gypsyhowl

Members
  • Posts: 16
  • Joined
  • Last visited

Everything posted by gypsyhowl

  1. Thank you very much, Miekiemoes, for all your help and the link to Toshiba. I will address these issues there. Have a great weekend and be well.
  2. Here is my Malwarebytes log from before I ran ComboFix. I also tried the steps for obtaining DNS automatically, and it did not work. My main problem is that I cannot get online with IE or Firefox. Also, when the system restarts it states that the 'card reader' cannot be found. I'm not sure what that is, or what to do about it either.

     ********************

     Malwarebytes' Anti-Malware 1.34
     Database version: 1749
     Windows 6.0.6001 Service Pack 1

     11/25/2009 4:17:05 PM
     mbam-log-2009-11-25 (16-17-05).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 243488
     Time elapsed: 4 hour(s), 19 minute(s), 54 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 13
     Registry Values Infected: 2
     Registry Data Items Infected: 0
     Folders Infected: 1
     Files Infected: 3

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\seekeen (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     C:\Program Files\Seekeen (Trojan.Agent) -> Quarantined and deleted successfully.

     Files Infected:
     C:\Users\surferboi\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully.
     C:\Program Files\Seekeen\home.js (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Program Files\Seekeen\uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  3. *********

     OK, here is my ComboFix.txt. Also, I believe I did set that one, per something I googled a while ago; too much was going on and I was getting confused, so I came here to this forum, and just this forum. Thank you for your help.

     *********

     ComboFix 09-12-02.05 - surferboi 12/02/2009 18:05.1.2 - x86 Microsoft
  4. I have tried everything I could think of, from running Malwarebytes to DNS flushing, and still I cannot access the internet with a laptop that is otherwise working, not with IE or Firefox. I ran Malwarebytes with fairly recent updates and had 11 infections, which it fixed for me, but I still cannot get online to update the definitions or to do anything else. I have a HijackThis log, plus the Malwarebytes log, but will only give you the HijackThis log for now unless you need the other as well. I do not recognize some of these programs (this is a friend's computer), so I don't know if they are causing this. If I am in the wrong forum, I apologize; I didn't know where else to go. Thank you for your help.

     Diane

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 10:26:33 PM, on 11/25/2009
     Platform: Windows Vista SP1 (WinNT 6.00.1905)
     MSIE: Internet Explorer v8.00 (8.00.6001.18828)
     Boot mode: Normal

     Running processes:
     C:\Windows\system32\taskeng.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     C:\Windows\RtHDVCpl.exe
     C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
     C:\Program Files\Toshiba\SmoothView\SmoothView.exe
     C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
     C:\Program Files\Windows Defender\MSASCui.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
     C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
     C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
     C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Zune\ZuneLauncher.exe
     C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
     C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\PowerISO\PWRISOVM.EXE
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
     C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
     C:\Windows\ehome\ehtray.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Windows Media Player\wmpnscfg.exe
     C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
     C:\Windows\ehome\ehmsas.exe
     C:\Program Files\ActivIdentity\ActivClient\acevents.exe
     C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
     C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
     C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
     C:\Windows\system32\wuauclt.exe
     C:\Users\surferboi\Desktop\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O1 - Hosts: ::1 localhost
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
     O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
     O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
     O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
     O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
     O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
     O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
     O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
     O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
     O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
     O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
     O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
     O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
     O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
     O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
     O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
     O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
     O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
     O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
     O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
     O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
     O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
     O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
     O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
     O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
     O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
     O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
     O4 - Startup: Epson all-in-one Registration.lnk = D:\Common\EpsonReg\EPS2.exe
     O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
     O13 - Gopher Prefix:
     O17 - HKLM\System\CCS\Services\Tcpip\..\{F3861283-9628-4CEF-8D42-77E292EACDF1}: NameServer = 4.2.2.2,4.2.2.1
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\Windows\System32\dhcpcsvc32.dll
     O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
     O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
     O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: AT&T Con App Svc (CAATT) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
     O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
     O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
     O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
     O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
     O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
     O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
     O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
     O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
     O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
     O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

     --
     End of file - 12210 bytes
  5. I cannot run Malwarebytes now that I have an infection on this system. I am enclosing my HJT log (it is hard doing this as I keep getting the Spyware Protect 2009 popups). Thank you, this is a great forum.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:07:05 PM, on 5/16/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16827)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\LEXBCES.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\LEXPPS.EXE
     C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\McAfee\MBK\MBackMonitor.exe
     C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
     c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
     c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
     C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
     C:\Program Files\CyberLink\Shared Files\RichVideo.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\wanmpsvc.exe
     c:\PROGRA~1\mcafee.com\agent\mcagent.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\System32\svchost.exe
     C:\windows\system\hpsysdrv.exe
     C:\WINDOWS\system32\VTTimer.exe
     C:\WINDOWS\AGRSMMSG.exe
     C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
     C:\Program Files\QuickTime\qttask.exe
     C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
     C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
     C:\WINDOWS\ALCXMNTR.EXE
     C:\WINDOWS\system32\LVCOMSX.EXE
     C:\Program Files\Logitech\Video\LogiTray.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\WINDOWS\sysguard.exe
     C:\Program Files\Logitech\Video\FxSvr2.exe
     C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
     C:\Program Files\McAfee\MPF\MPFSrv.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\Iexplore.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     C:\Documents and Settings\Owner\Desktop\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&amp...;os=5&src=1
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
     R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
     R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
     R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
     R3 - URLSearchHook: (no name) - {9C47E9D9-566C-1BBC-4E25-2910942677B1} - (no file)
     F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kqqut.exe
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
     O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
     O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
     O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
     O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
     O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
     O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [btPQ] C:\WINDOWS\vipvl.exe
     O4 - HKLM\..\Run: [txehtk] C:\WINDOWS\System32\uhaqtm.exe reg_run
     O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
     O4 - HKLM\..\Run: [rxoqpvwA] C:\WINDOWS\rxoqpvwA.exe
     O4 - HKLM\..\Run: [Vuumx] C:\Program Files\Fhtvy\Khpawua.exe
     O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
     O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
     O4 - HKLM\..\Run: [win3206435217784] C:\WINDOWS\win3206435217784.exe
     O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
     O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
     O4 - HKLM\..\Run: [updateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
     O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
     O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
     O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
     O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
     O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
     O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
     O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe"
     O4 - HKCU\..\Run: [759b6bd3.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\759b6bd3.exe
     O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\SSEMBL~1\wucrtupd.exe" -vt yazr
     O4 - HKCU\..\Run: [qulju] C:\WINDOWS\System32\uhaqtm.exe reg_run
     O4 - HKCU\..\Run: [bbje] C:\Documents and Settings\Owner\My Documents\A?pPatch\mmc.exe
     O4 - HKCU\..\Run: [system] C:\WINDOWS\System32\service.exe
     O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
     O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
     O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
     O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe
     O4 - Startup: PowerReg Scheduler V3.exe
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
     O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
     O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
     O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
     O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
     O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
     O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
     O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O15 - Trusted Zone: http://click.getmirar.com (HKLM)
     O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
     O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
     O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
     O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
     O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://guy-n-di.spaces.live.com/PhotoUpload/MsnPUpld.cab
     O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
     O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
     O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
     O18 - Filter hijack: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
     O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
     O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\irjol5131.dll (file missing)
     O20 - Winlogon Notify: URL - C:\WINDOWS\system32\q4nu0e59eh.dll (file missing)
     O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - (no file)
     O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)
     O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
     O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
     O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
     O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
     O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
     O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
     O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
     O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
     O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
     O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
     O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\qugydyb.html
     O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\nidoboxow.html

     --
     End of file - 13292 bytes
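The two HijackThis logs in posts 4 and 5 are read the same way a forum helper reads them: skip the process list, then go section by section looking at load points the system should not normally have. The script below is an added example written for this page (not code from the forum, from Malwarebytes or from HijackThis). It parses `Rn`/`Fn`/`On` entries and flags the kinds of lines those posts contain: an extra executable on the `system.ini` `Shell=` line, Run entries that start an executable directly from the Windows directory or from a per-user data folder, Trusted Zone additions, a per-interface `NameServer` override, Winlogon Notify entries, and orphaned hooks marked `(no file)`. The sample lines are constructed from the logs above; the regular expressions and severity levels are this example's own assumptions, and every flag is a prompt to verify the file, not a verdict (OEM tools such as `RtHDVCpl.exe` in post 4 also live directly under the Windows directory).

```python
"""Triage pass over HijackThis-style log lines (added example, not a vendor tool).

Assumptions: entries look like 'O4 - <body>' as in HijackThis v2.0.2 output;
the rules below are generic review heuristics written for this example."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, modelled on the logs posted above.
SAMPLE_LOG_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"R3 - URLSearchHook: (no name) - {9C47E9D9-566C-1BBC-4E25-2910942677B1} - (no file)",
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kqqut.exe",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [btPQ] C:\WINDOWS\vipvl.exe",
    r"O4 - HKCU\..\Run: [759b6bd3.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\759b6bd3.exe",
    r"O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe",
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{F3861283-9628-4CEF-8D42-77E292EACDF1}: NameServer = 4.2.2.2,4.2.2.1",
    r"O20 - Winlogon Notify: URL - C:\WINDOWS\system32\q4nu0e59eh.dll (file missing)",
    r"O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
]

Entry = Tuple[str, str]            # (section, body)
Finding = Tuple[str, str, str]     # (severity, section, reason)

HJT_LINE = re.compile(r"^(?P<sec>[FNOR]\d{1,2}) - (?P<body>.+)$")
# Run-key body: '<hive>\..\Run: [name] "path" args' (quotes optional).
RUN_TARGET = re.compile(r'^[^\[]*\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?\.(?:exe|dll))"?', re.I)
# Executable sitting directly in the Windows directory instead of a subfolder.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I)
# Executable launched from a per-user data folder.
USER_DATA = re.compile(r"\\(?:local settings|application data|appdata|temp)\\", re.I)


def parse_entries(lines: List[str]) -> List[Entry]:
    """Keep only the 'Rn/Fn/On - body' entries; the header and process list are skipped."""
    entries: List[Entry] = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return (severity, section, reason) for every entry worth a closer look."""
    findings: List[Finding] = []
    for sec, body in entries:
        if sec == "F2" and "shell=" in body.lower():
            # system.ini Shell= should name only Explorer.exe; anything appended
            # is started at logon alongside the desktop.
            shell_value = body.split("=", 1)[1]
            extras = [p.strip() for p in shell_value.split(",") if p.strip().lower() != "explorer.exe"]
            if extras:
                findings.append(("high", sec, "extra shell executable: " + ", ".join(extras)))
        elif sec == "O4":
            m = RUN_TARGET.match(body)
            if not m:
                continue
            path = m.group("path")
            if WINDOWS_ROOT.match(path):
                findings.append(("high", sec, f"autorun executable directly in Windows directory: {path}"))
            elif USER_DATA.search(path):
                findings.append(("medium", sec, f"autorun executable in user data folder: {path}"))
        elif sec == "O15":
            # Sites in the Trusted Zone get IE's relaxed security settings.
            findings.append(("medium", sec, "Trusted Zone addition: " + body.split(":", 1)[1].strip()))
        elif sec == "O17":
            # Per-interface resolver override; compare with the DNS the network should hand out.
            findings.append(("medium", sec, "DNS NameServer override: " + body.split("NameServer =", 1)[-1].strip()))
        elif sec == "O20":
            sev = "low" if "(file missing)" in body else "medium"
            findings.append((sev, sec, "Winlogon/AppInit load point: " + body))
        elif (sec.startswith("R") or sec in ("O2", "O3")) and "(no file)" in body:
            findings.append(("low", sec, "orphaned browser hook/BHO: " + body))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a long log can be skimmed first."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = triage(parse_entries(SAMPLE_LOG_LINES))
    for sev, sec, reason in results:
        print(f"[{sev:6}] {sec:4} {reason}")
    print(summarize(results))
```

On the sample above the script leaves the QuickTime, Google Toolbar and Google Updater lines alone and lists the `Shell=` addition and the two Windows-directory Run entries as high, the user-data Run entry, Trusted Zone site and NameServer override as medium, and the two `(no file)`/`(file missing)` leftovers as low. Feeding it a whole log is a matter of replacing `SAMPLE_LOG_LINES` with `open(path).read().splitlines()`.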
  6. Thank you for all of your help and patience. The system seems to be running well... I have it online and am checking out the programs that she has on it. So far it seems to be OK. Can I let you know if there are any further problems? Have a pleasant week ~ Diane D.
  7. Hello, sorry it took me so long to get back. I have done the CFScript and run ComboFix, and here is my log from that. Thank you for your patience!

     ComboFix 09-03-19.02 - Phil Llapitan 2009-03-21 20:12:05.3 - FAT32x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.68 [GMT -7:00]
     Running from: c:\combofix\ComboFix.exe
     Command switches used :: c:\documents and settings\Phil Llapitan\Desktop\CFScript.txt
     AV: AntiVir Desktop *On-access scanning disabled* (Updated)
     * Created a new restore point

     FILE ::
     c:\windows\system32\drivers\f742cf20.sys
     c:\windows\system32\lohukehi.exe
     c:\windows\system32\posidiha.exe
     c:\windows\system32\rubiromu.exe
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\windows\system32\lohukehi.exe
     c:\windows\system32\posidiha.exe
     c:\windows\system32\rubiromu.exe
     .

     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Service_f742cf20

     ((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
     .

     2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes
     2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira
     2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
     2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
     2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.003
     2009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
     2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS
     2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom
     2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.002
     2009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
     2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor
     2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.001
     2009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f7
     2009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
     2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.000
     2009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe
     2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\11259787
     2009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp
     2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef9
     2009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
     2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico
     2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl
     2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest
     2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft
     2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec
     2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire
     2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe
     2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield
     2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat
     .

     (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     ---- Directory of c:\documents and settings\All Users\Application Data\f9f7 ----

     2009-03-10 15:38 3282 --a------ c:\documents and settings\All Users\Application Data\f9f7\unins000.dat

     ---- Directory of c:\documents and settings\All Users\Application Data\fe61ef9 ----

     2009-03-10 15:35 12378 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\System Data\vd952342.bd
     2008-10-09 13:50 1741 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Kodak EasyShare software.lnk
     2006-03-17 18:32 665 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Microsoft Find Fast.lnk
     2006-01-31 17:09 1712 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\HP Digital Imaging Monitor.lnk
     2005-11-12 13:39 1417 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Utility Tray.lnk

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664] "StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568] Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program 
Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289] S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608] S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?] S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696] S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696] --- Other Services/Drivers In Memory --- *Deregistered* - Dhcp *Deregistered* - Dnscache *Deregistered* - ERSvc *Deregistered* - EventSystem *Deregistered* - FastUserSwitchingCompatibility *Deregistered* - helpsvc *Deregistered* - HTTPFilter *Deregistered* - lanmanserver *Deregistered* - lanmanworkstation *Deregistered* - LmHosts *Deregistered* - Netman *Deregistered* - Nla *Deregistered* - Pml Driver HPZ12 *Deregistered* - PolicyAgent *Deregistered* - ProtectedStorage *Deregistered* - RasMan *Deregistered* - RpcSs *Deregistered* - SamSs *Deregistered* - Schedule *Deregistered* - seclogon *Deregistered* - SENS *Deregistered* - SharedAccess *Deregistered* - ShellHWDetection *Deregistered* - spkrmon *Deregistered* - Spooler *Deregistered* - sprtlisten *Deregistered* - srservice *Deregistered* - SSDPSRV *Deregistered* - stisvc *Deregistered* - TapiSrv *Deregistered* - TermService *Deregistered* - Themes *Deregistered* - TrkWks *Deregistered* - W32Time *Deregistered* - WebClient *Deregistered* - winmgmt *Deregistered* - wscsvc *Deregistered* - WZCSVC . Contents of the 'Scheduled Tasks' folder 2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job - c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-21 20:17:31 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXE c:\program files\COMMON FILES\SUPPORTSOFT\BIN\SPRTLISTEN.EXE c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-03-21 20:22:49 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-22 03:22:44 ComboFix2.txt 2009-03-21 02:49:40 Pre-Run: 20,205,404,160 bytes free Post-Run: 20,040,941,568 bytes free 182 --- E O F --- 2009-01-15 04:05:14
  8. Hi - Actually, mbam rebooted itself and then came up with a log... I have run ComboFix, but I had a problem with Avira coming back on when ComboFix rebooted the system... I hope it did not mess up the log for you... here it is:

ComboFix 09-03-15.01 - Phil Llapitan 2009-03-20 19:38:49.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.92 [GMT -7:00]
Running from: F:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes
2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira
2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.003
2009-03-17 05:55 . 2009-03-17 05:55 2,713 ---hs---- c:\windows\system32\rubiromu.exe
2009-03-16 11:54 . 2009-03-16 11:54 2,713 ---hs---- c:\windows\system32\lohukehi.exe
2009-03-15 17:52 . 2009-03-15 17:52 2,713 ---hs---- c:\windows\system32\posidiha.exe
2009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS
2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom
2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.002
2009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.001
2009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f7
2009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.000
2009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe
2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\11259787
2009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp
2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef9
2009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico
2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl
2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest
2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec
2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire
2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe
2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield
2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
S1 f742cf20;f742cf20;c:\windows\system32\drivers\f742cf20.sys --> c:\windows\system32\drivers\f742cf20.sys [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job
- c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 19:44:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 19:49:36 - machine was rebooted [Phil Llapitan]
ComboFix-quarantined-files.txt 2009-03-21 02:49:30

Pre-Run: 20,218,707,968 bytes free
Post-Run: 20,147,552,256 bytes free

122 --- E O F --- 2009-01-15 04:05:14
  9. WhooHoo! I copied the file incorrectly the last time, but I did it right this time and got mbam to run (the RootRepeal showed nothing). Here is my mbam log:

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 5.1.2600 Service Pack 3

2009-03-20 14:57:15
mbam-log-2009-03-20 (14-57-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110717
Time elapsed: 26 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0398fcb8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sadirozusi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggijixa (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt (Rogue.VirusMelt) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\System Data (Rogue.VirusMelt) -> Quarantined and deleted successfully.

Files Infected:
C:\tcrnwc.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\ucpdcu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Qyucepinukonejiq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036187.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036411.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036417.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt\Instructions.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.
C:\WINDOWS\eqowusuyanami.dll (Trojan.Agent) -> Delete on reboot.
  10. Hi - I recopied both to the infected computer - still getting runtime errors '0' and '440'. Is it because I am using Vista and Malwarebytes 'knows' that, so it won't run on the XP when I copy it over? Or am I just doing it wrong? I have them both saved to desktop... is that a problem? Sigh. I appreciate your patience.
  11. Thank you for your quick response. I'm about to ask a real newbie question here - first, her computer will not go online, so I cannot update Malwarebytes from there. So, how can I get Malwarebytes to update itself, then make a copy of that to transfer to the other computer? I updated to MY desktop, then copied the whole folder over to the other computer's desktop, but mbam.exe will not run - I am getting the following errors: (vbAccelerator SGrid II Control, Run-time error '0') and (Malwarebytes' Anti-Malware, Run-time error '440'; Automation error). So - am I doing it wrong? I would like to get Malwarebytes to run before I go back to the other solutions.
  12. Thank you, Miekiemoes, for your response and sound lashing. I realize the importance of having a good antivirus program, but the computer that came to me from my daughter-in-law did not, obviously, have anything on it to protect it. Although I tried to add Avira originally, and also ran Dr. Web, they did not find what was wrong. This time, the initial Avira run showed me there was an ntdll64 error in my Documents and Settings folder that I quarantined. After I rebooted from running the Avira full scan, I received the error "C:\windows\system32\yumifesu.dll and c:\windows\system32\yihuhote.dll, specified modules could not be found", and many problems, which I had Avira fix - and then it seemed to continue to run for a second time without me rebooting it - so I have included BOTH log files.

Avira AntiVir Personal
Report file date: 2009-03-19 14:17

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PHIL-PIMIBA6H3J

Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58
AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26
AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42
AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58
AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10
AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46
RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-03-19 14:17

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
'31628' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'HPQTRA08.EXE' - '1' Module(s) have been scanned
Scan process 'SISTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'QTTASK.EXE' - '1' Module(s) have been scanned
Scan process 'TFSWCTRL.EXE' - '1' Module(s) have been scanned
Scan process 'HPCMPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'WkUFind.exe' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'Keyhook.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sprtlisten.exe' - '1' Module(s) have been scanned
Scan process 'SPKRMON.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\yiar.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\cyieqw.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
C:\ootpnl.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
C:\mfvse.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\pagefile.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
  [NOTE] This file cannot be opened for scanning.
C:\WINDOWS\instsp1.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\WINDOWS\system32\zujaviwi.dll
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe
  [0] Archive type: RAR SFX (self extracting)
  --> 32788R22FWJFW\psexec.cfexe
    [1] Archive type: RSRC
    --> Object
      [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll
  [DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe
  [0] Archive type: NSIS
  --> [PluginsDir]/InstallerHelperPlugin.dll
    [DETECTION] Contains recognition pattern of the ADSPY/MartSho.dll.2 adware or spyware
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll
  [DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spyware
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll
  [DETECTION] Is the TR/Dldr.JLRL Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\FOUND.002\FILE0001.CHK
  [DETECTION] Is the TR/Rootkit.Gen Trojan
C:\FOUND.003\FILE0001.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0002.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0005.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0006.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0020.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0021.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0022.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0024.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0025.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0026.CHK
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\FOUND.003\FILE0027.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0028.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0030.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0031.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0032.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0033.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0034.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0035.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\FOUND.003\FILE0036.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir
  [DETECTION] Is the TR/Dldr.JLRL Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\LastRun\drevB.dat
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\ComboFix\psexec.cfexe
  [0] Archive type: RSRC
  --> Object
      [DETECTION] Contains recognition pattern of the APPL/PsExec.E application

Beginning disinfection:
C:\yiar.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [NOTE] The file was moved to '4a23c0a0.qua'!
C:\cyieqw.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
  [NOTE] The file was moved to '4a2bc0b1.qua'!
C:\ootpnl.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
  [NOTE] The file was moved to '4a36c0a7.qua'!
C:\mfvse.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '4a38c0a1.qua'!
C:\WINDOWS\instsp1.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [NOTE] The file was moved to '4a35c0a9.qua'!
C:\WINDOWS\system32\zujaviwi.dll
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [NOTE] The file was moved to '4a2cc0b0.qua'!
C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '4a27c089.qua'!
C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe
  [NOTE] The file was moved to '4a2fc0ac.qua'!
C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a25c0a0.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll
  [DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
  [NOTE] The file was moved to '49f2c06f.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe
  [NOTE] The file was moved to '4a879970.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll
  [DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spyware
  [NOTE] The file was moved to '49f2c070.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4fcba1d9.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '48a581f1.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4fc8a901.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a85b141.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '49f2c071.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll
  [DETECTION] Is the TR/Dldr.JLRL Trojan
  [NOTE] The file was moved to '49f2c073.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a8848fc.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a895024.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a8e586c.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a8f5f94.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49f2c074.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a8d6f05.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a72774d.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a737f75.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a7006bd.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49f2c075.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a76162e.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a771e56.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a74259e.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a752dc6.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49f2c076.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a7b3d37.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a79c57f.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a7ecca7.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49f2c077.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a7cdc18.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a7de450.qua'!
C:\FOUND.002\FILE0001.CHK
  [DETECTION] Is the TR/Rootkit.Gen Trojan
  [NOTE] The file was moved to '4a0ec090.qua'!
C:\FOUND.003\FILE0001.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4b66e8f9.qua'!
C:\FOUND.003\FILE0002.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a0ec091.qua'!
C:\FOUND.003\FILE0005.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499ff32a.qua'!
C:\FOUND.003\FILE0006.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499cfb12.qua'!
C:\FOUND.003\FILE0020.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499d83da.qua'!
C:\FOUND.003\FILE0021.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499a8b82.qua'!
C:\FOUND.003\FILE0022.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499b924a.qua'!
C:\FOUND.003\FILE0024.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a0ec092.qua'!
C:\FOUND.003\FILE0025.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4999a2fb.qua'!
C:\FOUND.003\FILE0026.CHK
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '4996aaa3.qua'!
C:\FOUND.003\FILE0027.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4997b16b.qua'!
C:\FOUND.003\FILE0028.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a0ec093.qua'!
C:\FOUND.003\FILE0030.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4995411c.qua'!
C:\FOUND.003\FILE0031.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '499249c4.qua'!
C:\FOUND.003\FILE0032.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a0ec094.qua'!
C:\FOUND.003\FILE0033.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49905875.qua'!
C:\FOUND.003\FILE0034.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4991603d.qua'!
C:\FOUND.003\FILE0035.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49ae68e5.qua'!
C:\FOUND.003\FILE0036.CHK
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '49af70ad.qua'!
C:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a37c0ba.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir
  [DETECTION] Is the TR/Dldr.JLRL Trojan
  [NOTE] The file was moved to '4a3bc0be.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to '4a26c0c0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [NOTE] The file was moved to '4a27c07a.qua'!
C:\Qoobox\LastRun\drevB.dat
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '4a27c0be.qua'!
C:\ComboFix\psexec.cfexe
  [NOTE] The file was moved to '4a27c0bf.qua'!

End of the scan: 2009-03-19 14:59
Used time: 36:34 Minute(s)

The scan has been done completely.
4217 Scanned directories
133669 Files were scanned
65 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
65 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
133603 Files not concerned
887 Archives were scanned
1 Warnings
66 Notes
31628 Objects were scanned with rootkit scan
0 Hidden objects were found

************************************************
AND THE SECOND LOG FILE:
************************************************

Avira AntiVir Personal
Report file date: 2009-03-19 14:17

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PHIL-PIMIBA6H3J

Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58
AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26
AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42
AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58
AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10
AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46
RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-03-19 14:17

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'HPQTRA08.EXE' - '1' Module(s) have been scanned
Scan process 'SISTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'QTTASK.EXE' - '1' Module(s) have been scanned
Scan process 'TFSWCTRL.EXE' - '1' Module(s) have been scanned
Scan process 'HPCMPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'WkUFind.exe' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'Keyhook.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sprtlisten.exe' - '1' Module(s) have been scanned
Scan process 'SPKRMON.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\yiar.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\cyieqw.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
C:\ootpnl.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
C:\mfvse.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\pagefile.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
  [NOTE] This file cannot be opened for scanning.
C:\WINDOWS\instsp1.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\WINDOWS\system32\zujaviwi.dll
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe
  [0] Archive type: RAR SFX (self extracting)
  --> 32788R22FWJFW\psexec.cfexe
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe
  [0] Archive type: RAR SFX (self extracting)
  --> 32788R22FWJFW\psexec.cfexe
      [1] Archive type: RSRC
      --> Object
          [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
Beginning disinfection:
C:\yiar.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\cyieqw.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\ootpnl.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\mfvse.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\WINDOWS\instsp1.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\WINDOWS\system32\zujaviwi.dll
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll
  [DETECTION] Is the TR/Vundo.Gen Trojan
  [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
  [WARNING] The source file could not be found.
  [NOTE] Attempting to perform action using the ARK library.
  [WARNING] Error in ARK library
  [NOTE] The file is scheduled for deleting after reboot.
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe
  [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
  [NOTE] The file was moved to '49f2c23b.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe
  [DETECTION] Is the TR/Tiny.705 Trojan
  [NOTE] The file was moved to '411b185c.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe
  [DETECTION] Is the TR/Downloader.Gen Trojan
  [NOTE] The file was moved to '41182014.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '411e2bc4.qua'!
C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '4fa61854.qua'! C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '411f33fc.qua'! C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '411c3bb4.qua'! C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe [NOTE] The file was moved to '4102c36c.qua'! C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '411508ec.qua'! End of the scan: 2009-03-19 15:07 Used time: 47:27 Minute(s) The scan has been done completely. 4217 Scanned directories 133748 Files were scanned 18 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 9 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 133729 Files not concerned 887 Archives were scanned 10 Warnings 19 Notes ******************************************* I appreciate that you have done all you and AdvancedSetup could to help me so far, and also the fact that this system may be toast. I have requested the drivers disk(s) and XP installation disk from her (well, now apparently the uncle she just got this system from, grrrrr he probably knew all of this) in the event that I have to reformat and reinstall. She doesn't have anything really on this to save, so that is a very viable solution too. I am glad to have learned all the tools and information that have been shared with me from you guys, although I hope to never have to use them again anytime soon.. 
As far as establishing an internet connection on that system, it has QWest wireless, which she has told me doesn't work outside her home. I do not know about that and am looking into that further. Here is the HJT log, and again, thank you for your help. I should mention that I would like to try to fix the system so I can say I tried, if you are game!?

********************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45, on 2009-03-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e
O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 5640 bytes
  13. I decided to run another HJT log for you - thank you for helping me with this B)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:11, on 2009-03-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e
O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 5236 bytes
  14. When running the Combofix program the system gave me feedback that I had an incompatible OS, but continued to run... until the point of making a log file. At that point the system crashed, citing a physical memory dump, and then told me to restart the computer. I did, and got a couple of .dll errors as it started up, now I am reloaded, but don't know which way to go... do I re-run Combofix to try to get a log file? Or should I run HJT for a current log file to show you?
  15. I followed all your instructions - however, I cannot get online to download malwarebytes directly, and when I copy over the mbam.exe to disk then to its desktop, I get an error code 707(3) - please advise me? BTW, thank you for your quick response!
  16. Hi folks - I cannot get online, can't get mbam.exe to run, can't get randmbam.exe to run, and as a newbie, I am frustrated. I know there is something I am not doing - I first started off with Virus Melt on the system. I ran regedit to enable my task manager, then deleted the VMelt.exe process, but can't do anything further. I was able to run HijackThis - and here is my log - HijackThis did tell me to do something with the O1 host google entries but I didn't know what it meant... so here is the whole enchilada - please help, this is hard, but I know there is a way to beat it, hopefully with your help. Thanks ahead of time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:20 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntdll64.exe
F:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 89.149.227.223 google.ae
O1 - Hosts: 89.149.227.223 google.as
O1 - Hosts: 89.149.227.223 google.at
O1 - Hosts: 89.149.227.223 google.az
O1 - Hosts: 89.149.227.223 google.ba
O1 - Hosts: 89.149.227.223 google.be
O1 - Hosts: 89.149.227.223 google.bg
O1 - Hosts: 89.149.227.223 google.bs
O1 - Hosts: 89.149.227.223 google.ca
O1 - Hosts: 89.149.227.223 google.cd
O1 - Hosts: 89.149.227.223 google.com.gh
O1 - Hosts: 89.149.227.223 google.com.gi
O1 - Hosts: 89.149.227.223 google.com.hk
O1 - Hosts: 89.149.227.223 google.com.jm
O1 - Hosts: 89.149.227.223 google.com.ly
O1 - Hosts: 89.149.227.223 google.com.mx
O1 - Hosts: 89.149.227.223 google.com.my
O1 - Hosts: 89.149.227.223 google.com.na
O1 - Hosts: 89.149.227.223 google.com.nf
O1 - Hosts: 89.149.227.223 google.com.ng
O1 - Hosts: 89.149.227.223 google.ch
O1 - Hosts: 89.149.227.223 google.com.np
O1 - Hosts: 89.149.227.223 google.com.om
O1 - Hosts: 89.149.227.223 google.com.pa
O1 - Hosts: 89.149.227.223 google.com.pr
O1 - Hosts: 89.149.227.223 google.com.qa
O1 - Hosts: 89.149.227.223 google.com.sg
O1 - Hosts: 89.149.227.223 google.com.tj
O1 - Hosts: 89.149.227.223 google.com.tr
O1 - Hosts: 89.149.227.223 google.com.tw
O1 - Hosts: 89.149.227.223 google.com.ua
O1 - Hosts: 89.149.227.223 google.dj
O1 - Hosts: 89.149.227.223 google.com.vc
O1 - Hosts: 89.149.227.223 google.it.ao
O1 - Hosts: 89.149.227.223 google.de
O1 - Hosts: 89.149.227.223 google.dk
O1 - Hosts: 89.149.227.223 google.dm
O1 - Hosts: 89.149.227.223 google.dz
O1 - Hosts: 89.149.227.223 google.ee
O1 - Hosts: 89.149.227.223 google.fi
O1 - Hosts: 89.149.227.223 google.fm
O1 - Hosts: 89.149.227.223 google.fr
O1 - Hosts: 89.149.227.223 google.ge
O1 - Hosts: 89.149.227.223 google.gg
O1 - Hosts: 89.149.227.223 google.gm
O1 - Hosts: 89.149.227.223 google.gr
O1 - Hosts: 89.149.227.223 google.gy
O1 - Hosts: 89.149.227.223 google.ht
O1 - Hosts: 89.149.227.223 google.ie
O1 - Hosts: 89.149.227.223 google.im
O1 - Hosts: 89.149.227.223 google.in
O1 - Hosts: 89.149.227.223 google.it
O1 - Hosts: 89.149.227.223 google.ki
O1 - Hosts: 89.149.227.223 google.kz
O1 - Hosts: 89.149.227.223 google.la
O1 - Hosts: 89.149.227.223 google.li
O1 - Hosts: 89.149.227.223 google.lk
O1 - Hosts: 89.149.227.223 google.lv
O1 - Hosts: 89.149.227.223 google.ma
O1 - Hosts: 89.149.227.223 google.md
O1 - Hosts: 89.149.227.223 google.ms
O1 - Hosts: 89.149.227.223 google.mu
O1 - Hosts: 89.149.227.223 google.mv
O1 - Hosts: 89.149.227.223 google.mw
O1 - Hosts: 89.149.227.223 google.nl
O1 - Hosts: 89.149.227.223 google.no
O1 - Hosts: 89.149.227.223 google.nr
O1 - Hosts: 89.149.227.223 google.nu
O1 - Hosts: 89.149.227.223 google.pl
O1 - Hosts: 89.149.227.223 google.pn
O1 - Hosts: 89.149.227.223 google.pt
O1 - Hosts: 89.149.227.223 google.ro
O1 - Hosts: 89.149.227.223 google.ru
O1 - Hosts: 89.149.227.223 google.rw
O1 - Hosts: 89.149.227.223 google.sc
O1 - Hosts: 89.149.227.223 google.se
O1 - Hosts: 89.149.227.223 google.sh
O1 - Hosts: 89.149.227.223 google.si
O1 - Hosts: 89.149.227.223 google.sm
O1 - Hosts: 89.149.227.223 google.sn
O1 - Hosts: 89.149.227.223 google.st
O1 - Hosts: 89.149.227.223 google.tl
O1 - Hosts: 89.149.227.223 google.tm
O1 - Hosts: 89.149.227.223 google.tt
O1 - Hosts: 89.149.227.223 google.us
O1 - Hosts: 89.149.227.223 google.vg
O1 - Hosts: 89.149.227.223 google.vu
O1 - Hosts: 89.149.227.223 google.ws
O1 - Hosts: 89.149.227.223 google.co.bw
O1 - Hosts: 89.149.227.223 google.co.ck
O1 - Hosts: 89.149.227.223 google.co.id
O1 - Hosts: 89.149.227.223 google.co.il
O1 - Hosts: 89.149.227.223 google.co.in
O1 - Hosts: 89.149.227.223 google.co.jp
O1 - Hosts: 89.149.227.223 google.co.ke
O1 - Hosts: 89.149.227.223 google.co.kr
O1 - Hosts: 89.149.227.223 google.co.ls
O1 - Hosts: 89.149.227.223 google.co.ma
O1 - Hosts: 89.149.227.223 google.co.mz
O1 - Hosts: 89.149.227.223 google.co.nz
O1 - Hosts: 89.149.227.223 google.co.th
O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll
O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s
O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
O4 - HKLM\..\Run: [00abcf24] rundll32.exe "C:\WINDOWS\system32\bagahone.dll",b
O4 - HKLM\..\Run: [Kxawo] rundll32.exe "C:\WINDOWS\Qyucepinukonejiq.dll",e
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
O4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",e
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Virus Melt] "C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe" /s
O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
O4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CAE0260-F926-4FB2-94D1-83BF3EB976F8}: NameServer = 205.171.3.65,205.171.2.65
O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll c:\windows\system32\yihuhote.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll
O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 10709 bytes
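The O1, O4, O10 and O20 entries in the logs above are the lines a malware-removal helper acts on first: hosts-file redirection of google domains to one IP, rundll32 autostarts loading random-named DLLs, an unknown Winsock LSP in a Temp folder, and AppInit_DLLs injection. As an added example (not the poster's or the forum's code), here is a small Python triage script for HijackThis-format lines; the sample lines are copied from the logs in this thread, and the flagging heuristics are assumptions for review, not HijackThis' own rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the HijackThis logs posted in
# this thread, so the triage below runs offline against realistic input.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 89.149.227.223 google.de
O1 - Hosts: 89.149.227.223 google.co.jp
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",a
O4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Hosts-file targets that are benign (loopback / blackhole, as ad blockers use).
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O1"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line


def _in_temp(path: str) -> bool:
    # Matches both long and 8.3-style (LOCALS~1\Temp) temp paths.
    return "\\temp\\" in path.lower()


def triage(log: str) -> list[Finding]:
    """Return the log lines matching the hijack patterns seen in this thread.

    Heuristics only (assumption of this example): every hit still needs a human.
    """
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HOSTS_RE.match(line):
            target, name = m.group(1), m.group(2)
            if target not in LOCAL_TARGETS:
                findings.append(Finding("O1", f"hosts file redirects {name} to {target}", line))
        elif m := RUN_RE.match(line):
            command = m.group(3).lower()
            if "rundll32" in command and ".dll" in command:
                findings.append(Finding("O4", "rundll32 autostart loading a DLL; confirm the DLL belongs to a known product", line))
            elif _in_temp(command):
                findings.append(Finding("O4", "autostart executable located in a Temp directory", line))
        elif m := LSP_RE.match(line):
            where = " (in a Temp directory)" if _in_temp(m.group(1)) else ""
            findings.append(Finding("O10", f"unknown Winsock LSP module{where}", line))
        elif m := APPINIT_RE.match(line):
            for dll in m.group(1).split():
                findings.append(Finding("O20", f"AppInit_DLLs loads {dll} into every process that links user32", line))
    return findings


def redirect_targets(findings: list[Finding]) -> set[str]:
    """Distinct IPs that the O1 entries point hijacked hostnames at."""
    return {f.reason.rsplit(" ", 1)[-1] for f in findings if f.section == "O1"}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("redirect targets:", redirect_targets(hits))
```

On the full log from post 16 the O1 section collapses to a single redirect target, which is the quickest way to see that the whole block of google entries is one hosts-file hijack rather than ninety separate problems.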