Virtumonde help please

**zuxtobeme** · 2008-11-22, 05:09

Im remaking my post because I did not follow the no bump of post policy.

again I have virtumonde on my system also some other malware was needing some help cleaning this up.

thanks

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:29 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\zuxtobeme.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6439
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {3CBEA788-BDEF-4990-9380-192BE8E1929F} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58C141FC-2062-439E-808F-40B07488DF61} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {80FAD938-3D43-4B91-AD62-61A11C4C4E6F} - (no file)
O2 - BHO: (no name) - {826baf10-c885-4de8-be14-5178cfa97328} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B71333AD-1D9F-4329-A93D-70F5072C486E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: rnqtyb.dll ipcdxb.dll ltjmrb.dll kyuxxq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\profsyz.html

--
End of file - 6061 bytes

**Baabiouz** · 2008-11-22, 10:01

Hi

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

**zuxtobeme** · 2008-11-23, 00:27

as requested

ComboFix 08-11-22.02 - Owner 2008-11-22 15:13:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.69 [GMT -8:00]
Running from: c:\documents and settings\Owner.Melissa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.Melissa\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.Melissa\Desktop\Games.url
c:\documents and settings\Owner.Melissa\Desktop\Translator.url
c:\documents and settings\Owner.Melissa\Favorites\Download programs.url
c:\documents and settings\Owner.Melissa\Favorites\Games.url
c:\documents and settings\Owner.Melissa\Favorites\Translator.url
c:\documents and settings\Owner.Melissa\Favorites\Videos.url
c:\documents and settings\Owner.Melissa\Start Menu\Programs\Download programs.url
c:\documents and settings\Owner.Melissa\Start Menu\Programs\Games.url
c:\documents and settings\Owner.Melissa\Start Menu\Programs\Translator.url
c:\documents and settings\Owner.Melissa\Start Menu\Programs\Videos.url
c:\program files\Common Files\profsyz.html
c:\program files\kernel
c:\program files\kernel\kernel.exe
c:\windows\Fonts\a.zip
c:\windows\IA
c:\windows\IA\KE.vbs
c:\windows\system32\bjnrjubw.ini
c:\windows\system32\ciwwstsu.ini
c:\windows\system32\cqfdyvag.ini
c:\windows\system32\cqhxkbet.ini
c:\windows\system32\crdggcmy.ini
c:\windows\system32\eiusmruw.ini
c:\windows\system32\eplrdxxi.ini
c:\windows\system32\esittvrq.ini
c:\windows\system32\facyctpt.dll
c:\windows\system32\fbptwxfm.ini
c:\windows\system32\fgodtvvf.ini
c:\windows\system32\gdjbbcbh.ini
c:\windows\system32\hcssjebq.ini
c:\windows\system32\htpavdji.ini
c:\windows\system32\ijkmp.ini
c:\windows\system32\ijkmp.ini2
c:\windows\system32\ijyfuxey.ini
c:\windows\system32\impfarjg.ini
c:\windows\system32\ipcdxb.dll
c:\windows\system32\jjulcbws.ini
c:\windows\system32\jqejuefa.ini
c:\windows\system32\jrgtudpw.ini
c:\windows\system32\jxqgovmr.ini
c:\windows\system32\ltjmrb.dll
c:\windows\system32\magqxfbh.ini
c:\windows\system32\mjjfsxvc.ini
c:\windows\system32\mqgxwiky.ini
c:\windows\system32\MSINET.oca
c:\windows\system32\mtdhafag.ini
c:\windows\system32\mwxfkdlw.ini
c:\windows\system32\mxyppopw.ini
c:\windows\system32\nqfomqki.ini
c:\windows\system32\ntumtjqx.ini
c:\windows\system32\pbgxgvne.ini
c:\windows\system32\ptprnuxj.ini
c:\windows\system32\qbekrefp.ini
c:\windows\system32\qbuooumd.ini
c:\windows\system32\rnqtyb.dll
c:\windows\system32\ryoxehdc.ini
c:\windows\system32\shndtjqo.ini
c:\windows\system32\slwndort.ini
c:\windows\system32\smnijhhp.ini
c:\windows\system32\sqnyrltb.ini
c:\windows\system32\tfaypuwd.ini
c:\windows\system32\tinjjlvt.ini
c:\windows\system32\uaqkgptg.ini
c:\windows\system32\ujaswbhy.ini
c:\windows\system32\uxmeurhf.ini
c:\windows\system32\vaatnajr.ini
c:\windows\system32\vecfwewb.ini
c:\windows\system32\vxvnrfhd.ini
c:\windows\system32\weexmusg.ini
c:\windows\system32\winsrc.dll.tmp
c:\windows\system32\wudfxqhd.ini
c:\windows\system32\yeplyovh.dll
c:\windows\system32\yrnjqowf.ini
c:\windows\system32\z1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-21 20:35 . 2008-11-21 20:35 <DIR> d-------- C:\fsaua.data
2008-11-21 18:29 . 2008-11-21 18:29 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-21 18:29 . 2008-11-21 18:29 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-20 22:09 . 2008-11-20 22:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-20 22:09 . 2008-11-20 22:09 <DIR> d-------- c:\documents and settings\Owner.Melissa\Application Data\Malwarebytes
2008-11-20 22:09 . 2008-11-20 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 22:09 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 22:09 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-20 09:49 . 2008-11-20 09:49 <DIR> d-------- c:\program files\Trend Micro
2008-11-20 08:05 . 2008-11-20 08:05 24,576 --a------ c:\windows\system32\VundoFixSVC.exe
2008-11-20 07:52 . 2008-11-20 22:55 <DIR> d-------- C:\VundoFix Backups
2008-11-06 19:49 . 2008-11-20 08:15 <DIR> d-------- c:\program files\RogueRemover FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 04:22 --------- d-----w c:\program files\Napster
2008-11-22 04:22 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-11-22 02:29 --------- d-----w c:\program files\Java
2008-11-20 16:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-07 00:58 --------- d-----w c:\program files\BigFix
2008-11-07 00:53 --------- d-----w c:\program files\Google
2008-09-25 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 21:02 --------- d-----w c:\documents and settings\Owner.Melissa\Application Data\LimeWire
2008-03-12 06:06 1,132 ----a-w c:\documents and settings\Owner.Melissa\Application Data\wklnhst.dat
2008-01-18 22:39 246 ----a-w c:\program files\Common Files\lavul
2007-02-18 10:47 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-11 1236992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-21 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-09-18 1757]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMa7d896a4]
--a------ 2008-09-17 15:28 95744 c:\windows\system32\eamtynsj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 19:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 16:16 1121792 c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 23:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-02-25 18:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-12-27 10:20 413696 c:\windows\stsystra.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64801:TCP"= 64801:TCP:PORT_64801
"19923:TCP"= 19923:TCP:PORT_19923
"22700:TCP"= 22700:TCP:PORT_22700
"50938:TCP"= 50938:TCP:PORT_50938
"33363:TCP"= 33363:TCP:PORT_33363
"6114:TCP"= 6114:TCP:PORT_6114
"57423:TCP"= 57423:TCP:PORT_57423
"59405:TCP"= 59405:TCP:PORT_59405
"16204:TCP"= 16204:TCP:PORT_16204

.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2006-12-30 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 11:00]

2006-12-30 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 11:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3CBEA788-BDEF-4990-9380-192BE8E1929F} - c:\windows\system32\pmkji.dll
BHO-{58C141FC-2062-439E-808F-40B07488DF61} - (no file)
BHO-{80FAD938-3D43-4B91-AD62-61A11C4C4E6F} - (no file)
BHO-{826baf10-c885-4de8-be14-5178cfa97328} - (no file)
BHO-{B71333AD-1D9F-4329-A93D-70F5072C486E} - (no file)
MSConfigStartUp-a4eba538 - c:\windows\system32\ljJBsTmj.dll
MSConfigStartUp-CrashDump - c:\windows\system32\dumpreport.exe
MSConfigStartUp-ieupdate - c:\windows\system32\ieexplorer32.exe
MSConfigStartUp-kernel - c:\program files\kernel\kernel.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner.Melissa\Application Data\Mozilla\Firefox\Profiles\nwq5yfb5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 15:19:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-22 15:22:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-22 23:22:19

Pre-Run: 39,332,888,576 bytes free
Post-Run: 39,334,756,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

244 --- E O F --- 2008-06-26 05:44:42

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:33 PM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\zuxtobeme.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6439
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5739 bytes

**Baabiouz** · 2008-11-23, 13:38

Hi

Step #1 - HijackThis fixing
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #2 - Downloading Antivirus
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:

Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Step #3 - Downloading Firewall
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
(At installing Zonealarm, please uncheck this option "include a ZoneAlarm Spy Blocker...". The Toolbar is not recommended... You can read more about it here.)
2) Agnitum
3) Sunbelt/Kerio
4) Comodo
(at installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Step #4 - Scanning your computer
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Step #5- Posting results
Please post a fresh HijackThis log and Mbam results back here

How's your PC working now?

**zuxtobeme** · 2008-11-24, 01:44

well I downloaded and installed one of the anti virus's you reconmended.

it detected 90 harmful files/folders

here is a log from that anti virus

Avira AntiVir Personal
Report file date: Sunday, November 23, 2008 09:49

Scanning for 1046419 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MELISSA

Version information:
BUILD.DAT : 8.2.0.336 16933 Bytes 10/30/2008 11:40:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 18:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 17:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 22:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 17:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:40:20
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 17:40:23
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 17:40:25
ANTIVIR3.VDF : 7.1.0.123 165376 Bytes 11/23/2008 17:40:28
Engineversion : 8.2.0.35
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 20:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/23/2008 17:40:50
AESCN.DLL : 8.1.1.5 123251 Bytes 11/23/2008 17:40:48
AERDL.DLL : 8.1.1.3 438645 Bytes 11/23/2008 17:40:46
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/23/2008 17:40:43
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/23/2008 17:40:40
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/23/2008 17:40:39
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/23/2008 17:40:34
AEGEN.DLL : 8.1.1.5 323956 Bytes 11/23/2008 17:40:33
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 20:05:56
AECORE.DLL : 8.1.5.1 172406 Bytes 11/23/2008 17:40:30
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 20:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 18:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 19:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 11/23/2008 17:40:28
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 21:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 18:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 22:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 03:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 22:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 22:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 23:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 23:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, November 23, 2008 09:49

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudXPAntivirus1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '498a9873.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4997a012.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4997a016.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4997a019.qua'!
C:\Documents and Settings\Owner.Melissa\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-48bdc5db
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
[NOTE] The file was moved to '495da391.qua'!
C:\Documents and Settings\Owner.Melissa\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-1976ce1e.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
[NOTE] The file was moved to '4996a3e3.qua'!
C:\Qoobox\Quarantine\C\Program Files\Common Files\profsyz.html.vir
[DETECTION] Is the TR/Click.HTML.IFrame.DN Trojan
[NOTE] The file was moved to '4998a70c.qua'!
C:\Qoobox\Quarantine\C\Program Files\kernel\kernel.exe.vir
[DETECTION] Is the TR/Dldr.Adload.PN Trojan
[NOTE] The file was moved to '499ba705.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\a.zip.vir
[0] Archive type: ZIP
--> Setup.exe
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49a3a6d2.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipcdxb.dll.vir
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '498ca719.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ltjmrb.dll.vir
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '4993a71f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rnqtyb.dll.vir
[DETECTION] Is the TR/Monder.tdz Trojan
[NOTE] The file was moved to '499aa71f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\yeplyovh.dll.vir
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '4999a717.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP179\A0045497.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959a6f5.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP179\A0046497.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f939b6.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP179\A0046533.exe
[DETECTION] Is the TR/Dldr.VB.hpv.3 Trojan
[NOTE] The file was moved to '4959a6f6.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP181\A0046593.exe
[DETECTION] Is the TR/Dldr.VB.hpv.3 Trojan
[NOTE] The file was moved to '4959a6f9.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP182\A0046697.exe
[DETECTION] Is the TR/Dldr.VB.hpv.3 Trojan
[NOTE] The file was moved to '4959a6fe.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047698.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4959a6ff.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047709.vbs
[DETECTION] Is the TR/Small.WY Trojan
[NOTE] The file was moved to '4959a700.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047711.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f93841.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047713.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959a702.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047715.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f93843.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047716.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959a701.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047717.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f93842.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047718.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959a703.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047719.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959a704.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047721.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f93845.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047726.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48f93844.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP183\A0047727.exe
[DETECTION] Is the TR/Dldr.Agent.haq.1 Trojan
[NOTE] The file was moved to '4959a705.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0048752.dll
[DETECTION] Is the TR/FraudPack.aed Trojan
[NOTE] The file was moved to '4959a706.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0048775.dll
[DETECTION] Is the TR/BHO.aqp Trojan
[NOTE] The file was moved to '48f93846.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0049762.dll
[DETECTION] Is the TR/Dldr.Agent.akhh Trojan
[NOTE] The file was moved to '48f93847.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0049763.dll
[DETECTION] Is the TR/Dldr.Agent.akhh Trojan
[NOTE] The file was moved to '4959a708.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0049795.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4959a707.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP184\A0049865.dll
[DETECTION] Is the TR/FraudPack.glx Trojan
[NOTE] The file was moved to '4959a70a.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050273.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a718.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050275.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93859.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050277.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a71a.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050279.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a719.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050280.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '48f9385a.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050282.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a71b.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050283.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f9385b.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050284.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a71c.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050285.exe
[DETECTION] Is the TR/QLowZones.S Trojan
[NOTE] The file was moved to '48f9385d.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050286.exe
[DETECTION] Is the TR/QLowZones.S Trojan
[NOTE] The file was moved to '4959a71e.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050287.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f9385c.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050288.exe
[DETECTION] Is the TR/QLowZones.S Trojan
[NOTE] The file was moved to '4959a71d.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050289.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f9385e.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050290.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f9385f.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050291.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a720.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050292.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93861.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050293.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a71f.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050294.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93860.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050295.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a721.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050296.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a722.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050297.exe
[DETECTION] Is the TR/QLowZones.S Trojan
[NOTE] The file was moved to '48f93863.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050298.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a724.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050299.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93862.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050300.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a723.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050301.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93864.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050302.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a725.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050303.dll
[DETECTION] Is the TR/Vundo.dvx.2 Trojan
[NOTE] The file was moved to '48f93865.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050304.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a726.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050305.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93866.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050306.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a727.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050307.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93868.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050308.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93867.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050309.exe
[DETECTION] Is the TR/QLowZones.S Trojan
[NOTE] The file was moved to '4959a728.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050310.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48f93869.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050311.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a72a.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050312.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4959a729.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050314.exe
[DETECTION] Is the TR/Dldr.CWS.gen.2 Trojan
[NOTE] The file was moved to '48c90a14.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050315.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48c90a16.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050317.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48c90a15.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050318.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48c90a17.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050319.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48c90a19.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP185\A0050320.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48c90a1b.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP188\A0050387.dll
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '4959a72c.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP188\A0050392.dll
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '4959a72d.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP188\A0050405.dll
[DETECTION] Is the TR/Monder.tdz Trojan
[NOTE] The file was moved to '48c90a1e.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP188\A0050421.dll
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '4959a72e.qua'!
C:\WINDOWS\system32\bmustc.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '499eaa04.qua'!
C:\WINDOWS\system32\cbXNFWoN.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4981a9fb.qua'!
C:\WINDOWS\system32\cewnrqtx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49a0aa00.qua'!
C:\WINDOWS\system32\cjanseeu.dll
[DETECTION] Is the TR/Monder.tdz Trojan
[NOTE] The file was moved to '498aaa05.qua'!
C:\WINDOWS\system32\eamtynsj.dll
[DETECTION] Is the TR/Monder.plo Trojan
[NOTE] The file was moved to '4996aa06.qua'!
C:\WINDOWS\system32\gfevwryn.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '498eaa0e.qua'!
C:\WINDOWS\system32\hgGayabY.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4970aa10.qua'!
C:\WINDOWS\system32\irgwfy.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4990aa20.qua'!
C:\WINDOWS\system32\kyyuvylt.dll
[DETECTION] Is the TR/Vundo.FUL.5 Trojan
[NOTE] The file was moved to '49a2aa2a.qua'!
C:\WINDOWS\system32\mlJDtsPI.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4973aa21.qua'!
C:\WINDOWS\system32\nnnljgDu.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4997aa2e.qua'!
C:\WINDOWS\system32\ofdkffld.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '498daa2a.qua'!
C:\WINDOWS\system32\qdnpuwbg.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4997aa2c.qua'!
C:\WINDOWS\system32\rqRIxXQH.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497baa3c.qua'!
C:\WINDOWS\system32\urqNeCVp.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '499aaa4a.qua'!
C:\WINDOWS\system32\xxyxuVnn.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49a2aa5c.qua'!
C:\WINDOWS\system32\ardCo18\ardCo182328.exe
[DETECTION] Is the TR/Dldr.VB.caw.4 Trojan
[NOTE] The file was moved to '498daa56.qua'!
C:\WINDOWS\system32\mC02\mC022328.exe
[DETECTION] Is the TR/Dldr.VB.hpv.3 Trojan
[NOTE] The file was moved to '4959aa47.qua'!
C:\WINDOWS\system32\olixds18\olixds182328.exe
[DETECTION] Is the TR/Dldr.VB.eyc.7 Trojan
[NOTE] The file was moved to '4992aa74.qua'!
Begin scan in 'D:\' <RECOVERY>

End of the scan: Sunday, November 23, 2008 11:15
Used time: 1:26:30 Hour(s)

The scan has been done completely.

6487 Scanning directories
420240 Files were scanned
97 viruses and/or unwanted programs were found
4 Files were classified as suspicious:
0 files were deleted
0 files were repaired
101 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
420137 Files not concerned
48802 Archives were scanned
2 Warnings
101 Notes

dont know if that is helpful or not. I will post back with Malware log and a new HJT logg in a sec

**zuxtobeme** · 2008-11-24, 02:50

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 2

11/23/2008 5:45:11 PM
mbam-log-2008-11-23 (17-45-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121615
Time elapsed: 58 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and the HJT logg

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:00 PM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\zuxtobeme.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6439
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" -z -o
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6501 bytes

**Baabiouz** · 2008-11-24, 12:22

Hi

Looks clean, great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide

Malwarebytes' Anti-Malware Scanning Guide
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

**zuxtobeme** · 2008-11-25, 03:05

done

done

done

and

done

Thank you very much for you help. much appreciated. laptop is running flawlessly. now to get some more memory.. since i have all these programs running all the time.

**Baabiouz** · 2008-11-25, 06:10

You're welcome

Thread: Virtumonde help please

Thread Tools

Display

Virtumonde help please

Posting Permissions