Cant get spybot running in vista

S

sauce73

New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:08 AM, on 11/1/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Defender Pro Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vamufukewe] Rundll32.exe "dajidomu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL huzisopo.dll avgrsstx.dll c:\windows\system32\rahupeke.dll
O21 - SSODL: bohifirib - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Defender Pro - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Defender Pro S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 6741 bytes

Malwarebytes remove 55 trojans and malware before I got this far. I had not written in this forum yet but if its usefull I still have the logfile from malewarebyte. Just let me know and Ill post it. Thanks

I Have tried to remove the stuff myself and failed miserably. I have managed to pull 55 trojans from the computer but I still have something on there preventing spybot from installing and running properly. All I can get the scr. file to do is update the machine. I have tried malewarebytes, avg, and hitman pro. I had to remove the hard drive and scan it with another just to be able to get malewarebytes to scan it. Before the taskbar and everything was gone. Now its back but I cant uninstall avg for some reason and I cant get spybot to install( it always says sd.exe read only file). Here is the log from when I ran malewarebytes if it helps. Thanks


Malwarebytes' Anti-Malware 1.41
Database version: 3074
Windows 6.0.6001 Service Pack 1 (Safe Mode)

11/1/2009 2:45:21 AM
mbam-log-2009-11-01 (02-45-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 214644
Time elapsed: 19 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 8
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkycrcnqptv (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gojofivur (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gojofivur (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vamufukewe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe tftp.nfo beforegllav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\17758084 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024485.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024486.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024491.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024492.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024493.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024494.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024495.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024496.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024497.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024498.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024499.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024500.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024501.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024502.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024503.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024504.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024505.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024506.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024507.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024508.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024509.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024510.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024511.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024512.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024513.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024514.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024515.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024516.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEFD736B-8783-497C-8F9A-9D7C0635664B}\RP288\A0024517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nelonezi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\reranavu.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Windows\System32\vabofoka.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\17758084\17758084 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\17758084\pc17758084ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\System32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Windows\System32\hivofupi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\niyihifi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyexevxepp.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyjtjbrudx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
 
Last edited by a moderator:
Hello sauce73

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Sorry for the delay, the forums are very busy. Your infected with a Rootkit, we need to run Combofix renamed or it won't run.


Its important that you follow these instructions and rename Combofix as this Rootkit infection will stop it from running if its not renamed.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
I have managed to disable spybot and avg but not defender pro antivirus and cant find where to disable it at. I checked in services and processes and cant find it running. When I tried to start combofix it said defender pro antivirus running , please disable scanner
 
I have now even managed to uninstall defender pro 5-1 and it still says its running. I will not do anything else till u tell me. Thanks
 
Hi,

If you don't have the Run Command on the Start Menu you can add it like this

1. Right click on the Vista start menu and click Properties.
2. In the properties window select the Start Menu tab and click Customize.
3. Scroll down and tick the box to the side of Run Command. Click OK and now you can see Run Command in the start menu.

Go to Start> Run > and Type in services.msc and hit enter. Then look for defender pro , right click on it and select Properties and on the Startup type, change it to disabled
 
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Defender Pro - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Defender Pro S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


Try Combofix again and if it still gives you issues then run it in Safemode


  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
 
I cant find those files to fix. Here is the log from hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:23 AM, on 11/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\cyrus\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [vamufukewe] Rundll32.exe "dajidomu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [inixs] C:\Windows\system32\minix32.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL huzisopo.dll avgrsstx.dll c:\windows\system32\rahupeke.dll
O21 - SSODL: bohifirib - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5401 bytes
 
Go ahead and Run Combofix, run it in Safemode if it won't let you run it in normal windows
 
ok here is the combofix log then the hijack log
ComboFix 09-11-05.05 - cyrus 11/06/2009 7:11.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1015 [GMT -5:00]
Running from: c:\users\cyrus\Desktop\wtg.exe
AV: Defender Pro Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: Defender Pro Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1030263071-3691112099-3180659711-500
c:\$recycle.bin\S-1-5-21-2760852498-2543259003-1422614318-1000
c:\$recycle.bin\S-1-5-21-394663650-3959817544-126125822-500

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 12:18 . 2009-11-06 12:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-06 12:18 . 2009-11-06 12:18 -------- d-----w- c:\users\bob\AppData\Local\temp
2009-11-06 12:18 . 2009-11-06 13:04 -------- d-----w- c:\users\cyrus\AppData\Local\temp
2009-11-05 15:42 . 2009-11-05 15:42 -------- d-----w- C:\found.000
2009-11-01 11:45 . 2009-11-01 11:45 4096 d-----w- c:\program files\ERUNT
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\ca-ES
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\eu-ES
2009-11-01 10:34 . 2009-11-01 10:36 -------- d-----w- c:\windows\system32\vi-VN
2009-11-01 10:21 . 2009-11-01 10:21 -------- d-----w- c:\windows\system32\EventProviders
2009-11-01 10:14 . 2009-11-05 13:20 81984 ----a-w- c:\windows\system32\bdod.bin
2009-11-01 10:04 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 10:00 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-01 09:57 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-01 09:57 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-01 09:32 . 2009-11-01 09:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 07:23 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 07:23 . 2009-11-01 07:23 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 07:23 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 06:49 . 2009-11-01 06:49 -------- d-----w- c:\users\cyrus\AppData\Local\Adobe
2009-11-01 05:35 . 2009-11-01 07:22 12800 ----a-w- c:\windows\system32\bootdelete.exe
2009-11-01 04:33 . 2009-11-06 12:09 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-10-31 03:12 . 2009-10-31 03:12 12288 d-----w- C:\$AVG8.VAULT$
2009-10-30 14:10 . 2009-10-30 14:10 -------- d-----w- c:\users\cyrus\AppData\Roaming\Malwarebytes
2009-10-30 14:10 . 2009-10-30 14:10 -------- d-----w- c:\programdata\Malwarebytes
2009-10-28 11:49 . 2009-11-01 08:02 680 ----a-w- c:\users\cyrus\AppData\Local\d3d9caps.dat
2009-10-28 11:44 . 2009-11-01 07:22 4096 d-----w- c:\programdata\Hitman Pro
2009-10-28 11:44 . 2009-10-28 11:44 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-10-26 11:45 . 2009-10-30 11:58 70176 ----a-w- c:\users\cyrus\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-25 16:44 . 2009-10-25 16:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 16:43 . 2009-10-25 16:43 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 16:43 . 2009-10-25 16:43 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 16:43 . 2009-10-25 16:43 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 16:43 . 2009-11-01 09:27 4096 d-----w- c:\windows\system32\drivers\Avg
2009-10-25 16:43 . 2009-11-01 11:16 4096 d-----w- c:\programdata\avg8
2009-10-25 15:59 . 2009-10-25 15:59 -------- d-sh--w- c:\windows\system32\%APPDATA%
2009-10-25 15:46 . 2009-10-25 16:46 4096 d-----w- c:\programdata\AVG Security Toolbar
2009-10-25 15:22 . 2009-10-25 16:30 680 ----a-w- c:\users\bob\AppData\Local\d3d9caps.dat
2009-10-25 15:11 . 2009-10-25 15:11 -------- d-----w- c:\program files\AVG
2009-10-25 15:07 . 2009-11-01 11:04 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-25 15:07 . 2009-11-01 10:59 8192 d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 14:05 . 2009-07-25 19:00 4096 d-----w- c:\program files\Common Files\BitDefender
2009-11-01 11:43 . 2008-09-05 00:48 -------- d-----w- c:\programdata\NVIDIA
2009-11-01 10:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-01 10:37 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-11-01 10:37 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-11-01 10:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-01 09:31 . 2008-09-05 01:05 -------- d-----w- c:\program files\Java
2009-10-30 13:41 . 2009-07-30 13:40 1054752 --sha-w- c:\windows\system32\mijinube.exe
2009-10-30 11:54 . 2008-09-05 00:37 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 11:54 . 2008-09-05 00:37 -------- d-----w- c:\program files\profile
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-10-02 01:22 . 2009-10-02 01:22 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbD1E0.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-23 00:59 . 2009-09-23 00:59 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb7E24.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-21 16:10 . 2009-09-21 16:10 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb1B7B.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-20 13:46 . 2009-09-20 13:46 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-19 20:25 . 2009-09-19 20:25 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb5A10.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 16:56 . 2009-09-18 16:56 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb9770.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-18 02:14 . 2009-09-18 02:14 471664 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb2FE5.tmp.exe
2009-09-16 16:11 . 2009-09-16 16:11 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb4D44.tmp.exe
2009-09-16 16:11 . 2009-09-16 16:11 471664 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb4D44.tmp.exe
2009-07-25 15:59 . 2009-07-25 15:59 10240 --sha-w- c:\windows\System32\mapopabe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-19 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-19 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"combofix"="c:\wtg\CF12156.exe" [2009-11-06 318976]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-19 6244896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):bd,cf,30,45,e0,5a,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1030263071-3691112099-3180659711-1001]
"EnableNotifications\\Ref"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/25/2009 11:43 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/25/2009 11:43 AM 108552]
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [6/12/2009 4:08 AM 12800]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [10/11/2006 2:18 AM 24576]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [6/12/2009 4:07 AM 628584]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [6/12/2009 4:07 AM 628584]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/1/2009 5:57 AM 1153368]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [9/4/2008 8:07 PM 43552]
S3 GoogleDesktopManager-071508-051939;Google Desktop Manager 5.7.807.15159;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/25/2009 11:43 AM 906520]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/25/2009 11:43 AM 298776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job
- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2009-10-28 15:45]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{88B7284F-FA8A-4263-B5C9-6C34C08FD7BF}.job
- c:\windows\system32\msfeedssync.exe [2009-11-01 03:41]
.
.
------- Supplementary Scan -------
.
uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-inixs - c:\windows\system32\minix32.exe
SharedTaskScheduler-{b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll
SSODL-bohifirib-{b6a16664-f04a-4a0c-9fc1-97a968d84934} - c:\windows\system32\rahupeke.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 08:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,68,4e,9c,62,a9,a6,49,a3,61,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,68,4e,9c,62,a9,a6,49,a3,61,8f,\

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-11-06 8:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 13:07

Pre-Run: 44,223,422,464 bytes free
Post-Run: 43,753,533,440 bytes free

- - End Of File - - D06637684717AA440D9DC516DC68450A
now the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:47 AM, on 11/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\cyrus\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.807.15159 (GoogleDesktopManager-071508-051939) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4026 bytes
Whats the next step? Thanks
 
Hi,

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE


c:\windows\system32\mijinube.exe <--Delete this file, let me know if it would not delete





Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtbE984.tmp.exe







Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Here is the virus report


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.09 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.09 -
Antiy-AVL 2.0.3.7 2009.11.09 -
Authentium 5.2.0.5 2009.11.08 -
Avast 4.8.1351.0 2009.11.08 -
AVG 8.5.0.423 2009.11.09 -
BitDefender 7.2 2009.11.09 -
CAT-QuickHeal 10.00 2009.11.09 -
ClamAV 0.94.1 2009.11.09 -
Comodo 2895 2009.11.09 -
DrWeb 5.0.0.12182 2009.11.09 -
eSafe 7.0.17.0 2009.11.08 -
eTrust-Vet 35.1.7111 2009.11.09 -
F-Prot 4.5.1.85 2009.11.08 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.09 -
GData 19 2009.11.09 -
Ikarus T3.1.1.74.0 2009.11.09 -
Jiangmin 11.0.800 2009.11.09 -
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.09 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.09 -
Microsoft 1.5202 2009.11.09 -
NOD32 4587 2009.11.09 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.09 -
Panda 10.0.2.2 2009.11.08 -
PCTools 7.0.3.5 2009.11.09 -
Prevx 3.0 2009.11.09 -
Rising 22.21.00.08 2009.11.09 -
Sophos 4.47.0 2009.11.09 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.09 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.09 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.9.2027 2009.11.09 -
VirusBuster 4.6.5.0 2009.11.08 -
Additional information
File size: 471664 bytes
MD5...: 71338bab3fc015cd4a10bc25858b1785
SHA1..: 556028afb0ef67001660b98a734da6c8bae8ecff
SHA256: 2f85eaa53efeceb338a02a419a2aa260b8de24d130fe92dff78dc8da0a57f76d
ssdeep: 6144:0fvHASFf8w+gajkHjnb8OLXxYsRxFbrxd8QZQ6vvKrBeWIY4Afy08npBNq:
0XbFf8wPaanbXFJZd8QZFvG0WIYzoq

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x29271
timedatestamp.....: 0x4a57e684 (Sat Jul 11 01:10:28 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3dbed 0x3dc00 6.66 12b14fc0189bc6e23c6c171b6f2d1650
.rdata 0x3f000 0xca18 0xcc00 4.90 18ab01311b0d973315e9274cb0b2bc17
.data 0x4c000 0xbb88 0x2000 4.11 9ded777a187febde17623bd3ed7bdbe0
.rsrc 0x58000 0x206bc 0x20800 5.87 3a5cd4261dc21d723fd0689a4570d9da
.reloc 0x79000 0x461e 0x4800 5.04 03837c480fba9935b8762157780fdd34

( 15 imports )
> KERNEL32.dll: WriteConsoleA, SetStdHandle, SetFilePointer, GetStringTypeW, GetStringTypeA, GetConsoleOutputCP, WriteConsoleW, SetEndOfFile, CreateFileA, CompareStringA, HeapCreate, MapViewOfFileEx, DuplicateHandle, WaitForMultipleObjects, SetThreadPriority, OpenProcess, ResumeThread, SetEvent, ResetEvent, CreateEventW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, CreateFileW, GetLastError, LoadLibraryExW, lstrlenW, LeaveCriticalSection, EnterCriticalSection, GetModuleHandleA, GetCurrentThreadId, FindResourceExW, FindResourceW, GetExitCodeProcess, LoadResource, WaitForSingleObject, LockResource, CompareStringW, SizeofResource, FreeLibrary, RaiseException, GetVersion, GetCurrentProcess, GetProcAddress, DeleteCriticalSection, GetModuleFileNameW, MultiByteToWideChar, InitializeCriticalSection, SetLastError, InterlockedExchange, Sleep, FlushInstructionCache, CloseHandle, InterlockedDecrement, LoadLibraryW, CreateProcessW, OutputDebugStringA, LoadLibraryA, InterlockedIncrement, GetModuleHandleW, GetCommandLineW, lstrcmpiW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetCommandLineA, GetEnvironmentStringsW, ExitProcess, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, GetOEMCP, GetCPInfo, LCMapStringA, RtlUnwind, VirtualQuery, VirtualProtect, GetStartupInfoW, CreateThread, ExitThread, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, GetThreadLocale, GetLocaleInfoA, GetACP, GetVersionExA, GetProcessHeap, HeapSize, HeapReAlloc, SetEnvironmentVariableA, GetFileAttributesW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, ProcessIdToSessionId, GetCurrentProcessId, GetTempFileNameW, GetFileAttributesExW, GetFileSizeEx, ReadFile, WriteFile, MoveFileExW, LCMapStringW, WideCharToMultiByte, DeleteFileW, GetVersionExW, GetSystemInfo, GetTickCount, SetThreadLocale, GetUserDefaultUILanguage, LocalAlloc, LocalFree, VerSetConditionMask, VerifyVersionInfoW, GetSystemTimeAsFileTime, Process32NextW, CreateToolhelp32Snapshot, Process32FirstW, TerminateProcess, InterlockedCompareExchange, ReleaseMutex, OpenEventW, CreateMutexW, CopyFileW, FindFirstFileW, FindNextFileW, FindClose, GetTempPathW, FormatMessageW, EnumResourceNamesW, EnumResourceLanguagesW, HeapDestroy, HeapAlloc, HeapFree, GetStdHandle
> USER32.dll: SetWindowRgn, DefWindowProcW, UnregisterClassA, MessageBoxIndirectW, GetActiveWindow, DialogBoxParamW, SetWindowLongW, CharNextW, DestroyWindow, SystemParametersInfoW, GetWindow, GetDlgItem, GetWindowLongW, SetTimer, EnableWindow, SetDlgItemTextW, EndDialog, SendMessageW, GetSystemMetrics, SetWindowPos, MapWindowPoints, GetClientRect, GetParent, GetWindowRect, LoadCursorW, GetClassInfoExW, RegisterClassExW, CallWindowProcW, GetClassNameW, BringWindowToTop, CreateWindowExW, MessageBoxW, PostMessageW, EnumChildWindows, FindWindowExW, IsWindowVisible, GetWindowThreadProcessId, IsWindowEnabled, RegisterClassW, LoadImageW, BeginPaint, EndPaint, IsWindow
> VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
> urlmon.dll: CreateAsyncBindCtx, CreateURLMonikerEx, RegisterBindStatusCallback
> WINTRUST.dll: WinVerifyTrust
> ADVAPI32.dll: CryptVerifySignatureW, CryptHashData, CryptCreateHash, CryptAcquireContextW, RegNotifyChangeKeyValue, ConvertSidToStringSidW, SetSecurityDescriptorOwner, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSidSubAuthorityCount, GetSidIdentifierAuthority, SetSecurityDescriptorGroup, IsValidSid, CopySid, GetSidLengthRequired, InitializeSid, GetLengthSid, GetSecurityDescriptorLength, GetSecurityDescriptorControl, MakeSelfRelativeSD, MakeAbsoluteSD, GetSecurityDescriptorDacl, GetAce, InitializeSecurityDescriptor, GetAclInformation, InitializeAcl, AddAce, SetSecurityDescriptorDacl, GetSidSubAuthority, GetSecurityDescriptorOwner, RegFlushKey, GetSecurityDescriptorGroup, GetSecurityDescriptorSacl, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, RegEnumValueW, RegQueryValueExW, CryptDestroyHash, CryptDestroyKey, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, OpenProcessToken, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey
> ole32.dll: CoInitialize, CoTaskMemFree, CoCreateInstance, CoTaskMemAlloc, StringFromGUID2, CLSIDFromProgID, CoInitializeEx, CoCreateGuid, OleRun, CoUninitialize, CoTaskMemRealloc
> SHELL32.dll: ShellExecuteExW, SHGetFolderPathW, -
> OLEAUT32.dll: -, -, -, -
> SHLWAPI.dll: PathIsDirectoryW, PathAppendW, SHSetValueW, SHDeleteValueW, SHGetValueW, PathCombineW, StrCatBuffA, PathCanonicalizeW, PathFileExistsW
> GDI32.dll: CreateRectRgn
> USERENV.dll: UnloadUserProfile
> CRYPT32.dll: CertCreateContext, CryptImportPublicKeyInfo, CertEnumCertificatesInStore, CryptQueryObject, CertNameToStrW, CertFreeCertificateContext, CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CertGetNameStringW, CertFreeCertificateChain, CertGetCertificateChain
> msi.dll: -, -, -
> WININET.dll: InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile, HttpQueryInfoW

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: Google Inc.
copyright....: Copyright (c) 2000-2008
product......: Google Toolbar for Internet Explorer
description..: Google Toolbar Installer
original name: GoogleToolbarInstaller.exe
internal name: GoogleToolbarInstaller
file version.: 6, 2, 1910, 1554
comments.....: n/a
signers......: Google Inc
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 2:16 AM 7/11/2009
verified.....: -

and here is the virus scan

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=81afef54a715844b966bf3f613536160
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-09 12:49:22
# local_time=2009-11-09 07:49:22 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 364549 364549 0 0
# compatibility_mode=2049 16777214 0 5 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94377166 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=125089
# found=0
# cleaned=0
# scan_time=1323


Thankyou and what is the next step?
 
I cant seem to log in to the forum on this computer still. It says thankyou for logging in automatically redirect and then it logs out I guess. Should I go ahead and reinstall spybot and avg? Anything else? Thanks
 
It says thankyou for logging in automatically redirect <--Is it redirecting you to another site ? Are you using the correct username and password?

Could you explain this please??
 
Sounds like you may not have cookies enabled. Open IE and go to Tools > Internet Options > Privacy and make sure the slider for cookies is set to at least minimum or less for now

It also sounds like you are not putting in the correct password
 
Ok, Ill try that and when I tried to uninstall spybot and reinstall I got the same read only, cant execute spybot.exe error.
 
Open up IE and go to Tools > Internet Options> General Tab and delete all your Browsing History. Then go to the Advanced Tab and click on Reset Internet Explorer Setting > Reset.....let it do its thing, then x your way out , close IE, restart it and see if you can log in.




Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code: 
:Processes
explorer.exe

:Services

:Reg

:Files
C:\Program Files\Spybot - Search & Destroy


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Then download a new copy and install it
http://www.safer-networking.org/en/home/index.html

Let me know if any of this helped
 
Still no luck logging in. As soon as it says "thanks for logging in , page will redirect" , I redirect not logged in. I also still cant seem to download anything. I click save file and try to dave to desktop and then it starts saving and completes. When I go back to the desktop its not there. So I do a search for the file and still cant find it. If I try to run instead of save it still acts like its working and then just quits.
 
You must log in or register to reply here.
Back
Top