namida12 Posted January 28, 2009 ID:51359 Share Posted January 28, 2009 I can not install malwarebytes Anti-Malware - Was able to install Rogueremover but can not update and it did not find any malware. This is being transfered via e-mail from one system to another...Logfile of HijackThis v1.99.1Scan saved at 9:08:26 PM, on 1/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\Explorer.EXEC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXEC:\Documents and Settings\Souhil\Desktop\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - Default URLSearchHook is missingO3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [GetModule27] "C:\Program Files\GetModule\GetModule27.exe"O4 - HKCU\..\Run: [21261863281273546458966242326576] C:\Program Files\Antivirus 2009\av2009.exeO8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm801NUUSO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dllO11 - Options group: [iNTERNATIONAL] International*O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLLO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLLO20 - AppInit_DLLs: karna.dat?,avgrsstx.dllO21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 28, 2009 Root Admin ID:51448 Share Posted January 28, 2009 With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - Default URLSearchHook is missingO3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)O4 - HKCU\..\Run: [GetModule27] "C:\Program Files\GetModule\GetModule27.exe"O4 - HKCU\..\Run: [21261863281273546458966242326576] C:\Program Files\Antivirus 2009\av2009.exeO8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm801NUUSO11 - Options group: [iNTERNATIONAL] International*O20 - AppInit_DLLs: karna.dat?,avgrsstx.dllO21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllThen Quit All Browsers including the one you're reading this in now.Then click on Fix checked and then quit HJTPlease visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
namida12 Posted January 28, 2009 Author ID:51493 Share Posted January 28, 2009 I am on another computer next to the notebook... I placed a checkmark in the items you indicated and a dialog box has appeared:An unexpected error has occured at procedure: ModBackup_MakeBackup(sitem=020 - AppInit_DLLs: karna.dat?,avgrsstx.dll)Error #5 - Invalid procedure or ArgumentPlease email me at xxxx (at) spywareinfo.com reporting the following:8 What you were trying to fix when the the error occured, if applicableHow you can reproduce the error* A complete Hijackthis scan log, if possibleWindows Version: Windows NT 5.01.2600Msie version 7.0.530.13HijackThis version 1.99.1This message has been copied to your clipboard.Click OK to Continue the rest of the scan* * *Tis it ok to continue? Should i send an e-mail? AdvancedSetup, please advise do not want to continue without an OK, maybe I should stop and uncheck that item?JR Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 29, 2009 Root Admin ID:51606 Share Posted January 29, 2009 No, you don't need to send an email. A couple of things are going on.1. Your version of Hijackthis is OLD and needs to be updated. Click here to get the newer version: http://www.trendsecure.com/portal/en-US/_d.../HJTInstall.exeDelete your OLD version and use the new one.2. The Malware on your system could be actively monitoring the program and attempting to stop it. Try renaming the HijackThis.exe to hello.exe and see if the new one works any better or not.So you don't think you're able to download and burn that CD ? Link to post Share on other sites More sharing options...
namida12 Posted January 29, 2009 Author ID:51681 Share Posted January 29, 2009 I downloaded the new version, and combofix... Burned a CD and moved the software to the infected system...I ran the hello program and made a new scan log... it appears everything you indicated to remove has disapeared! But ComboFix appears it does not install... I waited 20 minutes (opened taskmanager it showed as a process but was using no memory I ended the process)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:07:44 PM, on 1/28/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\Explorer.EXEC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe--End of file - 6336 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 29, 2009 Root Admin ID:51724 Share Posted January 29, 2009 Please download, burn, and run this CD against the affected computer.Requires access to a working computer with a CD/DVD burner to create a bootable CD.Avira AntiVir Rescue System - downloadAvira AntiVir Rescue SystemAvira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to: repair a damaged system, rescue data, scan the system for virus infections.Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. Link to post Share on other sites More sharing options...
namida12 Posted January 30, 2009 Author ID:52019 Share Posted January 30, 2009 Have downloaded Avira AntiVir Rescue System, moved it to the infected computer to burn the CD, since I could not locate a method for K3b burn this correctly as a bootable disk. It appears to be offered only as a windows executable, and the file is not available as a ISO. I booted with the software it performed a scan, but there is no method to look at the warnings (26) or save a file to the disk. Looked about on the website there is no Tutorial for this scanner. I am depending on you for instruction: How do you want me to set up the configuration file of this off line scanner?.checking the master boot record of drive 128:error (25): can not read recordchecking the master boot record of drive 129:error (2): can not read recordThere is only one drive in this notebook, it is an Compaq Presario C300, and I believe it has its own special MBR, or I would have replaced that already.... Link to post Share on other sites More sharing options...
namida12 Posted January 30, 2009 Author ID:52034 Share Posted January 30, 2009 Unable to edit the above post. I went to the config file and checked the fix or rename, and after the scan it reported renamed 104 files... Booting back into windows the anti-virus updated, resident shield still deactivated...As you can see, I was able to connect to this website, and now maybe can download combofix as it was one of the files that was renamed... Wish i could have written a text file to a pen drive while in Linux, or saved a file to the hard drive (cli did not activate) I had to shut the system own using the power button, but guess the off line Linux portion is not that developed, as i waited a decent amount of time for it to active, and found the system frozenI am tempted to get the windows updates, but guess i should be waiting for more instrutions...I will sign off now and shut down this computer, untill you suggest the next step...JR Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 31, 2009 Root Admin ID:52187 Share Posted January 31, 2009 Okay, now that it's been cleaned up some please see if MBAM will run on it. Don't do the Windows updates right now.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
namida12 Posted February 1, 2009 Author ID:52633 Share Posted February 1, 2009 Malwarebytes' Anti-Malware 1.33Database version: 1713Windows 5.1.2600 Service Pack 32/1/2009 1:39:29 PMmbam-log-2009-02-01 (13-39-29).txtScan type: Full Scan (C:\|)Objects scanned: 164607Time elapsed: 43 minute(s), 5 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 28Registry Values Infected: 1Registry Data Items Infected: 1Folders Infected: 3Files Infected: 85Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\Interface\{0fbc3efb-fc98-4b32-bf10-bde9aa4dea5a} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{6a4b7d17-1de9-4c14-8adf-eb4c07060519} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{abf441b2-9b57-4838-96a0-34b1cecd4aa5} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{74278296-0ec7-4f7a-ad55-eb7a2f35f311} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvungw -> Quarantined and deleted successfully.Folders Infected:C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009 (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\system32\afmokiqm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mqikomfa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\cmeyrpfa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\afpryemc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\auftpxhk.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ayubxpwo.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\bfrvljbi.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\bnbsfb.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\bvusoitv.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\bxqkpevs.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\csqmsoil.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\dmtlci.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\dskgnl.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\efunjf.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ejfocbty.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\esdsmuuv.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\favebhet.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\fqdwlqlr.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\fuxfkdin.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\mwiqkdwq.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ojmaqmmm.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\qbprys.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\qdhdvoac.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\rfqmkhxw.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\sfjrdvtj.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\srmyid.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\sxlvsfmp.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\syxcdgvd.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\jsfzrd.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\kdwjrlhg.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ktwnbpfh.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\kurcsqdh.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\lcakxwgt.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\liquuk.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\mojovnll.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\tmpqan.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\udyvsd.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\umyruxcc.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\vxfvlp.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\whxtvr.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\wsyupxan.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ghpdrxve.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\thakwxgp.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\zypvwz.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\grxweurx.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\gxqtonyv.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\haqxtk.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\hifmvkdy.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\hlquixpp.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ieaboi.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Guest\Local Settings\Temp\ikwddkdk.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Souhil\Local Settings\Temp\TDSS9f77.tmp.XXX (Trojan.Agent) -> Quarantined and deleted successfully.C:\Program Files\iCheck\Uninstall.exe.XXX (Trojan.Downloader) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP366\A0066448.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\cgtxctpu.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\cihrjxwk.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\dbmxll.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\dpakykni.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ersyqrdm.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\fnpptwax.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\fqkklo.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\kpsrwb.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\oelaxgjs.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\oyaaaikl.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\qgouix.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSScfub.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSSnrsr.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSSoeqh.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSSriqp.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\tjxcva.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\tpkskicf.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\unlxpfrm.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\vcetllru.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\vxijgz.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\xbjtzy.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\xnintqui.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\yayvUNGw.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\yjfqjvvc.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\nbblva.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\wqgbre.dll.XXX (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\TDSSpaxt.sys.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.* *Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:12:13 PM, on 2/1/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: (no name) - {4A251E8A-4559-4C60-ADC2-C0AA7AB27B09} - C:\WINDOWS\system32\yayvUNGw.dll (file missing)O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO20 - Winlogon Notify: fccaBSmN - fccaBSmN.dll (file missing)O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe--End of file - 7294 bytesJR Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:52902 Share Posted February 3, 2009 Please download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup216.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner"Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log FilesClick on Run Cleaner button on the bottom right side of the program.Click OK to any promptsThenn restart the computer and run the following again.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53053 Share Posted February 3, 2009 Please post a status update on this. Link to post Share on other sites More sharing options...
namida12 Posted February 3, 2009 Author ID:53201 Share Posted February 3, 2009 Malwarebytes' Anti-Malware 1.33Database version: 1721Windows 5.1.2600 Service Pack 32/3/2009 3:43:10 PMmbam-log-2009-02-03 (15-43-10).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 162377Time elapsed: 40 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)* *Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:47:59 PM, on 2/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Internet Explorer\iexplore.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: (no name) - {4A251E8A-4559-4C60-ADC2-C0AA7AB27B09} - C:\WINDOWS\system32\yayvUNGw.dll (file missing)O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO20 - Winlogon Notify: fccaBSmN - fccaBSmN.dll (file missing)O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe--End of file - 7294 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53343 Share Posted February 4, 2009 STEP 1With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.O2 - BHO: (no name) - {4A251E8A-4559-4C60-ADC2-C0AA7AB27B09} - C:\WINDOWS\system32\yayvUNGw.dll (file missing)O2 - BHO: Java Link to post Share on other sites More sharing options...
namida12 Posted February 4, 2009 Author ID:53455 Share Posted February 4, 2009 ComboFix 09-02-03.01 - Souhil 2009-02-04 8:15:16.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.168 [GMT -8:00]Running from: c:\documents and settings\Souhil\Desktop\ComboFix.exeAV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\adfkxtre.inic:\windows\system32\aghoatps.dllc:\windows\system32\bbwhixty.inic:\windows\system32\cobnci.dllc:\windows\system32\eirdnopt.inic:\windows\system32\fmkcicnr.inic:\windows\system32\fnodqcgn.inic:\windows\system32\hmdynqud.inic:\windows\system32\inkykapd.inic:\windows\system32\iuqtninx.inic:\windows\system32\JTBcLRqr.ini2c:\windows\system32\kwxjrhic.inic:\windows\system32\lilryjva.inic:\windows\system32\nwxepb.dllc:\windows\system32\nxkusevb.inic:\windows\system32\pbpesfgj.inic:\windows\system32\reorxdtk.inic:\windows\system32\TDSSosvd.datc:\windows\system32\wGNUvyay.inic:\windows\system32\wGNUvyay.ini2c:\windows\system32\xbtidymr.inic:\windows\system32\yomxmdxo.inic:\windows\system32\ypslhvxd.dllc:\windows\system32\ywnhawju.inic:\windows\system32\YyGgNXbc.inic:\windows\system32\YyGgNXbc.ini2D:\Autorun.inf.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_TDSSSERV.SYS-------\Service_TDSSserv.sys((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 ))))))))))))))))))))))))))))))).2009-02-01 12:54 . 2009-02-01 12:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-01 12:54 . 2009-02-01 12:54 <DIR> d-------- c:\documents and settings\Souhil\Application Data\Malwarebytes2009-02-01 12:54 . 2009-02-01 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-01 12:54 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-01 12:54 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-01 12:46 . 2009-02-04 08:15 <DIR> d-------- c:\windows\system32\CatRoot22009-01-30 10:50 . 2009-01-30 10:50 <DIR> d--hs---- C:\found.0002009-01-28 19:06 . 2009-01-28 19:06 <DIR> d-------- c:\program files\Trend Micro2009-01-27 20:06 . 2009-01-27 20:08 <DIR> d-------- c:\program files\RogueRemover FREE2009-01-27 15:06 . 2009-01-27 15:06 410,984 --a------ c:\windows\system32\deploytk.dll2009-01-27 15:05 . 2009-01-28 15:11 <DIR> d--h----- C:\$AVG8.VAULT$2009-01-27 15:02 . 2009-02-04 08:04 <DIR> d-------- c:\windows\system32\drivers\Avg2009-01-27 15:02 . 2009-02-01 12:53 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys2009-01-27 15:02 . 2009-02-01 12:53 10,520 --a------ c:\windows\system32\avgrsstx.dll2009-01-27 12:26 . 2009-01-27 12:26 0 --a------ c:\windows\nsreg.dat2009-01-27 12:08 . 2009-01-27 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant2009-01-27 11:31 . 2009-01-27 11:31 <DIR> d-------- c:\program files\CCleaner2009-01-27 10:45 . 2009-01-27 11:29 <DIR> d-------- c:\program files\a-squared Free2009-01-27 09:43 . 2006-08-19 02:08 <DIR> d-------- c:\documents and settings\george\Application Data\Intuit2009-01-27 09:43 . 2009-01-27 15:02 <DIR> d-------- c:\documents and settings\george2009-01-27 09:21 . 2006-08-19 02:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit2009-01-27 09:21 . 2009-01-27 15:02 <DIR> d-------- c:\documents and settings\Administrator2009-01-16 19:06 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll2009-01-16 19:06 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys2009-01-16 19:05 . 2009-01-16 19:05 <DIR> d-------- c:\program files\iTunes2009-01-16 19:05 . 2009-01-16 19:05 <DIR> d-------- c:\program files\iPod2009-01-16 19:05 . 2009-01-16 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}2009-01-16 19:04 . 2009-01-16 19:04 <DIR> d-------- c:\program files\Bonjour2009-01-16 19:03 . 2009-01-16 19:04 <DIR> d-------- c:\program files\QuickTime2009-01-16 19:03 . 2009-01-16 19:03 <DIR> d-------- c:\program files\Apple Software Update.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-01 20:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg82009-01-28 05:03 --------- d-----w c:\program files\Trillian2009-01-28 05:00 --------- d-----w c:\documents and settings\Souhil\Application Data\LimeWire2009-01-28 05:00 --------- d-----w c:\documents and settings\Souhil\Application Data\Chessmaster Challenge2009-01-17 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer2008-12-31 18:49 31 ----a-w c:\documents and settings\Guest\jagex_runescape_preferences.dat2008-12-31 03:34 --------- d-----w c:\program files\LimeWire2008-12-27 20:26 31 ----a-w c:\documents and settings\Souhil\jagex_runescape_preferences.dat2008-12-18 20:13 --------- d--h--w c:\program files\InstallShield Installation Information2008-12-18 20:13 --------- d-----w c:\program files\Robot Wars2008-12-18 20:10 --------- d-----w c:\program files\WildGames2008-12-18 20:10 --------- d-----w c:\documents and settings\Souhil\Application Data\WildTangent2008-12-18 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent2008-12-07 21:09 --------- d-----w c:\documents and settings\Guest\Application Data\LimeWire2008-05-17 20:25 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051720080518\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-02-01 12:53 10520 c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"="c:\\Program Files\\HP Games\\JEOPARDY\\JEOPARDY!.exe"="c:\\Program Files\\Trillian\\trillian.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\WINDOWS\\system32\\dpnsvr.exe"="c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-27 325128]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2008-03-04 20608]S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-01-22 477696][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{749eab1a-323f-11dc-b59c-001a73099455}]\Shell\AutoRun\command - G:\LaunchU3.exe -a.- - - - ORPHANS REMOVED - - - -WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)MSConfigStartUp-2e7afc00 - c:\windows\system32\afmokiqm.dll.------- Supplementary Scan -------.uStart Page = hxxp://www.google.commStart Page = hxxp://www.google.comuInternet Connection Wizard,ShellNext = iexploreIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cabFF - ProfilePath - c:\documents and settings\Souhil\Application Data\Mozilla\Firefox\Profiles\t7yq7ln8.default\FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-04 08:18:24Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????`?@?????L?@ scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.c:\program files\a-squared Free\a2service.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\windows\system32\HPZipm12.exec:\windows\system32\UStorSrv.exec:\program files\Hewlett-Packard\Shared\hpqwmiex.exec:\program files\AVG\AVG8\avgrsx.exec:\program files\iPod\bin\iPodService.exec:\progra~1\HPQ\Shared\HPQTOA~1.EXE.**************************************************************************.Completion time: 2009-02-04 8:21:52 - machine was rebootedComboFix-quarantined-files.txt 2009-02-04 16:21:48Pre-Run: 49,652,432,896 bytes freePost-Run: 49,574,809,600 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect198 --- E O F --- 2008-10-27 22:08:01* *Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:28:52 AM, on 2/4/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe--End of file - 6557 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53575 Share Posted February 5, 2009 That looks good. Please run the following and then let me know how the computer is running and if there are still any signs of an infection.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
namida12 Posted February 6, 2009 Author ID:54068 Share Posted February 6, 2009 Malwarebytes' Anti-Malware 1.33Database version: 1733Windows 5.1.2600 Service Pack 32/6/2009 5:10:22 AMmbam-log-2009-02-06 (05-10-22).txtScan type: Quick ScanObjects scanned: 65449Time elapsed: 3 minute(s), 9 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)* *Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:13:28 AM, on 2/6/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exeC:\Program Files\iTunes\iTunesHelper.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\UStorSrv.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exeO4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptopO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe--End of file - 6524 bytesI now have windows updates ready to install <--- OK, to install them, and Java?JR Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54241 Share Posted February 7, 2009 As long as there are no other signs of infection. The logs look clean but I'm not sitting at the computer to see how it's working.Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.STEP 1Uninstall ComboFix.exeClick START then RUNNow type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.When shown the disclaimer, Select "2"Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exeSTEP 2Uninstall GMERClick on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.STEP 3Uninstall other toolsPlease Download OTMoveIt3 by Old Timer and save it to your Desktop.Double-click OTMoveIt3.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.NOW please reboot your computer to finish the cleanup processDownload and Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerThen go get all the Windows Critical Updates. Link to post Share on other sites More sharing options...
Recommended Posts