Security Tool and friends keep coming back


Good morning and thank you so much in advance! I have worked on getting rid of Security Tools for over a week now. Downloaded and purchased Spyware Doctor because it advertised that it could fix Security Tools, but it didn't. Found Malwarebytes through some message boards and finally got it installed by renaming the executable and sneaking it in. Each time I run a scan, it says everything is fixed. I have done this over and over and last night got an "all clear". The computer was not turned off during the night, and when I woke up this morning, Security Tools was back! Grrrrrr

I rebooted and very quickly ran Malwarebytes again (it is the only thing that seems to fix this thing! THANK YOU!!). Log is attached. Then I downloaded the latest ComboFix and ran it. I stopped everything (per instructions) that I could on AVG 8, but ComboFix said part of it was still running. I could not stop it, not even through Task Manager. ComboFix log is attached.

Then I downloaded and ran HijackThis. Log is attached. Thank you SO much! A POX on the head of the scum-sucking trash that is putting this stuff out!

Malwarebytes' Anti-Malware 1.41

Database version: 2948

Windows 5.1.2600 Service Pack 3

10/13/2009 5:39:26 AM

mbam-log-2009-10-13 (05-39-26).txt

Scan type: Quick Scan

Objects scanned: 102759

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 5

Memory Processes Infected:

C:\Documents and Settings\All Users\Application Data\62047928\62047928.exe (Rogue.SecurityTool) -> Unloaded process successfully.

Memory Modules Infected:

c:\WINDOWS\system32\tubiwewa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{15da66b2-772b-47a0-8f36-18abd1338d1e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vawalamow (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62047928 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{15da66b2-772b-47a0-8f36-18abd1338d1e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\biletimuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tubiwewa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tubiwewa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\62047928 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\tubiwewa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\All Users\Application Data\62047928\62047928.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gehiraso.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Eric\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Eric\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

ComboFix Log:

ComboFix 09-10-12.03 - Eric 10/13/2009 5:56.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.561 [GMT -5:00]

Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\kegezadu.dll

c:\windows\system32\kelesopu.dll

c:\windows\system32\layejuso.dll

c:\windows\system32\pisefire.dll

c:\windows\system32\sobipore.dll

c:\windows\system32\sutojude.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-10-09 19:01 . 2009-10-09 19:01 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes

2009-10-09 12:49 . 2009-10-09 12:49 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files

2009-10-08 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 22:43 . 2009-10-11 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-08 22:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-08 00:57 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-10-08 00:57 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-10-08 00:57 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-10-08 00:56 . 2009-10-08 00:58 -------- d-----w- c:\program files\Common Files\PC Tools

2009-10-08 00:56 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-10-08 00:56 . 2009-10-12 16:09 -------- d-----w- c:\program files\Spyware Doctor

2009-10-08 00:02 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec

2009-10-03 22:02 . 2009-10-03 22:02 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-27 03:26 . 2009-09-27 03:26 -------- d-sh--w- c:\windows\ftpcache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-12 20:20 . 2009-05-26 16:13 34800 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-12 20:16 . 2006-05-20 17:02 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-12 20:13 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-12 20:10 . 2006-05-20 17:00 -------- d-----w- c:\program files\Common Files\Corel

2009-10-12 17:55 . 2009-10-08 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-10-08 00:43 . 2009-10-08 00:22 -------- d-----w- c:\program files\winlogon

2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-27 03:24 . 2009-05-26 21:01 -------- d-----w- c:\program files\Yahoo! Games

2009-09-12 17:58 . 2009-05-29 22:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-09-12 17:58 . 2009-05-29 22:20 88 --sh--r- c:\windows\system32\3EF6841A13.sys

2009-08-27 00:13 . 2009-05-26 16:42 -------- d-----w- c:\documents and settings\Eric\Application Data\AdobeUM

2009-08-23 13:18 . 2009-05-26 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-23 13:18 . 2009-05-26 20:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-23 13:18 . 2009-05-26 20:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-19 15:34 . 2009-08-19 15:33 -------- d-----w- c:\program files\iTunes

2009-08-19 15:33 . 2009-08-19 15:33 -------- d-----w- c:\program files\iPod

2009-08-19 15:33 . 2009-05-27 16:07 -------- d-----w- c:\program files\Common Files\Apple

2009-08-14 11:58 . 2009-10-08 00:57 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-07 00:24 . 2004-08-10 18:02 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 00:24 . 2004-08-10 18:02 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 00:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 00:24 . 2004-08-10 18:02 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 00:24 . 2004-08-10 18:02 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-07 00:24 . 2004-08-10 17:50 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 00:23 . 2004-08-10 18:02 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 00:23 . 2009-05-27 14:36 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-07 00:23 . 2004-08-10 18:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-09 21:45 . 2009-07-09 21:45 50688 --sha-w- c:\windows\system32\dehaseha.dll.tmp

2009-07-08 09:44 . 2009-07-08 09:44 38400 --sha-w- c:\windows\system32\godanihe.dll

2009-07-09 09:44 . 2009-07-09 09:44 38912 --sha-w- c:\windows\system32\hawajifi.dll

2009-07-09 21:44 . 2009-07-09 21:44 50688 --sha-w- c:\windows\system32\hojahuge.dll

2009-07-07 14:31 . 2009-07-07 14:31 37376 --sha-w- c:\windows\system32\meruyuva.dll

2009-07-09 21:44 . 2009-07-09 21:44 38400 --sha-w- c:\windows\system32\tuwefake.dll

2009-07-12 15:44 . 2009-07-12 15:44 51712 --sha-w- c:\windows\system32\vetahadu.dll

2009-07-08 21:43 . 2009-07-08 21:43 37888 --sha-w- c:\windows\system32\yuterahi.dll

2009-07-12 15:43 . 2009-07-12 15:43 51712 --sha-w- c:\windows\system32\zufajudi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49abb7e8-dda5-4080-9a46-37fc2e15c28d}]

2009-07-12 15:44 51712 --sha-w- c:\windows\system32\vetahadu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-20 26112]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-5-20 156784]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-20 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=

"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=

"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=

"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mimboot.exe"=

"c:\\Program Files\\America Online 9.0\\aoltray.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/7/2009 7:57 PM 206256]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2009 3:24 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2009 3:24 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/26/2009 3:24 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/26/2009 3:24 PM 297752]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/7/2009 7:56 PM 348824]

.

Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-13 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D6YGJ0B1-Eric).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-20 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: musicmatch.com\online

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-dabuluzipi - niwaluyu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 06:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(416)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\McAfee.com\Agent\Mcdetect.exe

c:\progra~1\McAfee.com\VSO\McShield.exe

c:\progra~1\McAfee.com\Agent\McTskshd.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\windows\system32\wdfmgr.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-10-13 6:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-13 11:09

Pre-Run: 40,611,393,536 bytes free

Post-Run: 40,530,321,408 bytes free

221 --- E O F --- 2009-10-13 11:08

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:15:16 AM, on 10/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Eric\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)

O2 - BHO: (no name) - {49abb7e8-dda5-4080-9a46-37fc2e15c28d} - vetahadu.dll (file missing)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243419416828

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: wehebopa.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 10310 bytes


  • Staff
Downloaded and purchased xxx scanner because it advertised that it could fix Security Tools, but didn't

Ask for your money back ;)

------------

Delete any existing copy of ComboFix.exe and then visit this webpage for instructions for downloading a fresh one:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.


You can bet I'm gonna do that - and guess which one I'm going to buy ;)

Here is the newest ComboFix log. THANK YOU THANK YOU THANK YOU!

ComboFix 09-10-15.01 - Eric 10/15/2009 17:46.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.487 [GMT -5:00]

Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\85760430

c:\documents and settings\All Users\Application Data\85760430\85760430.bat

c:\documents and settings\All Users\Application Data\85760430\85760430.exe

c:\windows\system32\dehaseha.dll.tmp

c:\windows\system32\fujewipe.dll

c:\windows\system32\gerogije.dll

c:\windows\system32\godanihe.dll

c:\windows\system32\hawajifi.dll

c:\windows\system32\hojahuge.dll

c:\windows\system32\husugudi.dll

c:\windows\system32\meruyuva.dll

c:\windows\system32\mirikiri.dll

c:\windows\system32\punehomi.dll

c:\windows\system32\tuwefake.dll

c:\windows\system32\vajoneyo.dll

c:\windows\system32\vetahadu.dll.tmp

c:\windows\system32\wamejawe.dll

c:\windows\system32\yubiwojo.dll

c:\windows\system32\yuterahi.dll

c:\windows\system32\zufajudi.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))

.

2009-10-15 22:40 . 2009-10-15 22:41 -------- d-----w- C:\Combo-Fix

2009-10-15 02:12 . 2009-10-15 02:14 -------- d-----w- c:\program files\Windows Live Safety Center

2009-10-09 19:01 . 2009-10-09 19:01 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes

2009-10-09 12:49 . 2009-10-09 12:49 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files

2009-10-08 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 22:43 . 2009-10-11 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-08 22:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-08 00:57 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-10-08 00:57 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-10-08 00:57 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-10-08 00:56 . 2009-10-08 00:58 -------- d-----w- c:\program files\Common Files\PC Tools

2009-10-08 00:56 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-10-08 00:56 . 2009-10-14 23:38 -------- d-----w- c:\program files\Spyware Doctor

2009-10-08 00:02 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec

2009-10-03 22:02 . 2009-10-03 22:02 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-27 03:26 . 2009-09-27 03:26 -------- d-sh--w- c:\windows\ftpcache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-15 22:27 . 2009-10-08 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-14 23:17 . 2009-05-26 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-10-12 20:20 . 2009-05-26 16:13 34800 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-12 20:16 . 2006-05-20 17:02 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-12 20:13 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-12 20:10 . 2006-05-20 17:00 -------- d-----w- c:\program files\Common Files\Corel

2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-10-08 00:43 . 2009-10-08 00:22 -------- d-----w- c:\program files\winlogon

2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-27 03:24 . 2009-05-26 21:01 -------- d-----w- c:\program files\Yahoo! Games

2009-09-12 17:58 . 2009-05-29 22:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-09-12 17:58 . 2009-05-29 22:20 88 --sh--r- c:\windows\system32\3EF6841A13.sys

2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-27 00:13 . 2009-05-26 16:42 -------- d-----w- c:\documents and settings\Eric\Application Data\AdobeUM

2009-08-26 08:00 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-23 13:18 . 2009-05-26 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-23 13:18 . 2009-05-26 20:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-23 13:18 . 2009-05-26 20:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-19 15:34 . 2009-08-19 15:33 -------- d-----w- c:\program files\iTunes

2009-08-19 15:33 . 2009-08-19 15:33 -------- d-----w- c:\program files\iPod

2009-08-19 15:33 . 2009-05-27 16:07 -------- d-----w- c:\program files\Common Files\Apple

2009-08-07 00:24 . 2004-08-10 18:02 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 00:24 . 2004-08-10 18:02 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 00:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 00:24 . 2004-08-10 18:02 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 00:24 . 2004-08-10 18:02 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-07 00:24 . 2004-08-10 17:50 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 00:23 . 2004-08-10 18:02 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 00:23 . 2009-05-27 14:36 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-07 00:23 . 2004-08-10 18:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-10 17:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-07-15 22:40 . 2009-07-15 22:40 1090082 --sha-w- c:\windows\system32\roloropo.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-20 26112]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-5-20 156784]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-20 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-23 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=

"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=

"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=

"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mimboot.exe"=

"c:\\Program Files\\America Online 9.0\\aoltray.exe"=

"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/7/2009 7:57 PM 206256]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2009 3:24 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2009 3:24 PM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/26/2009 3:24 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/26/2009 3:24 PM 297752]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/7/2009 7:56 PM 348824]

.

Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D6YGJ0B1-Eric).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-20 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: musicmatch.com\online

.

- - - - ORPHANS REMOVED - - - -

BHO-{49abb7e8-dda5-4080-9a46-37fc2e15c28d} - gerogije.dll

HKLM-Run-85760430 - c:\documents and settings\All Users\Application Data\85760430\85760430.exe

HKLM-Run-vawalamow - c:\windows\system32\yubiwojo.dll

HKLM-Run-dabuluzipi - husugudi.dll

SharedTaskScheduler-{4caf3005-e5f3-41c5-a68e-f35e7acbe290} - c:\windows\system32\yubiwojo.dll

SSODL-jatumamey-{4caf3005-e5f3-41c5-a68e-f35e7acbe290} - c:\windows\system32\yubiwojo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-15 17:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2792)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\McAfee.com\Agent\Mcdetect.exe

c:\progra~1\McAfee.com\VSO\McShield.exe

c:\progra~1\McAfee.com\Agent\McTskshd.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-10-15 17:58 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-15 22:58

ComboFix2.txt 2009-10-13 11:09

Pre-Run: 43,614,420,992 bytes free

Post-Run: 43,568,259,072 bytes free

241 --- E O F --- 2009-10-15 22:24


  • Staff

c:\program files\winlogon -- this appears to be something you created. I'm going to ignore that

c:\windows\system32\roloropo.exe - this one can be manually deleted. It won't resist deletion. Just be careful not to double click on it.

----------

ESET Online Scanner

  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

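Added example, not part of this thread and not a ComboFix feature: a small Python triage script that reads ComboFix "Files Created" / "Find3M" style lines and lists the entries an analyst would want to look at. It checks the two traits visible in the log above for the entries the helper acted on: hidden+system attributes on an executable (the `--sha-w-` column that roloropo.exe carries) and the eight-lowercase-letter file names of the Vundo/SuperJuan DLLs listed under "Other Deletions". The sample lines, the heuristics and the function names (`parse`, `flag_entries`, `report`) are this example's own; the fujewipe.dll line is constructed, since ComboFix listed that file without a timestamp.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's report line format:
#   <modified> . <created> <size or -------- for dirs> <attrs> <path>
# The first five lines mirror entries from the log in this thread; the
# fujewipe.dll line is constructed for the example.
SAMPLE_LOG = r"""
2009-10-08 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 17:58 . 2009-05-29 22:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-07-15 22:40 . 2009-07-15 22:40 1090082 --sha-w- c:\windows\system32\roloropo.exe
2009-10-08 00:43 . 2009-10-08 00:22 -------- d-----w- c:\program files\winlogon
2009-10-12 09:00 . 2009-10-12 09:00 76288 ----a-w- c:\windows\system32\fujewipe.dll
"""

LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Naming pattern of the Vundo DLLs in this log: exactly eight lowercase
# letters plus .dll or .exe (fujewipe.dll, husugudi.dll, roloropo.exe ...).
# This is a heuristic chosen for the example, not a ComboFix rule.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    modified: str
    created: str
    size: str
    attrs: str   # eight-character attribute column, e.g. "--sha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(text: str) -> list:
    """Parse report lines; lines in other formats are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def flag_entries(entries: list) -> dict:
    """Return {path: [reasons]} for files worth an analyst's attention."""
    findings = {}
    for e in entries:
        if e.is_dir:               # directories (like the renamed winlogon folder) are left to review by name
            continue
        reasons = []
        lower = e.path.lower()
        if e.hidden and e.system and lower.endswith(EXEC_EXT):
            reasons.append("hidden+system executable")
        if "\\system32\\" in lower and RANDOM_NAME.match(e.name):
            reasons.append("random-looking 8-letter name in system32")
        if reasons:
            findings[e.path] = reasons
    return findings


def report(text: str) -> list:
    """One human-readable line per flagged file, sorted by path."""
    findings = flag_entries(parse(text))
    return [f"{path}: {', '.join(why)}" for path, why in sorted(findings.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The output is a candidate list, not a verdict: KGyGaAvL.sys trips the hidden+system rule even though the helper in this thread did not call it out, while the winlogon folder is skipped because directories are not scored. Every hit still needs the kind of review the staff reply above shows (knowing what the user themselves created, and what was already quarantined).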

You are right! Winlogon was Malwarebytes renamed when I was trying to sneak it in. I deleted it, and also deleted c:\windows\system32\roloropo.exe.

Here are the results of the ESET scan:

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\85760430\85760430.exe.vir a variant of Win32/Kryptik.AVG trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\dehaseha.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application

C:\Qoobox\Quarantine\C\WINDOWS\system32\gerogije.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\system32\godanihe.dll.vir a variant of Win32/Adware.Virtumonde.NFR application

C:\Qoobox\Quarantine\C\WINDOWS\system32\hawajifi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application

C:\Qoobox\Quarantine\C\WINDOWS\system32\hojahuge.dll.vir a variant of Win32/Adware.SuperJuan.F application

C:\Qoobox\Quarantine\C\WINDOWS\system32\husugudi.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\system32\meruyuva.dll.vir a variant of Win32/Adware.Virtumonde.NFR application

C:\Qoobox\Quarantine\C\WINDOWS\system32\mirikiri.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\system32\punehomi.dll.vir a variant of Win32/Adware.SuperJuan.H application

C:\Qoobox\Quarantine\C\WINDOWS\system32\tuwefake.dll.vir a variant of Win32/Adware.Virtumonde.NFR application

C:\Qoobox\Quarantine\C\WINDOWS\system32\vajoneyo.dll.vir Win32/Adware.Virtumonde.NFT application

C:\Qoobox\Quarantine\C\WINDOWS\system32\vetahadu.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application

C:\Qoobox\Quarantine\C\WINDOWS\system32\wamejawe.dll.vir a variant of Win32/AntiAV.NCZ trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\yuterahi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application

C:\Qoobox\Quarantine\C\WINDOWS\system32\zufajudi.dll.vir a variant of Win32/Adware.SuperJuan.F application

C:\RECYCLER\S-1-5-21-518518524-701283741-3043286967-1006\Dc2.exe a variant of Win32/Kryptik.AVG trojan

Thank you again!


  • Staff

Of the stuff found,

C:\RECYCLER\S-1-5-21-518518524-701283741-3043286967-1006\Dc2.exe is that roloropo.exe you just deleted.

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix

I don't think Security Tool is coming back <_<

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.


I don't know what else to say but offer you my humble thanks. We will, for sure, follow your tips for safer surfing. In fact, I'm going right now to set his default browser to Firefox. I've already taken care of some of your other suggestions.

Once again...thank you. You RAWK!


This topic is now closed to further replies.