
Hello,

I'm struggling with a Vundo infection that I can't remove. I've cleaned it with MBAM several times, but it always reappears. Here are the 2 requested log files:

Any help would be appreciated.

1) Latest MBAM log

Malwarebytes' Anti-Malware 1.41

Database version: 2844

Windows 5.1.2600 Service Pack 3

9/23/2009 7:10:01 AM

mbam-log-2009-09-23 (07-10-01).txt

Scan type: Quick Scan

Objects scanned: 273638

Time elapsed: 2 hour(s), 34 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\zebelivu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\jonotama.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\bozujeyi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{37ced711-29e2-4a1c-b0c7-740ed3c8e7eb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jamisogiw (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{37ced711-29e2-4a1c-b0c7-740ed3c8e7eb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gapapotuw (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zebelivu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zebelivu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\zebelivu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\jonotama.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\bozujeyi.dll (Trojan.Vundo) -> Delete on reboot.

2) Latest HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:25 PM, on 9/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe

C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchassistant.iwon.com/srchlft.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"

O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"

O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"

O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"

O4 - HKLM\..\Run: [sSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [jamisogiw] Rundll32.exe "c:\windows\system32\nabukeyu.dll",a

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: VPN Client.lnk = ?

O4 - Global Startup: WD Anywhere Backup Launcher.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1221868546966

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1225242709515

O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iWonPMSetup_5_1,0,2,5.exe

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dll c:\windows\system32\nabukeyu.dll,fezahoyu.dll

O21 - SSODL: nemaleyij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

O21 - SSODL: lujomorat - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

O22 - SharedTaskScheduler: mujuzedij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

O22 - SharedTaskScheduler: kupuhivus - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--

End of file - 10929 bytes


Hi and Welcome to Malwarebytes',

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

________________________________________________________________________

Launch HijackThis (HJT) by double-clicking the desktop shortcut. Choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O4 - HKLM\..\Run: [jamisogiw] Rundll32.exe "c:\windows\system32\nabukeyu.dll",a

O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dll c:\windows\system32\nabukeyu.dll,fezahoyu.dll

O21 - SSODL: nemaleyij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

O21 - SSODL: lujomorat - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

O22 - SharedTaskScheduler: mujuzedij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

O22 - SharedTaskScheduler: kupuhivus - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

Close HJT and Reboot

Download DDS and save it to your desktop from here


Disable any script blocking programs you may have installed (such as McAfee script proxy), and then double-click dds.scr to run the tool. I notice you have McAfee script blocking enabled - you must disable it!!

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

  • When done, DDS will open two (2) logs:
    • DDS.txt - copy/paste this log into your reply
    • Attach.txt - attach this one to your reply
  • Save both reports to your desktop
  • Please copy and paste DDS.txt into your reply and attach attach.txt

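A defender-side triage of the kind of entries the helper singles out, as an added example that is not code from this thread, from HijackThis or from Malwarebytes. It parses HijackThis-style "Onn - ..." lines (the sample is constructed from lines in the log posted above, plus one benign NVIDIA Run entry and one service line as controls) and reports the persistence pattern visible in this thread. The heuristics it applies (any populated AppInit_DLLs value, "(no file)" orphans, 8-letter random DLL names, one DLL referenced from several autostart sections, one CLSID registered as both SSODL and SharedTaskScheduler) are assumptions of this example, not HijackThis rules.

```python
"""Triage of HijackThis-style autostart lines for Vundo-like persistence.

Added example: not code from the forum thread, HijackThis or Malwarebytes.
The heuristics below are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis lines taken from the log in this thread,
# plus one legitimate O4 entry and one O23 service line as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jamisogiw] Rundll32.exe "c:\windows\system32\nabukeyu.dll",a
O20 - AppInit_DLLs: c:\windows\system32\doheyesi.dll c:\windows\system32\nabukeyu.dll,fezahoyu.dll
O21 - SSODL: nemaleyij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)
O21 - SSODL: lujomorat - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll
O22 - SharedTaskScheduler: mujuzedij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# HijackThis sections for the autostart locations used in this thread:
# Run keys, AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler.
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O22"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
DLL_RE = re.compile(r"([a-z0-9_]+\.dll)\b", re.IGNORECASE)
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.IGNORECASE
)
# Assumption: the variant in this thread used 8 random lowercase letters for
# its DLL names; treat that shape as worth a look, not as a signature.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def parse_lines(text):
    """Yield (section, body) for each 'Onn - ...' line in a HijackThis log."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a dict of findings keyed by heuristic name."""
    dll_sections = defaultdict(set)    # dll basename -> sections that load it
    clsid_sections = defaultdict(set)  # CLSID -> sections that register it
    random_names = set()
    appinit, orphans = [], []

    for section, body in parse_lines(text):
        if section not in AUTOSTART_SECTIONS:
            continue
        # AppInit_DLLs is loaded into every process that maps user32.dll;
        # on a home XP box it should be empty, so any value is reportable.
        if section == "O20" and body.split(":", 1)[1].strip():
            appinit.append(body)
        # A CLSID whose server DLL is gone is a leftover registration.
        if "(no file)" in body.lower():
            orphans.append(body)
        for name in DLL_RE.findall(body):
            name = name.lower()
            dll_sections[name].add(section)
            if RANDOM_NAME_RE.match(name):
                random_names.add(name)
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.lower()].add(section)

    return {
        "appinit": appinit,
        "orphan": orphans,
        "random_name": sorted(random_names),
        # One DLL wired into several autostart points is what makes the
        # infection come back after a single location is cleaned.
        "multi_location": {n: sorted(s) for n, s in dll_sections.items() if len(s) > 1},
        "dual_clsid": sorted(c for c, s in clsid_sections.items() if {"O21", "O22"} <= s),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule, hits)
```

Run against the sample, the "multi_location" finding is the one that explains the thread: the MBAM log shows zebelivu.dll removed from Run, AppInit_DLLs, SSODL and SharedTaskScheduler, and the HijackThis log taken the same day already shows nabukeyu.dll registered in the same four places, so cleaning any one location on its own leaves the others to reload it. The helper's list of six entries to fix is exactly that set, which is why all of them are removed together before the reboot.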

Ok, I downloaded and ran ATF Cleaner.

I then reran HijackThis and fixed 4 of the 6 lines. The following 2 no longer appeared:

O21 - SSODL: nemaleyij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

O22 - SharedTaskScheduler: mujuzedij - {d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

I shut off all the McAfee functions that I could find in the Security Center and then ran the DDS Script and here are the file contents:

DDS (Ver_09-07-30.01) - NTFSx86

Run by John at 22:36:59.70 on Wed 09/23/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.617 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe

C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe

C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/

mSearch Bar = hxxp://searchassistant.iwon.com/srchlft.html

mWindow Title = Windows Internet Explorer provided by Comcast

mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [WorkFlowTray] "c:\program files\scansoft\omnipagepro14.0\WorkFlowTray.exe"

mRun: [Opware14] "c:\program files\scansoft\omnipagepro14.0\Opware14.exe"

mRun: [OpScheduler] "c:\program files\scansoft\omnipagepro14.0\OpScheduler.exe"

mRun: [PDF Converter Registry Controller] "c:\program files\scansoft\omnipagepro14.0\pdfcnv\RegistryController.exe"

mRun: [sSPrnAgent] c:\program files\scansoft\omnipagepro14.0\pdfprn\SPrnAgent.exe

mRun: [Drag'n'Drop_Autolaunch] "c:\program files\iomega hotburn pro\Autolaunch.exe"

mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [jamisogiw] Rundll32.exe "c:\windows\system32\nabukeyu.dll",a

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{47566d9f-6ed6-47c6-8a92-b5c01c44edb4}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Open PDF in Word - c:\program files\scansoft\omnipagepro14.0\pdfcnv\IEShellExt.dll /100

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221868546966

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225242709515

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll

AppInit_DLLs: c:\windows\system32\nabukeyu.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: lujomorat - {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

STS: kupuhivus: {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-19 214024]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-19 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-19 144704]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-7-10 25824]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-19 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-19 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-19 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-19 40552]

S3 PacketNTx;Packet helper driver;c:\windows\system32\drivers\PacketNTx.sys [2003-2-3 24544]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-19 606736]

=============== Created Last 30 ================

2009-09-23 20:29 <DIR> acdshr-- C:\cmdcons

2009-09-23 20:26 229,888 a------- c:\windows\PEV.exe

2009-09-23 20:26 161,792 a------- c:\windows\SWREG.exe

2009-09-23 20:26 98,816 a------- c:\windows\sed.exe

2009-09-23 19:45 <DIR> --d----- c:\program files\Trend Micro

2009-09-22 21:45 <DIR> -cd----- C:\VundoFix Backups

2009-09-20 19:49 <DIR> --d-h--- c:\windows\Copy of $NtUninstallQ328310$

2009-09-20 19:49 <DIR> --d-h--- c:\windows\Copy of $NtUninstallQ329834$

2009-09-20 19:49 <DIR> --d-h--- c:\windows\Copy of $NtUninstallQ329115$

2009-09-20 19:49 <DIR> --d-h--- c:\windows\Copy of $NtUninstallQ329048$

2009-09-20 19:49 <DIR> --d-h--- c:\windows\Copy of $NtUninstallKB970653-v3$

2009-09-20 15:27 <DIR> --d----- c:\program files\CCleaner

2009-09-20 15:24 <DIR> --d----- c:\docume~1\john\applic~1\Printer Info Cache

2009-09-19 12:52 7,396 a------- c:\windows\system32\drivers\pctcore.cat

2009-09-18 21:56 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes

2009-09-18 21:56 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-18 21:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-09-18 21:56 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-18 21:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-18 20:34 <DIR> --d----- c:\docume~1\john\applic~1\PC Tools

2009-09-18 20:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

2009-09-09 13:25 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-23 18:28 88,576 a--sh--- c:\windows\system32\nabukeyu.dll

2009-09-15 11:32 112,192 a------- c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT

2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll

2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll

2009-06-29 12:12 827,392 -------- c:\windows\system32\wininet.dll

2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll

2009-06-29 12:12 78,336 -------- c:\windows\system32\ieencode.dll

2005-01-31 23:07 305 a---h--- c:\program files\hpothb07.dat

2005-01-31 22:21 515 a---h--- c:\program files\hpothb07.tif

2004-03-01 19:56 16,706,160 a------- c:\program files\AdbeRdr60_enu_full.exe

2004-03-01 19:54 6,262,872 a------- c:\program files\psa2se_us.exe

2009-06-20 06:28 512 a--sh--- c:\windows\system32\dedezaye.dll

2009-06-20 06:28 36 a--sh--- c:\windows\system32\hesuwopa.exe

2009-06-20 06:28 512 a--sh--- c:\windows\system32\niyohaja.dll

============= FINISH: 22:37:54.81 ===============

Attach.txt


Here is the combo-fix log as requested.

ComboFix 09-09-23.02 - John 09/23/2009 20:42.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.517 [GMT -4:00]

Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

c:\windows\Installer\1487e98.msi

c:\windows\Installer\280e9.msi

c:\windows\Installer\ae6ff1.msp

c:\windows\system\MSVWWIN.DLL

c:\windows\system32\11478.exe

c:\windows\system32\15724.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\29358.exe

c:\windows\system32\41.exe

c:\windows\system32\6334.exe

c:\windows\system32\dehokiju.dll

c:\windows\system32\falukovo.dll

c:\windows\system32\fezahoyu.dll

c:\windows\system32\hayibeso.dll

c:\windows\system32\latadeti.dll

c:\windows\system32\nazoduse.dll

c:\windows\system32\ndisapi.dll

c:\windows\system32\ntSVc.ocx

c:\windows\system32\rubolezo.dll

c:\windows\system32\system

c:\windows\system32\system\msxml4.dll

c:\windows\system32\system\msxml4r.dll

F:\autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))

.

2009-09-23 23:45 . 2009-09-23 23:45 -------- d-----w- c:\program files\Trend Micro

2009-09-23 01:45 . 2009-09-23 01:45 -------- dc----w- C:\VundoFix Backups

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ328310$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329834$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329115$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329048$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallKB970653-v3$

2009-09-20 19:27 . 2009-09-20 19:27 -------- d-----w- c:\program files\CCleaner

2009-09-20 19:24 . 2009-09-20 19:24 -------- d-----w- c:\documents and settings\John\Application Data\Printer Info Cache

2009-09-20 04:22 . 2009-09-20 04:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\COMCASTTOOLBAR

2009-09-19 01:56 . 2009-09-19 01:56 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes

2009-09-19 01:56 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 01:56 . 2009-09-19 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 01:56 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-19 01:56 . 2009-09-19 10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 00:35 . 2009-09-20 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-19 00:34 . 2009-09-19 00:34 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools

2009-09-19 00:34 . 2009-09-19 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-18 13:23 . 2009-09-18 13:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-09-09 17:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-24 00:16 . 2008-09-27 16:00 -------- d-----w- c:\documents and settings\John\Application Data\COMCASTTOOLBAR

2009-09-23 23:33 . 2008-09-27 16:56 -------- d-----w- c:\documents and settings\John\Application Data\U3

2009-09-23 22:28 . 2009-06-23 22:28 88576 --sha-w- c:\windows\system32\nabukeyu.dll

2009-09-23 01:37 . 2008-10-10 23:50 -------- d-----w- c:\program files\Java

2009-09-19 16:52 . 2009-09-19 16:52 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-09-17 11:45 . 2002-10-25 00:20 -------- d-----w- c:\program files\Quicken

2009-09-16 11:39 . 2008-09-20 02:44 -------- d-----w- c:\program files\McAfee

2009-09-15 16:36 . 2008-09-20 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-10 14:40 . 2008-09-28 22:55 -------- d-----w- c:\documents and settings\John\Application Data\AdobeUM

2009-09-08 01:36 . 2008-09-27 15:58 112192 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-07 17:35 . 2009-06-30 23:39 -------- d-----w- c:\program files\MioNet

2009-08-08 13:31 . 2009-08-08 13:31 -------- d-----w- c:\program files\MSBuild

2009-08-08 13:30 . 2009-08-08 13:30 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2002-10-25 11:41 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-25 09:23 . 2009-01-18 16:05 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2002-10-25 11:39 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 16:32 . 2008-09-20 02:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-07-14 03:43 . 2002-10-26 13:34 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-08 17:44 . 2008-09-20 02:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 17:44 . 2008-09-20 02:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 17:44 . 2008-09-20 02:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 17:44 . 2008-09-20 02:46 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 17:43 . 2008-09-20 02:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2005-02-01 03:07 . 2005-02-01 02:21 305 ---ha-w- c:\program files\hpothb07.dat

2005-02-01 02:21 . 2005-02-01 02:21 515 ---ha-w- c:\program files\hpothb07.tif

2004-03-01 23:56 . 2004-03-01 23:54 16706160 ----a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-03-01 23:54 . 2004-03-01 23:54 6262872 ----a-w- c:\program files\psa2se_us.exe

2009-06-20 10:28 . 2009-06-20 10:28 512 --sha-w- c:\windows\system32\dedezaye.dll

2009-06-20 10:28 . 2009-06-20 10:28 36 --sha-w- c:\windows\system32\hesuwopa.exe

2009-06-20 10:28 . 2009-06-20 10:28 512 --sha-w- c:\windows\system32\niyohaja.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-04 188416]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"WorkFlowTray"="c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe" [2003-10-29 139363]

"Opware14"="c:\program files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2003-10-29 57344]

"OpScheduler"="c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe" [2003-10-29 114688]

"PDF Converter Registry Controller"="c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe" [2003-09-30 102400]

"SSPrnAgent"="c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe" [2003-10-29 20480]

"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2004-02-10 131072]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"jamisogiw"="c:\windows\system32\nabukeyu.dll" [2009-09-23 88576]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking\Program\natspeak.exe [2003-12-4 2498607]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-12-6 303104]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-10-24 6144]

WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{47566D9F-6ED6-47C6-8A92-B5C01C44EDB4}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2009-6-30 84887]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{14a80ccc-0c3e-44c0-84d7-e49ea84b4748}"= "c:\windows\system32\nabukeyu.dll" [2009-09-23 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"lujomorat"= {14a80ccc-0c3e-44c0-84d7-e49ea84b4748} - c:\windows\system32\nabukeyu.dll [2009-09-23 88576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk

backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Controller.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Controller.LNK

backup=c:\windows\pss\Controller.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [7/10/2008 6:26 PM 25824]

S3 PacketNTx;Packet helper driver;c:\windows\system32\drivers\PacketNTx.sys [2/3/2003 2:44 PM 24544]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf

.

Contents of the 'Scheduled Tasks' folder

2004-11-09 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8083848849.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]

2008-09-20 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-20 01:26]

2009-07-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-20 01:26]

2009-09-23 c:\windows\Tasks\{D6C240CA-014B-43C5-AFA4-C88CA5A5F234}_779QK11_Owner.job

- c:\windows\system32\mobsync.exe [2001-08-18 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://searchassistant.iwon.com/srchlft.html

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Open PDF in Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{cbee8077-2f0c-4a9c-be65-0712616499c5} - nazoduse.dll

HKLM-Run-taniyidowa - rubolezo.dll

SharedTaskScheduler-{d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

SSODL-nemaleyij-{d25034de-2962-4ebb-9179-9a8ebd577855} - (no file)

AddRemove-DeleteProdVVFW100Web_US - c:\documents and settings\Owner\Local Settings\Temp\_ISTMP11.DIR\_ISTMP0.DIR\uninst_us.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 21:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3456)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPagePro14.0\OpHook14.dll

c:\windows\system32\nabukeyu.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\drivers\CDAC11BA.EXE

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\devldr32.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe

c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe

.

**************************************************************************

.

Completion time: 2009-09-24 21:51 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-24 01:51

Pre-Run: 1,791,082,496 bytes free

Post-Run: 5,538,246,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

285 --- E O F --- 2009-09-09 19:13


Give me time to review your logs just submitted.

I also want you to do the following please -

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.
  • Re-enable your antivirus and any antimalware programs you disabled before running the scan.

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.


OK, listen: stop it. Close the program, and relaunch it. Then just post the quick scan results - that takes a matter of seconds to get.

Let me know if it warned you of rootkit activity. I just want to see if there is any hidden driver which is often the reason those items persist after MBAM is run in the case of Vundo.H.


Hi Again,

I saw your last response after I went to bed and didn't get a chance to stop it until the morning. It ran all night and was still going when I stopped it. It was working through a McAfee quarantine directory that it appears I need to clean out. There were about 8G of files in there.

Here is the result of the quick scan:

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-24 07:06:02

Windows 5.1.2600 Service Pack 3

Running: dhkc14wv.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\uwtdapow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF5C7C4EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF5C7C581]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5C7C498]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF5C7C4AC]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5C7C595]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5C7C5C1]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5C7C62F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5C7C619]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF5C7C52A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5C7C65B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5C7C56D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5C7C470]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5C7C484]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF5C7C4FE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5C7C697]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF5C7C603]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5C7C5ED]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF5C7C5AB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF5C7C683]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF5C7C66F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5C7C4D6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5C7C4C2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF5C7C5D7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5C7C559]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5C7C645]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5C7C540]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF5C7C514]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


There's nothing in the ARK log showing but McAfee.

We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

Note: The script was created specifically for this user ONLY. By running this same script on a system for which it was not intended, you may put your computer at serious risk of damage.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

driver::
dnbudf

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]
AppInit_DLLs=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jamisogiw"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{14a80ccc-0c3e-44c0-84d7-e49ea84b4748}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lujomorat"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

File::
c:\windows\system32\nabukeyu.dll
c:\windows\system32\dedezaye.dll
c:\windows\system32\hesuwopa.exe
c:\windows\system32\niyohaja.dll

Save this to your desktop as CFScript.txt by selecting File -> Save as.

[Image: CFScriptB-4.gif - CFScript.txt being dragged onto ComboFix.exe]

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

Run an updated MBAM scan, remove all threats found, reboot if required and post that log back, as well.
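The CFScript above clears four autostart locations by hand: AppInit_DLLs, the HKLM Run key, SharedTaskScheduler and ShellServiceObjectDelayLoad (SSODL). As an added example, not part of this thread, the helper's instructions or ComboFix itself, the following Windows PowerShell script audits those same four locations read-only and resolves each entry to the file it loads, reporting whether the file exists, its size, its attributes (the ComboFix log shows the malicious DLLs as hidden+system, the --sha-w- flags) and its Authenticode status. The "Suspicious" heuristic, the relative-path resolution against %WINDIR%, and the function names are my own assumptions, not anything the thread or the tools define; the script changes nothing and is meant to be run from an elevated prompt before deciding what to delete.

```powershell
# Added example (not from the thread or from ComboFix): read-only audit of the
# four autostart locations the CFScript clears. Run from an elevated
# Windows PowerShell prompt; it removes nothing.

$locations = @(
    @{ Name = 'AppInit_DLLs';        Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
    @{ Name = 'HKLM Run';            Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Name = 'SharedTaskScheduler'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' },
    @{ Name = 'SSODL';               Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' }
)

function Resolve-ClsidServer {
    # SharedTaskScheduler and SSODL entries name a COM class; the DLL that
    # implements it is the default value of HKCR\CLSID\{guid}\InprocServer32.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Get-PathFromCommand {
    # Pull the executable/DLL path out of a Run-style command line,
    # e.g. '"c:\program files\x\y.exe" /arg' or 'c:\windows\system32\foo.dll'.
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"?([^"]+?\.(exe|dll|sys))\b') { return $Matches[1] }
    return $expanded.Trim()
}

function Describe-File {
    # Assumption: a non-rooted name (e.g. 'system32\foo.dll') is resolved
    # against %WINDIR%, which is how the AppInit_DLLs entries in the log look.
    param([string]$Path)
    if ($Path -and -not [System.IO.Path]::IsPathRooted($Path)) {
        $Path = Join-Path $env:WINDIR $Path
    }
    $info = New-Object PSObject -Property @{
        Target = $Path; Exists = $false; Size = $null; Attributes = $null; Signature = $null
    }
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $f = Get-Item -LiteralPath $Path -Force          # -Force so hidden/system files are returned
        $info.Exists     = $true
        $info.Size       = $f.Length
        $info.Attributes = $f.Attributes.ToString()
        $info.Signature  = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    return $info
}

$report = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Key)) { continue }
    $values = Get-ItemProperty -LiteralPath $loc.Key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($loc.Name -eq 'AppInit_DLLs' -and $v.Name -ne 'AppInit_DLLs') { continue }

        $targets = switch ($loc.Name) {
            'AppInit_DLLs'        { ([string]$v.Value -split '[ ,]+') | Where-Object { $_ } }  # space/comma list
            'SharedTaskScheduler' { Resolve-ClsidServer $v.Name }                               # value name is the CLSID
            'SSODL'               { Resolve-ClsidServer ([string]$v.Value) }                    # value data is the CLSID
            default               { Get-PathFromCommand ([string]$v.Value) }
        }
        foreach ($t in @($targets)) {
            $file = Describe-File $t
            New-Object PSObject -Property @{
                Location   = $loc.Name
                Entry      = $v.Name
                Target     = $file.Target
                Exists     = $file.Exists
                Size       = $file.Size
                Attributes = $file.Attributes
                Signature  = $file.Signature
                # Heuristic (my own): an existing hidden+system file with no valid
                # signature matches the pattern of the entries cleaned in this thread.
                Suspicious = ($file.Exists -and $file.Attributes -match 'Hidden' -and
                              $file.Attributes -match 'System' -and $file.Signature -ne 'Valid')
            }
        }
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Location, Entry, Target, Exists, Size, Attributes, Signature, Suspicious -AutoSize
```

The two COM-based locations are resolved through HKCR\CLSID because, unlike ComboFix's rendering of the log, the raw registry values there hold only a CLSID or a description string, not the DLL path. Compare the resulting table against the "Reg Loading Points" section of the log before deciding what to delete; unsigned, hidden+system DLLs under system32 with random names are the rows to look at first.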


Here's the Combofix log. I will post the MBAM log after it completes.

ComboFix 09-09-23.02 - John 09/24/2009 21:15.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.629 [GMT -4:00]

Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\system32\dedezaye.dll"

"c:\windows\system32\hesuwopa.exe"

"c:\windows\system32\nabukeyu.dll"

"c:\windows\system32\niyohaja.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\dedezaye.dll

c:\windows\system32\hesuwopa.exe

c:\windows\system32\niyohaja.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DNBUDF

-------\Service_dnbudf

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-24 03:11 . 2009-09-24 11:06 -------- dc----w- C:\ARK

2009-09-23 23:45 . 2009-09-23 23:45 -------- d-----w- c:\program files\Trend Micro

2009-09-23 01:45 . 2009-09-23 01:45 -------- dc----w- C:\VundoFix Backups

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ328310$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329834$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329115$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallQ329048$

2009-09-20 23:49 . 2009-09-20 23:49 -------- d--h--w- c:\windows\Copy of $NtUninstallKB970653-v3$

2009-09-20 19:27 . 2009-09-20 19:27 -------- d-----w- c:\program files\CCleaner

2009-09-20 19:24 . 2009-09-20 19:24 -------- d-----w- c:\documents and settings\John\Application Data\Printer Info Cache

2009-09-20 04:22 . 2009-09-20 04:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\COMCASTTOOLBAR

2009-09-19 01:56 . 2009-09-19 01:56 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes

2009-09-19 01:56 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 01:56 . 2009-09-19 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 01:56 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-19 01:56 . 2009-09-19 10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 00:35 . 2009-09-20 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-19 00:34 . 2009-09-19 00:34 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools

2009-09-19 00:34 . 2009-09-19 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-18 13:23 . 2009-09-18 13:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-09-09 17:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-24 20:26 . 2008-09-27 16:00 -------- d-----w- c:\documents and settings\John\Application Data\COMCASTTOOLBAR

2009-09-23 23:33 . 2008-09-27 16:56 -------- d-----w- c:\documents and settings\John\Application Data\U3

2009-09-23 01:37 . 2008-10-10 23:50 -------- d-----w- c:\program files\Java

2009-09-19 16:52 . 2009-09-19 16:52 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-09-17 11:45 . 2002-10-25 00:20 -------- d-----w- c:\program files\Quicken

2009-09-16 11:39 . 2008-09-20 02:44 -------- d-----w- c:\program files\McAfee

2009-09-15 16:36 . 2008-09-20 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-10 14:40 . 2008-09-28 22:55 -------- d-----w- c:\documents and settings\John\Application Data\AdobeUM

2009-09-08 01:36 . 2008-09-27 15:58 112192 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-07 17:35 . 2009-06-30 23:39 -------- d-----w- c:\program files\MioNet

2009-08-08 13:31 . 2009-08-08 13:31 -------- d-----w- c:\program files\MSBuild

2009-08-08 13:30 . 2009-08-08 13:30 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2002-10-25 11:41 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-25 09:23 . 2009-01-18 16:05 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2002-10-25 11:39 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 16:32 . 2008-09-20 02:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-07-14 03:43 . 2002-10-26 13:34 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-08 17:44 . 2008-09-20 02:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 17:44 . 2008-09-20 02:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 17:44 . 2008-09-20 02:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 17:44 . 2008-09-20 02:46 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 17:43 . 2008-09-20 02:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-06-29 16:12 . 2004-02-06 22:05 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2005-02-01 03:07 . 2005-02-01 02:21 305 ---ha-w- c:\program files\hpothb07.dat

2005-02-01 02:21 . 2005-02-01 02:21 515 ---ha-w- c:\program files\hpothb07.tif

2004-03-01 23:56 . 2004-03-01 23:54 16706160 ----a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-03-01 23:54 . 2004-03-01 23:54 6262872 ----a-w- c:\program files\psa2se_us.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_01.43.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-25 01:27 . 2009-09-25 01:27 16384 c:\windows\Temp\Perflib_Perfdata_248.dat

+ 2002-10-24 15:07 . 2009-09-24 22:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2002-10-24 15:07 . 2009-09-23 23:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2002-10-24 15:07 . 2009-09-24 22:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2002-10-24 15:07 . 2009-09-23 23:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-24 03:52 . 2009-09-24 22:26 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2002-10-24 15:07 . 2009-09-23 23:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-04 188416]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"WorkFlowTray"="c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe" [2003-10-29 139363]

"Opware14"="c:\program files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2003-10-29 57344]

"OpScheduler"="c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe" [2003-10-29 114688]

"PDF Converter Registry Controller"="c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe" [2003-09-30 102400]

"SSPrnAgent"="c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe" [2003-10-29 20480]

"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2004-02-10 131072]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking\Program\natspeak.exe [2003-12-4 2498607]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-12-6 303104]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-10-24 6144]

WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{47566D9F-6ED6-47C6-8A92-B5C01C44EDB4}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2009-6-30 84887]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk

backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Controller.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Controller.LNK

backup=c:\windows\pss\Controller.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [7/10/2008 6:26 PM 25824]

R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]

S3 PacketNTx;Packet helper driver;c:\windows\system32\drivers\PacketNTx.sys [2/3/2003 2:44 PM 24544]

.

Contents of the 'Scheduled Tasks' folder

2004-11-09 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8083848849.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]

2008-09-20 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-20 01:26]

2009-07-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-20 01:26]

2009-09-24 c:\windows\Tasks\{D6C240CA-014B-43C5-AFA4-C88CA5A5F234}_779QK11_Owner.job

- c:\windows\system32\mobsync.exe [2001-08-18 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://searchassistant.iwon.com/srchlft.html

mWindow Title = Windows Internet Explorer provided by Comcast

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Open PDF in Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-24 21:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3432)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPagePro14.0\OpHook14.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\drivers\CDAC11BA.EXE

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\devldr32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\windows\system32\HPZipm12.exe

c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe

.

**************************************************************************

.

Completion time: 2009-09-25 21:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-25 01:36

ComboFix2.txt 2009-09-24 01:51

Pre-Run: 3,030,573,056 bytes free

Post-Run: 3,018,604,544 bytes free

253 --- E O F --- 2009-09-09 19:13

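Reading a ComboFix "Reg Loading Points" dump by eye is error-prone, so here is an added example (not from the thread, ComboFix or Malwarebytes) of a small Python triage script that parses lines shaped like that section above into structured entries and flags three things a log like this one can carry: a Run value whose value name and file name are both eight random-looking lowercase letters (the naming style the Vundo family uses for its DLLs; an assumed heuristic, not a verdict), `EnableFirewall = 0` for the standard profile, and Security Center `DisableMonitoring = 1` entries, which a third-party suite such as the installed McAfee normally sets for itself and so are reported as informational. The sample log text and the hypothetical `ramuvage` entry are constructed for the example and were not in the posted log.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix, Malwarebytes or the
original posts. The heuristics below are assumptions, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the ComboFix output above. The "ramuvage"
# entry is hypothetical (NOT in the posted log) and stands in for a
# Vundo-style Run value with a random eight-letter name.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ramuvage"="c:\windows\system32\ramuvage.dll" [2009-09-22 61440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
# Two shapes:  "path" [date size]   or   "shortname" - resolved\path [date size]
PATH_RE = re.compile(
    r'^"(?P<path>[^"]*)"'
    r'(?:\s*-\s*(?P<resolved>.*?))?'
    r'\s*(?:\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$')
# Heuristic (assumption): eight lowercase letters, the naming style of Vundo DLLs.
RANDOM_NAME = re.compile(r'^[a-z]{8}$')


@dataclass
class Entry:
    key: str                    # registry key the value lives under
    name: str                   # value name
    raw: str                    # everything after '=' as ComboFix printed it
    path: Optional[str] = None  # file the value points at, when parseable
    size: Optional[int] = None  # size ComboFix reported in [date size]


@dataclass
class Finding:
    severity: str   # 'high' or 'info'
    entry: Entry
    reason: str


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the REGEDIT4-style dump into Entry records, tracking the current key."""
    entries: List[Entry] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        entry = Entry(key=key, name=vm.group('name'), raw=vm.group('rest'))
        pm = PATH_RE.match(entry.raw)
        if pm:
            # Prefer the resolved path ComboFix prints after " - " when present.
            entry.path = pm.group('resolved') or pm.group('path')
            if pm.group('size'):
                entry.size = int(pm.group('size'))
        entries.append(entry)
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the three conditions worth a second look in a log like this one."""
    findings: List[Finding] = []
    for e in entries:
        k = e.key.lower()
        if 'firewallpolicy' in k and e.name.lower() == 'enablefirewall':
            if e.raw.strip().startswith('0'):
                findings.append(Finding('high', e, 'Windows Firewall is off for this profile'))
        elif 'security center\\monitoring' in k and e.name.lower() == 'disablemonitoring':
            if e.raw.lower().endswith('dword:00000001'):
                vendor = e.key.rsplit('\\', 1)[-1]
                findings.append(Finding('info', e, f'Security Center no longer monitors {vendor}; '
                                                   'normal for a third-party suite, confirm it is yours'))
        elif k.endswith('\\currentversion\\run') and e.path:
            stem = e.path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            if RANDOM_NAME.match(e.name) and RANDOM_NAME.match(stem):
                findings.append(Finding('high', e, f'Run value and file both random-looking: {e.path}'))
    return findings


if __name__ == '__main__':
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'[{f.severity:4}] {f.entry.name:18} {f.reason}')
```

Point `parse_loading_points` at the real section of a saved ComboFix.txt (everything between the "Reg Loading Points" banner and the services list) to get the same Entry records for that log; the firewall and Security Center flags then read straight off the keys shown earlier in this post.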

Here's the log from the quick scan...looks good! Thank you so much for taking the time to help me.

Malwarebytes' Anti-Malware 1.41

Database version: 2857

Windows 5.1.2600 Service Pack 3

9/25/2009 6:52:26 AM

mbam-log-2009-09-25 (06-52-26).txt

Scan type: Quick Scan

Objects scanned: 131691

Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


You're Welcome and good job!

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 16, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "JRE 6 Update 16 - This special release provides a few key fixes", and click the Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform.

11. If the Yahoo Toolbar is prechecked for installation, be sure to UNCHECK it if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

-

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

If I asked you to download Avenger, then delete that program and the C:\Avenger folder.

Let's remove Combofix and all its associated files, including those in quarantine:

Click Start -> Run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\Combo-Fix.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders.
  • Reset your system clock.

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUpLite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

You should visit the Windows Update website and obtain the most current Operating System updates/patches and Internet Explorer released versions.

The easiest and fastest way to obtain/check Windows Updates is by clicking Control Panel -> Windows Update. However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Update is functioning, because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!
