help

ken545 · Jan 21, 2011

Give it a few minutes to finish what its doing,

Then shut it down by using the power button, then restart it press F8 and at the menu use your arrow keys and go back up to LAST KNOWN GOOD CONFIGURATION

igy31 · Jan 21, 2011

?????????????????

when i hit F8
LAST KNOWN GOOD CONFIGURATION is not an opptions
i have
launch startup repair
start windown normally

what should i do

ken545 · Jan 21, 2011

Start windows normally

igy31 · Jan 21, 2011

Thank you so much that worked

i did the combo fix and here is the log:

ComboFix 11-01-20.04 - Ian Young 01/21/2011 15:02:44.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6495 [GMT -6:00]
Running from: c:\users\Ian Young\Saved Games\Desktop\ComboFix.exe
Command switches used :: c:\users\Ian Young\Saved Games\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\32788R22FWJFW
c:\32788r22fwjfw\EN-US\cmd.cfxxe.mui
c:\hp\KBD\KbdStub.EXE
c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe
c:\program files (x86)\iTunes\iTunesHelper.exe
c:\program files (x86)\Java\jre1.6.0_03\bin\jusched.exe
c:\program files (x86)\QuickTime\QTTask.exe
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\program files (x86)\whitesmoketoolbar
c:\program files (x86)\whitesmoketoolbar\chrome\content\lib\external.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\lib\vmncode.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\vmncode.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts\defscript.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\jquery.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\scripts.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts\defscript.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts\defscript.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery-1.3.2.min.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery.autocomplete.min.js
c:\program files (x86)\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts\defscript.js
c:\program files (x86)\whitesmoketoolbar\chrome\skin\lib\panels\default\scripts\defscript.js
c:\program files (x86)\whitesmoketoolbar\chrome\skin\lib\panels\gameData.js
c:\program files (x86)\whitesmoketoolbar\components\windowmediator.js
c:\program files (x86)\whitesmoketoolbar\uninstall.exe
c:\program files (x86)\whitesmoketoolbar\whitesmoketoolbar.dll
c:\programdata\Microsoft\Windows\Start Menu\Programs\System Tool
c:\programdata\Microsoft\Windows\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\programdata\V7IFM37E.exe
c:\programdata\vlc-1.0.0-win32.exe
c:\programdata\vlc-1.0.1-win32.exe
c:\programdata\vlc-1.0.3-win32.exe
c:\users\Ian Young\AppData\Roaming\Adobe\AdobeUpdate .exe
c:\users\Ian Young\AppData\Roaming\sdhkryu.bat
C:\whtsmk.exe
c:\windows\system32\FastUv32.dll
c:\windows\system32\jusched.exe
c:\windows\SysWow64\audition.dll
c:\windows\SysWow64\FastUv32.dll
c:\windows\SysWow64\jusched.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job

Code:

 <pre>
c:\hp\KBD\KbdStub .exe --->c:\hp\KBD\KbdStub.exe
c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl .exe --->c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe --->c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth .exe --->c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler .exe --->c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
</pre>

.
.
((((((((((((((((((((((((( Files Created from 2010-12-21 to 2011-01-21 )))))))))))))))))))))))))))))))
.

2011-01-21 21:12 . 2011-01-21 21:12 -------- d-----w- c:\users\Ian Young\AppData\Local\temp
2011-01-21 21:12 . 2011-01-21 21:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-21 15:44 . 2011-01-21 16:27 -------- d-----w- c:\users\Ian Young\AppData\Local\Temp(21)
2011-01-20 22:10 . 2011-01-20 22:10 -------- d-----w- C:\_OTL
2011-01-17 14:47 . 2011-01-17 14:53 34560 ----a-w- c:\windows\SysWow64\drivers\Normandy.sys
2011-01-02 05:23 . 2011-01-02 05:23 -------- d-----w- c:\program files (x86)\ERUNT
2011-01-02 05:02 . 2010-11-02 06:29 660760 ----a-w- c:\program files\Internet Explorer\iexplore.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 22:13 . 2010-11-11 15:15 0 ----a-w- c:\users\Ian Young\AppData\Local\Cmetuxeg.bin
2009-03-16 19:36 . 2009-03-16 19:36 1691464 ----a-w- c:\program files\dsetup32.dll
2009-03-16 19:35 . 2009-03-16 19:35 525128 ----a-w- c:\program files\DXSETUP.exe
2009-03-16 19:35 . 2009-03-16 19:35 94024 ----a-w- c:\program files\DSETUP.dll
.

Code:

<pre>
c:\program files (x86)\HP\HP Software Update\HPWuSchd2 .exe
c:\program files (x86)\iTunes\iTunesHelper .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f999a48b-1950-4d81-9971-79018f807b4b}]
2010-10-18 10:26 3908192 ----a-w- c:\program files (x86)\FreeOnlineRadioPlayerRecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "c:\program files (x86)\FreeOnlineRadioPlayerRecorder\tbFre0.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Weather"="c:\program files (x86)\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"AROReminder"="c:\program files (x86)\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-20 1242448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask .exe -atboottime" [X]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_03\bin\jusched.exe" [N/A]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [N/A]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-30 231888]

c:\users\Ian Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 136176]
R2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2009-06-11 35840]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 Normandy;Normandy SR2; [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-04-29 335288]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-04 1686528]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2008-06-09 459776]

.
Contents of the 'Scheduled Tasks' folder

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 19:55]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 19:55]

2011-01-21 c:\windows\Tasks\User_Feed_Synchronization-{2B569909-EA70-4117-81A1-F0AA99D8121D}.job
- c:\windows\system32\msfeedssync.exe [2011-01-02 04:25]
.

--------- x86-64 -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 203288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 167448]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-11 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 16141344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 82464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://photos1.walmart.com/WalmartActivia3.cab
FF - ProfilePath - c:\users\Ian Young\AppData\Roaming\Mozilla\Firefox\Profiles\ocaw0gfp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2737658&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=288
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FreeOnlineRadioPlayerRecorder Toolbar: {f999a48b-1950-4d81-9971-79018f807b4b} - %profile%\extensions\{f999a48b-1950-4d81-9971-79018f807b4b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: MediaBar: {E84D42CA-64EB-11DE-A65F-8C3656D89593} - %profile%\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{F999A48B-1950-4D81-9971-79018F807B4B} - (no file)

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,ce,b1,6b,19,6e,d1,49,9c,38,11,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,ce,b1,6b,19,6e,d1,49,9c,38,11,\

[HKEY_USERS\S-1-5-21-2015652920-1189781164-2704344669-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:f2,29,d3,52,f6,70,cc,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-21 15:14:09
ComboFix-quarantined-files.txt 2011-01-21 21:14
ComboFix2.txt 2011-01-21 15:44

Pre-Run: 379,807,338,496 bytes free
Post-Run: 379,759,349,760 bytes free

- - End Of File - - 2FF361540F76C7FFC8B1A169E24795C1

ken545 · Jan 21, 2011

Hi,

Great, please understand that your system was heavily infected, this can cause all sorts of problems.

Hate to do this to you again but we need to run these through Combofix and see if it can repair them

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::

Code:

RenV::
C:\hp\KBD\KbdStub .exe
c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth .exe
c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler .exe
c:\program files (x86)\HP\HP Software Update\HPWuSchd2 .exe
c:\program files (x86)\iTunes\iTunesHelper .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

igy31 · Jan 21, 2011

heres fix two

ComboFix 11-01-20.04 - Ian Young 01/21/2011 16:33:20.2.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6142 [GMT -6:00]
Running from: c:\users\Ian Young\Saved Games\Desktop\ComboFix.exe
Command switches used :: c:\users\Ian Young\Saved Games\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-21 to 2011-01-21 )))))))))))))))))))))))))))))))
.

2011-01-21 22:37 . 2011-01-21 22:37 -------- d-----w- c:\users\Ian Young\AppData\Local\temp
2011-01-21 22:37 . 2011-01-21 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-21 15:44 . 2011-01-21 16:27 -------- d-----w- c:\users\Ian Young\AppData\Local\Temp(21)
2011-01-20 22:10 . 2011-01-20 22:10 -------- d-----w- C:\_OTL
2011-01-17 14:47 . 2011-01-17 14:53 34560 ----a-w- c:\windows\SysWow64\drivers\Normandy.sys
2011-01-02 05:23 . 2011-01-02 05:23 -------- d-----w- c:\program files (x86)\ERUNT
2011-01-02 05:02 . 2010-11-02 06:29 660760 ----a-w- c:\program files\Internet Explorer\iexplore.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 22:13 . 2010-11-11 15:15 0 ----a-w- c:\users\Ian Young\AppData\Local\Cmetuxeg.bin
2009-03-16 19:36 . 2009-03-16 19:36 1691464 ----a-w- c:\program files\dsetup32.dll
2009-03-16 19:35 . 2009-03-16 19:35 525128 ----a-w- c:\program files\DXSETUP.exe
2009-03-16 19:35 . 2009-03-16 19:35 94024 ----a-w- c:\program files\DSETUP.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f999a48b-1950-4d81-9971-79018f807b4b}]
2010-10-18 10:26 3908192 ----a-w- c:\program files (x86)\FreeOnlineRadioPlayerRecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "c:\program files (x86)\FreeOnlineRadioPlayerRecorder\tbFre0.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Weather"="c:\program files (x86)\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"AROReminder"="c:\program files (x86)\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-20 1242448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask .exe -atboottime" [X]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-30 231888]

c:\users\Ian Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 136176]
R2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2009-06-11 35840]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 Normandy;Normandy SR2; [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-04-29 335288]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-04 1686528]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2008-06-09 459776]

.
Contents of the 'Scheduled Tasks' folder

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 19:55]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-12 19:55]

2011-01-21 c:\windows\Tasks\User_Feed_Synchronization-{2B569909-EA70-4117-81A1-F0AA99D8121D}.job
- c:\windows\system32\msfeedssync.exe [2011-01-02 04:25]
.

--------- x86-64 -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 203288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 167448]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-11 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 16141344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 82464]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://photos1.walmart.com/WalmartActivia3.cab
FF - ProfilePath - c:\users\Ian Young\AppData\Roaming\Mozilla\Firefox\Profiles\ocaw0gfp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2737658&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=288
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FreeOnlineRadioPlayerRecorder Toolbar: {f999a48b-1950-4d81-9971-79018f807b4b} - %profile%\extensions\{f999a48b-1950-4d81-9971-79018f807b4b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: MediaBar: {E84D42CA-64EB-11DE-A65F-8C3656D89593} - %profile%\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre1.6.0_03\bin\jusched.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{F999A48B-1950-4D81-9971-79018F807B4B} - (no file)

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,ce,b1,6b,19,6e,d1,49,9c,38,11,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,ce,b1,6b,19,6e,d1,49,9c,38,11,\

[HKEY_USERS\S-1-5-21-2015652920-1189781164-2704344669-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:f2,29,d3,52,f6,70,cc,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-01-21 16:39:18
ComboFix-quarantined-files.txt 2011-01-21 22:39
ComboFix2.txt 2011-01-21 21:14
ComboFix3.txt 2011-01-21 15:44

Pre-Run: 379,290,836,992 bytes free
Post-Run: 379,251,830,784 bytes free

- - End Of File - - C5F19E255FBA94FC7008359FD4A88C28

ken545 · Jan 22, 2011

Looking good, the programs that where infected with the Vundo File Infector appear to have been fixed

Please run this free online virus scanner from ESET

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Post the log and let me know how your system is behaving now ?

igy31 · Jan 22, 2011

here the log

it took almost 2 hours...is that normal?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=3a1f2b46add93a4ea85b0b0b9184ef6c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-22 02:26:24
# local_time=2011-01-21 08:26:24 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 56 5449766 132255665 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=311148
# found=44
# cleaned=44
# scan_time=6224
C:\Program Files (x86)\Vuze\.install4j\i4j_extf_8_5p83tu.exe a variant of Win32/AdInstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\whtsmk.exe.vir a variant of Win32/TrojanDownloader.Agent.QLI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\hp\KBD\KbdStub.EXE.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\iTunes\iTunesHelper.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files (x86)\QuickTime\QTTask.exe.vir a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\SysWOW64\audition.dll.vir a variant of Win32/Kryptik.ICS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\SysWOW64\FastUv32.dll.vir a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\clean sheets endo.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\Earshot - Headstrong.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\feel ear shot.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\rape otep.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\remember us endo.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 1\1\wait ear shot.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 2\epidemic.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 2\Pillar - Epidemic.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\CARSON 2\Shifty 250 - (03) The Covenant (we gone die) .mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\lime wire\8-9-08\Compilation - Ashes Divide - The stone.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\lime wire\8-9-08\them vs you.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\lime wire 7-18-08\another black day sexy girl has shaking orgasm during sex.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Music\Ian's Music\lime wire 7-18-08\i smell sex nirvana.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Ian Young\Vuze\.install4j\i4j_extf_8_5p83tu.exe a variant of Win32/AdInstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\254ea809.msi a variant of Win32/AdInstaller application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\MSASCui.exe a variant of Win32/Kryptik.ICF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\pw.exe a variant of Win32/Kryptik.ICF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\01202011_161052\C_Program Files (x86)\DNA\btdna.exe a variant of Win32/Kryptik.JGL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Vuze\.install4j\i4j_extf_8_5p83tu.exe a variant of Win32/AdInstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\clean sheets endo.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\Earshot - Headstrong.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\feel ear shot.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\rape otep.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\remember us endo.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 1\1\wait ear shot.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 2\epidemic.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 2\Pillar - Epidemic.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\CARSON 2\Shifty 250 - (03) The Covenant (we gone die) .mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\lime wire\8-9-08\Compilation - Ashes Divide - The stone.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\lime wire\8-9-08\them vs you.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\lime wire 7-18-08\another black day sexy girl has shaking orgasm during sex.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
G:\Ian's Music\lime wire 7-18-08\i smell sex nirvana.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545 · Jan 22, 2011

Hi,

I have seen ESET take a half hour and I have seen it take all day, depends on your system.

Most of what it found where back ups of what Combofix removed, we will address that in a bit.

It also found infected copies of music you downloaded , some illegally :sad:

You need to stay away from any File Sharing , your downloading that file from an unknown source, malware writers are in tune to this and using File Sharing to infect your computer.

Advanced Registry Optimizer <--You need to stay away from Registry Cleaners also unless your a windows expert and know exactly what there removing, even the better ones make mistakes at time. Remove unwanted items and you will see no difference in system performance, remove the wrong entry or entries and you can make your system unbootable. You can uninstall it via Programs and Features in the Control Panel.

How are things running now ?

igy31 · Jan 22, 2011

much better

:laugh:
my computer is running much better…thank you…..it boots up in under a min, the 20 windows that said something not working after it buts up are not there anymore, and the internet seems to be running much better….I have some external hard drives I back my computer up on, should I reformat those? it's been a few months since I moved stuff over. I'm taking your hints and staying away from peer to peer anything… is a site called Bear share peer to peer/legal? My fiancé is a dance teacher and needs to be able to down load music…I will wait for the CD…..what would you recommend

also I asked you to make me a believer in this site, and you have…I will recommend this site to everyone and expect some type of gift from me….thank you so much

ken545 · Jan 22, 2011

Hi,

Bear Share in a P2P site, not recommended. Not to worry about Limewire, a judge shut them down a few months ago.

As far as your fiance needing music, you can download music legitimately, you can even download them from Walmart for a small cost
http://mp3.walmart.com/store/home
http://www.buy.com/dept/Music_CDs_/109.html
http://www.apple.com/itunes/affiliates/download/

If you can it would be a good idea to format the other external drives

Keep Java up to date
Download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Open up OTL and click on Cleanup and it will remove the tools we used to clean your systems along with there back ups. Qoobox will be removed

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Safe Surfn
Ken

ken545 · Jan 25, 2011

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

help

ken545

Emeritus-Security Expert

igy31

New member

ken545

Emeritus-Security Expert

igy31

New member

ken545

Emeritus-Security Expert

igy31

New member

ken545

Emeritus-Security Expert

igy31

New member

ken545

Emeritus-Security Expert

igy31

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert