
VirtualMundo files that won't go away



I posted this on the PC Help forum, but they said to do it here. I ran a Full Scan in safe mode with the Malwarebytes scanner. I started off with 80-some-odd files. It cleaned off all but 3. When retrying, it says it cleans them off, but when I do a rescan, it brings those same 3 files back again. No matter how many times it's done, those same 3 files keep coming up. If I leave my PC on overnight, the file count goes back up to about 21 or so. I'm doing a cleaning every day now just to keep it under control. Even when I tried to go and manually delete one of the registry entries, the entry comes right back up as soon as it's deleted (even in safe mode). Here is my HijackThis log. Anyone who can help would be greatly appreciated:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:45:04 PM, on 2/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\HP Multimedia Keyboard\KMaestro.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {B1C69F9C-AD10-4FCD-9973-0E9D28123767} - C:\WINDOWS\system32\khfEXPGW.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {ed22a73b-1df8-405d-a8a1-db24a4b76210} - C:\WINDOWS\system32\namubave.dll (file missing)

O4 - HKLM\..\Run: [btcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s (User 'NETWORK SERVICE')

O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fubar.com/imgs/ImageUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232190577421

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\nitazolo.dll c:\windows\system32\rikeleju.dll aeivgq.dll akddog.dll fqnfxz.dll

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 6307 bytes

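The log above is the whole record the poster has, so here is an added example (my code, not Malwarebytes', Trend Micro's or the poster's tooling) of triaging HijackThis lines mechanically. It parses the O2 (BHO), O4 (Run key) and O20 (AppInit_DLLs) lines and flags the patterns that matter in this log: a BHO with no name or a missing file, a Run value that loads a DLL through rundll32 under a name that looks machine-generated, the same Run value planted under the LOCAL SERVICE and NETWORK SERVICE hives (S-1-5-19 and S-1-5-20, where no interactive software needs a Run entry), and AppInit_DLLs entries not on a small allow-list (AppInit_DLLs are loaded into every process that links user32.dll, which gives malware code a foothold in every GUI process, removal tools included). The sample log is constructed from lines in the post; the allow-list, the service-hive rule and the consonant-vowel name heuristic are my assumptions, tuned to this thread rather than general rules.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the HijackThis log above, plus the
# legitimate NvCplDaemon entry to show that rundll32 by itself is not a verdict.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {B1C69F9C-AD10-4FCD-9973-0E9D28123767} - C:\WINDOWS\system32\khfEXPGW.dll (file missing)
O2 - BHO: (no name) - {ed22a73b-1df8-405d-a8a1-db24a4b76210} - C:\WINDOWS\system32\namubave.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s
O4 - HKUS\S-1-5-19\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kagidoliza] Rundll32.exe "C:\WINDOWS\system32\hitusoli.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\nitazolo.dll c:\windows\system32\rikeleju.dll aeivgq.dll akddog.dll fqnfxz.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]*\.dll)', re.IGNORECASE)
# Consonant-vowel syllable names (hitusoli, nitazolo, ...) are a weak heuristic
# matching the naming style in this thread, not a general detection rule.
SYLLABLE_RE = re.compile(r"(?:[b-df-hj-np-tv-z][aeiou]){4,5}")
# Assumption: wbsys.dll is treated as legitimate because the ComboFix log later
# in the thread shows a Stardock WindowBlinds install. Verify on the real host.
APPINIT_ALLOW = {"wbsys.dll"}
SERVICE_HIVES = {"HKUS\\S-1-5-19", "HKUS\\S-1-5-20"}  # LOCAL SERVICE, NETWORK SERVICE


def looks_generated(filename):
    """True when the file stem is 4-5 consonant-vowel syllables (e.g. hitusoli)."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return SYLLABLE_RE.fullmatch(stem) is not None


def triage(log_text):
    """Return (rule, detail) findings for the O2/O4/O20 lines of a HijackThis log."""
    findings = []
    run_hives = defaultdict(set)  # Run value name -> hives it appears in
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group("missing") or m.group("name") == "(no name)":
                findings.append(("bho-unnamed-or-missing", m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, value = m.group("hive"), m.group("value")
            cmd = re.sub(r" \(User '[^']*'\)$", "", m.group("cmd"))
            run_hives[value].add(hive)
            r = RUNDLL_RE.search(cmd)
            if r and looks_generated(r.group("dll")):
                findings.append(("run-rundll32-generated-name", f"{hive} [{value}] {cmd}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                if dll.rsplit("\\", 1)[-1].lower() not in APPINIT_ALLOW:
                    findings.append(("appinit-dll-not-allowlisted", dll))
    # A Run value under a service account's hive is planted, not installed.
    for value, hives in run_hives.items():
        if hives & SERVICE_HIVES:
            findings.append(("run-in-service-account-hive",
                             f"[{value}] under {', '.join(sorted(hives))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

Run against the sample it reports eleven findings: the two unnamed BHOs with missing files, the three rundll32 loads of hitusoli.dll, the kagidoliza value sitting under HKLM plus both service hives, and five AppInit DLLs. NvCpl.dll, also loaded via rundll32, is not reported, which is the point of the name heuristic: the loader is common, the operand is what to look at.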

Okay, and in case you want to see it, I just did another scan (quick scan, but a full scan pulls up the same three files in question) and once again it "deleted" those 3 files, but once I rescan, they are there again. Here's the log of that scan:

Malwarebytes' Anti-Malware 1.33

Database version: 1738

Windows 5.1.2600 Service Pack 3

2/8/2009 11:00:18 PM

mbam-log-2009-02-08 (23-00-18).txt

Scan type: Quick Scan

Objects scanned: 70232

Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed22a73b-1df8-405d-a8a1-db24a4b76210} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ed22a73b-1df8-405d-a8a1-db24a4b76210} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kagidoliza (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Root Admin:

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Okay, here's the ComboFix log:

ComboFix 09-02-10.02 - Lew 2009-02-11 4:50:47.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2660 [GMT -6:00]

Running from: c:\documents and settings\Lew\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1296 [VPS 090207-0] *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Lew\LOCALS~1\Temp\tmp1.tmp

c:\docume~1\Lew\LOCALS~1\Temp\tmp2.tmp

c:\windows\system32\adepugiy.ini

c:\windows\system32\afitozok.ini

c:\windows\system32\bimewefi.dll

c:\windows\system32\demesari.dll

c:\windows\system32\edefuyeg.ini

c:\windows\system32\ehewabar.ini

c:\windows\system32\huwifolu.dll

c:\windows\system32\kujxvi.dll

c:\windows\system32\nitazolo.dll

c:\windows\system32\pthreadGC2.dll

c:\windows\system32\uiywjg.dll

c:\windows\system32\WGPXEfhk.ini

c:\windows\system32\WGPXEfhk.ini2

c:\windows\Tasks\dxwjkvpx.job

.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))

.

2009-02-10 14:09 . 2009-02-10 14:09 2,713 ---hs---- c:\windows\system32\tojowebo.dll

2009-02-10 02:09 . 2009-02-10 02:09 2,713 ---hs---- c:\windows\system32\vituwoze.dll

2009-02-09 15:53 . 2009-02-09 15:53 <DIR> d-------- c:\documents and settings\Rya\Application Data\Malwarebytes

2009-02-09 14:09 . 2009-02-09 14:09 2,713 ---hs---- c:\windows\system32\ludimeda.dll

2009-02-09 02:08 . 2009-02-09 02:08 2,713 ---hs---- c:\windows\system32\fegigewi.dll

2009-02-08 22:44 . 2009-02-08 22:44 <DIR> d-------- c:\program files\Trend Micro

2009-02-08 16:08 . 2009-02-08 16:08 61,440 --a------ c:\windows\system32\drivers\gfbrcjix.sys

2009-02-08 14:08 . 2009-02-08 14:08 2,713 ---hs---- c:\windows\system32\vokeloso.dll

2009-02-07 18:42 . 2009-02-07 18:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-07 18:42 . 2009-02-07 18:42 <DIR> d-------- c:\documents and settings\Lew\Application Data\Malwarebytes

2009-02-07 18:42 . 2009-02-07 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-07 18:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-07 18:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-07 18:22 . 2009-02-07 18:22 1,529,241 --a------ C:\SDFix.exe

2009-02-07 18:13 . 2009-02-07 18:13 <DIR> d-------- c:\documents and settings\Lew\Application Data\Uniblue

2009-02-07 18:09 . 2009-02-07 18:09 <DIR> d-------- c:\program files\Uniblue

2009-02-07 18:09 . 2009-02-07 18:09 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}

2009-02-06 15:41 . 2009-02-06 15:41 <DIR> d-------- c:\documents and settings\Lew\Application Data\Windows Search

2009-02-06 15:22 . 2009-02-06 15:51 <DIR> d-------- C:\reg

2009-02-06 15:19 . 2009-02-06 15:19 <DIR> d-------- c:\program files\Rundll Errors Fix Wizard

2009-02-06 15:19 . 2005-10-11 15:40 356,352 --a------ c:\windows\eSellerateEngine.dll

2009-02-06 15:19 . 2003-06-06 12:21 81,920 --a------ c:\windows\eSellerateControl350.dll

2009-02-06 06:41 . 2009-02-06 06:41 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-04 04:50 . 2009-02-04 04:50 <DIR> d-------- c:\windows\Sun

2009-02-04 00:22 . 2009-02-05 06:09 <DIR> d-------- c:\program files\NavNet

2009-02-01 22:48 . 2009-02-01 22:48 <DIR> d-------- c:\program files\ImTOO

2009-01-30 18:16 . 2009-01-30 18:05 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-01-30 18:10 . 2009-01-30 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield

2009-01-30 18:10 . 2006-05-16 11:58 73,728 --a------ c:\windows\system32\ISUSPM.cpl

2009-01-30 18:05 . 2009-01-30 18:05 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-01-30 13:50 . 2009-01-30 13:50 <DIR> d-------- c:\program files\Lavasoft

2009-01-30 13:50 . 2009-01-30 18:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-30 03:10 . 2009-02-11 02:29 69 --a------ c:\windows\NeroDigital.ini

2009-01-30 02:40 . 2009-01-30 02:40 <DIR> d-------- c:\program files\GoldEsel

2009-01-30 02:38 . 2009-01-30 02:38 <DIR> d-------- c:\program files\Common Files\Ahead

2009-01-30 02:38 . 2009-01-30 02:38 <DIR> d-------- c:\program files\Ahead

2009-01-30 02:38 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2009-01-30 02:38 . 2004-03-02 17:37 125,184 --------- c:\windows\system32\drivers\imagesrv.sys

2009-01-30 02:38 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll

2009-01-30 02:38 . 2004-03-02 17:37 5,504 --------- c:\windows\system32\drivers\imagedrv.sys

2009-01-29 13:26 . 2009-01-29 13:26 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-29 13:14 . 2009-01-30 02:15 <DIR> d-------- c:\program files\Nero

2009-01-27 12:54 . 2009-01-27 12:54 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-01-27 12:52 . 2009-01-27 15:11 <DIR> d-------- c:\program files\NOS

2009-01-27 12:52 . 2009-01-27 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-01-26 09:48 . 2009-01-26 09:48 <DIR> d-------- c:\windows\70DECFBF91194434B2D3A3C283D15E45.TMP

2009-01-25 02:06 . 2009-01-25 02:06 <DIR> d-------- c:\documents and settings\Lew\Application Data\EPSON

2009-01-24 08:08 . 2009-01-30 18:10 <DIR> d-------- c:\windows\USBdevice

2009-01-24 08:08 . 2009-01-24 08:08 <DIR> d-------- C:\temp

2009-01-24 08:08 . 2009-01-24 08:08 <DIR> d-------- c:\program files\D-Link

2009-01-24 08:08 . 2007-09-27 00:58 461,952 --a------ c:\windows\system32\drivers\MRVW245.sys

2009-01-20 03:24 . 2009-01-20 03:24 <DIR> d-------- c:\program files\VideoLAN

2009-01-20 03:24 . 2009-01-20 03:24 <DIR> d-------- c:\documents and settings\Lew\Application Data\vlc

2009-01-20 03:15 . 2009-01-20 06:27 23,392 --a------ c:\windows\system32\nscompat.tlb

2009-01-20 03:15 . 2009-01-20 06:27 16,832 --a------ c:\windows\system32\amcompat.tlb

2009-01-19 20:10 . 2009-01-19 20:10 <DIR> d-------- c:\documents and settings\Rya\Application Data\Thunderbird

2009-01-19 18:08 . 2009-01-19 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-19 01:51 . 2009-01-19 01:51 <DIR> d-------- c:\documents and settings\Lew\Application Data\DivX

2009-01-19 01:47 . 2007-09-06 01:27 104,064 -ra------ c:\windows\system32\drivers\viamraid.sys

2009-01-19 01:46 . 2009-01-19 01:47 <DIR> d-------- c:\program files\VIA

2009-01-19 01:46 . 2007-09-06 01:27 331,184 --a------ c:\windows\system32\difxapi.dll

2009-01-18 15:22 . 2009-01-18 15:22 <DIR> d-------- c:\documents and settings\Rya\Application Data\Windows Desktop Search

2009-01-18 15:22 . 2009-02-10 15:32 <DIR> d-------- c:\documents and settings\Rya

2009-01-18 15:13 . 2009-01-18 15:14 <DIR> d-------- c:\program files\DivX

2009-01-18 15:12 . 2009-01-18 15:12 <DIR> d-------- c:\windows\system32\languages

2009-01-18 15:06 . 2009-01-18 15:06 <DIR> d-------- c:\program files\PTDD Group

2009-01-18 15:03 . 2009-02-06 06:43 <DIR> d-------- c:\windows\system32\XPSViewer

2009-01-18 15:03 . 2009-01-18 15:03 <DIR> d-------- c:\program files\Reference Assemblies

2009-01-18 15:03 . 2009-01-18 15:03 <DIR> d-------- c:\program files\MSBuild

2009-01-18 15:03 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll

2009-01-18 14:40 . 2009-01-18 14:49 <DIR> d-------- c:\windows\NV9442992.TMP

2009-01-18 14:40 . 2008-09-18 01:55 201,050 --a------ c:\windows\system32\nvapps.nvb

2009-01-18 14:39 . 2009-01-18 14:39 <DIR> d-------- c:\windows\system32\GroupPolicy

2009-01-18 14:39 . 2009-01-18 14:39 <DIR> d-------- c:\program files\Windows Desktop Search

2009-01-18 14:39 . 2009-01-18 14:39 <DIR> d-------- c:\documents and settings\Lew\Application Data\Windows Desktop Search

2009-01-18 14:38 . 2009-01-20 03:13 <DIR> d-------- c:\program files\Windows Media Connect 2

2009-01-18 14:38 . 2008-04-13 18:12 221,184 --a------ c:\windows\system32\wmpns.dll

2009-01-18 14:38 . 2008-03-07 11:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll

2009-01-18 14:38 . 2008-03-07 11:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll

2009-01-18 14:38 . 2008-03-07 11:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll

2009-01-18 14:37 . 2009-01-18 14:37 <DIR> d-------- c:\windows\system32\LogFiles

2009-01-18 14:37 . 2009-01-20 03:21 <DIR> d-------- c:\windows\system32\drivers\UMDF

2009-01-18 14:36 . 2009-01-18 14:36 <DIR> d-------- c:\windows\system32\URTTEMP

2009-01-18 09:29 . 2009-02-09 02:07 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-18 09:17 . 2009-01-18 09:17 <DIR> d-------- c:\program files\OneRiot

2009-01-18 09:15 . 2009-01-18 09:15 <DIR> d-------- c:\program files\PowerQuest

2009-01-18 09:12 . 2009-01-18 09:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Maxtor

2009-01-18 09:04 . 2009-01-18 09:04 <DIR> d-------- c:\documents and settings\Lew\Application Data\Media Player Classic

2009-01-18 05:40 . 2009-01-18 05:40 <DIR> d-------- c:\program files\MSXML 4.0

2009-01-18 05:34 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-01-18 05:34 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-01-18 05:34 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-01-18 05:34 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-01-18 05:34 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-01-18 05:34 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-01-18 05:34 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-01-18 05:34 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-18 05:34 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-01-18 05:29 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-01-18 05:29 . 2008-12-11 04:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys

2009-01-18 05:28 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-01-18 05:28 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-01-18 05:28 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-01-18 05:28 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-01-18 05:28 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2009-01-18 05:28 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2009-01-18 05:28 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2009-01-18 05:27 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-01-18 05:27 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-01-18 05:26 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-01-18 05:26 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys

2009-01-18 04:49 . 2009-01-18 04:49 <DIR> d-------- c:\program files\Alwil Software

2009-01-18 04:44 . 2009-02-09 02:07 <DIR> d-------- c:\program files\Java

2009-01-18 04:44 . 2009-01-18 04:52 <DIR> d-------- c:\documents and settings\Lew\Application Data\LimeWire

2009-01-18 04:44 . 2009-02-09 02:07 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-18 04:43 . 2009-01-18 04:44 <DIR> d-------- c:\program files\LimeWire

2009-01-18 04:43 . 2009-01-18 04:43 <DIR> d-------- c:\program files\Common Files\Java

2009-01-18 04:43 . 2005-02-18 02:40 45,056 --a------ c:\windows\system32\KmRemove.exe

2009-01-18 04:43 . 2003-07-17 23:57 7,850 -ra------ c:\windows\system32\drivers\Maestro1.sys

2009-01-18 04:42 . 2009-01-18 04:43 <DIR> d-------- c:\program files\HP Multimedia Keyboard

2009-01-18 02:24 . 2009-01-19 18:08 <DIR> d-------- c:\program files\Yahoo!

2009-01-18 02:22 . 2009-01-18 02:22 <DIR> d-------- c:\program files\QuickPar

2009-01-18 02:22 . 2009-01-18 02:22 <DIR> d-------- c:\program files\AWS

2009-01-18 02:22 . 2009-01-18 02:22 <DIR> d-------- c:\documents and settings\Lew\Application Data\WeatherBug

2009-01-18 02:21 . 2009-01-18 02:21 <DIR> d-------- c:\program files\MSECache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-11 10:49 --------- d-----w c:\program files\Mozilla Thunderbird

2009-02-08 22:08 168 ----a-w c:\program files\yxgm.txt

2009-01-31 00:10 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 00:10 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-18 21:11 684,560 ----a-w c:\windows\system32\unins000.exe

2009-01-17 13:52 --------- d-----w c:\program files\DIFX

2009-01-17 13:51 --------- d-----w c:\program files\Marvell

2009-01-17 13:50 315,392 ----a-w c:\windows\HideWin.exe

2009-01-17 13:50 --------- d-----w c:\program files\Realtek

2009-01-17 13:49 --------- d-----w c:\documents and settings\Lew\Application Data\InstallShield

2009-01-17 13:32 --------- d-----w c:\program files\microsoft frontpage

2009-01-17 11:31 --------- d-----w c:\program files\EPSON

2009-01-17 11:30 --------- d-----w c:\program files\MozBackup

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll

2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll

2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll

2008-11-29 20:26 991,232 ----a-w c:\windows\system32\VSFilter.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BtcMaestro"="c:\program files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-20 245760]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 136600]

c:\documents and settings\Lew\Start Menu\Programs\Startup\

Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2009-01-24 20512768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 10:05 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nitazolo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

--a------ 2007-04-20 10:03 149024 c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]

--a------ 2007-04-20 10:09 1945712 c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]

--a------ 2009-01-17 21:00 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]

--a------ 2007-04-20 09:59 1169720 c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-09-18 01:55 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-09-18 01:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]

--a------ 2008-08-26 10:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

-r------- 2005-05-03 04:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-09-18 01:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-r------- 2007-02-26 01:03 16125440 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-30 64160]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-18 111184]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-18 20560]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-30 18:05]

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-484061587-839522115-1004.job

- c:\documents and settings\Lew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []

.

- - - - ORPHANS REMOVED - - - -

BHO-{B1C69F9C-AD10-4FCD-9973-0E9D28123767} - c:\windows\system32\khfEXPGW.dll

BHO-{ed22a73b-1df8-405d-a8a1-db24a4b76210} - c:\windows\system32\namubave.dll

WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)

HKLM-Run-kagidoliza - c:\windows\system32\hitusoli.dll

MSConfigStartUp-000000af - c:\windows\system32\yigupeda.dll

MSConfigStartUp-CPMe733c9d0 - c:\windows\system32\barijatu.dll

MSConfigStartUp-e400fa4c - c:\windows\system32\gipidiwu.dll

MSConfigStartUp-Google Update - c:\documents and settings\Lew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

MSConfigStartUp-kagidoliza - c:\windows\system32\hitusoli.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB

FF - ProfilePath - c:\documents and settings\Lew\Application Data\Mozilla\Firefox\Profiles\0dvkbvze.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\Lew\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-11 04:55:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(1204)

c:\windows\system32\relog_ap.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2009-02-11 4:58:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-11 10:58:35

Pre-Run: 53,816,860,672 bytes free

Post-Run: 56,973,619,200 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer


and here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:02:55 AM, on 2/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP Multimedia Keyboard\KMaestro.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [btcMaestro] "C:\Program Files\HP Multimedia Keyboard\KMaestro.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Web-Based Email Tools - http://email02.secureserver.net/Download.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fubar.com/imgs/ImageUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232190577421

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 5625 bytes

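The two logs above share two tell-tale autostart patterns: DLLs in system32 with random eight-letter names (hitusoli.dll, namubave.dll, gipidiwu.dll, barijatu.dll, yigupeda.dll) and entries that point at a file which no longer exists ("(no file)"). The Python triage below is an added example, not part of the thread and not code from HijackThis or ComboFix; the sample lines are quoted from the logs above, and the consonant-vowel naming regex is this example's own heuristic, not a rule from either tool.

```python
import re

# Sample autostart lines quoted from the HijackThis and ComboFix output in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"BHO-{ed22a73b-1df8-405d-a8a1-db24a4b76210} - c:\windows\system32\namubave.dll",
    r"HKLM-Run-kagidoliza - c:\windows\system32\hitusoli.dll",
    r"MSConfigStartUp-e400fa4c - c:\windows\system32\gipidiwu.dll",
    r"WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)",
]

# In both log formats the loaded file is the last " - " separated field; inside it we
# want either a drive-letter path or the literal "(no file)" marker.
TARGET_RE = re.compile(r"[a-z]:\\.*|\(no file\)", re.IGNORECASE)
# Heuristic (an assumption of this example): eight lowercase letters alternating
# consonant/vowel, the pattern shared by hitusoli, namubave, gipidiwu, barijatu, yigupeda.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


def extract_target(line):
    """Return the lowercased file path (or '(no file)') an autostart line refers to, or None."""
    match = TARGET_RE.search(line.rsplit(" - ", 1)[-1])
    if not match:
        return None
    # Quoted paths such as "C:\Program Files\...\KMaestro.exe" keep their quotes in the log.
    return match.group(0).strip().strip('"').lower()


def suspicious_reason(target):
    """Return why a target deserves a closer look, or None if nothing stands out."""
    if target == "(no file)":
        return "autostart entry points at a file that no longer exists"
    directory, _, filename = target.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    if directory.endswith("\\windows\\system32") and ext == "dll" and CV_NAME_RE.match(stem):
        return "random consonant-vowel DLL name in system32"
    return None


def triage(lines):
    """Return (target, reason) for every line that trips a heuristic, in input order."""
    results = []
    for line in lines:
        target = extract_target(line)
        reason = suspicious_reason(target) if target else None
        if reason:
            results.append((target, reason))
    return results


if __name__ == "__main__":
    for target, reason in triage(SAMPLE_LINES):
        print(f"{target}: {reason}")
```

Legitimate system32 entries such as NvCpl.dll pass untouched; the flagged entries are the ones a helper would ask about next, not a verdict on the file.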

  • Root Admin

Wow, you have a lot of junk there. Please run the following temp cleaner and then an Anti-Virus scanner and we'll go from there.

STEP 1

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 2

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
    [image: check.gif]
    If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer, because it is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

