gypsyhowl Posted March 14, 2009 ID:64535 Share Posted March 14, 2009 Hi folks - I cannot get online, can't get mbam.exe to run, can't get randmbam.exe to run, and as a newbie, I am frustrated. I know there is something I am not doing - I first started off with virus melt on the system. I ran regedit to enable my task manager, then deleted the VMelt.exe process, but can't do anything further. I was able to run hijack this - and here is my log - hijack this did tell me to do something with the O1 host google entries but I didn't know what it meant... so here is the whole enchilada - please help, this is hard, but I know there is a way to beat it, hopefully with your help. Thanks ahead of time.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:15:20 PM, on 3/14/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Analog Devices\SoundMAX\spkrmon.exeC:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\AGRSMMSG.exeC:\WINDOWS\System32\keyhook.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Qwest\Quickcare\bin\sprtcmd.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\frmwrk32.exeC:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exeC:\WINDOWS\system32\sistray.exeC:\WINDOWS\system32\ntdll64.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeC:\WINDOWS\system32\ntdll64.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\ntdll64.exeF:\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O1 - Hosts: 89.149.227.223 google.aeO1 - Hosts: 89.149.227.223 google.asO1 - Hosts: 89.149.227.223 google.atO1 - Hosts: 89.149.227.223 google.azO1 - Hosts: 89.149.227.223 google.baO1 - Hosts: 89.149.227.223 google.beO1 - Hosts: 89.149.227.223 google.bgO1 - Hosts: 89.149.227.223 google.bsO1 - Hosts: 89.149.227.223 google.caO1 - Hosts: 89.149.227.223 google.cdO1 - Hosts: 89.149.227.223 google.com.ghO1 - Hosts: 89.149.227.223 google.com.giO1 - Hosts: 89.149.227.223 google.com.hkO1 - Hosts: 89.149.227.223 google.com.jmO1 - Hosts: 89.149.227.223 google.com.lyO1 - Hosts: 89.149.227.223 google.com.mxO1 - Hosts: 89.149.227.223 google.com.myO1 - Hosts: 89.149.227.223 google.com.naO1 - Hosts: 89.149.227.223 google.com.nfO1 - Hosts: 89.149.227.223 google.com.ngO1 - Hosts: 89.149.227.223 google.chO1 - Hosts: 89.149.227.223 google.com.npO1 - Hosts: 89.149.227.223 google.com.omO1 - Hosts: 89.149.227.223 google.com.paO1 - Hosts: 89.149.227.223 google.com.prO1 - Hosts: 89.149.227.223 google.com.qaO1 - Hosts: 89.149.227.223 google.com.sgO1 - Hosts: 89.149.227.223 google.com.tjO1 - Hosts: 89.149.227.223 google.com.trO1 - Hosts: 89.149.227.223 google.com.twO1 - Hosts: 89.149.227.223 google.com.uaO1 - Hosts: 89.149.227.223 google.djO1 - Hosts: 89.149.227.223 google.com.vcO1 - Hosts: 89.149.227.223 google.it.aoO1 - Hosts: 89.149.227.223 google.deO1 - Hosts: 89.149.227.223 google.dkO1 - Hosts: 89.149.227.223 google.dmO1 - Hosts: 89.149.227.223 google.dzO1 - Hosts: 89.149.227.223 google.eeO1 - Hosts: 89.149.227.223 google.fiO1 - Hosts: 89.149.227.223 google.fmO1 - Hosts: 89.149.227.223 google.frO1 - Hosts: 89.149.227.223 google.geO1 - Hosts: 89.149.227.223 google.ggO1 - Hosts: 89.149.227.223 google.gmO1 - Hosts: 89.149.227.223 google.grO1 - Hosts: 89.149.227.223 google.gyO1 - Hosts: 89.149.227.223 google.htO1 - Hosts: 89.149.227.223 google.ieO1 - Hosts: 89.149.227.223 google.imO1 - Hosts: 89.149.227.223 google.inO1 - Hosts: 89.149.227.223 google.itO1 - Hosts: 89.149.227.223 google.kiO1 - Hosts: 89.149.227.223 google.kzO1 - Hosts: 89.149.227.223 google.laO1 - Hosts: 89.149.227.223 google.liO1 - Hosts: 89.149.227.223 google.lkO1 - Hosts: 89.149.227.223 google.lvO1 - Hosts: 89.149.227.223 google.maO1 - Hosts: 89.149.227.223 google.mdO1 - Hosts: 89.149.227.223 google.msO1 - Hosts: 89.149.227.223 google.muO1 - Hosts: 89.149.227.223 google.mvO1 - Hosts: 89.149.227.223 google.mwO1 - Hosts: 89.149.227.223 google.nlO1 - Hosts: 89.149.227.223 google.noO1 - Hosts: 89.149.227.223 google.nrO1 - Hosts: 89.149.227.223 google.nuO1 - Hosts: 89.149.227.223 google.plO1 - Hosts: 89.149.227.223 google.pnO1 - Hosts: 89.149.227.223 google.ptO1 - Hosts: 89.149.227.223 google.roO1 - Hosts: 89.149.227.223 google.ruO1 - Hosts: 89.149.227.223 google.rwO1 - Hosts: 89.149.227.223 google.scO1 - Hosts: 89.149.227.223 google.seO1 - Hosts: 89.149.227.223 google.shO1 - Hosts: 89.149.227.223 google.siO1 - Hosts: 89.149.227.223 google.smO1 - Hosts: 89.149.227.223 google.snO1 - Hosts: 89.149.227.223 google.stO1 - Hosts: 89.149.227.223 google.tlO1 - Hosts: 89.149.227.223 google.tmO1 - Hosts: 89.149.227.223 google.ttO1 - Hosts: 89.149.227.223 google.usO1 - Hosts: 89.149.227.223 google.vgO1 - Hosts: 89.149.227.223 google.vuO1 - Hosts: 89.149.227.223 google.wsO1 - Hosts: 89.149.227.223 google.co.bwO1 - Hosts: 89.149.227.223 google.co.ckO1 - Hosts: 89.149.227.223 google.co.idO1 - Hosts: 89.149.227.223 google.co.ilO1 - Hosts: 89.149.227.223 google.co.inO1 - Hosts: 89.149.227.223 google.co.jpO1 - Hosts: 89.149.227.223 google.co.keO1 - Hosts: 89.149.227.223 google.co.krO1 - Hosts: 89.149.227.223 google.co.lsO1 - Hosts: 89.149.227.223 google.co.maO1 - Hosts: 89.149.227.223 google.co.mzO1 - Hosts: 89.149.227.223 google.co.nzO1 - Hosts: 89.149.227.223 google.co.thO2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dllO2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",sO4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCareO4 - HKLM\..\Run: [00abcf24] rundll32.exe "C:\WINDOWS\system32\bagahone.dll",bO4 - HKLM\..\Run: [Kxawo] rundll32.exe "C:\WINDOWS\Qyucepinukonejiq.dll",eO4 - HKLM\..\Run: [Framework Windows] frmwrk32.exeO4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exeO4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",aO4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",eO4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Virus Melt] "C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe" /s O4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exeO4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXEO4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO17 - HKLM\System\CCS\Services\Tcpip\..\{4CAE0260-F926-4FB2-94D1-83BF3EB976F8}: NameServer = 205.171.3.65,205.171.2.65O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll c:\windows\system32\yihuhote.dllO20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dllO21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dllO22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dllO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exeO23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeO23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe--End of file - 10709 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 15, 2009 Root Admin ID:64603 Share Posted March 15, 2009 STEP 01Reconfigure Windows XP to show hidden files:To enable the viewing of Hidden files follow these steps: * Close all programs so that you are at your desktop. * Double-click on the My Computer icon. * Select the Tools menu and click Folder Options. * After the new window appears select the View tab. * Put a checkmark in the checkbox labeled Display the contents of system folders. * Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. * Remove the checkmark from the checkbox labeled Hide file extensions for known file types. * Remove the checkmark from the checkbox labeled Hide protected operating system files. * Press the Apply button and then the OK button and exit My Computer. * Now your computer is configured to show all hidden files. STEP 02It may not let you, but if it will please delete the following file.C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hostsSTEP 03With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dllO2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)O4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",sO4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCareO4 - HKLM\..\Run: [00abcf24] rundll32.exe "C:\WINDOWS\system32\bagahone.dll",bO4 - HKLM\..\Run: [Kxawo] rundll32.exe "C:\WINDOWS\Qyucepinukonejiq.dll",eO4 - HKLM\..\Run: [Framework Windows] frmwrk32.exeO4 - HKLM\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exeO4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",aO4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",eO4 - HKCU\..\Run: [Virus Melt] "C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe" /sO4 - HKCU\..\Run: [kjahrfoi37rljanfaw3il7fhjd3f] C:\DOCUME~1\PHILLL~1\LOCALS~1\Temp\winlogqn.exeO4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')O10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO17 - HKLM\System\CCS\Services\Tcpip\..\{4CAE0260-F926-4FB2-94D1-83BF3EB976F8}: NameServer = 205.171.3.65,205.171.2.65O20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll ainmgw.dll pdpbpt.dll c:\windows\system32\yihuhote.dllO20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dllO21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dllO22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll (file missing)O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dllThen Quit All Browsers including the one you're reading this in now.Then click on Fix checked and then quit HJTSTEP 04Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup217.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner"Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log FilesClick on Run Cleaner button on the bottom right side of the program.Click OK to any promptsSTEP 05Restart the computer now and see if MBAM will install or run.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen post back the MBAM log and a new Hijackthis log. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 15, 2009 Author ID:64708 Share Posted March 15, 2009 I followed all your instructions - however, I cannot get online to download malwarebytes directly, and when I copy over the mbam.exe to disk then to its desktop, I get an error code 707(3) - please advise me? BTW, thank you for your quick response! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 17, 2009 Root Admin ID:65066 Share Posted March 17, 2009 Please see if one of these options helps or not. http://www.malwarebytes.org/forums/index.php?showtopic=12709http://www.malwarebytes.org/forums/index.php?showtopic=12713If not then please try to run this.Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 18, 2009 Author ID:65433 Share Posted March 18, 2009 When running the Combofix program the system gave me feedback that I had an incompatible OS, but continued to run... until the point of making a log file. At that point the system crashed, citing a physical memory dump, and then told me to restart the computer. I did, and got a couple of .dll errors as it started up, now I am reloaded, but don't know which way to go... do I re-run Combofix to try to get a log file? Or should I run HJT for a current log file to show you? Link to post Share on other sites More sharing options...
gypsyhowl Posted March 18, 2009 Author ID:65644 Share Posted March 18, 2009 I decided to run another HJT log for you - thank you for helping me with this B) Logfile of Trend Micro HijackThis v2.0.2Scan saved at 13:11, on 2009-03-18Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Analog Devices\SoundMAX\spkrmon.exeC:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\WINDOWS\System32\keyhook.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\sistray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeC:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",eO4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",aO4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",sO4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXEO4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO10 - Unknown file in Winsock LSP: c:\docume~1\philll~1\locals~1\temp\ntdll64.dllO20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dllO21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exeO23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeO23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe--End of file - 5236 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 19, 2009 Staff ID:65817 Share Posted March 19, 2009 Hi,I'm taking this over since AdvancedSetup won't be able to reply (busy with other stuff).I just want to make you aware of the fact that your computer is SEVERLY infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts. As a matter of fact, it doesn't suprise me at all... You don't even seem to have an Antivirus installed!!This is somewhat suicidal in today's digital world.That's why I want you to install one first!!* Please install Avira Antivirus: http://www.free-av.com/This is a free Antivirus.Perform a full scan with Avira and let it delete everything it is finding.Then reboot.After reboot, open your Avira and select "reports".There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.In case you lost internet connection after running the scan...Go to start > run and type cmdA dos Window will appear.Type next in the dos window: netsh winsock resethit enter.This should solve your broken connection.I just want to make you aware of the fact that you may not expect miracles. I cannot promise you that we will be able to clean or fix the damage it already caused. If you had an Antivirus previously, it would have prevented a lot of damage already... Link to post Share on other sites More sharing options...
gypsyhowl Posted March 19, 2009 Author ID:65928 Share Posted March 19, 2009 thank you Miekiemoes, for your response, and sound lashing. I realize the importance of having a good antivirus program, but the computer that came to me from my daughter-in-law did not, obviously, have anything on it to protect it. Although I tried to add Avira originally, and also run Dr. Web, they did not find what was wrong. TThis time, the initial Avira run showed me there was a ntdll64 in my documents and settings folder error that I quarantined. After I reboot from running Avira fullscan, I received the error "C:\windows\system32\yumifesu.dll and c:\windows\system32\yihuhote.dll, specified modules could not be found", and many problems, of which I had Avira fix - and then it seemed to continue to run for a second time, without me rebooting it - so I have included BOTH log files.Avira AntiVir PersonalReport file date: 2009-03-19 14:17Scanning for 1284893 virus strains and unwanted programs.Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Normally bootedUsername : SYSTEMComputer name : PHIL-PIMIBA6H3JVersion information:BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22Engineversion : 8.2.0.100AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14Configuration settings for the scan:Jobname.............................: Complete system scanConfiguration file..................: c:\program files\avira\antivir desktop\sysscan.avpLogging.............................: lowPrimary action......................: interactiveSecondary action....................: ignoreScan master boot sector.............: onScan boot sector....................: onBoot sectors........................: C:, Process scan........................: onScan registry.......................: onSearch for rootkits.................: onIntegrity checking of system files..: onScan all files......................: All filesScan archives.......................: onRecursion depth.....................: 20Smart extensions....................: onMacro heuristic.....................: onFile heuristic......................: mediumDeviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,Start of the scan: 2009-03-19 14:17Initiating scan of system files:Signed -> 'C:\WINDOWS\system32\svchost.exe'Signed -> 'C:\WINDOWS\system32\winlogon.exe'Signed -> 'C:\WINDOWS\explorer.exe'Signed -> 'C:\WINDOWS\system32\smss.exe'Signed -> 'C:\WINDOWS\system32\wininet.DLL'Signed -> 'C:\WINDOWS\system32\wsock32.DLL'Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'Signed -> 'C:\WINDOWS\system32\services.exe'Signed -> 'C:\WINDOWS\system32\lsass.exe'Signed -> 'C:\WINDOWS\system32\csrss.exe'Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'Signed -> 'C:\WINDOWS\system32\spoolsv.exe'Signed -> 'C:\WINDOWS\system32\alg.exe'Signed -> 'C:\WINDOWS\system32\wuauclt.exe'Signed -> 'C:\WINDOWS\system32\advapi32.DLL'Signed -> 'C:\WINDOWS\system32\user32.DLL'Signed -> 'C:\WINDOWS\system32\gdi32.DLL'Signed -> 'C:\WINDOWS\system32\kernel32.DLL'Signed -> 'C:\WINDOWS\system32\ntdll.DLL'Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'Signed -> 'C:\WINDOWS\system32\ctfmon.exe'The system files were scanned ('21' files)Starting search for hidden objects.'31628' objects were checked, '0' hidden objects were found.The scan of running processes will be startedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avcenter.exe' - '1' Module(s) have been scannedScan process 'alg.exe' - '1' Module(s) have been scannedScan process 'wscntfy.exe' - '1' Module(s) have been scannedScan process 'EasyShare.exe' - '1' Module(s) have been scannedScan process 'HPQTRA08.EXE' - '1' Module(s) have been scannedScan process 'SISTRAY.EXE' - '1' Module(s) have been scannedScan process 'CTFMON.EXE' - '1' Module(s) have been scannedScan process 'avgnt.exe' - '1' Module(s) have been scannedScan process 'QTTASK.EXE' - '1' Module(s) have been scannedScan process 'TFSWCTRL.EXE' - '1' Module(s) have been scannedScan process 'HPCMPMGR.EXE' - '1' Module(s) have been scannedScan process 'hpwuSchd.exe' - '1' Module(s) have been scannedScan process 'WkUFind.exe' - '1' Module(s) have been scannedScan process 'DVDLauncher.exe' - '1' Module(s) have been scannedScan process 'Keyhook.exe' - '1' Module(s) have been scannedScan process 'AGRSMMSG.EXE' - '1' Module(s) have been scannedScan process 'EXPLORER.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'sprtlisten.exe' - '1' Module(s) have been scannedScan process 'SPKRMON.EXE' - '1' Module(s) have been scannedScan process 'avguard.exe' - '1' Module(s) have been scannedScan process 'sched.exe' - '1' Module(s) have been scannedScan process 'SPOOLSV.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'LSASS.EXE' - '1' Module(s) have been scannedScan process 'SERVICES.EXE' - '1' Module(s) have been scannedScan process 'WINLOGON.EXE' - '1' Module(s) have been scannedScan process 'CSRSS.EXE' - '1' Module(s) have been scannedScan process 'SMSS.EXE' - '1' Module(s) have been scanned35 processes with 35 modules were scannedStarting master boot sector scan:Start scanning boot sectors:Starting to scan executable files (registry).The registry was scanned ( '62' files ).Starting the file scan:Begin scan in 'C:\'C:\yiar.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\cyieqw.exe [DETECTION] Is the TR/Tiny.705 TrojanC:\ootpnl.exe [DETECTION] Is the TR/Downloader.Gen TrojanC:\mfvse.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning.C:\WINDOWS\instsp1.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\WINDOWS\system32\zujaviwi.dll [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe [0] Archive type: RAR SFX (self extracting) --> 32788R22FWJFW\psexec.cfexe [1] Archive type: RSRC --> Object [DETECTION] Contains recognition pattern of the APPL/PsExec.E applicationC:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll [DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spywareC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe [0] Archive type: NSIS --> [PluginsDir]/InstallerHelperPlugin.dll [DETECTION] Contains recognition pattern of the ADSPY/MartSho.dll.2 adware or spywareC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll [DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spywareC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll [DETECTION] Is the TR/Dldr.JLRL TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\FOUND.002\FILE0001.CHK [DETECTION] Is the TR/Rootkit.Gen TrojanC:\FOUND.003\FILE0001.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0002.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0005.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0006.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0020.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0021.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0022.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0024.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0025.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0026.CHK [DETECTION] Is the TR/Dropper.Gen TrojanC:\FOUND.003\FILE0027.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0028.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0030.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0031.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0032.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0033.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0034.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0035.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\FOUND.003\FILE0036.CHK [DETECTION] Is the TR/Vundo.Gen TrojanC:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir [DETECTION] Is the TR/Dldr.JLRL TrojanC:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir [DETECTION] Is the TR/Crypt.XPACK.Gen TrojanC:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir [DETECTION] Is the TR/Vundo.Gen TrojanC:\Qoobox\LastRun\drevB.dat [DETECTION] Is the TR/Dropper.Gen TrojanC:\ComboFix\psexec.cfexe [0] Archive type: RSRC --> Object [DETECTION] Contains recognition pattern of the APPL/PsExec.E applicationBeginning disinfection:C:\yiar.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '4a23c0a0.qua'!C:\cyieqw.exe [DETECTION] Is the TR/Tiny.705 Trojan [NOTE] The file was moved to '4a2bc0b1.qua'!C:\ootpnl.exe [DETECTION] Is the TR/Downloader.Gen Trojan [NOTE] The file was moved to '4a36c0a7.qua'!C:\mfvse.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '4a38c0a1.qua'!C:\WINDOWS\instsp1.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '4a35c0a9.qua'!C:\WINDOWS\system32\zujaviwi.dll [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '4a2cc0b0.qua'!C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '4a27c089.qua'!C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe [NOTE] The file was moved to '4a2fc0ac.qua'!C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a25c0a0.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0030011.dll [DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware [NOTE] The file was moved to '49f2c06f.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031026.exe [NOTE] The file was moved to '4a879970.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP154\A0031027.dll [DETECTION] Contains recognition pattern of the ADSPY/Shopper.V.1 adware or spyware [NOTE] The file was moved to '49f2c070.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0031749.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4fcba1d9.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032023.exe [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '48a581f1.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP157\A0032044.exe [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4fc8a901.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP158\A0035079.exe [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a85b141.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036197.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '49f2c071.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036409.dll [DETECTION] Is the TR/Dldr.JLRL Trojan [NOTE] The file was moved to '49f2c073.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036413.exe [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a8848fc.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036416.exe [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a895024.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036418.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a8e586c.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036421.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a8f5f94.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036422.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49f2c074.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036423.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a8d6f05.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036425.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a72774d.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036426.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a737f75.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036427.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a7006bd.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036428.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49f2c075.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036429.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a76162e.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036430.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a771e56.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036431.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a74259e.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036432.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a752dc6.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036433.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49f2c076.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036434.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a7b3d37.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036435.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a79c57f.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036436.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a7ecca7.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036437.DLL [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49f2c077.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036438.EXE [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a7cdc18.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036439.exe [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a7de450.qua'!C:\FOUND.002\FILE0001.CHK [DETECTION] Is the TR/Rootkit.Gen Trojan [NOTE] The file was moved to '4a0ec090.qua'!C:\FOUND.003\FILE0001.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4b66e8f9.qua'!C:\FOUND.003\FILE0002.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a0ec091.qua'!C:\FOUND.003\FILE0005.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499ff32a.qua'!C:\FOUND.003\FILE0006.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499cfb12.qua'!C:\FOUND.003\FILE0020.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499d83da.qua'!C:\FOUND.003\FILE0021.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499a8b82.qua'!C:\FOUND.003\FILE0022.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499b924a.qua'!C:\FOUND.003\FILE0024.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a0ec092.qua'!C:\FOUND.003\FILE0025.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4999a2fb.qua'!C:\FOUND.003\FILE0026.CHK [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '4996aaa3.qua'!C:\FOUND.003\FILE0027.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4997b16b.qua'!C:\FOUND.003\FILE0028.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a0ec093.qua'!C:\FOUND.003\FILE0030.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4995411c.qua'!C:\FOUND.003\FILE0031.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '499249c4.qua'!C:\FOUND.003\FILE0032.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a0ec094.qua'!C:\FOUND.003\FILE0033.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49905875.qua'!C:\FOUND.003\FILE0034.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4991603d.qua'!C:\FOUND.003\FILE0035.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49ae68e5.qua'!C:\FOUND.003\FILE0036.CHK [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '49af70ad.qua'!C:\Qoobox\Quarantine\C\DOCUME~1\PHILLL~1\LOCALS~1\Temp\mousehook.dll.vir [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a37c0ba.qua'!C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir [DETECTION] Is the TR/Dldr.JLRL Trojan [NOTE] The file was moved to '4a3bc0be.qua'!C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4a26c0c0.qua'!C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '4a27c07a.qua'!C:\Qoobox\LastRun\drevB.dat [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '4a27c0be.qua'!C:\ComboFix\psexec.cfexe [NOTE] The file was moved to '4a27c0bf.qua'!End of the scan: 2009-03-19 14:59Used time: 36:34 Minute(s)The scan has been done completely. 4217 Scanned directories 133669 Files were scanned 65 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 65 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 133603 Files not concerned 887 Archives were scanned 1 Warnings 66 Notes 31628 Objects were scanned with rootkit scan 0 Hidden objects were found************************************************AND THE SECOND LOG FILE:************************************************Avira AntiVir PersonalReport file date: 2009-03-19 14:17Scanning for 1284893 virus strains and unwanted programs.Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Normally bootedUsername : SYSTEMComputer name : PHIL-PIMIBA6H3JVersion information:BUILD.DAT : 9.0.0.386 17962 Bytes 2009-03-11 15:55:00AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 19:13:28AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 17:58:26LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 18:35:50LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 17:58:54ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 19:30:38ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 03:33:28ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 2009-03-03 14:41:16ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 2009-03-05 21:58:22Engineversion : 8.2.0.100AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-28 00:36:42AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 03:01:58AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-12 18:44:26AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-30 01:24:42AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-04 20:06:12AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 03:01:58AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-25 22:49:16AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 03:01:58AEGEN.DLL : 8.1.1.24 336244 Bytes 2009-03-04 20:06:12AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 21:32:40AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 21:22:44AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 21:32:40AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 15:48:00AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 17:32:16AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 21:34:30AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 17:32:10AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 14:52:26AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 17:37:10SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 22:03:50SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 15:21:34NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 17:32:12RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 18:45:46RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 22:55:14Configuration settings for the scan:Jobname.............................: Complete system scanConfiguration file..................: c:\program files\avira\antivir desktop\sysscan.avpLogging.............................: lowPrimary action......................: interactiveSecondary action....................: ignoreScan master boot sector.............: onScan boot sector....................: onBoot sectors........................: C:, Process scan........................: onScan registry.......................: onSearch for rootkits.................: onIntegrity checking of system files..: onScan all files......................: All filesScan archives.......................: onRecursion depth.....................: 20Smart extensions....................: onMacro heuristic.....................: onFile heuristic......................: mediumDeviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,Start of the scan: 2009-03-19 14:17Initiating scan of system files:Signed -> 'C:\WINDOWS\system32\svchost.exe'Signed -> 'C:\WINDOWS\system32\winlogon.exe'Signed -> 'C:\WINDOWS\explorer.exe'Signed -> 'C:\WINDOWS\system32\smss.exe'Signed -> 'C:\WINDOWS\system32\wininet.DLL'Signed -> 'C:\WINDOWS\system32\wsock32.DLL'Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'Signed -> 'C:\WINDOWS\system32\services.exe'Signed -> 'C:\WINDOWS\system32\lsass.exe'Signed -> 'C:\WINDOWS\system32\csrss.exe'Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'Signed -> 'C:\WINDOWS\system32\spoolsv.exe'Signed -> 'C:\WINDOWS\system32\alg.exe'Signed -> 'C:\WINDOWS\system32\wuauclt.exe'Signed -> 'C:\WINDOWS\system32\advapi32.DLL'Signed -> 'C:\WINDOWS\system32\user32.DLL'Signed -> 'C:\WINDOWS\system32\gdi32.DLL'Signed -> 'C:\WINDOWS\system32\kernel32.DLL'Signed -> 'C:\WINDOWS\system32\ntdll.DLL'Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'Signed -> 'C:\WINDOWS\system32\ctfmon.exe'The system files were scanned ('21' files)Starting search for hidden objects.An ARK library instance is already running.The scan of running processes will be startedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avcenter.exe' - '1' Module(s) have been scannedScan process 'alg.exe' - '1' Module(s) have been scannedScan process 'wscntfy.exe' - '1' Module(s) have been scannedScan process 'EasyShare.exe' - '1' Module(s) have been scannedScan process 'HPQTRA08.EXE' - '1' Module(s) have been scannedScan process 'SISTRAY.EXE' - '1' Module(s) have been scannedScan process 'CTFMON.EXE' - '1' Module(s) have been scannedScan process 'avgnt.exe' - '1' Module(s) have been scannedScan process 'QTTASK.EXE' - '1' Module(s) have been scannedScan process 'TFSWCTRL.EXE' - '1' Module(s) have been scannedScan process 'HPCMPMGR.EXE' - '1' Module(s) have been scannedScan process 'hpwuSchd.exe' - '1' Module(s) have been scannedScan process 'WkUFind.exe' - '1' Module(s) have been scannedScan process 'DVDLauncher.exe' - '1' Module(s) have been scannedScan process 'Keyhook.exe' - '1' Module(s) have been scannedScan process 'AGRSMMSG.EXE' - '1' Module(s) have been scannedScan process 'EXPLORER.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'sprtlisten.exe' - '1' Module(s) have been scannedScan process 'SPKRMON.EXE' - '1' Module(s) have been scannedScan process 'avguard.exe' - '1' Module(s) have been scannedScan process 'sched.exe' - '1' Module(s) have been scannedScan process 'SPOOLSV.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'SVCHOST.EXE' - '1' Module(s) have been scannedScan process 'LSASS.EXE' - '1' Module(s) have been scannedScan process 'SERVICES.EXE' - '1' Module(s) have been scannedScan process 'WINLOGON.EXE' - '1' Module(s) have been scannedScan process 'CSRSS.EXE' - '1' Module(s) have been scannedScan process 'SMSS.EXE' - '1' Module(s) have been scanned35 processes with 35 modules were scannedStarting master boot sector scan:Start scanning boot sectors:Starting to scan executable files (registry).The registry was scanned ( '62' files ).Starting the file scan:Begin scan in 'C:\'C:\yiar.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\cyieqw.exe [DETECTION] Is the TR/Tiny.705 TrojanC:\ootpnl.exe [DETECTION] Is the TR/Downloader.Gen TrojanC:\mfvse.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning.C:\WINDOWS\instsp1.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\WINDOWS\system32\zujaviwi.dll [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe [0] Archive type: RAR SFX (self extracting) --> 32788R22FWJFW\psexec.cfexe [1] Archive type: RSRC --> Object [DETECTION] Contains recognition pattern of the APPL/PsExec.E applicationC:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll [DETECTION] Is the TR/Vundo.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe [DETECTION] Is the TR/Tiny.705 TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe [DETECTION] Is the TR/Downloader.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll [DETECTION] Is the TR/Crypt.ULPM.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe [DETECTION] Is the TR/Dropper.Gen TrojanC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe [0] Archive type: RAR SFX (self extracting) --> 32788R22FWJFW\psexec.cfexe [1] Archive type: RSRC --> Object [DETECTION] Contains recognition pattern of the APPL/PsExec.E applicationC:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll [DETECTION] Is the TR/Vundo.Gen TrojanBeginning disinfection:C:\yiar.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\cyieqw.exe [DETECTION] Is the TR/Tiny.705 Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\ootpnl.exe [DETECTION] Is the TR/Downloader.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\mfvse.exe [DETECTION] Is the TR/Dropper.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\WINDOWS\instsp1.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\WINDOWS\system32\zujaviwi.dll [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\Documents and Settings\All Users\Application Data\fe61ef9\VMelt.exe [DETECTION] Is the TR/Dropper.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\Documents and Settings\Phil Llapitan\Desktop\ComboFix.exe [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\Documents and Settings\Phil Llapitan\Desktop\backups\backup-20090315-110451-200.dll [DETECTION] Is the TR/Vundo.Gen Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot.C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037411.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '49f2c23b.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037412.exe [DETECTION] Is the TR/Tiny.705 Trojan [NOTE] The file was moved to '411b185c.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037413.exe [DETECTION] Is the TR/Downloader.Gen Trojan [NOTE] The file was moved to '41182014.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037414.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '411e2bc4.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037415.exe [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '4fa61854.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037416.dll [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan [NOTE] The file was moved to '411f33fc.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037417.exe [DETECTION] Is the TR/Dropper.Gen Trojan [NOTE] The file was moved to '411c3bb4.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037418.exe [NOTE] The file was moved to '4102c36c.qua'!C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP163\A0037419.dll [DETECTION] Is the TR/Vundo.Gen Trojan [NOTE] The file was moved to '411508ec.qua'!End of the scan: 2009-03-19 15:07Used time: 47:27 Minute(s)The scan has been done completely. 4217 Scanned directories 133748 Files were scanned 18 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 9 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 133729 Files not concerned 887 Archives were scanned 10 Warnings 19 Notes*******************************************I appreciate that you have done all you and AdvancedSetup could to help me so far, and also the fact that this system may be toast. I have requested the drivers disk(s) and XP installation disk from her (well, now apparently the uncle she just got this system from, grrrrr he probably knew all of this) in the event that I have to reformat and reinstall. She doesn't have anything really on this to save, so that is a very viable solution too. I am glad to have learned all the tools and information that have been shared with me from you guys, although I hope to never have to use them again anytime soon.. As far as establishing an internet connection on that system, it has QWest wireless, which she has told me doesn't work outside her home. I do not know about that and am looking into that further.Here is the HJT log, and again, thank you for your help.I should mention that I would like to try to fix the system so I can say I tried, if you are game!?********************************************Logfile of Trend Micro HijackThis v2.0.2Scan saved at 15:45, on 2009-03-19Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Analog Devices\SoundMAX\spkrmon.exeC:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\WINDOWS\System32\keyhook.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\sistray.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Avira\AntiVir Desktop\avcenter.exeC:\WINDOWS\system32\notepad.exeC:\Documents and Settings\Phil Llapitan\Desktop\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: (no name) - {2765f56e-bd26-4719-a77a-dd09184f02c7} - C:\WINDOWS\system32\lijuhidi.dll (file missing)O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [Ggijixa] rundll32.exe "C:\WINDOWS\eqowusuyanami.dll",eO4 - HKLM\..\Run: [CPM0398fcb8] Rundll32.exe "c:\windows\system32\yihuhote.dll",aO4 - HKLM\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",sO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sadirozusi] Rundll32.exe "C:\WINDOWS\system32\yumifesu.dll",s (User 'NETWORK SERVICE')O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXEO4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - AppInit_DLLs: C:\WINDOWS\system32\pigofube.dll c:\windows\system32\yihuhote.dllO21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yihuhote.dll (file missing)O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exeO23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exeO23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe--End of file - 5640 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 19, 2009 Staff ID:65937 Share Posted March 19, 2009 Hi,Avira already found a LOT, but, it looks like some real damage was already done - file/folder access, corrupted files etc... We'll see how everything behaves if we deal with the rest manually, but I can't promise anything.The errors are normal after reboot. We'll fix that.First of all, reboot your computer.After reboot,Can you try to run MalwareBytes again please? But, First of all, please update MalwareBytes, because the databaseversion may be outdated.Start MalwareBytes and click the Update tab. There click "Check for updates"Once the updates are downloaded, perform a full scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.In case you can't run MBAM, Please read the following tutorial and perform the steps:http://www.malwarebytes.org/forums/index.php?showtopic=12709 Link to post Share on other sites More sharing options...
gypsyhowl Posted March 20, 2009 Author ID:65985 Share Posted March 20, 2009 Thank you for your quick response. I'm about to ask a real newbie question here - first, her computer will not go online so I cannot update malwarebytes from there, so, how can I get malwarebytes to update itself, then make a copy of that to transfer to the other computer? I updated to MY desktop, then copied the whole folder over to the other computer's desktop, but mbam.exe will not run - I am getting the following errors (vbAccelerator SGrid II Control, Run-time error '0') and (Malwarebytes' Anti-Malware, Run-time error '440'; Automation error). So - am I doing it wrong? I would like to get Malwarebytes to run before I go back to the other solutions. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 20, 2009 Staff ID:66051 Share Posted March 20, 2009 Hi,No need to copy the whole folder there.Reinstall MBAM there again and also download the latest database: http://www.gt500.org/malwarebytes/database.jspThen run it on the infected computer. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 20, 2009 Author ID:66152 Share Posted March 20, 2009 Hi - I recopied both to the infected computer - still getting runtime errors '0' and '440'. Is it because I am using Vista and Malwarebytes 'knows' that, so it won't run on the XP when I copy it over? Or am I just doing it wrong? I have them both saved to desktop... is that a problem? Sigh. I appreciate your patience. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 20, 2009 Staff ID:66154 Share Posted March 20, 2009 Just copy the MalwareBytes installer and database installer to the other pc.If you get these errors, then it's most probably because malware is preventing it.Please read the following tutorial and perform the steps:http://www.malwarebytes.org/forums/index.php?showtopic=12709Then you should be able to run MBAM afterwards. Also, make sure you update MBAM (Update tab > check for updates), before you run the scan.Then, once the scan has finished, reboot!After reboot,Post the log from MBAM in your next reply. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 20, 2009 Author ID:66226 Share Posted March 20, 2009 WhooHoo! I copied the file incorrectly the last time, but I did it right this time and got mbam to run - (the rootrepeal showed nothing) Here is my mbam log:Malwarebytes' Anti-Malware 1.34Database version: 1863Windows 5.1.2600 Service Pack 32009-03-20 14:57:15mbam-log-2009-03-20 (14-57-15).txtScan type: Full Scan (C:\|)Objects scanned: 110717Time elapsed: 26 minute(s), 32 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 10Registry Values Infected: 5Registry Data Items Infected: 4Folders Infected: 2Files Infected: 10Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{2765f56e-bd26-4719-a77a-dd09184f02c7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf40a2-94f3-42bd-f434-1604812c8955} (Trojan.Ertfor) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0398fcb8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sadirozusi (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggijixa (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt (Rogue.VirusMelt) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\System Data (Rogue.VirusMelt) -> Quarantined and deleted successfully.Files Infected:C:\tcrnwc.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.C:\ucpdcu.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\Qyucepinukonejiq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP159\A0036187.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036411.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{A6AF2DF0-87E9-4A95-A8A5-8C13414BB860}\RP162\A0036417.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Phil Llapitan\Application Data\Virus Melt\Instructions.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully.C:\WINDOWS\eqowusuyanami.dll (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 20, 2009 Staff ID:66235 Share Posted March 20, 2009 Hi,I assume you already rebooted as well? If not, then please reboot, because MBAM still has to delete some files after reboot.Also, I see you have been using Combofix previously, so please run it again (disable your Avira when you run it) and post the log (C:\Combofix.txt) in your next reply. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 21, 2009 Author ID:66293 Share Posted March 21, 2009 Hi - Actually, mbam rebooted itself and then came up with a log... I have run Combofix, but I had a problem with the Avira coming back on when Combofix rebooted the system... I hope it did not mess up the log for you... here it isComboFix 09-03-15.01 - Phil Llapitan 2009-03-20 19:38:49.2 - FAT32x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.92 [GMT -7:00]Running from: F:\ComboFix.exeAV: AntiVir Desktop *On-access scanning enabled* (Outdated).((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 ))))))))))))))))))))))))))))))).2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.0032009-03-17 05:55 . 2009-03-17 05:55 2,713 ---hs---- c:\windows\system32\rubiromu.exe2009-03-16 11:54 . 2009-03-16 11:54 2,713 ---hs---- c:\windows\system32\lohukehi.exe2009-03-15 17:52 . 2009-03-15 17:52 2,713 ---hs---- c:\windows\system32\posidiha.exe2009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.0022009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.0012009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f72009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.0002009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\112597872009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef92009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]S1 f742cf20;f742cf20;c:\windows\system32\drivers\f742cf20.sys --> c:\windows\system32\drivers\f742cf20.sys [?]S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608]S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696].Contents of the 'Scheduled Tasks' folder2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job- c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36].- - - - ORPHANS REMOVED - - - -HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-20 19:44:03Windows 5.1.2600 Service Pack 3 FAT NTAPIscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.c:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXEc:\windows\system32\wscntfy.exe.**************************************************************************.Completion time: 2009-03-20 19:49:36 - machine was rebooted [Phil Llapitan]ComboFix-quarantined-files.txt 2009-03-21 02:49:30Pre-Run: 20,218,707,968 bytes freePost-Run: 20,147,552,256 bytes free122 --- E O F --- 2009-01-15 04:05:14 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 21, 2009 Staff ID:66310 Share Posted March 21, 2009 Hi,We're really making progress here - I guess you were lucky here. MBAM and Avira already deleted most, now we'll just have to deal with some leftovers * Open notepad - don't use any other texteditor than notepad or the script will fail.Copy/paste the text in the quotebox below into notepad:File::c:\windows\system32\drivers\f742cf20.sysc:\windows\system32\rubiromu.exec:\windows\system32\lohukehi.exec:\windows\system32\posidiha.exeDirlook::c:\documents and settings\All Users\Application Data\fe61ef9c:\documents and settings\All Users\Application Data\f9f7Driver::f742cf20Save this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below.This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 22, 2009 Author ID:66502 Share Posted March 22, 2009 hello - sorry it took me so long to get back - I have done the CFScript, run Combofix and here is my log from that thank you for your patience!ComboFix 09-03-19.02 - Phil Llapitan 2009-03-21 20:12:05.3 - FAT32x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.221.68 [GMT -7:00]Running from: c:\combofix\ComboFix.exeCommand switches used :: c:\documents and settings\Phil Llapitan\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) * Created a new restore pointFILE ::c:\windows\system32\drivers\f742cf20.sysc:\windows\system32\lohukehi.exec:\windows\system32\posidiha.exec:\windows\system32\rubiromu.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\lohukehi.exec:\windows\system32\posidiha.exec:\windows\system32\rubiromu.exe.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_f742cf20((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 ))))))))))))))))))))))))))))))).2009-03-20 14:26 . 2009-03-20 14:26 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\Malwarebytes2009-03-20 14:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-20 14:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-20 08:25 . 2009-03-20 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\program files\Avira2009-03-19 13:03 . 2009-03-19 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira2009-03-19 13:03 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys2009-03-17 18:54 . 2009-03-17 18:54 <DIR> d--hs---- C:\FOUND.0032009-03-14 13:55 . 2009-03-14 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files2009-03-14 13:02 . 2009-03-14 13:02 <DIR> d-------- c:\documents and settings\mom\Application Data\VERITAS2009-03-14 12:42 . 2009-03-14 12:42 <DIR> d-------- c:\documents and settings\mom2009-03-14 12:23 . 2009-03-14 12:23 <DIR> d--hs---- C:\FOUND.0022009-03-13 19:17 . 2009-03-13 19:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP2009-03-13 19:16 . 2009-03-13 19:16 <DIR> d-------- c:\program files\Spyware Doctor2009-03-13 19:07 . 2009-03-13 19:07 <DIR> d--hs---- C:\FOUND.0012009-03-10 15:37 . 2009-03-10 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\f9f72009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft2009-03-10 15:25 . 2009-03-10 15:25 <DIR> d--hs---- C:\FOUND.0002009-03-10 14:38 . 2009-03-10 14:37 49,152 --a------ c:\windows\system32\dllcache\userinit.exe2009-03-10 14:36 . 2009-03-10 14:37 2 --a------ C:\112597872009-03-09 22:52 . 2009-03-09 22:52 75 --a------ c:\windows\system32\dllcache\cb.tmp2009-03-09 22:51 . 2009-03-09 22:51 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\fe61ef92009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live2009-03-09 21:24 . 2007-05-30 09:50 287,934 --a------ c:\windows\ConnectWait.ico2009-03-09 12:27 . 2009-03-09 23:10 442,368 --a------ C:\ffastunT.ffl2009-03-09 09:30 . 2009-03-09 09:30 <DIR> d-------- c:\program files\Qwest2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Common Files\supportsoft2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\Actiontec2009-03-09 09:29 . 2009-03-09 09:29 <DIR> d-------- c:\program files\2Wire2009-03-09 09:29 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe2009-03-09 09:27 . 2009-03-09 09:27 <DIR> d-------- c:\documents and settings\Phil Llapitan\Application Data\InstallShield2009-03-08 22:45 . 2009-03-17 18:45 6,456 --ah----- c:\windows\system32\pekubofe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-07 15:11 0 ----a-w c:\documents and settings\Phil Llapitan\Application Data\wklnhst.dat.(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))).---- Directory of c:\documents and settings\All Users\Application Data\f9f7 ----2009-03-10 15:38 3282 --a------ c:\documents and settings\All Users\Application Data\f9f7\unins000.dat ---- Directory of c:\documents and settings\All Users\Application Data\fe61ef9 ----2009-03-10 15:35 12378 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\System Data\vd952342.bd 2008-10-09 13:50 1741 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Kodak EasyShare software.lnk 2006-03-17 18:32 665 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Microsoft Find Fast.lnk 2006-01-31 17:09 1712 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\HP Digital Imaging Monitor.lnk 2005-11-12 13:39 1417 --a------ c:\documents and settings\All Users\Application Data\fe61ef9\BackUp\Utility Tray.lnk ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SiS Windows KeyHook"="c:\windows\System32\keyhook.exe" [2004-05-12 249856]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-03-12 114741]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 c:\windows\AGRSMMSG.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-12 335872]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-09-29 20608]S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2007-09-29 477696]--- Other Services/Drivers In Memory ---*Deregistered* - Dhcp*Deregistered* - Dnscache*Deregistered* - ERSvc*Deregistered* - EventSystem*Deregistered* - FastUserSwitchingCompatibility*Deregistered* - helpsvc*Deregistered* - HTTPFilter*Deregistered* - lanmanserver*Deregistered* - lanmanworkstation*Deregistered* - LmHosts*Deregistered* - Netman*Deregistered* - Nla*Deregistered* - Pml Driver HPZ12*Deregistered* - PolicyAgent*Deregistered* - ProtectedStorage*Deregistered* - RasMan*Deregistered* - RpcSs*Deregistered* - SamSs*Deregistered* - Schedule*Deregistered* - seclogon*Deregistered* - SENS*Deregistered* - SharedAccess*Deregistered* - ShellHWDetection*Deregistered* - spkrmon*Deregistered* - Spooler*Deregistered* - sprtlisten*Deregistered* - srservice*Deregistered* - SSDPSRV*Deregistered* - stisvc*Deregistered* - TapiSrv*Deregistered* - TermService*Deregistered* - Themes*Deregistered* - TrkWks*Deregistered* - W32Time*Deregistered* - WebClient*Deregistered* - winmgmt*Deregistered* - wscsvc*Deregistered* - WZCSVC.Contents of the 'Scheduled Tasks' folder2009-03-20 c:\windows\Tasks\QuickConnectSupportTask.job- c:\program files\Qwest\QuickConnect\QuickConnect.exe [2008-11-19 14:36]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-21 20:17:31Windows 5.1.2600 Service Pack 3 FAT NTAPIscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.------------------------ Other Running Processes ------------------------.c:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\ANALOG DEVICES\SOUNDMAX\SPKRMON.EXEc:\program files\COMMON FILES\SUPPORTSOFT\BIN\SPRTLISTEN.EXEc:\windows\system32\wscntfy.exe.**************************************************************************.Completion time: 2009-03-21 20:22:49 - machine was rebootedComboFix-quarantined-files.txt 2009-03-22 03:22:44ComboFix2.txt 2009-03-21 02:49:40Pre-Run: 20,205,404,160 bytes freePost-Run: 20,040,941,568 bytes free182 --- E O F --- 2009-01-15 04:05:14 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 22, 2009 Staff ID:66522 Share Posted March 22, 2009 Hi,This looks OK again.* Go to start > run and copy and paste next command in the field:ComboFix /uMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Let me know in your next reply how things are now. Link to post Share on other sites More sharing options...
gypsyhowl Posted March 22, 2009 Author ID:66604 Share Posted March 22, 2009 Thank you for all of your help and patience. The system seems to be running well... I have it online and am checking out the programs that she has on it. It so far seems to be ok I can let you know if there are any further problems? Have a pleasant week ~ Diane D. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 22, 2009 Staff ID:66608 Share Posted March 22, 2009 Hi Diane, glad we could help. Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 23, 2009 Staff ID:66923 Share Posted March 23, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts