:43 . 2009-11-01 09:27 4096 d-----w- c:\windows\system32\drivers\Avg
2009-10-25 16:43 . 2009-11-01 11:16 4096 d-----w- c:\programdata\avg8
2009-10-25 15:59 . 2009-10-25 15:59 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-10-25 15:46 . 2009-10-25 16:46 4096 d-----w- c:\programdata\AVG Security Toolbar
2009-10-25 15:22 . 2009-10-25 16:30 680 ----a-w- c:\users\bob\AppData\Local\d3d9caps.dat
2009-10-25 15:11 . 2009-10-25 15:11 -------- d-----w- c:\program files\AVG
2009-10-25 15:07 . 2009-11-01 11:04 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-25 15:07 . 2009-11-01 10:59 8192 d-----w- c:\program files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 14:05 . 2009-07-25 19:00 4096 d-----w- c:\program files\Common Files\BitDefender
2009-11-01 11:43 . 2008-09-05 00:48 -------- d-----w- c:\programdata\NVIDIA
2009-11-01 10:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-01 10:37 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-11-01 10:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-01 09:31 . 2008-09-05 01:05 -------- d-----w- c:\program files\Java
2009-10-30 13:41 . 2009-07-30 13:40 1054752 --sha-w- c:\windows\system32\mijinube.exe
2009-10-30 11:54 . 2008-09-05 00:37 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 11:54 . 2008-09-05 00:37 -------- d-----w- c:\program files\profile
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-16 16:11 . 2009-09-16 16:11 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb4D44.tmp.exe
2009-09-16 16:11 . 2009-09-16 16:11 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb4D44.tmp.exe
2009-07-25 15:59 . 2009-07-25 15:59 10240 --sha-w- c:\windows\System32\mapopabe.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-19 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-19 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"combofix"="c:\wtg\CF12156.exe" [2009-11-06 318976]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-19 6244896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):bd,cf,30,45,e0,5a,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1030263071-3691112099-3180659711-1001]
"EnableNotifications\\Ref"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/25/2009 11:43 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/25/2009 11:43 AM 108552]
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [6/12/2009 4:08 AM 12800]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [10/11/2006 2:18 AM 24576]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [6/12/2009 4:07 AM 628584]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [6/12/2009 4:07 AM 628584]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/1/2009 5:57 AM 1153368]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [9/4/2008 8:07 PM 43552]
S3 GoogleDesktopManager-071508-051939;Google Desktop Manager 5.7.807.15159;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/25/2009 11:43 AM 906520]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/25/2009 11:43 AM 298776]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-01 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job
- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2009-10-28 15:45]
2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{88B7284F-FA8A-4263-B5C9-6C34C08FD7BF}.job
- c:\windows\system32\msfeedssync.exe [2009-11-01 03:41]
.
.
------- Supplementary Scan -------
.
uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-inixs - c:\windows\system32\minix32.exe
SharedTaskScheduler-{b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll
SSODL-bohifirib-{b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 08:04
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,68,4e,9c,62,a9,a6,49,a3,61,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,68,4e,9c,62,a9,a6,49,a3,61,8f,\
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-11-06 8:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 13:07
Pre-Run: 44,223,422,464 bytes free
Post-Run: 43,753,533,440 bytes free
- - End Of File - - D06637684717AA440D9DC516DC68450A
Now the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:47 AM, on 11/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\cyrus\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 4026 bytes
What's the next step? Thanks.
Hi,
You need to enable Windows to Show all Files and Folders.
Instructions for your operating system are HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
c:\windows\system32\mijinube.exe <-- Delete this file; let me know if it will not delete.
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.
c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
Here is the virus report:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.09 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.09 -
Antiy-AVL 2.0.3.7 2009.11.09 -
Authentium 5.2.0.5 2009.11.08 -
Avast 4.8.1351.0 2009.11.08 -
AVG 8.5.0.423 2009.11.09 -
BitDefender 7.2 2009.11.09 -
CAT-QuickHeal 10.00 2009.11.09 -
ClamAV 0.94.1 2009.11.09 -
Comodo 2895 2009.11.09 -
DrWeb 5.0.0.12182 2009.11.09 -
eSafe 7.0.17.0 2009.11.08 -
eTrust-Vet 35.1.7111 2009.11.09 -
F-Prot 4.5.1.85 2009.11.08 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.09 -
GData 19 2009.11.09 -
Ikarus T3.1.1.74.0 2009.11.09 -
Jiangmin 11.0.800 2009.11.09 -
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.09 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.09 -
Microsoft 1.5202 2009.11.09 -
NOD32 4587 2009.11.09 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.09 -
Panda 10.0.2.2 2009.11.08 -
PCTools 7.0.3.5 2009.11.09 -
Prevx 3.0 2009.11.09 -
Rising 22.21.00.08 2009.11.09 -
Sophos 4.47.0 2009.11.09 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.09 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.09 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.9.2027 2009.11.09 -
VirusBuster 4.6.5.0 2009.11.08 -
Additional information
File size: 471664 bytes
MD5...: 71338bab3fc015cd4a10bc25858b1785
SHA1..: 556028afb0ef67001660b98a734da6c8bae8ecff
SHA256: 2f85eaa53efeceb338a02a419a2aa260b8de24d130fe92dff78dc8da0a57f76d
ssdeep: 6144:0fvHASFf8w+gajkHjnb8OLXxYsRxFbrxd8QZQ6vvKrBeWIY4Afy08npBNq:0XbFf8wPaanbXFJZd8QZFvG0WIYzoq
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x29271
timedatestamp.....: 0x4a57e684 (Sat Jul 11 01:10:28 2009)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3dbed 0x3dc00 6.66 12b14fc0189bc6e23c6c171b6f2d1650
.rdata 0x3f000 0xca18 0xcc00 4.90 18ab01311b0d973315e9274cb0b2bc17
.data 0x4c000 0xbb88 0x2000 4.11 9ded777a187febde17623bd3ed7bdbe0
.rsrc 0x58000 0x206bc 0x20800 5.87 3a5cd4261dc21d723fd0689a4570d9da
.reloc 0x79000 0x461e 0x4800 5.04 03837c480fba9935b8762157780fdd34
( 15 imports )
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: Google Inc.
copyright....: Copyright (c) 2000-2008
product......: Google Toolbar for Internet Explorer
description..: Google Toolbar Installer
original name: GoogleToolbarInstaller.exe
internal name: GoogleToolbarInstaller
file version.: 6, 2, 1910, 1554
comments.....: n/a
signers......: Google Inc
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 2:16 AM 7/11/2009
verified.....: -
And here is the virus scan:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=81afef54a715844b966bf3f613536160
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-09 12:49:22
# local_time=2009-11-09 07:49:22 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 364549 364549 0 0
# compatibility_mode=2049 16777214 0 5 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94377166 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=125089
# found=0
# cleaned=0
# scan_time=1323
Thank you, and what is the next step?
You appear to be clean. How are things running now?
I can't seem to log in to the forum on this computer still. It says "thank you for logging in, automatically redirect" and then it logs out, I guess. Should I go ahead and reinstall Spybot and AVG? Anything else? Thanks
It says thankyou for logging in automatically redirect <-- Is it redirecting you to another site? Are you using the correct username and password?
Could you explain this, please?
It logs me in, then when redirected I'm not logged in but on the page I was trying to log on at.
Sounds like you may not have cookies enabled. Open IE and go to Tools > Internet Options > Privacy and make sure the slider for cookies is set to at least Minimum or lower for now.
It also sounds like you are not putting in the correct password.
OK, I'll try that. When I tried to uninstall Spybot and reinstall, I got the same "read only, can't execute spybot.exe" error.
Open up IE and go to Tools > Internet Options > General tab and delete all your Browsing History. Then go to the Advanced tab and click on Reset Internet Explorer Settings > Reset. Let it do its thing, then X your way out, close IE, restart it and see if you can log in.
Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.
Save it to your desktop.
Please double-click OTM.exe to run it.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Services
:Reg
:Files
C:\Program Files\Spybot - Search & Destroy
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Then download a new copy of Spybot and install it:
http://www.safer-networking.org/en/home/index.html
Let me know if any of this helped.
Still no luck logging in. As soon as it says "thanks for logging in, page will redirect", I redirect not logged in. I also still can't seem to download anything. I click Save File and try to save to the desktop, and then it starts saving and completes. When I go back to the desktop it's not there. So I do a search for the file and still can't find it. If I try to Run instead of Save, it still acts like it's working and then just quits.
Try this:
Please download Rooter Rootkit Detector (http://eric.71.mespages.googlepages.com/Rooter.exe) to your Desktop
Double-click it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
Post the report for me to see.
Here it is:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6002) Service Pack 2
[32_bits] - x86 Family 15 Model 95 Stepping 3, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] STOPPED (state:1) : Windows Firewall -> Disabled !
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.6001.18828
.
C:\ [Fixed-NTFS] .. ( Total:66 Go - Free:37 Go )
D:\ [Fixed-NTFS] .. ( Total:66 Go - Free:66 Go )
E:\ [Removable]
F:\ [CD_Rom]
G:\ [Removable]
.
Scan : 08:12.45
Path : E:\Rooter.exe
User : cyrus ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (440)
______ C:\Windows\system32\csrss.exe (508)
______ C:\Windows\system32\wininit.exe (556)
______ C:\Windows\system32\csrss.exe (564)
______ C:\Windows\system32\services.exe (608)
______ C:\Windows\system32\lsass.exe (640)
______ C:\Windows\system32\lsm.exe (648)
______ C:\Windows\system32\winlogon.exe (656)
______ C:\Windows\system32\svchost.exe (836)
______ C:\Windows\system32\nvvsvc.exe (884)
______ C:\Windows\system32\svchost.exe (912)
______ C:\Windows\System32\svchost.exe (944)
______ C:\Windows\System32\svchost.exe (1028)
______ C:\Windows\System32\svchost.exe (1112)
______ C:\Windows\system32\svchost.exe (1128)
Locked audiodg.exe (1196)
______ C:\Windows\system32\svchost.exe (1216)
______ C:\Windows\system32\SLsvc.exe (1236)
______ C:\Windows\system32\rundll32.exe (1292)
______ C:\Windows\system32\svchost.exe (1300)
______ C:\Windows\system32\svchost.exe (1456)
______ C:\Windows\System32\spoolsv.exe (1628)
______ C:\Windows\system32\svchost.exe (1652)
______ C:\Windows\system32\agrsmsvc.exe (1872)
______ C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe (1912)
______ C:\Program Files\iolo\common\lib\ioloServiceManager.exe (1976)
______ C:\Windows\system32\svchost.exe (428)
______ C:\Windows\system32\svchost.exe (488)
______ C:\Windows\System32\svchost.exe (844)
______ C:\Windows\system32\SearchIndexer.exe (1400)
______ C:\Windows\system32\WUDFHost.exe (468)
______ C:\Windows\system32\taskeng.exe (2524)
______ C:\Windows\system32\taskeng.exe (3652)
______ C:\Windows\system32\Dwm.exe (3700)
______ C:\Windows\Explorer.EXE (3780)
______ C:\Windows\System32\rundll32.exe (3908)
______ C:\Windows\RtHDVCpl.exe (3916)
______ C:\Program Files\Java\jre6\bin\jusched.exe (3924)
______ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (2952)
______ C:\Windows\system32\vssvc.exe (3564)
______ C:\Windows\System32\svchost.exe (1544)
______ C:\Program Files\Internet Explorer\iexplore.exe (3832)
______ C:\Program Files\Internet Explorer\iexplore.exe (2216)
______ C:\Windows\system32\wuauclt.exe (1068)
______ C:\Windows\System32\mobsync.exe (1348)
______ E:\Rooter.exe (3064)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:1048576 | Length:17179869184)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:17180917760 | Length:71415365632)
\Device\Harddisk0\Partition3 (Start_Offset:88596297216 | Length:71442975744)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Hitman Pro 3.5 Boot Task.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{88B7284F-FA8A-4263-B5C9-6C34C08FD7BF}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 08:12.46
.
C:\Rooter$\Rooter_1.txt - (13/11/2009 | 08:12.46)
Not looking at anything bad. Is it just this forum you can't log into, or is it other sites also? Can you log into sites you use, like, say, eBay or a shopping site?
It just let me log in for some reason.
Just can't download anything still.
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\Spybot - Search & Destroy folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: bob
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 7137986 bytes
User: cyrus
->Temp folder emptied: 92829 bytes
->Temporary Internet Files folder emptied: 4565916 bytes
->Java cache emptied: 25493256 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 22060 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 49286 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 35.63 mb
OTM by OldTimer - Version 3.1.1.0 log created on 11142009_032040
Files moved on Reboot...
Registry entries deleted on Reboot...
Win32.Agent.chh: [SBI $EC4787FA] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\8636065b-fef0-4255-b14f-54639f7900a4
Win32.Agent.chh: [SBI $EC4787FA] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\8636065b-fef0-4255-b14f-54639f7900a4
Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
Virtumonde.sdn: [SBI $70056CE6] Data (File, fixed)
C:\Windows\System32\tolevoto
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
DoubleClick: Tracking cookie (Internet Explorer: cyrus) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-11-14 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi (*)
2009-11-10 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-27 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-11-10 Includes\Malware.sbi (*)
2009-11-10 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-20 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-11-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2009-11-10 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-11-10 Includes\Trojans.sbi (*)
2009-11-10 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
This is after running Spybot.
If you can't download this, then you're going to have to download it from a known clean computer and transfer it by disk to the infected one. I was looking over your log and may have missed something. Let's check.
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.