
Problems with Juan and Vundo



Hello all. <_< I have been having problems with a virus that for the world of me I can't figure out how to delete. So, I have come here asking for help. I've tried AVG (which doesn't even pick it up), Ad-Aware (again, isn't picking it up), and Malwarebytes (which picks it up and deletes it, but it just keeps coming back). Below is a copy of the malwarebytes log and the hijackthis log. Any help would be greatly appreciated. :angry: Thank you.

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 2

2/24/2009 2:27:49 PM

mbam-log-2009-02-24 (14-27-49).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 189068

Time elapsed: 7 hour(s), 33 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:37:54 PM, on 2/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5meen_us/122

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: {73c870c8-5080-488b-7ce4-0e15c123e053} - {350e321c-51e0-4ec7-b884-08058c078c37} - C:\WINDOWS\system32\ryoeci.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll

O2 - BHO: (no name) - {8A046589-DB23-4008-834C-CF130ACD4062} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)

O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - java script:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.moove.com

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074364515

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074351531

O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: c:\windows\ C:\WINDOWS\system32\miyatedo.dll ryoeci.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 11649 bytes


  • Root Admin

Please UPDATE MBAM and scan again.

YOUR VERSION

Malwarebytes' Anti-Malware 1.31

Database version: 1500

CURRENT VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1800

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, choose Do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order please.


Sorry about that. Here's the updated Mbam log and hjt log.

Mbam-

Malwarebytes' Anti-Malware 1.34

Database version: 1800

Windows 5.1.2600 Service Pack 2

2/24/2009 9:44:39 PM

mbam-log-2009-02-24 (21-44-39).txt

Scan type: Quick Scan

Objects scanned: 85527

Time elapsed: 17 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 64

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ryoeci.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{350e321c-51e0-4ec7-b884-08058c078c37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{350e321c-51e0-4ec7-b884-08058c078c37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{350e321c-51e0-4ec7-b884-08058c078c37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\PremierOpinion (Adware.PremierOpinion) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\ryoeci.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\anlglc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\aswjaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bitibipe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bokayipo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bokimuda.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\darekove.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dfamba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\eezmsi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\emtuut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fokeripi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fuzuwopi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gipuriti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hidagipe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hituyaju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jiwizagi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lutawudi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\memitigu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mitezifi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mojazulo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mopasuru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\motulaja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nactnj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nibafora.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nosekemu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ntczqf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pamegako.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pitajayi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\redukidu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\repuyilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\retavugi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rowuwoze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rusafuta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sekiduso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sokoyeji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\somajate.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sutefide.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tavazowo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tphjjp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuzadoye.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\welefame.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\widamibo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wilatola.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wutogewu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\linejegu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pokegale.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\womehiva.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\masarodo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yofeyima.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zajefola.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zehiheve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zihawofa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zitofowu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zivopoza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sewisosu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pywmkv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lamabayi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lebedesi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\0xf9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\~os69B.tmp\DOMPilot.dll (Adware.PremierOpinion) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\~os69B.tmp\OssPdf.dll (Adware.PremierOpinion) -> Quarantined and deleted successfully.

C:\Program Files\PremierOpinion\pmls.dll (Adware.PremierOpinion) -> Quarantined and deleted successfully.

C:\Program Files\PremierOpinion\pmoci.bin (Adware.PremierOpinion) -> Quarantined and deleted successfully.

C:\Program Files\PremierOpinion\pmropn.exe (Adware.PremierOpinion) -> Quarantined and deleted successfully.

And here's the HJT log after restart:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:11:48 PM, on 2/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5meen_us/122

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll

O2 - BHO: (no name) - {8A046589-DB23-4008-834C-CF130ACD4062} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)

O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - java script:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.moove.com

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074364515

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074351531

O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: c:\windows\ C:\WINDOWS\system32\miyatedo.dll ryoeci.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 11256 bytes


  • Root Admin

STEP 1

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5meen_us/122
  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
  • R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  • R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
  • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O2 - BHO: (no name) - {8A046589-DB23-4008-834C-CF130ACD4062} - (no file)
  • O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
  • O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  • O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - java script:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  • O15 - Trusted Zone: *.moove.com
  • O19 - User stylesheet: (file missing)
  • O20 - AppInit_DLLs: c:\windows\ C:\WINDOWS\system32\miyatedo.dll ryoeci.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 3

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 4

Your Adobe Acrobat is old and has exploited code and needs to be updated.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

STEP 5

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 6

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

STEP 7

Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

STEP 8

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs, in that order please.

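The fix list in STEP 1 above was picked out of the HijackThis log by hand. As an added example (not the forum's, HijackThis's or the Root Admin's own code), the Python below parses lines in the HijackThis v2.0.2 format and applies three of the patterns visible in that selection: entries whose target reads "(no file)" or "(file missing)", a populated O20 AppInit_DLLs value, and O15 Trusted Zone additions. The sample lines are copied from the log posted in this thread; the triage rules, the `HjtEntry` type and the function names are this example's own assumptions, not anything HijackThis produces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis v2.0.2 log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8A046589-DB23-4008-834C-CF130ACD4062} - (no file)
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O15 - Trusted Zone: *.moove.com
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\ C:\WINDOWS\system32\miyatedo.dll ryoeci.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

# A HijackThis entry line is "<section> - <body>", where section is R0-R3 or O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    section: str  # e.g. "O20"
    body: str     # text after the "O20 - " marker
    line: str     # the original line, kept for reporting


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis entry lines; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body"), raw.strip()))
    return entries


def appinit_dlls(entry: HjtEntry) -> List[str]:
    """Split an O20 AppInit_DLLs value into its space-separated tokens."""
    prefix = "AppInit_DLLs:"
    if entry.section != "O20" or not entry.body.startswith(prefix):
        return []
    return entry.body[len(prefix):].split()


def triage(entry: HjtEntry) -> Optional[str]:
    """Return a reason to review the entry, or None. The rules are this example's heuristics."""
    body = entry.body
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphan: registry entry points at a file that no longer exists"
    if entry.section == "O20":
        dlls = appinit_dlls(entry)
        if dlls:
            return "AppInit_DLLs is set; every user-mode process loads: " + ", ".join(dlls)
    if entry.section == "O15":
        return "Trusted Zone entry relaxes IE security for the listed site"
    return None


def review(text: str) -> List[Tuple[str, str, str]]:
    """All flagged entries as (section, line, reason), in log order."""
    flagged = []
    for entry in parse_hjt(text):
        reason = triage(entry)
        if reason:
            flagged.append((entry.section, entry.line, reason))
    return flagged


if __name__ == "__main__":
    for section, line, reason in review(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, `review` flags six of the nine lines and leaves the Java BHO, the Ad-Watch Run entry and the Ad-Aware service alone; the remaining items in the Root Admin's list (the R1 search settings, the Java and Adobe entries, the O8 context-menu item) were chosen on grounds these three rules do not encode, so the script narrows a log for a human reviewer rather than replacing one.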

Alright, sorry it took so long to respond. Work has been hectic. But here are the following logs that you requested. On a side note, so far so good. I haven't received any pop-ups, and my system seems to be running faster and smoother.

JavaRa Log:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Feb 25 01:54:11 2009

Found and removed: C:\Program Files\Java\j2re1.4.2_01

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.140

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.0

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.0

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

Found and removed: Software\JavaSoft\Java2D\1.5.0_02

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510002

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410205

Found and removed: SOFTWARE\Classes\JavaPlugin.142_05

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_02\

Found and removed: C:\Program Files\JavaSoft

------------------------------------

Finished reporting.

Kaspersky Log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, February 25, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, February 25, 2009 09:32:42

Records in database: 1842466

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Files scanned: 109419

Threat name: 9

Infected objects: 55

Suspicious objects: 0

Duration of the scan: 02:53:09

File name / Threat name / Threats count

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FEGNG6CP\pldr8[1].htm Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\avxzcy.dll Infected: Trojan.Win32.Agent.bjxa 1

C:\WINDOWS\system32\boyiyiro.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\busediho.dll Infected: Trojan.Win32.Agent.bjxa 1

C:\WINDOWS\system32\fasesosu.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\favonone.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\fukurago.dll Infected: Trojan.Win32.Agent.bktc 1

C:\WINDOWS\system32\funufoli.dll Infected: Trojan.Win32.Monderd.o 1

C:\WINDOWS\system32\ganepuze.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\gorumiba.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\gumuluha.dll Infected: Trojan.Win32.Agent.bktc 1

C:\WINDOWS\system32\hadabome.dll.tmp Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\haposoli.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\hepiyunu.dll Infected: Trojan.Win32.Monderd.o 1

C:\WINDOWS\system32\hosezuba.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\hubasode.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\huforiti.dll Infected: Trojan.Win32.Monderd.n 1

C:\WINDOWS\system32\jigijumu.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\jopokano.dll Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\joyoroyu.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\kawadono.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\kerihudo.dll Infected: Trojan.Win32.Agent.bpco 1

C:\WINDOWS\system32\kodikumu.dll Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\kujetoni.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\kuzokefa.dll Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\lakenade.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\lctfwz.dll Infected: Trojan.Win32.Agent.bjxa 1

C:\WINDOWS\system32\mewogaji.dll Infected: Trojan.Win32.Agent.bjxa 1

C:\WINDOWS\system32\mipasowu.dll.tmp Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\miperuwo.dll.tmp Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\modupuku.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\mopidozu.dll Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\nutopeko.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\pesanaho.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\pijakane.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\pnuakt.dll Infected: Trojan.Win32.Agent.bktc 1

C:\WINDOWS\system32\pujayime.dll.tmp Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\radiguyo.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\rageyeju.dll.tmp Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\reraketo.dll.tmp Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\rijezahu.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\ruyaguka.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\sinofosu.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\tewejaza.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\tizebaju.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\vahucg.dll Infected: Trojan.Win32.Agent.bktc 1

C:\WINDOWS\system32\vemayuva.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\vitumepa.dll Infected: Trojan.Win32.Monderd.n 1

C:\WINDOWS\system32\viwetabi.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\vufoburo.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\wahoyumi.dll Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\warewabe.dll.tmp Infected: Packed.Win32.Krap.f 1

C:\WINDOWS\system32\wilatubu.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\wimifisi.dll.tmp Infected: Trojan-Downloader.Win32.BHO.gmh 1

C:\WINDOWS\system32\yurezasa.dll Infected: Packed.Win32.Krap.f 1

The selected area was scanned.

Mbam Log:

Malwarebytes' Anti-Malware 1.34

Database version: 1802

Windows 5.1.2600 Service Pack 2

2/25/2009 9:49:55 PM

mbam-log-2009-02-25 (21-49-55).txt

Scan type: Quick Scan

Objects scanned: 72030

Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And finally, HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:01:41 PM, on 2/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074364515

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173074351531

O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 10513 bytes

And again, thank you for your continued help.


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
C:\WINDOWS\system32\avxzcy.dll
C:\WINDOWS\system32\boyiyiro.dll.tmp
C:\WINDOWS\system32\busediho.dll
C:\WINDOWS\system32\fasesosu.dll.tmp
C:\WINDOWS\system32\favonone.dll
C:\WINDOWS\system32\fukurago.dll
C:\WINDOWS\system32\funufoli.dll
C:\WINDOWS\system32\ganepuze.dll
C:\WINDOWS\system32\gorumiba.dll.tmp
C:\WINDOWS\system32\gumuluha.dll
C:\WINDOWS\system32\hadabome.dll.tmp
C:\WINDOWS\system32\haposoli.dll
C:\WINDOWS\system32\hepiyunu.dll
C:\WINDOWS\system32\hosezuba.dll
C:\WINDOWS\system32\hubasode.dll.tmp
C:\WINDOWS\system32\huforiti.dll
C:\WINDOWS\system32\jigijumu.dll
C:\WINDOWS\system32\jopokano.dll
C:\WINDOWS\system32\joyoroyu.dll
C:\WINDOWS\system32\kawadono.dll.tmp
C:\WINDOWS\system32\kerihudo.dll
C:\WINDOWS\system32\kodikumu.dll
C:\WINDOWS\system32\kujetoni.dll.tmp
C:\WINDOWS\system32\kuzokefa.dll
C:\WINDOWS\system32\lakenade.dll
C:\WINDOWS\system32\lctfwz.dll
C:\WINDOWS\system32\mewogaji.dll
C:\WINDOWS\system32\mipasowu.dll.tmp
C:\WINDOWS\system32\miperuwo.dll.tmp
C:\WINDOWS\system32\modupuku.dll
C:\WINDOWS\system32\mopidozu.dll
C:\WINDOWS\system32\nutopeko.dll
C:\WINDOWS\system32\pesanaho.dll.tmp
C:\WINDOWS\system32\pijakane.dll
C:\WINDOWS\system32\pnuakt.dll
C:\WINDOWS\system32\pujayime.dll.tmp
C:\WINDOWS\system32\radiguyo.dll.tmp
C:\WINDOWS\system32\rageyeju.dll.tmp
C:\WINDOWS\system32\reraketo.dll.tmp
C:\WINDOWS\system32\rijezahu.dll
C:\WINDOWS\system32\ruyaguka.dll.tmp
C:\WINDOWS\system32\sinofosu.dll
C:\WINDOWS\system32\tewejaza.dll.tmp
C:\WINDOWS\system32\tizebaju.dll
C:\WINDOWS\system32\vahucg.dll
C:\WINDOWS\system32\vemayuva.dll
C:\WINDOWS\system32\vitumepa.dll
C:\WINDOWS\system32\viwetabi.dll
C:\WINDOWS\system32\vufoburo.dll
C:\WINDOWS\system32\wahoyumi.dll
C:\WINDOWS\system32\warewabe.dll.tmp
C:\WINDOWS\system32\wilatubu.dll
C:\WINDOWS\system32\wimifisi.dll.tmp
C:\WINDOWS\system32\yurezasa.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Alright, I've got that step out of the way finally. And here is the log. :rolleyes:

Combofix Log:

ComboFix 09-02-25.02 - Owner 2009-02-26 13:42:24.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.178 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt

* Created a new restore point

FILE ::

c:\windows\system32\avxzcy.dll

c:\windows\system32\boyiyiro.dll.tmp

c:\windows\system32\busediho.dll

c:\windows\system32\fasesosu.dll.tmp

c:\windows\system32\favonone.dll

c:\windows\system32\fukurago.dll

c:\windows\system32\funufoli.dll

c:\windows\system32\ganepuze.dll

c:\windows\system32\gorumiba.dll.tmp

c:\windows\system32\gumuluha.dll

c:\windows\system32\hadabome.dll.tmp

c:\windows\system32\haposoli.dll

c:\windows\system32\hepiyunu.dll

c:\windows\system32\hosezuba.dll

c:\windows\system32\hubasode.dll.tmp

c:\windows\system32\huforiti.dll

c:\windows\system32\jigijumu.dll

c:\windows\system32\jopokano.dll

c:\windows\system32\joyoroyu.dll

c:\windows\system32\kawadono.dll.tmp

c:\windows\system32\kerihudo.dll

c:\windows\system32\kodikumu.dll

c:\windows\system32\kujetoni.dll.tmp

c:\windows\system32\kuzokefa.dll

c:\windows\system32\lakenade.dll

c:\windows\system32\lctfwz.dll

c:\windows\system32\mewogaji.dll

c:\windows\system32\mipasowu.dll.tmp

c:\windows\system32\miperuwo.dll.tmp

c:\windows\system32\modupuku.dll

c:\windows\system32\mopidozu.dll

c:\windows\system32\nutopeko.dll

c:\windows\system32\pesanaho.dll.tmp

c:\windows\system32\pijakane.dll

c:\windows\system32\pnuakt.dll

c:\windows\system32\pujayime.dll.tmp

c:\windows\system32\radiguyo.dll.tmp

c:\windows\system32\rageyeju.dll.tmp

c:\windows\system32\reraketo.dll.tmp

c:\windows\system32\rijezahu.dll

c:\windows\system32\ruyaguka.dll.tmp

c:\windows\system32\sinofosu.dll

c:\windows\system32\tewejaza.dll.tmp

c:\windows\system32\tizebaju.dll

c:\windows\system32\vahucg.dll

c:\windows\system32\vemayuva.dll

c:\windows\system32\vitumepa.dll

c:\windows\system32\viwetabi.dll

c:\windows\system32\vufoburo.dll

c:\windows\system32\wahoyumi.dll

c:\windows\system32\warewabe.dll.tmp

c:\windows\system32\wilatubu.dll

c:\windows\system32\wimifisi.dll.tmp

c:\windows\system32\yurezasa.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\avxzcy.dll

c:\windows\system32\boyiyiro.dll.tmp

c:\windows\system32\bumefoni.dll.tmp

c:\windows\system32\busediho.dll

c:\windows\system32\buwemeru.dll.tmp

c:\windows\system32\danahodo.dll.tmp

c:\windows\system32\dujebihu.dll.tmp

c:\windows\system32\fasesosu.dll.tmp

c:\windows\system32\favonone.dll

c:\windows\system32\fewusopa.dll.tmp

c:\windows\system32\filature.dll.tmp

c:\windows\system32\fukurago.dll

c:\windows\system32\funufoli.dll

c:\windows\system32\ganepuze.dll

c:\windows\system32\gorumiba.dll.tmp

c:\windows\system32\gumuluha.dll

c:\windows\system32\hadabome.dll.tmp

c:\windows\system32\hajilito.dll

c:\windows\system32\haposoli.dll

c:\windows\system32\hepiyunu.dll

c:\windows\system32\hosezuba.dll

c:\windows\system32\hubasode.dll.tmp

c:\windows\system32\huforiti.dll

c:\windows\system32\hukodare.dll

c:\windows\system32\jebifoye.dll.tmp

c:\windows\system32\jigijumu.dll

c:\windows\system32\jilehobe.dll.tmp

c:\windows\system32\jopokano.dll

c:\windows\system32\joyoroyu.dll

c:\windows\system32\kawadono.dll.tmp

c:\windows\system32\kerihudo.dll

c:\windows\system32\kodikumu.dll

c:\windows\system32\kujetoni.dll.tmp

c:\windows\system32\kuzokefa.dll

c:\windows\system32\lakenade.dll

c:\windows\system32\lctfwz.dll

c:\windows\system32\mewogaji.dll

c:\windows\system32\mipasowu.dll.tmp

c:\windows\system32\miperuwo.dll.tmp

c:\windows\system32\modupuku.dll

c:\windows\system32\mopidozu.dll

c:\windows\system32\nutopeko.dll

c:\windows\system32\pesanaho.dll.tmp

c:\windows\system32\pijakane.dll

c:\windows\system32\pnuakt.dll

c:\windows\system32\pujayime.dll.tmp

c:\windows\system32\radiguyo.dll.tmp

c:\windows\system32\rageyeju.dll.tmp

c:\windows\system32\reraketo.dll.tmp

c:\windows\system32\rijezahu.dll

c:\windows\system32\rotowini.dll

c:\windows\system32\rusipaju.dll

c:\windows\system32\ruyaguka.dll.tmp

c:\windows\system32\ruyopifi.dll.tmp

c:\windows\system32\sinofosu.dll

c:\windows\system32\tewejaza.dll.tmp

c:\windows\system32\tizebaju.dll

c:\windows\system32\vahucg.dll

c:\windows\system32\vemayuva.dll

c:\windows\system32\vitumepa.dll

c:\windows\system32\viwetabi.dll

c:\windows\system32\vufoburo.dll

c:\windows\system32\wahoyumi.dll

c:\windows\system32\warewabe.dll.tmp

c:\windows\system32\wayiyewa.dll.tmp

c:\windows\system32\wevotozu.dll.tmp

c:\windows\system32\wilatubu.dll

c:\windows\system32\wimifisi.dll.tmp

c:\windows\system32\yekareki.dll

c:\windows\system32\yurezasa.dll

c:\windows\system32\yuvoniko.dll

c:\windows\system32\zilafaba.dll.tmp

c:\windows\Tasks\hpvwsvda.job

c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://77.74.48.105

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GB

((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))

.

2009-02-25 03:24 . 2009-02-25 03:23 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-25 03:24 . 2009-02-25 03:23 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-25 03:23 . 2009-02-25 03:23 <DIR> d-------- c:\program files\Java

2009-02-25 03:20 . 2009-02-25 03:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-02-25 02:57 . 2009-02-25 02:57 <DIR> d-------- c:\program files\CCleaner

2009-02-25 01:49 . 2009-02-25 01:49 0 --a------ c:\windows\system32\REN18.tmp

2009-02-25 01:49 . 2009-02-25 01:49 0 --a------ c:\windows\system32\REN17.tmp

2009-02-24 14:37 . 2009-02-24 14:37 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 03:33 . 2009-02-18 01:31 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-19 03:30 . 2009-02-19 03:53 <DIR> d-------- c:\program files\Free Window Registry Repair

2009-02-18 01:31 . 2009-02-18 01:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-18 01:28 . 2009-02-18 01:28 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-18 01:27 . 2009-02-18 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-17 02:28 . 2009-02-17 02:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Philips

2009-02-17 02:21 . 2009-02-17 02:40 <DIR> d-------- c:\program files\Rhapsody

2009-02-17 02:20 . 2009-02-17 02:20 <DIR> d-------- c:\program files\Philips

2009-02-17 02:20 . 2009-02-17 02:20 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield

2009-02-17 02:20 . 2008-05-09 11:28 18,560 --a------ c:\windows\system32\drivers\vtcdrv.sys

2009-01-26 18:59 . 2009-01-26 18:59 <DIR> d-------- c:\windows\ROSE Online Evolution

2009-01-26 18:59 . 2009-01-26 18:59 <DIR> d-------- c:\program files\Triggersoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-26 14:00 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7

2009-02-25 03:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-24 08:18 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7

2009-02-18 07:27 --------- d-----w c:\program files\Lavasoft

2009-02-17 08:24 --------- d-----w c:\program files\Real

2009-02-17 08:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-17 04:29 --------- d-----w c:\program files\Winamp

2009-02-17 04:28 --------- d-----w c:\program files\Winamp3

2009-02-17 04:28 --------- d-----w c:\documents and settings\Owner\Application Data\Neopets Toolbar

2009-02-17 04:25 --------- d-----w c:\program files\MagicISO

2009-02-17 04:23 --------- d-----w c:\program files\a-squared Anti-Malware

2009-02-16 22:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-13 05:37 --------- d-----w c:\program files\Google

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-31 08:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent

2009-01-25 05:27 --------- d-----w c:\program files\CleanMyPC

2009-01-25 05:26 --------- d-----w c:\program files\CleanMyPC Popup Blocker

2009-01-25 05:06 --------- d-----w c:\program files\Morpheus

2009-01-22 21:27 --------- d-----w c:\program files\Exterminate It!

2009-01-22 01:46 --------- d-----w c:\program files\Conquer 2.0

2009-01-22 01:43 --------- d-----w c:\program files\Diablo II

2009-01-22 01:41 --------- d-----w c:\program files\Starcraft

2009-01-22 01:40 --------- d-----w c:\program files\Yahoo!

2009-01-22 01:40 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!

2009-01-22 01:40 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-22 01:39 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2009-01-22 01:38 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-22 01:38 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2009-01-21 21:11 --------- d-----w c:\documents and settings\Owner\Application Data\Morpheus

2009-01-21 21:07 --------- d-----w c:\program files\Lx_cats

2009-01-15 04:21 --------- d-----w c:\documents and settings\Owner\Application Data\SoundSpectrum

2009-01-15 03:52 --------- d-----w c:\program files\SoundSpectrum

2009-01-07 20:27 5,607 ----a-w c:\windows\~GLH0004.TMP

2009-01-07 20:27 155,136 ----a-w c:\windows\~GLC0004.TMP

2009-01-07 20:25 5,607 ----a-w c:\windows\~GLH0003.TMP

2009-01-07 20:25 155,136 ----a-w c:\windows\~GLC0003.TMP

2009-01-07 20:24 5,607 ----a-w c:\windows\~GLH0002.TMP

2009-01-07 20:24 155,136 ----a-w c:\windows\~GLC0002.TMP

2009-01-07 19:56 --------- d-----w c:\documents and settings\Owner\Application Data\acccore

2009-01-07 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP

2009-01-07 19:53 --------- d-----w c:\program files\AIM6

2009-01-07 19:52 --------- d-----w c:\program files\Viewpoint

2009-01-07 19:52 --------- d-----w c:\program files\Common Files\AOL

2009-01-07 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-07 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-01-07 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\acccore

2008-07-18 05:44 8,928 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

2007-01-15 07:00 0 ----a-w c:\documents and settings\Kelly\Application Data\wklnhst.dat

2005-09-11 22:14 774,144 ----a-w c:\program files\RngInterstitial.dll

2007-07-17 21:53 56 --sha-r c:\windows\system32\AE2FB7EFD4.sys

2007-07-17 23:42 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 180,269 2005-07-24 17:31:53 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 180,269 2007-01-12 19:54:27 c:\program files\Common Files\Real\Update_OB\realsched.exe

----a-w 110,592 2003-08-19 09:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 369,664 2006-10-13 18:49:02 c:\program files\Grisoft\AVG Free\bak\avgcc.exe

----a-w 229,438 2004-10-14 01:34:48 c:\program files\HPQ\Default Settings\bak\cpqset.exe

----a-w 290,816 2004-09-18 00:19:42 c:\program files\HPQ\Quick Launch Buttons\bak\EabServr.exe

----a-w 98,304 2004-12-14 13:07:17 c:\program files\QuickTime\bak\qttask.exe

----a-w 688,218 2004-10-05 16:24:28 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,394 2004-10-05 16:25:10 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 33,792 2004-12-20 18:41:22 c:\program files\Winamp\bak\winampa.exe

----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\imjp8_1\bak\IMJPMIG.EXE

----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\imjp8_1\imjpmig.exe

----a-w 118,784 2004-06-17 20:43:58 c:\windows\system32\bak\hkcmd.exe

----a-w 77,824 2006-02-07 13:36:06 c:\windows\system32\hkcmd.exe

----a-w 155,648 2004-06-17 20:48:08 c:\windows\system32\bak\igfxtray.exe

----a-w 94,208 2006-02-07 13:39:20 c:\windows\system32\igfxtray.exe

----a-w 59,392 2004-08-04 12:00:00 c:\windows\system32\IME\PINTLGNT\bak\ImScInst.exe

----a-w 59,392 2004-08-04 12:00:00 c:\windows\system32\IME\PINTLGNT\imscinst.exe

----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE

----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-18 509784]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-12 180269]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips SA52XX Device Manager.lnk]

backup=c:\windows\pss\Philips SA52XX Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morpheus.lnk]

backup=c:\windows\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-10-21 11:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

--a------ 2008-10-20 02:25 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

--a------ 2006-02-07 07:39 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-04 06:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCFCATS]

--a------ 2005-07-20 11:47 73728 c:\windows\system32\spool\drivers\w32x86\3\lxcftime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

--a------ 2008-12-12 12:46 9555968 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]

--a------ 2009-01-07 01:36 913672 c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

c:\program files\Java\jre1.6.0_03\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-07-27 20:06 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-01-12 13:54 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\lxcfcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23958:TCP"= 23958:TCP:BitComet 23958 TCP

"23958:UDP"= 23958:UDP:BitComet 23958 UDP

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

"6112:TCP"= 6112:TCP:StarCraft Battle.net TCP

"6112:UDP"= 6112:UDP:StarCraft Battle.net UDP

"9420:TCP"= 9420:TCP:Akamai Network Manager

"5000:UDP"= 5000:UDP:Akamai Network Manager

"14213:TCP"= 14213:TCP:BitCometLite 14213 TCP

"14213:UDP"= 14213:UDP:BitCometLite 14213 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-18 64160]

S3 49d21538-162a-43b7-91bb-effb9a7da2b0;49d21538-162a-43b7-91bb-effb9a7da2b0;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\Owner\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\Owner\LOCALS~1\Temp\jnv4_mib.sys [?]

S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2006-07-30 56576]

S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [2006-07-30 19584]

S3 vtcdrv;Philips SA52xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [2009-02-17 18560]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG

*Deregistered* - AudioSrv

*Deregistered* - Avg7Alrt

*Deregistered* - Avg7UpdSvc

*Deregistered* - AVGEMS

*Deregistered* - BITS

*Deregistered* - Bonjour Service

*Deregistered* - Browser

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTPFilter

*Deregistered* - ImapiService

*Deregistered* - JavaQuickStarterService

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - Lavasoft Ad-Aware Service

*Deregistered* - LmHosts

*Deregistered* - MSIServer

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - ose

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RemoteAccess

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - srservice

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - TapiSrv

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - upnphost

*Deregistered* - Viewpoint Manager Service

*Deregistered* - W32Time

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - WMPNetworkSvc

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WudfSvc

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-18 01:30]

2009-02-26 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

2009-02-26 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

2009-02-26 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 19:26]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} - hxxp://69.59.149.193:82/enzf/TqUpdate_Release.CAB

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-26 13:54:12

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]

@DACL=(02 0000)

@="bootstrap.application.1"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\AAWService.exe

c:\progra~1\Grisoft\AVG7\avgamsvr.exe

c:\progra~1\Grisoft\AVG7\avgupsvc.exe

c:\progra~1\Grisoft\AVG7\avgemc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-02-26 14:32:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-26 20:32:48

ComboFix2.txt 2008-09-20 17:56:37

Pre-Run: 17,209,352,192 bytes free

Post-Run: 17,187,098,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

480 --- E O F --- 2008-11-15 17:10:34


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
Lbd
49d21538-162a-43b7-91bb-effb9a7da2b0;49d21538-162a-43b7-91bb-effb9a7da2b0
jnv4_mib

File::
c:\docume~1\Owner\LOCALS~1\Temp\jnv4_mib.sys
c:\windows\system32\REN18.tmp
c:\windows\system32\REN17.tmp
c:\windows\system32\drivers\Lbd.sys
c:\windows\~GLH0004.TMP
c:\windows\~GLC0004.TMP
c:\windows\~GLH0003.TMP
c:\windows\~GLC0003.TMP
c:\windows\~GLH0002.TMP
c:\windows\~GLC0002.TMP
c:\windows\system32\AE2FB7EFD4.sys
d:\player\cds300.dll
c:\windows\Tasks\RegCure.job
c:\progra~1\COMMON~1\BTLINK\btlink.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Click on START - RUN and type in or copy / paste NETSH FIREWALL RESET (there is a space between each word) then hit the OK button.

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order please.

STEP 04

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
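As an added example that is not part of this thread or of ComboFix, the Python below triages ComboFix-style log lines for the kinds of entries the Root Admin's CFScript above targets: machine-named DLLs in system32 (every random Vundo name in the posted log is eight letters alternating consonant and vowel), a driver whose image lives in a user's Temp folder, and download sources given as a bare IP address. The heuristic names and the sample lines are constructed from the posted log; the name pattern is a hint for review, not a verdict.

```python
"""Heuristic triage of ComboFix-style log lines (added example)."""
import re

VOWELS = set("aeiou")

# system32\<name>.dll or .dll.tmp, where <name> is lowercase letters only
SYSTEM32_DLL = re.compile(r"\\system32\\([a-z]+)\.dll(?:\.tmp)?$")

# Driver/service line as ComboFix prints it: "S3 name;display;image [date size]"
SERVICE_START = re.compile(r"^[RS]\d\s+\S")

# Image path under a Temp directory (long form or 8.3 short form)
TEMP_DIR = re.compile(r"\\(?:temp|locals~1\\temp)\\", re.IGNORECASE)

# hxxp:// URL whose host is a bare IPv4 address (ComboFix defangs http)
BARE_IP_URL = re.compile(r"hxxp://(\d{1,3}(?:\.\d{1,3}){3})")


def looks_generated(name):
    """Eight letters alternating consonant/vowel: the shape every random
    system32 DLL name in the posted log has (vi-we-ta-bi, wa-re-wa-be).
    A legitimate eight-letter name such as deploytk fails the check."""
    return len(name) == 8 and all(
        (ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def parse_service(line):
    """Split 'S3 name;display;image ...' into (name, image_path) or None."""
    if not SERVICE_START.match(line):
        return None
    parts = line.split(";", 2)
    if len(parts) != 3:
        return None
    name = parts[0].split(None, 1)[1]
    # strip ComboFix's '--> resolved path' and '[date size]' suffixes
    image = parts[2].split(" --> ")[0].split(" [")[0]
    return name, image


def triage(lines):
    """Return the indicators worth a second look, grouped by heuristic."""
    found = {"generated_dll": [], "driver_in_temp": [], "bare_ip_source": []}
    for raw in lines:
        line = raw.strip()
        m = SYSTEM32_DLL.search(line)
        if m and looks_generated(m.group(1)):
            found["generated_dll"].append(line.rsplit("\\", 1)[1])
            continue
        svc = parse_service(line)
        if svc and TEMP_DIR.search(svc[1]):
            found["driver_in_temp"].append(svc[0])
            continue
        m = BARE_IP_URL.search(line)
        if m:
            found["bare_ip_source"].append(m.group(1))
    return found


# Constructed from the posted log: two Vundo-style names, one legitimate
# eight-letter DLL (deploytk.dll, created alongside c:\program files\Java),
# three driver lines, the BITS host and the DPF download entry.
SAMPLE_LOG = r"""
c:\windows\system32\viwetabi.dll
c:\windows\system32\warewabe.dll.tmp
c:\windows\system32\deploytk.dll
c:\windows\system32\drivers\mbam.sys
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-18 64160]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\Owner\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\Owner\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 vtcdrv;Philips SA52xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [2009-02-17 18560]
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} - hxxp://69.59.149.193:82/enzf/TqUpdate_Release.CAB
uStart Page = hxxp://www.google.com/
""".strip().splitlines()

if __name__ == "__main__":
    for heuristic, hits in triage(SAMPLE_LOG).items():
        print(f"{heuristic}: {hits}")
```

Everything the script flags still needs a human decision, as the thread shows: the helper kept deploytk.dll and the Philips driver while scripting jnv4_mib and the Temp-folder .sys for removal.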


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
