
Help needed to remove vundo.h



Last week my PC had the Security Tool virus. I stomped it out using Malwarebytes; however, it keeps coming back after reboots. Malwarebytes is detecting and removing what it finds. However, there must be something that it is missing.

Below are the latest logs from Malwarebytes (latest version); I ran it until it was clean. Also included is the log from HijackThis.

1) Malwarebytes log

Malwarebytes' Anti-Malware 1.41

Database version: 2955

Windows 5.1.2600 Service Pack 2

10/13/2009 10:55:01 PM

mbam-log-2009-10-13 (22-55-01).txt

Scan type: Quick Scan

Objects scanned: 109334

Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2) HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:55:53 PM, on 10/13/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Drivers\trcboot.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\PC Backup\AgentService.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\program files\eds\ucr\edsencryptionmonitor.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lxdicoms.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Drivers\pcssenslogon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Prot_srv.exe

C:\Program Files\Pointsec\Connect\PointSecConnect.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\WebDrive\wdService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\Program Files\PC Backup\Agent.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\Main pgm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {437d1bb5-9c19-46d1-8e79-26e0981e14bc} - wojukoro.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe"

O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [iDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] c:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe

O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\PC Backup\Agent.exe" -ni -sss -e http://localhost:16386/

O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"

O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Main pgm.exe" /runcleanupscript

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\skeelsfr\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: create_shortcut.lnk = C:\Users\davenutt\create_shortcut.vbs (User 'Default user')

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com

O15 - Trusted Zone: http://ie.config.eur.compaq.com

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com

O15 - Trusted Zone: http://ie.config.jp.compaq.com

O15 - Trusted Zone: http://*.compaq.com

O15 - Trusted Zone: http://*.compaq.com.ar

O15 - Trusted Zone: http://*.compaq.com.br

O15 - Trusted Zone: http://*.compaq.com.co

O15 - Trusted Zone: http://*.compaq.com.mx

O15 - Trusted Zone: http://*.compaq.com.sg

O15 - Trusted Zone: http://*.compaq.com.ve

O15 - Trusted Zone: http://*.cpqcorp.net

O15 - Trusted Zone: http://*.dcu.org

O15 - Trusted Zone: http://ie.config.ecom.dec.com

O15 - Trusted Zone: http://*.hp.com

O15 - Trusted Zone: http://*.hpqcorp.net

O15 - Trusted Zone: http://ie.config.tandem.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)

O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)

O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab

O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169809900876

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab

O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.hpqcorp.net,AMERICAS.cpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.hpqcorp.net,AMERICAS.cpqcorp.net,hpqcorp.net,cpqcorp.net

O20 - AppInit_DLLs: c:\windows\system32\wunuveye.dll bibuwoge.dll c:\windows\system32\vunogenu.dll c:\windows\system32\lewazasu.dll tamuyali.dll

O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll

O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

O21 - SSODL: yobalokoz - {23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll (file missing)

O21 - SSODL: gozobizos - {081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll (file missing)

O21 - SSODL: rerokotit - {cfd317d9-1219-4be9-9b0d-a8d4d2cf5af3} - c:\windows\system32\lewazasu.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {cfd317d9-1219-4be9-9b0d-a8d4d2cf5af3} - c:\windows\system32\lewazasu.dll (file missing)

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\PC Backup\AgentService.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

O23 - Service: IBM Command Line Trace (cstrcser) - IBM Corporation - C:\WINDOWS\system32\drivers\cstrcser.exe

O23 - Service: EDS Encryption Monitor (EdsEncryptionMonitor) - EDS - c:\program files\eds\ucr\edsencryptionmonitor.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe

O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe

O23 - Service: PCSLogon - Unknown owner - C:\WINDOWS\system32\Drivers\pcssenslogon.exe

O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe

O23 - Service: Pointsec Connect - Pointsec Mobile Technologies AB - C:\Program Files\Pointsec\Connect\PointSecConnect.exe

O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe

O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

--

End of file - 17026 bytes


First, thanks for your time. I do appreciate it. The log from ComboFix follows:

ComboFix 09-10-14.06 - skeelsfr 10/14/2009 22:25.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1976.1235 [GMT -4:00]

Running from: c:\documents and settings\skeelsfr\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1708537768-1682526488-1343024091-500

c:\windows\Installer\161b06f.msp

c:\windows\Installer\161b070.msp

c:\windows\Installer\1adda31.msp

c:\windows\Installer\1adda32.msp

c:\windows\Installer\71b43d.msp

c:\windows\Installer\71b43e.msp

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\gugasara.dll

c:\windows\system32\kerodaru.dll

c:\windows\system32\lipupara.dll

c:\windows\system32\mozulavo.dll

c:\windows\system32\pimeyewe.dll

c:\windows\system32\puhikuga.dll.tmp

c:\windows\system32\sySInfo.ocx

c:\windows\system32\tamuyali.dll.tmp

c:\windows\system32\wojukoro.dll.tmp

c:\windows\system32\zefugabe.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))

.

2009-10-13 17:09 . 2009-10-13 17:09 -------- d-----w- c:\windows\ERUNT

2009-10-13 17:03 . 2009-10-13 17:24 -------- d-----w- C:\SDFix

2009-10-13 15:55 . 2009-10-13 15:55 -------- d-----w- c:\program files\Trend Micro

2009-10-13 14:50 . 2009-10-13 14:50 -------- d-----w- C:\VundoFix Backups

2009-10-09 02:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-09 02:49 . 2009-10-09 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-09 02:49 . 2009-10-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-09 02:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-08 14:09 . 2009-10-09 14:49 -------- d-----w- C:\!KillBox

2009-10-08 14:01 . 2009-10-08 19:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-08 12:03 . 2009-10-08 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-08 12:03 . 2009-10-08 12:04 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-08 11:59 . 2009-10-08 11:59 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Malwarebytes

2009-10-07 18:08 . 2009-10-07 18:08 -------- d-----w- c:\documents and settings\skeelsfr\WINDOWS

2009-10-02 15:28 . 2009-10-02 15:28 -------- d-----w- c:\documents and settings\skeelsfr\Local Settings\Application Data\Citrix

2009-10-02 15:28 . 2009-10-02 15:28 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\ICAClient

2009-10-02 15:16 . 2009-10-02 15:31 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Download Manager

2009-09-30 18:07 . 2009-09-30 18:07 -------- d-----w- C:\AIP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-15 02:33 . 2009-09-02 14:30 -------- d-----w- c:\program files\PC Backup

2009-10-14 17:47 . 2008-12-01 13:43 -------- d-----w- c:\program files\RA2HP

2009-10-14 17:29 . 2009-08-20 12:17 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\mjusbsp

2009-10-06 23:22 . 2009-08-19 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-30 18:07 . 2009-08-19 20:50 76072 ----a-w- c:\documents and settings\skeelsfr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 23:03 . 2009-09-11 23:03 81 ----a-w- C:\CTX.DAT

2009-09-11 00:10 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Lexmark Productivity Studio

2009-09-10 11:43 . 2009-09-10 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe

2009-09-04 19:27 . 2009-09-04 19:24 -------- d-----w- c:\program files\Lexmark 3500-4500 Series

2009-09-03 18:24 . 2009-09-03 18:24 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Windows Search

2009-09-02 14:31 . 2009-09-02 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Email Backup Optimization

2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\HP

2009-09-01 15:08 . 2009-09-01 15:08 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\FaxCtr

2009-09-01 14:34 . 2009-08-29 14:50 -------- d-----w- c:\program files\Lexmark Fax Solutions

2009-08-29 23:16 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Apple Computer

2009-08-29 23:10 . 2009-08-25 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-29 16:24 . 2009-08-25 11:19 -------- d-----w- c:\program files\QuickTime

2009-08-29 16:24 . 2008-11-25 15:51 -------- d-----w- c:\program files\PAL

2009-08-29 16:24 . 2009-08-19 01:29 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-08-29 16:23 . 2008-11-25 15:47 -------- d-----w- c:\program files\Hewlett-Packard

2009-08-29 14:50 . 2009-08-29 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr

2009-08-29 14:50 . 2009-08-29 14:50 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2009-08-25 11:48 . 2009-08-25 11:37 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\iTunes

2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\iPod

2009-08-25 11:20 . 2009-08-25 11:19 -------- d-----w- c:\program files\Common Files\Apple

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\program files\Bonjour

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\program files\Apple Software Update

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-23 17:57 . 2009-08-23 17:57 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Windows Desktop Search

2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\TomTom

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Millennia

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Libronix DLS

2009-08-21 00:58 . 2009-08-21 00:58 -------- d-----w- c:\program files\IBM

2009-08-21 00:57 . 2009-08-21 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IBM

2009-08-19 20:50 . 2009-08-19 20:50 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Sonic

2009-08-19 13:31 . 2009-08-19 13:31 -------- d-----w- c:\program files\SapInstSelectorv2

2009-08-19 13:31 . 2009-08-19 13:31 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-08-19 13:31 . 2009-08-19 13:31 286720 ------w- c:\windows\Setup1.exe

2009-08-19 11:42 . 2009-08-19 11:42 -------- d-----w- c:\program files\Common Files\ESRI

2009-08-19 11:42 . 2009-08-19 11:40 -------- d-----w- c:\program files\SAP

2009-08-19 11:42 . 2009-08-19 11:41 -------- d-----w- c:\program files\Common Files\SAP Shared

2009-08-19 02:59 . 2009-08-19 02:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\WebDrive

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\EDS

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\WebDrive

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\Pointsec

2009-08-19 02:59 . 2009-08-19 02:58 2097152 ------w- C:\PROT_INS.SYS

2009-08-19 02:58 . 2009-08-19 02:58 6 ----a-w- C:\VOL_CHAR.DAT

2009-08-19 01:31 . 2009-08-19 01:31 -------- d-----w- c:\program files\Microsoft Works

2009-08-19 01:31 . 2008-12-22 16:27 -------- d-----w- c:\program files\MSBuild

2009-08-05 09:11 . 1980-01-01 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 01:22 . 2009-07-31 01:22 27672 ----a-w- c:\documents and settings\hpadmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-29 14:23 . 1980-01-01 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 1980-01-01 00:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 18:55 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll

2006-12-29 20:15 . 2009-08-19 11:43 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2006-12-29 20:15 . 2009-08-19 11:43 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2006-12-29 20:15 . 2009-08-19 11:43 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

2006-12-29 20:15 . 2009-08-19 11:43 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2006-12-07 15:26 . 2009-08-19 11:43 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt

2006-12-07 15:26 . 2009-08-19 11:43 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt

2009-07-14 13:05 . 2009-07-14 13:05 51712 --sha-w- c:\windows\system32\fabarupa.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]

"cdloader"="c:\documents and settings\skeelsfr\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_15\bin\jusched.exe" [2008-02-09 75256]

"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-11-25 5720072]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-13 297000]

"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-05 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-05 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-05 141848]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-18 178712]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-31 177456]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-04-21 197904]

"GetITIcon"="c:\program files\Hewlett-Packard\GetITIcon\GetITShell.exe" [2009-05-05 864256]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2006-12-04 941424]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]

"AgentUiRunKey"="c:\program files\PC Backup\Agent.exe" [2009-03-10 244536]

"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]

"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Main pgm.exe" [2009-09-10 1312080]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-13 128552]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-7-30 197904]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-13 09:20 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-13 09:20 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2007-05-15 20:13 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\faxctr.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\App4r.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=

"c:\\WINDOWS\\system32\\lxdicfg.exe"=

"c:\\WINDOWS\\system32\\lxdicoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

"c:\\Documents and Settings\\skeelsfr\\Application Data\\mjusbsp\\magicJack.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [12/4/2006 5:49 PM 235392]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [5/1/2008 6:23 AM 24064]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/13/2008 5:20 AM 198184]

R2 AgentService;AgentService;c:\program files\PC Backup\AgentService.exe [3/10/2009 6:15 PM 6608192]

R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [11/25/2008 12:21 PM 238080]

R2 EdsEncryptionMonitor;EDS Encryption Monitor;c:\program files\EDS\UCR\EdsEncryptionMonitor.exe [6/19/2007 12:01 PM 40960]

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]

R2 PCSLogon;PCSLogon;c:\windows\system32\drivers\pcssenslogon.exe [5/15/2007 5:09 AM 61440]

R2 Pointsec Connect;Pointsec Connect;c:\program files\Pointsec\Connect\PointSecConnect.exe [6/4/2007 10:01 AM 28672]

R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2/20/2007 8:59 AM 270510]

R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 12:19 PM 172205]

R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [7/3/2008 8:28 AM 315570]

R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [5/19/2007 11:38 PM 167552]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [4/6/2007 6:46 AM 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [11/25/2008 12:57 PM 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 6:46 AM 13647]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [11/25/2008 12:57 PM 10161]

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [7/30/2009 9:16 PM 193840]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 7:26 PM 102448]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/17/2007 5:33 AM 41216]

R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [8/3/2007 10:31 AM 23424]

S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [9/4/2009 3:27 PM 99248]

S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [12/4/2006 5:49 PM 146720]

S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [12/4/2006 5:49 PM 109856]

S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [11/25/2008 12:57 PM 27008]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 1:45 PM 23888]

S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [5/15/2007 5:09 AM 36864]

S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [3/10/2009 6:15 PM 45384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{597923B7-C2AA-43B8-9367-1F6CC7AAB0CC}]

msiexec.exe /fu {597923B7-C2AA-43B8-9367-1F6CC7AAB0CC} /qb!

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]

2009-10-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]

2009-10-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 17:06]

2009-10-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-23 23:27]

2009-10-15 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [1998-10-21 18:29]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://athp.hp.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

Trusted Zone: compaq.com

Trusted Zone: compaq.com\ie.config.asia

Trusted Zone: compaq.com\ie.config.eur

Trusted Zone: compaq.com\ie.config.im.hou

Trusted Zone: compaq.com\ie.config.jp

Trusted Zone: compaq.com.ar

Trusted Zone: compaq.com.br

Trusted Zone: compaq.com.co

Trusted Zone: compaq.com.mx

Trusted Zone: compaq.com.sg

Trusted Zone: compaq.com.ve

Trusted Zone: cpqcorp.net

Trusted Zone: dcu.org

Trusted Zone: dec.com\ie.config.ecom

Trusted Zone: hp.com

Trusted Zone: hpqcorp.net

Trusted Zone: tandem.com\ie.config

Trusted Zone: compaq.com\ie.config.asia

Trusted Zone: compaq.com\ie.config.eur

Trusted Zone: compaq.com\ie.config.im.hou

Trusted Zone: compaq.com\ie.config.jp

Trusted Zone: dec.com\ie.config.ecom

Trusted Zone: tandem.com\ie.config

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll

SharedTaskScheduler-{081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll

SharedTaskScheduler-{cfd317d9-1219-4be9-9b0d-a8d4d2cf5af3} - c:\windows\system32\lewazasu.dll

SSODL-yobalokoz-{23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll

SSODL-gozobizos-{081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll

SSODL-rerokotit-{cfd317d9-1219-4be9-9b0d-a8d4d2cf5af3} - c:\windows\system32\lewazasu.dll

SafeBoot-Symantec Antvirus

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-14 22:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)

c:\windows\system32\pssogina.dll

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(5536)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\system32\scardsvr.exe

c:\windows\system32\drivers\trcboot.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMON.EXE

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\lxdicoms.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\WebDrive\wdService.exe

c:\windows\system32\searchindexer.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-10-15 22:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-15 02:39

Pre-Run: 126,608,162,816 bytes free

Post-Run: 126,445,654,016 bytes free

382

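The ComboFix log above closes its "ORPHANS REMOVED" section with three SharedTaskScheduler and three SSODL entries that share CLSIDs in pairs and point at eight-letter, randomly named DLLs in system32, and its "Reg Loading Points" section shows the Windows Firewall standard profile turned off and Security Center monitoring of the AV disabled. The script below is an added example, not part of the original thread and not ComboFix's own logic: it parses lines in this log format and flags those indicators. The consonant-vowel name heuristic is an assumption drawn from the names in this thread (zilebobi, vunogenu, lewazasu, fabarupa), not a published Vundo signature; the sample lines are a constructed subset of the posted log plus one benign control entry (WPDShServiceObj.dll) with a placeholder CLSID.

```python
import re

# Constructed sample: a subset of the ComboFix log lines posted above, plus one
# benign control entry (WPDShServiceObj.dll) with a PLACEHOLDER CLSID so the
# heuristics have something legitimate to leave alone.
SAMPLE_LOG = r"""
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
SharedTaskScheduler-{23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll
SharedTaskScheduler-{081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll
SSODL-yobalokoz-{23ff5c3d-d2be-46eb-ba84-c7095121699d} - c:\windows\system32\zilebobi.dll
SSODL-gozobizos-{081302e3-61cb-4e6a-91ad-423e12b1bcee} - c:\windows\system32\vunogenu.dll
SSODL-WPDShServiceObj-{00000000-0000-0000-0000-000000000000} - c:\windows\system32\WPDShServiceObj.dll
"""

# Heuristic (an assumption, not a published signature): the DLL names in this
# thread (zilebobi, vunogenu, lewazasu, fabarupa) are eight lowercase letters in
# strict consonant-vowel alternation, which real Windows DLL names almost never are.
GENERATED_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# "SharedTaskScheduler-{clsid} - path" and "SSODL-<valuename>-{clsid} - path"
SHELL_HOOK_RE = re.compile(
    r"^(SharedTaskScheduler|SSODL)-(?:[^{]*-)?\{([0-9a-fA-F-]{36})\}\s+-\s+(\S.*)$")
# "AV: <product> *<status>* ..." and "FW: <product> *<status>* ..." header lines
AV_FW_RE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*([^*]+)\*")
# '"Name"= 0 (0x0)' and '"Name"=dword:00000001' forms used under Reg Loading Points
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?(\S+)')


def looks_generated(dll_name):
    """True if a DLL file name matches the random-name heuristic above."""
    name = dll_name.lower()
    return name.endswith(".dll") and bool(GENERATED_NAME_RE.match(name[:-4]))


def analyse_combofix_log(text):
    """Scan ComboFix-style log text; return weak security settings, shell hooks
    that load random-looking DLLs from system32, and CLSIDs registered under
    more than one autostart location."""
    weak_settings = []
    suspicious_dlls = []           # (hook kind, clsid, path)
    hooks_by_clsid = {}            # clsid -> set of hook kinds it appears under
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()   # registry key for the values that follow
            continue
        m = AV_FW_RE.match(line)
        if m:
            kind, product, status = m.groups()
            if "disabled" in status.lower():
                weak_settings.append(f"{kind} {product}: {status}")
            continue
        m = SHELL_HOOK_RE.match(line)
        if m:
            hook, clsid, path = m.group(1), m.group(2).lower(), m.group(3).lower()
            hooks_by_clsid.setdefault(clsid, set()).add(hook)
            if "\\system32\\" in path and looks_generated(path.rsplit("\\", 1)[-1]):
                suspicious_dlls.append((hook, clsid, path))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            try:
                num = int(value, 16)       # "0", "1" and "00000001" all parse
            except ValueError:
                continue                   # quoted path or other non-numeric data
            if name == "enablefirewall" and num == 0 and "firewallpolicy" in current_key:
                weak_settings.append(f"EnableFirewall=0 under {current_key}")
            elif name == "disablemonitoring" and num == 1 and "security center" in current_key:
                weak_settings.append(f"DisableMonitoring=1 under {current_key}")
    reused_clsids = sorted(c for c, kinds in hooks_by_clsid.items() if len(kinds) > 1)
    return {"weak_settings": weak_settings,
            "suspicious_dlls": suspicious_dlls,
            "reused_clsids": reused_clsids}


if __name__ == "__main__":
    for section, items in analyse_combofix_log(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Read the three result lists with different weight. EnableFirewall=0 and DisableMonitoring=1 are what a machine looks like when a third-party suite such as Symantec Endpoint Protection owns the firewall and registers with Security Center, so on this managed HP build they are review items, not evidence of infection on their own. The stronger signal is the combination of random-looking DLL names in system32 with the same CLSID registered under both SharedTaskScheduler and SSODL, which gives the component two independent chances to load with Explorer; the staff reply's COLLECT:: of fabarupa.dll targets a file with the same naming pattern.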

  • Staff

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27743
COLLECT::
c:\windows\system32\fabarupa.dll
FOLDER::
C:\VundoFix Backups
DIRLOOK::
c:\documents and settings\skeelsfr\WINDOWS

Save this as "CFScript"

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

---------------

ESET Online Scanner

  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.


1. I encountered no problems while executing these steps.

2. My PC is functioning normally at the moment. This is not uncommon, as Malwarebytes knocks it down to a point where it takes time and/or a reboot for the popups to start again. However, the online scan did detect some viruses that I have not previously detected.

The two log files (ComboFix and online scan) follow:

ComboFix 09-10-14.06 - skeelsfr 10/14/2009 23:05.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1976.1232 [GMT -4:00]

Running from: c:\documents and settings\skeelsfr\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\skeelsfr\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

file zipped: c:\windows\system32\fabarupa.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\VundoFix Backups

c:\windows\system32\fabarupa.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))

.

2009-10-13 17:09 . 2009-10-13 17:09 -------- d-----w- c:\windows\ERUNT

2009-10-13 17:03 . 2009-10-13 17:24 -------- d-----w- C:\SDFix

2009-10-13 15:55 . 2009-10-13 15:55 -------- d-----w- c:\program files\Trend Micro

2009-10-09 02:49 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-09 02:49 . 2009-10-09 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-09 02:49 . 2009-10-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-09 02:49 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-08 14:09 . 2009-10-09 14:49 -------- d-----w- C:\!KillBox

2009-10-08 14:01 . 2009-10-08 19:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-08 12:03 . 2009-10-08 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-08 12:03 . 2009-10-08 12:04 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-08 11:59 . 2009-10-08 11:59 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Malwarebytes

2009-10-07 18:08 . 2009-10-07 18:08 -------- d-----w- c:\documents and settings\skeelsfr\WINDOWS

2009-10-02 15:28 . 2009-10-02 15:28 -------- d-----w- c:\documents and settings\skeelsfr\Local Settings\Application Data\Citrix

2009-10-02 15:28 . 2009-10-02 15:28 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\ICAClient

2009-10-02 15:16 . 2009-10-02 15:31 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Download Manager

2009-09-30 18:07 . 2009-09-30 18:07 -------- d-----w- C:\AIP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-15 02:33 . 2009-09-02 14:30 -------- d-----w- c:\program files\PC Backup

2009-10-14 17:47 . 2008-12-01 13:43 -------- d-----w- c:\program files\RA2HP

2009-10-14 17:29 . 2009-08-20 12:17 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\mjusbsp

2009-10-06 23:22 . 2009-08-19 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-30 18:07 . 2009-08-19 20:50 76072 ----a-w- c:\documents and settings\skeelsfr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 23:03 . 2009-09-11 23:03 81 ----a-w- C:\CTX.DAT

2009-09-11 00:10 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Lexmark Productivity Studio

2009-09-10 11:43 . 2009-09-10 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe

2009-09-04 19:27 . 2009-09-04 19:24 -------- d-----w- c:\program files\Lexmark 3500-4500 Series

2009-09-03 18:24 . 2009-09-03 18:24 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Windows Search

2009-09-02 14:31 . 2009-09-02 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Email Backup Optimization

2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\HP

2009-09-01 15:08 . 2009-09-01 15:08 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\FaxCtr

2009-09-01 14:34 . 2009-08-29 14:50 -------- d-----w- c:\program files\Lexmark Fax Solutions

2009-08-29 23:16 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Apple Computer

2009-08-29 23:10 . 2009-08-25 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-29 16:24 . 2009-08-25 11:19 -------- d-----w- c:\program files\QuickTime

2009-08-29 16:24 . 2008-11-25 15:51 -------- d-----w- c:\program files\PAL

2009-08-29 16:24 . 2009-08-19 01:29 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-08-29 16:23 . 2008-11-25 15:47 -------- d-----w- c:\program files\Hewlett-Packard

2009-08-29 14:50 . 2009-08-29 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr

2009-08-29 14:50 . 2009-08-29 14:50 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2009-08-25 11:48 . 2009-08-25 11:37 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\iTunes

2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\iPod

2009-08-25 11:20 . 2009-08-25 11:19 -------- d-----w- c:\program files\Common Files\Apple

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\program files\Bonjour

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\program files\Apple Software Update

2009-08-25 11:19 . 2009-08-25 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-23 17:57 . 2009-08-23 17:57 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Windows Desktop Search

2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\TomTom

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Millennia

2009-08-22 13:52 . 2009-08-22 13:52 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Libronix DLS

2009-08-21 00:58 . 2009-08-21 00:58 -------- d-----w- c:\program files\IBM

2009-08-21 00:57 . 2009-08-21 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IBM

2009-08-19 20:50 . 2009-08-19 20:50 -------- d-----w- c:\documents and settings\skeelsfr\Application Data\Sonic

2009-08-19 13:31 . 2009-08-19 13:31 -------- d-----w- c:\program files\SapInstSelectorv2

2009-08-19 13:31 . 2009-08-19 13:31 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-08-19 13:31 . 2009-08-19 13:31 286720 ------w- c:\windows\Setup1.exe

2009-08-19 11:42 . 2009-08-19 11:42 -------- d-----w- c:\program files\Common Files\ESRI

2009-08-19 11:42 . 2009-08-19 11:40 -------- d-----w- c:\program files\SAP

2009-08-19 11:42 . 2009-08-19 11:41 -------- d-----w- c:\program files\Common Files\SAP Shared

2009-08-19 02:59 . 2009-08-19 02:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\WebDrive

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\EDS

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\WebDrive

2009-08-19 02:59 . 2009-08-19 02:59 -------- d-----w- c:\program files\Pointsec

2009-08-19 02:59 . 2009-08-19 02:58 2097152 ------w- C:\PROT_INS.SYS

2009-08-19 02:58 . 2009-08-19 02:58 6 ----a-w- C:\VOL_CHAR.DAT

2009-08-19 01:31 . 2009-08-19 01:31 -------- d-----w- c:\program files\Microsoft Works

2009-08-19 01:31 . 2008-12-22 16:27 -------- d-----w- c:\program files\MSBuild

2009-08-05 09:11 . 1980-01-01 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 01:22 . 2009-07-31 01:22 27672 ----a-w- c:\documents and settings\hpadmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-29 14:23 . 1980-01-01 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 1980-01-01 00:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-07-17 18:55 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll

2006-12-29 20:15 . 2009-08-19 11:43 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2006-12-29 20:15 . 2009-08-19 11:43 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2006-12-29 20:15 . 2009-08-19 11:43 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

2006-12-29 20:15 . 2009-08-19 11:43 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2006-12-07 15:26 . 2009-08-19 11:43 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt

2006-12-07 15:26 . 2009-08-19 11:43 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\skeelsfr\WINDOWS ----

((((((((((((((((((((((((((((( SnapShot@2009-10-15_02.35.31 )))))))))))))))))))))))))))))))))))))))))

.

- 1980-01-01 00:00 . 2009-10-15 02:25 79360 c:\windows\system32\perfc009.dat

+ 1980-01-01 00:00 . 2009-10-15 02:38 79360 c:\windows\system32\perfc009.dat

+ 1980-01-01 00:00 . 2009-10-15 02:38 465640 c:\windows\system32\perfh009.dat

- 1980-01-01 00:00 . 2009-10-15 02:25 465640 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]

"cdloader"="c:\documents and settings\skeelsfr\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_15\bin\jusched.exe" [2008-02-09 75256]

"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-11-25 5720072]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-13 297000]

"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-05 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-05 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-05 141848]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-18 178712]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-31 177456]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-04-21 197904]

"GetITIcon"="c:\program files\Hewlett-Packard\GetITIcon\GetITShell.exe" [2009-05-05 864256]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2006-12-04 941424]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]

"AgentUiRunKey"="c:\program files\PC Backup\Agent.exe" [2009-03-10 244536]

"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]

"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Main pgm.exe" [2009-09-10 1312080]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-13 128552]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-7-30 197904]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-13 09:20 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-13 09:20 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2007-05-15 20:13 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\faxctr.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\App4r.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=

"c:\\WINDOWS\\system32\\lxdicfg.exe"=

"c:\\WINDOWS\\system32\\lxdicoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

"c:\\Documents and Settings\\skeelsfr\\Application Data\\mjusbsp\\magicJack.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [12/4/2006 5:49 PM 235392]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [5/1/2008 6:23 AM 24064]

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/13/2008 5:20 AM 198184]

R2 AgentService;AgentService;c:\program files\PC Backup\AgentService.exe [3/10/2009 6:15 PM 6608192]

R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [11/25/2008 12:21 PM 238080]

R2 EdsEncryptionMonitor;EDS Encryption Monitor;c:\program files\EDS\UCR\EdsEncryptionMonitor.exe [6/19/2007 12:01 PM 40960]

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]

R2 Pointsec Connect;Pointsec Connect;c:\program files\Pointsec\Connect\PointSecConnect.exe [6/4/2007 10:01 AM 28672]

R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2/20/2007 8:59 AM 270510]

R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 12:19 PM 172205]

R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [7/3/2008 8:28 AM 315570]

R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [5/19/2007 11:38 PM 167552]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [4/6/2007 6:46 AM 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [11/25/2008 12:57 PM 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 6:46 AM 13647]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [11/25/2008 12:57 PM 10161]

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [7/30/2009 9:16 PM 193840]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 7:26 PM 102448]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/17/2007 5:33 AM 41216]

R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [8/3/2007 10:31 AM 23424]

S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [9/4/2009 3:27 PM 99248]

S2 PCSLogon;PCSLogon;c:\windows\system32\drivers\pcssenslogon.exe [5/15/2007 5:09 AM 61440]

S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [12/4/2006 5:49 PM 146720]

S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [12/4/2006 5:49 PM 109856]

S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [11/25/2008 12:57 PM 27008]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 1:45 PM 23888]

S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [5/15/2007 5:09 AM 36864]

S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [3/10/2009 6:15 PM 45384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{597923B7-C2AA-43B8-9367-1F6CC7AAB0CC}]

msiexec.exe /fu {597923B7-C2AA-43B8-9367-1F6CC7AAB0CC} /qb!

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]

2009-10-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 21:35]

2009-10-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 17:06]

2009-10-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-23 23:27]

2009-10-15 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [1998-10-21 18:29]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://athp.hp.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

Trusted Zone: compaq.com

Trusted Zone: compaq.com\ie.config.asia

Trusted Zone: compaq.com\ie.config.eur

Trusted Zone: compaq.com\ie.config.im.hou

Trusted Zone: compaq.com\ie.config.jp

Trusted Zone: compaq.com.ar

Trusted Zone: compaq.com.br

Trusted Zone: compaq.com.co

Trusted Zone: compaq.com.mx

Trusted Zone: compaq.com.sg

Trusted Zone: compaq.com.ve

Trusted Zone: cpqcorp.net

Trusted Zone: dcu.org

Trusted Zone: dec.com\ie.config.ecom

Trusted Zone: hp.com

Trusted Zone: hpqcorp.net

Trusted Zone: tandem.com\ie.config

Trusted Zone: compaq.com\ie.config.asia

Trusted Zone: compaq.com\ie.config.eur

Trusted Zone: compaq.com\ie.config.im.hou

Trusted Zone: compaq.com\ie.config.jp

Trusted Zone: dec.com\ie.config.ecom

Trusted Zone: tandem.com\ie.config

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-14 23:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)

c:\windows\system32\pssogina.dll

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

c:\windows\system32\pcsinst.dll

.

Completion time: 2009-10-15 23:11

ComboFix-quarantined-files.txt 2009-10-15 03:11

Pre-Run: 126,459,506,688 bytes free

Post-Run: 126,431,858,688 bytes free

326

Upload was successful

Online log follows

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=da028da3b529ef4abc139ece4c7ce4ad

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-10-15 03:48:38

# local_time=2009-10-14 11:48:38 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=3585 63 50 0 0

# compatibility_mode=5889 63 259 1 129000520997281742

# scanned=77892

# found=12

# cleaned=0

# scan_time=1564

C:\Qoobox\Quarantine\C\WINDOWS\system32\gugasara.dll.vir a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\kerodaru.dll.vir Win32/KillAV.NFO trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\lipupara.dll.vir a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\puhikuga.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\tamuyali.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wojukoro.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\zefugabe.dll.vir a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP1\A0000017.dll a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP1\A0000018.dll Win32/KillAV.NFO trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP1\A0000019.dll a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP1\A0000023.dll a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

C:\WINDOWS\system32\futoyiyi.dll.tmp a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I

Link to post
Share on other sites

  • Staff

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Delete the leftover file NOD32 flagged; record any path that survives
for %%g in (
C:\WINDOWS\system32\futoyiyi.dll.tmp
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the VundoFix and ComboFix quarantine folders the same way
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Open the log if anything survived, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
rem The batch file removes itself when done
del %0

Save this as fix.bat. Choose to "Save type as - All Files".

It should look like this: bat_icon.gif

Double click on fix.bat & allow it to run

Post back to tell me what it says


  • Staff

Of the stuff NOD32 found,

C:\QooBox is ComboFix's quarantine folder. We've already taken care of that.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

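The triage the staff member just did by eye (quarantine folder: already handled; System Restore cache: inert until restored; everything else: live and still to be cleaned) is easy to automate. The following Python is an added example, not code from the thread or from ESET; it parses a few detection lines copied from the ESET Online Scanner log posted above (the header counts are constructed to match that subset, and the parsing regex is an assumption about the log's layout) and groups each hit by where the file lives, so that only the live findings need attention:

```python
import re
from collections import Counter

# Constructed sample: a subset of the ESET Online Scanner log posted in this
# thread (header keys plus one or two detection lines per location type).
SAMPLE_LOG = """\
# scanned=77892
# found=4
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\gugasara.dll.vir a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\kerodaru.dll.vir Win32/KillAV.NFO trojan 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\\RP1\\A0000017.dll a variant of Win32/AntiAV.NCZ trojan 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\futoyiyi.dll.tmp a variant of Win32/Adware.SuperJuan.F application 00000000000000000000000000000000 I
"""

# One detection line: <path> <detection name> <32 hex chars> <flag>.
# Assumed layout: the path is matched lazily, and the name must begin with an
# optional "a variant of" followed by a Family/Variant token. A Windows path
# never contains a forward slash, so the split is unambiguous even when the
# path itself contains spaces.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9]+/\S+.*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)


def classify(path):
    """Where does the detected file live: ComboFix's quarantine folder, a
    System Restore point, or the live file system (the only one that can
    still execute)?"""
    p = re.sub(r"^[a-z]:", "", path.lower())
    if p.startswith("\\qoobox\\quarantine\\"):
        return "quarantine"
    if p.startswith("\\system volume information\\_restore"):
        return "restore_point"
    return "live"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for an ESET scan log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify(d["path"])
            detections.append(d)
    return header, detections


def triage(text):
    """Summarise a log: hits per location plus the live files still to clean."""
    header, detections = parse_eset_log(text)
    counts = Counter(d["location"] for d in detections)
    return {
        "found": int(header.get("found", len(detections))),
        "parsed": len(detections),
        "counts": dict(counts),
        "live": [(d["path"], d["name"]) for d in detections
                 if d["location"] == "live"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("found by scanner:", summary["found"], "parsed:", summary["parsed"])
    print("by location:", summary["counts"])
    for path, name in summary["live"]:
        print("LIVE:", path, "->", name)
```

Run on the full log from the thread, this would report seven quarantine hits, four restore-point hits and a single live file, which is exactly the one the fix.bat above deletes. Comparing `parsed` against the scanner's own `found` count is a cheap check that no line fell through the regex.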

I did remove Combofix per instructions.

I must admit I am seriously impressed with the process you used. I'm not an idiot, however, clearly you know a lot about this.

Thanks for your help and time. You saved me some time and money so, in return, tomorrow I will purchase Malwarebyte.

Are you aware if the identity of who created vundo.h is known and if (legal) authorities can/will do anything?

Again, thanks!


  • Staff
Are you aware if the identity of who created vundo.h is known and if (legal) authorities can/will do anything?

Vundo is more likely the work of a group of individuals who are incapable of earning an honest day's pay.

If their identities be known, we'll all make a small donation to a fund for their retirement.
