
Trojan.Vundo.H Keeps coming back, please help



About a week ago we started getting popups on our laptop. We use Google Chrome as our primary browser, and these popups are usually for some kind of antivirus or registry defender software.

I had Ad-Aware and Avira along with Malwarebytes on the laptop and began having issues with them. As I was unaware of the Vundo.H virus I did not think anything of the .dll files that kept being spotted by Avira because they looked like system files that were ok (naive!). Ad-Aware just kept finding a malicious program, but it never stopped scanning and never seemed to help.

Malwarebytes would not run, so I have had to download the .exe file under a fake name. I just ran a scan, re-booted, and it seems like all is clean according to the last scan, but everything has seemed fine before when I have done the same and then the popups come back. I have uninstalled Ad-Aware and Avira and just have Malwarebytes on the laptop currently. Every time I re-boot the computer it asks me to run the fake-named Malwarebytes file; I don't know if this is important.

Here are my most recent logs from Malwarebytes and HijackThis:

Malwarebytes first:

Malwarebytes' Anti-Malware 1.41

Database version: 3192

Windows 5.1.2600 Service Pack 3

11/17/2009 8:17:40 PM

mbam-log-2009-11-17 (20-17-40).txt

Scan type: Quick Scan

Objects scanned: 117042

Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:19:44 PM, on 11/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\GCHSNE84s.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O20 - AppInit_DLLs: c:\windows\system32\dehageja.dll c:\windows\system32\sawigewe.dll c:\windows\system32\muyasera.dll firewege.dll c:\windows\system32\figorana.dll

O21 - SSODL: pabahudiy - {ebb1fbc2-c7c8-447e-87bb-e63fc137bc09} - c:\windows\system32\dehageja.dll (file missing)

O21 - SSODL: dufewizig - {bfb28379-704b-4c29-9def-197b70381362} - c:\windows\system32\sawigewe.dll (file missing)

O21 - SSODL: giwunisel - {c440e98f-0851-4314-a50f-6e02783dddab} - c:\windows\system32\muyasera.dll (file missing)

O21 - SSODL: fimojamob - {800fb12d-091e-4406-8afc-aee62d1230c4} - c:\windows\system32\figorana.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {ebb1fbc2-c7c8-447e-87bb-e63fc137bc09} - c:\windows\system32\dehageja.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {bfb28379-704b-4c29-9def-197b70381362} - c:\windows\system32\sawigewe.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {c440e98f-0851-4314-a50f-6e02783dddab} - c:\windows\system32\muyasera.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {800fb12d-091e-4406-8afc-aee62d1230c4} - c:\windows\system32\figorana.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

--

End of file - 11674 bytes

I am not very savvy when it comes to this stuff, so any help that anyone can provide would be greatly appreciated.


  • Staff

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O20 - AppInit_DLLs: c:\windows\system32\dehageja.dll c:\windows\system32\sawigewe.dll c:\windows\system32\muyasera.dll firewege.dll c:\windows\system32\figorana.dll

O21 - SSODL: pabahudiy - {ebb1fbc2-c7c8-447e-87bb-e63fc137bc09} - c:\windows\system32\dehageja.dll (file missing)

O21 - SSODL: dufewizig - {bfb28379-704b-4c29-9def-197b70381362} - c:\windows\system32\sawigewe.dll (file missing)

O21 - SSODL: giwunisel - {c440e98f-0851-4314-a50f-6e02783dddab} - c:\windows\system32\muyasera.dll (file missing)

O21 - SSODL: fimojamob - {800fb12d-091e-4406-8afc-aee62d1230c4} - c:\windows\system32\figorana.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {ebb1fbc2-c7c8-447e-87bb-e63fc137bc09} - c:\windows\system32\dehageja.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {bfb28379-704b-4c29-9def-197b70381362} - c:\windows\system32\sawigewe.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {c440e98f-0851-4314-a50f-6e02783dddab} - c:\windows\system32\muyasera.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {800fb12d-091e-4406-8afc-aee62d1230c4} - c:\windows\system32\figorana.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot and post a new HijackThis log in your next reply.

By the way, is there any reason why you don't have an antivirus installed? It could have prevented all this, though....

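The staff reply above singles out three loading points (O20 AppInit_DLLs, O21 SSODL and O22 SharedTaskScheduler) plus the later O4 Rundll32 entry, all pointing at eight-letter DLLs in system32. The script below is an added example, not something from this thread or from the HijackThis or Malwarebytes tools: it reads HijackThis-style lines and flags the same kinds of entries a helper would check by hand. The sample lines are copied from the logs posted in this thread plus two benign lines; the "pronounceable 8-letter name" heuristic is an assumption drawn from the DLL names seen here (dehageja, sawigewe, merisemo, ...), not a published Vundo signature, so treat its hits as prompts to look closer, not as verdicts.

```python
import re

# Constructed sample: HijackThis lines copied from the logs in this thread,
# plus two benign entries, so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [zakedeyen] Rundll32.exe "c:\windows\system32\merisemo.dll",a
O20 - AppInit_DLLs: c:\windows\system32\dehageja.dll c:\windows\system32\sawigewe.dll c:\windows\system32\muyasera.dll firewege.dll c:\windows\system32\figorana.dll
O21 - SSODL: pabahudiy - {ebb1fbc2-c7c8-447e-87bb-e63fc137bc09} - c:\windows\system32\dehageja.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {92c02eaf-4edb-4a24-be35-e2b9ec613ce4} - c:\windows\system32\merisemo.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis sections that load a DLL automatically without a visible program:
# AppInit_DLLs goes into every process that loads user32.dll, the other two
# are loaded by Explorer at logon.
AUTOSTART_SECTIONS = {
    "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

# Heuristic (assumption, based on the names in this thread): four
# consonant-vowel pairs, e.g. "dehageja", "merisemo".
CV8 = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")

# Captures the base name of every *.dll reference on a line.
DLL_RE = re.compile(r"([^\\\s\"]+)\.dll", re.IGNORECASE)

HJT_LINE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")


def looks_generated(name):
    """True when a DLL base name matches the 8-letter consonant-vowel pattern."""
    return bool(CV8.match(name.lower()))


def dll_names(text):
    """All DLL base names referenced in a HijackThis line."""
    return DLL_RE.findall(text)


def classify(line):
    """Return the list of reasons a HijackThis line deserves attention ([] if none)."""
    reasons = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return reasons
    section, rest = m.group(1), m.group(2)
    dlls = dll_names(rest)
    generated = [d for d in dlls if looks_generated(d)]

    if section in AUTOSTART_SECTIONS and dlls:
        reasons.append(f"{section} {AUTOSTART_SECTIONS[section]} entry loads: {', '.join(dlls)}")
    if section == "O4" and re.search(r"rundll32", rest, re.IGNORECASE) and dlls:
        reasons.append("O4 Run entry starts a DLL through Rundll32: " + ", ".join(dlls))
    if generated:
        reasons.append("pronounceable 8-letter DLL name(s): " + ", ".join(generated))
    if "(file missing)" in rest:
        reasons.append("loading point references a missing file (orphaned entry)")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every line that raised at least one reason."""
    results = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            results.append((line.strip(), reasons))
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against a full saved HijackThis log the script will list only the entries worth a second look; the benign BHO, igfxtray and Bonjour lines in the sample produce nothing, while the four Vundo-style entries are each flagged for one or more reasons.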

Here is the HijackThis log. I just got another popup as I was opening this thread. As to the lack of antivirus, I did have Avira, but as I stated before, being a novice of sorts, I ignored its warnings because the files it was referencing were system32 files and I thought they were normal.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:00:23 PM, on 11/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\GCHSNE84s.exe" /runcleanupscript

O4 - HKLM\..\Run: [zakedeyen] Rundll32.exe "c:\windows\system32\merisemo.dll",a

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O20 - AppInit_DLLs: c:\windows\system32\merisemo.dll,gimuhohe.dll

O21 - SSODL: zogonubas - {92c02eaf-4edb-4a24-be35-e2b9ec613ce4} - c:\windows\system32\merisemo.dll

O22 - SharedTaskScheduler: jugezatag - {92c02eaf-4edb-4a24-be35-e2b9ec613ce4} - c:\windows\system32\merisemo.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

--

End of file - 10926 bytes


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Combo Fix Log

ComboFix 09-11-19.03 - Ian 11/19/2009 14:55.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.208 [GMT -8:00]

Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gavewuwu.dll

c:\windows\system32\gimuhohe.dll

c:\windows\system32\mizukobe.dll

c:\windows\system32\muyipigu.dll

c:\windows\system32\soyinajo.dll

c:\windows\system32\sozivado.dll

c:\windows\system32\tebusuka.dll

c:\windows\system32\tuyalaze.dll

c:\windows\system32\vabuwida.dll

c:\windows\system32\vidapahu.dll

c:\windows\system32\wuwopusi.dll

c:\windows\system32\zayiyahu.dll

c:\windows\system32\zetojusu.dll

c:\windows\Tasks\jturbivp.job

c:\windows\Tasks\kbgwoait.job

.

((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))

.

2009-11-18 02:50 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-18 02:50 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-17 06:24 . 2009-11-18 04:15 -------- d-----w- c:\program files\trend micro

2009-11-17 06:24 . 2009-11-17 06:28 -------- dc----w- C:\rsit

2009-11-10 21:41 . 2009-11-10 21:41 -------- d-sh--w- c:\documents and settings\Erin\PrivacIE

2009-11-10 21:38 . 2009-11-10 21:39 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\Temp

2009-11-09 17:10 . 2009-11-09 17:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-11-09 17:08 . 2009-11-09 17:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-06 16:15 . 2009-11-06 16:15 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-06 16:05 . 2009-11-18 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-11-06 16:05 . 2009-10-03 08:15 2924848 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareInstallation.exe

2009-10-26 19:54 . 2009-10-26 19:54 6729728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll

2009-10-23 14:30 . 2009-10-30 04:01 -------- d-----w- c:\documents and settings\Ian\Application Data\HpUpdate

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-18 02:55 . 2009-07-27 05:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-18 02:28 . 2008-10-18 19:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-11-06 15:44 . 2007-11-10 08:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-26 22:32 . 2006-05-09 13:20 -------- d-----w- c:\program files\Quicken

2009-10-26 19:54 . 2009-05-19 03:14 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2009-10-23 14:30 . 2006-05-09 10:35 -------- d-----w- c:\program files\Hp

2009-10-23 14:30 . 2006-05-09 10:35 -------- d-----w- c:\program files\Hewlett-Packard

2009-09-29 03:18 . 2009-09-29 03:17 -------- d-----w- c:\program files\Common Files\Real

2009-09-29 03:17 . 2009-09-29 03:17 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-29 03:17 . 2003-03-19 12:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-09-29 03:17 . 2003-02-21 20:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-29 03:17 . 2009-09-29 03:17 -------- d-----w- c:\program files\Real

2009-09-28 20:07 . 2007-12-24 22:53 -------- d-----w- c:\documents and settings\Ian\Application Data\ZoomBrowser EX

2009-09-28 20:05 . 2007-12-24 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-09-16 01:31 . 2007-12-15 19:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-11 14:18 . 2004-08-04 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-04 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Google Update"="c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\GCHSNE84s.exe" [2009-11-18 1312080]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-2 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^StartUp^Vongo Tray.lnk]

path=c:\documents and settings\Ian\Start Menu\Programs\StartUp\Vongo Tray.lnk

backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\WINDOWS\\system32\\CHDAudPropShortcut.exe"=

"c:\\WINDOWS\\system32\\hkcmd.exe"=

"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Quick Launch Buttons\\QLBCTRL.exe"=

"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/28/2006 3:32 PM 9472]

.

Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630159010-1157496936-744325326-1006Core.job

- c:\documents and settings\Erin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 03:35]

2009-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630159010-1157496936-744325326-1006UA.job

- c:\documents and settings\Erin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 03:35]

2009-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630159010-1157496936-744325326-1007Core.job

- c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 01:14]

2009-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3630159010-1157496936-744325326-1007UA.job

- c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 01:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?.home=ytie

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Google Search

IE: &Translate English Word

IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000

IE: Backward Links

IE: Cached Snapshot of Page

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages

IE: Translate Page into English

.

- - - - ORPHANS REMOVED - - - -

BHO-{ce6d658a-723a-4ca2-a7f0-3c6755ab5ec8} - gavewuwu.dll

HKLM-Run-zakedeyen - c:\windows\system32\zayiyahu.dll

HKLM-Run-putesakapi - muyipigu.dll

SharedTaskScheduler-{c450711b-1a5e-49da-9a19-1ea2b39f8eec} - c:\windows\system32\zayiyahu.dll

SSODL-ninejewat-{c450711b-1a5e-49da-9a19-1ea2b39f8eec} - c:\windows\system32\zayiyahu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-19 15:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????\??????(?@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,90,1f,8c,ef,53,2a,48,bb,78,83,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,90,1f,8c,ef,53,2a,48,bb,78,83,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(188)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\HPQ\Shared\HPQTOA~1.EXE

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-11-19 15:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-19 23:24

Pre-Run: 3,912,933,376 bytes free

Post-Run: 4,231,364,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 611470EAB9F0C9A2B0120B18D365AF3E


  • Staff

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


OK, ran the uninstall, no problems there.

So far I have not seen any popups since ComboFix was run. I don't know what the next step is, if there is one; however, I do have a few questions:

1) Every time I turn the laptop on, once the desktop loads I get a window asking me if I want to run the Malwarebytes .exe program. This file is the one with a randomly generated fake name which I downloaded previously because the Vundo.H would not let me run the regular one. Is this normal? Should I uninstall and download a new version of Malwarebytes? Should I just go ahead and run it?

2) I am seeing the little yellow balloons about updating Java, Windows is telling me that updates are ready, and I have Windows Security Alerts according to the taskbar in the bottom right hand corner. Is it safe to go ahead and update this stuff?

3) What are the next steps for me? I have been perusing the forums and information on this site and bleepingcomputer.com to educate myself, and it seems like there is an overwhelming amount of information about what software I should have to keep this from happening again. Can you give me recommendations? Along with Malwarebytes, I used to have Ad-Aware and Avira. I have used Spybot previously on an old computer and have read that SpywareBlaster is good. Also, what about a firewall? Windows XP has one, but do I need to get something else? I also use CCleaner to clean up my registry and stuff to make sure the laptop is running as fast as possible. Is this an OK program?

4) Is Google Chrome a good browser? I used to have Firefox, but I was having issues with add-ons, and a friend had Chrome on his computer. I really like its simplicity; however, I am reading that Firefox is still the best. Is this true?

Lastly, I really appreciate your help, you're a life(PC)-saver.


  • Staff

Hi,

Yes, we are done here.

To answer your questions....

1) Every time I turn the laptop on, once the desktop loads I get a window asking me if I want to run the Malwarebytes .exe program. This file is the one with a randomly generated fake name which I downloaded previously because the Vundo.H would not let me run the regular one. Is this normal? Should I uninstall and download a new version of Malwarebytes? Should I just go ahead and run it?

Yes, uninstall Malwarebytes and reinstall it, but before you do, open HijackThis, click "Scan" and check the following entry in it:

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\GCHSNE84s.exe" /runcleanupscript

Then click the "Fix checked" button below.

2) I am seeing the little yellow balloons about updating Java, Windows is telling me that updates are ready, and I have Windows Security Alerts according to the taskbar in the bottom right hand corner. Is it safe to go ahead and update this stuff?

Yes, please allow it to install the updates.

3) What are the next steps for me? I have been perusing the forums and information on this site and bleepingcomputer.com to educate myself, and it seems like there is an overwhelming amount of information about what software I should have to keep this from happening again. Can you give me recommendations? Along with Malwarebytes, I used to have Ad-Aware and Avira. I have used Spybot previously on an old computer and have read that SpywareBlaster is good. Also, what about a firewall? Windows XP has one, but do I need to get something else? I also use CCleaner to clean up my registry and stuff to make sure the laptop is running as fast as possible. Is this an OK program?

There are so many things you can do to prevent malware...

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

As for a firewall, if you know how to use a firewall, then I recommend a 3rd party Firewall. For some users, a 3rd party firewall may be too advanced since they would block everything in it, so in that case, stick with the XP Firewall.

CCleaner is a good program to clean up unneeded files (like cache, recycle bin contents etc.), but I do not recommend the registry cleaning option. I actually do not recommend any registry cleaner if you don't have enough knowledge about the Windows registry. Read here why: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html

Cleaning orphaned keys in the registry won't speed things up anyway; on the contrary, it can sometimes do the opposite, because the registry becomes more fragmented.

4) Is Google Chrome a good browser? I used to have Firefox, but I was having issues with add-ons, and a friend had Chrome on his computer. I really like its simplicity; however, I am reading that Firefox is still the best. Is this true?

Every browser has its advantages and disadvantages. Some prefer Google Chrome, others stick with Firefox, others use Opera etc., so it will be a matter of testing which one you like the most.

I still use Firefox in combination with the NoScript add-on to make browsing safer.

Hope I could answer your questions. :)

Happy Surfing again!


This topic is now closed to further replies.